Get a demo
Voyager18 (research)

CVE-2023-28252: a dangerous combination of zero-day and ransomware

CVE-2023-28252 is a zero-day vulnerability affecting all versions of Microsoft Windows. Here's everything you need to know.

Yair Divinsky | December 06, 2023

Microsoft has taken action against an actively exploited zero-day vulnerability and has provided a patch to address it. The vulnerability, known as CVE-2023-28252 and referred to as “Windows Common Log File System Driver Elevation of Privilege Vulnerability,” allows for privilege escalation. 

If an attacker gains system access and has the capability to execute code, they can exploit this vulnerability to obtain SYSTEM privileges, which is the highest level of user privileges in Windows. 

Here are all the details:  

What is CVE-2023-28252? 

The exploitation of CVE-2023-28252 has gained attention due to its active use by the Nokoyawa ransomware, as discovered and reported by Kaspersky Technologies. According to Kaspersky, this vulnerability involves an out-of-bounds write (increment) exploit that occurs when the system tries to extend the metadata block. By exploiting this vulnerability, the attacker can manipulate the base log file, tricking the system into treating a falsified element within the file as genuine. 

To achieve this, the attacker alters the offset value that points to a specific Common Log File System (CLFS) structure in the computer’s memory. They replace it with an offset that directs to a maliciously crafted structure. This action provides a pointer to controlled memory at the user level, granting the attacker kernel read/write privileges. CLFS structures are integral components of the CLFS general-purpose logging system used by Windows operating systems. These structures consist of physical log files, log streams, log records, and other related elements.  

Nokoyawa ransomware emerged in March 2022 as a 64-bit Windows ransomware family. It exhibits significant similarities in its attack methodology to Hive, one of the most notorious ransomware families in 2021. The initial version of Nokoyawa was developed using the C programming language, while subsequent versions have transitioned to Rust, incorporating Elliptic Curve Cryptography (ECC) with Curve25519 and Salsa20 for file encryption. These later versions also require command-line arguments for execution.  


Does CVE-2023-28252 affect me? 

CVE-2023-28252 impacts all currently supported versions of Windows servers and clients, including Windows 11. This vulnerability has the potential to be exploited by local attackers, allowing them to do so without requiring any user interaction. The attack methods involved are relatively straightforward.   

Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) has included CVE-2023-28252 in its list of Known Exploited Vulnerabilities. CISA has explicitly advised the Federal Civilian Executive Branch (FCEB) agencies to ensure the patching or securing of their systems by the first week of May. 

Has CVE-2023-28252 been actively exploited in the wild? 

Incidents of active exploitation in real-world scenarios have been discovered for this vulnerability. Kaspersky Technologies reported that in February, they identified instances of Nokoyawa ransomware attacks targeting Microsoft Windows servers used by small and medium-sized enterprises (SMEs) to exploit CVE-2023-28252 in order to achieve privilege escalation. 

 Nokoyawa threat actors likely gain initial access to the target system using various methods, including phishing with malicious attachments (T1566) and utilizing leaked or compromised credentials (T1078). These techniques bear resemblance to those employed by the Hive ransomware. 

Once a threat actor has successfully infiltrated the system and gained the ability to execute code, they exploit the zero-day vulnerability CVE-2023-28252 to escalate privileges, specifically targeting the HKEY_LOCAL_MACHINE\SAM registry hive to extract its contents (T1003).  

To establish command and control and move laterally within the target network, the attackers employ obfuscated codes (T1027) as part of the Cobalt Strike beaconing technique. They also utilize loaders to evade detection by antivirus software. 

Once the attackers are confident that they have compromised the entire network and extracted the necessary organizational data, they deploy the final payload: the Nokoyawa ransomware. The encryption process is initiated, and affected users receive a notification indicating the incident that has occurred on their system.  

The notification includes a URL link to Nokoyawa’s .onion portal for users to engage in chat with the “Support” team, along with warning guidelines. 

Also worth noting is that the Nokoyawa threat actors have been observed extracting password hashes by dumping the contents of the HKEY_LOCAL_MACHINE\SAM registry hive following the exploitation of the vulnerability.   

These credentials can be used to log in as a user and gain access to the systems. Once detected, organizations can leverage the “Disable AD User” playbook to promptly disable the compromised user account and minimize response time. 


Nokoyawa ransom note


How to fix CVE-2023-28252 

To effectively address the risks associated with this vulnerability, we strongly recommend promptly applying the patch released by Microsoft on ‘patch Tuesday’ (April 11, 2023). This patch is the optimal solution for mitigating potential vulnerabilities and reducing the chances of falling victim to the attack.  

However, we understand that applying patches can sometimes present challenges. If immediate patching is not feasible, implementing the following security best practices can significantly mitigate the threat: 

  1.  Conduct regular scans and assessments of organizational assets to identify vulnerabilities and misconfigurations. Patch and keep the operating systems, firmware, and applications up to date. 
  2. Enforce strong multi-factor authentication (MFA) and implement phishing protection measures for both user and administrative accounts. Adhere to the principle of least privilege and time-based access whenever possible. 
  3. Simulate attack scenarios to enhance employee awareness of phishing and other risks, ensuring incidents are promptly reported to the internal cyber security team. 
  4. Implement thorough network segmentation to prevent the spread of the attack and minimize its impact. 
  5. Deploy endpoint protection platforms (EPPs) such as Logpoint AgentX or other suitable solutions to secure endpoint devices. Ensure these devices are regularly updated, properly configured, and capable of generating alerts when disabled. 
  6. Develop a practice of creating and maintaining regular offline encrypted backups that encompass the entire organizational data infrastructure. Test the availability of backups through periodic restoration attempts. 
  7. Regularly review the security posture of third-party vendors connected to the organization. 
  8. Remain vigilant for any signs of leaked credentials on malware data leak sites and take appropriate measures accordingly. 
  9. Continuously monitor critical organizational assets using a combination of tools such as Sysmon and the Logpoint Converged SIEM platform. 

By implementing these recommendations and taking proactive security measures, organizations can significantly reduce the risks associated with this vulnerability and enhance their overall security posture. 

Next steps 

Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: 

  1. Can you trust ChatGPT’s package recommendations?
  2. MITRE ATTACK framework – Mapping techniques to CVEs  
  3. Exploit maturity: an introduction  
  4. OWASP Top 10 vulnerabilities 2022: what we learned 
  5. How to fix CVE-2023-32784 in KeePass password manager

And finally…  

Don’t get found out by new vulnerabilities. Vulcan Cyber gives you full visibility and oversight of your threat environment and lets you prioritize, remediate and communicate your cyber risk across your entire organization. Get a demo today. 


How do you detect a zero-day vulnerability?

A zero-day exploit is often challenging to identify. Tools like antimalware software, intrusion detection systems (IDS), and intrusion prevention systems (IPS) struggle to identify the attack signature, as it hasn’t been established yet. Consequently, the most effective method for detecting a zero-day attack relies on analyzing user behavior.

What is the best practice for zero-day vulnerabilities?

A strong security plan should encompass frequent system updates, thorough risk evaluations, and the deployment of advanced detection technologies capable of spotting abnormal activities, signaling a significant attack surface and a potential zero-day exploit. Check out our full guide on tackling zero-day threats.

Free for risk owners

Set up in minutes to aggregate and prioritize cyber risk across all your assets and attack vectors.

"Idea for an overwhelmed secops/security team".

Name Namerson
Head of Cyber Security Strategy