A significant zero-day vulnerability has been discovered within the Common Log File System (CLFS) of Windows operating systems, leading to urgent calls for users to implement security patches. This flaw, designated as CVE-2023-28252, was identified by Kaspersky's Global Research & Analysis Team (GReAT) through their Behavioral Detection Engine and Exploit Prevention components. "We detected attempts to exploit a previously unknown vulnerability," said a member of the GReAT team, emphasizing the critical nature of the discovery.
"We detected attempts to exploit a previously unknown vulnerability,"
Microsoft has acknowledged the threat and fixed it in the April Patch Tuesday update, which was released on April 4, 2023. Users are advised to install these updates "as soon as possible," highlighting the severity of the ongoing exploitation of this vulnerability in cybercriminal activity, particularly in ransomware attacks.
"as soon as possible,"
CVE-2023-28252 is classified as a privilege-elevation vulnerability. Attackers need to manipulate a Binary Log File (BLF) to gain higher privileges within the system, which allows them to continue their malicious activities. "To exploit it, attackers must have initial access with user privileges," explained an expert from Kaspersky. While specific technical details remain restricted to prevent further criminal exploitation, insights into indicators of compromise are available through their Securelist website.
"To exploit it, attackers must have initial access with user privileges,"
Evaluating the nature of CVE-2023-28252, Kaspersky's analysis shows that it has been particularly used to deploy the Nokoyawa ransomware variant against victims. Interestingly, the attackers have demonstrated a pattern of creating similar exploits targeting vulnerabilities within the CLFS in prior incidents. "After examining the exploit, our experts concluded that the attackers were also responsible for earlier exploits for vulnerabilities in the same CLFS," said a researcher from Kaspersky, which sheds light on the continuity and persistence of these cyber threats.
"After examining the exploit, our experts concluded that the attackers were also responsible for earlier exploits for vulnerabilities in the same CLFS,"
In addition to the Nokoyawa ransomware, other tools such as Cobalt Strike Beacon and the modular backdoor Pipemagic have been observed in conjunction with these types of attacks. This pattern of tool usage underscores the calculated and sophisticated nature of the cybercriminals behind exploitation attempts.
To defend against such vulnerabilities, cybersecurity professionals stress the importance of maintaining updated security protocols. "First of all, we recommend installing the April updates for Windows," said an adviser from Kaspersky. Protecting all work computers and servers with transmission security measures and reliable software is crucial in mitigating the risks associated with both known and zero-day vulnerabilities. Kaspersky's security products are designed to automatically detect attacks related to CVE-2023-28252 as well as malware used by the perpetrators of this exploit.
"First of all, we recommend installing the April updates for Windows,"
In the evolving landscape of cybersecurity, proactive measures and timely updates remain essential for safeguarding digital assets. With the constant emergence of new threats like CVE-2023-28252, organizations and individuals must prioritize comprehensive cybersecurity frameworks that can adapt to the shifting terrain of cybercrime. As Kaspersky experts prepare to disclose further technical details later this month, users are urged to remain vigilant and enhance their defensive postures accordingly.
