THE THREAT
On April 11th, 2023, as part of Microsoft’s monthly Patch Tuesday release, Microsoft disclosed a zero-day vulnerability in the Windows Common Log File System (CLFS), which cybercriminals are actively exploiting to deploy Nokoyawa ransomware payloads.
The vulnerability, tracked as CVE-2023-28252 (CVSS: 7.8), is a Privilege Escalation vulnerability in the Windows Common Log File System Driver; it impacts all supported Windows servers and client versions. Successful exploitation enables threat actors to gain SYSTEM privileges and fully compromise targeted Windows systems.
As exploitation of CVE-2023-28252 has been confirmed, immediate patching is strongly recommended. eSentire has detections in place to identify Nokoyawa ransomware precursors and variants.
What we’re doing about it
- eSentire Managed Vulnerability (MVS) has plugins in place to identify CVE-2023-28252
- The eSentire Threat Intelligence team has performed threat hunts across the client base for known related Indicators of Compromise
- The eSentire product suite has a variety of detections in place to identify activity associated with ransomware deployment and precursors
- eSentire security teams continue to track this vulnerability for additional details and detection opportunities
What you should do about it
- After performing a business impact review, apply the relevant security patches provided by Microsoft
- Alternative mitigations are not available at this time
Additional information
Exploitation of CVE-2023-28252 was first discovered by researchers from Kaspersky, who reported the vulnerability to Microsoft. Initial exploitation of the vulnerability was identified in February 2023. Related attacks have been identified impacting small and medium-sized businesses in the retail & wholesale, energy, manufacturing, healthcare, software development and other industries in the Middle East, North America, and Asia regions. There is no indication that these industries or locations were specifically targeted; other industries and countries are expected to be impacted in the future.
Nokoyawa is a strain of ransomware that surfaced in February 2022. It is capable of impacting 64-bit Windows-based systems in attacks. Nokoyawa shares code with JSWorm, Karma, and Nemty ransomware, and has previously been connected to the HIVE ransomware group. In September 2022, a Rust version of the ransomware was identified, in a switch from the initial Nokoyawa ransomware version, developed using the C programming language. Threat actors deploying Nokoyawa ransomware are known to employ the double extortion technique, where data is exfiltrated prior to ransomware deployment, and used to extort victims with the threat of data sale or public release.
To successfully exploit CVE-2023-28252, threat actors require previous access to a vulnerable device. It is currently unclear how threat actors gained access to systems prior to ransomware deployment. Organizations are recommended to review and apply the best practices for ransomware defense as provided by CISA in the #StopRansomware initiative.
In response, CISA added the vulnerability to its catalogue of Known Exploited Vulnerabilities, ordering FCEB agencies to secure their systems against it by May 2nd, 2023.
References:
[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28252
[2] https://securelist.com/nokoyawa-ransomware-attacks-with-windows-zero-day/109483/
[3] https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[4] https://www.cisa.gov/stopransomware/how-can-i-protect-against-ransomware
