CISA added CVE-2023-28252, a Windows zero-day vulnerability in the Common Log File System (CLFS), to its catalog of Known Exploited Vulnerabilities yesterday. This flaw was first discovered in February. It’s noted that this vulnerability is currently being actively exploited by cybercriminals across small and medium-sized businesses in the Middle East and North America. Threat actors have been monitored escalating privileges and deploying ransomware payloads, particularly Nokoyama.
Nokoyama ransomware first surfaced in February of 2022 and was viewed as one of several offshoots of JSWorm. Since then, it has used CLFS system flaws similar to CVE-2023-28252, including in 64-bit Windows systems, to perpetrate double extortion attacks with victims’ stolen data.
Microsoft patched this zero-day and 96 other bugs, including 45 remote code execution vulnerabilities, as part of April’s Patch Tuesday, Full details on yesterday’s patches can be found here: https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2023-patch-tuesday-fixes-1-zero-day-97-flaws/