What We Do
How We Do
Get Started
Security advisories

Microsoft Zero-Day Vulnerability Abused in Nokoyawa Ransomware Attacks

April 12, 2023 | 2 MINS READ

Speak With A Security Expert Now



On April 11th, 2023, as part of Microsoft’s monthly Patch Tuesday release, Microsoft disclosed a zero-day vulnerability in the Windows Common Log File System (CLFS), which cybercriminals are actively exploiting to deploy Nokoyawa ransomware payloads. 

The vulnerability, tracked as CVE-2023-28252 (CVSS: 7.8), is a Privilege Escalation vulnerability in the Windows Common Log File System Driver; it impacts all supported Windows servers and client versions. Successful exploitation enables threat actors to gain SYSTEM privileges and fully compromise targeted Windows systems.

As exploitation of CVE-2023-28252 has been confirmed, immediate patching is strongly recommended. eSentire has detections in place to identify Nokoyawa ransomware precursors and variants.

What we’re doing about it

What you should do about it

Additional information

Exploitation of CVE-2023-28252 was first discovered by researchers from Kaspersky, who reported the vulnerability to Microsoft. Initial exploitation of the vulnerability was identified in February 2023. Related attacks have been identified impacting small and medium-sized businesses in the retail & wholesale, energy, manufacturing, healthcare, software development and other industries in the Middle East, North America, and Asia regions. There is no indication that these industries or locations were specifically targeted; other industries and countries are expected to be impacted in the future.

Nokoyawa is a strain of ransomware that surfaced in February 2022. It is capable of impacting 64-bit Windows-based systems in attacks. Nokoyawa shares code with JSWorm, Karma, and Nemty ransomware, and has previously been connected to the HIVE ransomware group. In September 2022, a Rust version of the ransomware was identified, in a switch from the initial Nokoyawa ransomware version, developed using the C programming language. Threat actors deploying Nokoyawa ransomware are known to employ the double extortion technique, where data is exfiltrated prior to ransomware deployment, and used to extort victims with the threat of data sale or public release.

To successfully exploit CVE-2023-28252, threat actors require previous access to a vulnerable device. It is currently unclear how threat actors gained access to systems prior to ransomware deployment. Organizations are recommended to review and apply the best practices for ransomware defense as provided by CISA in the #StopRansomware initiative.

In response, CISA added the vulnerability to its catalogue of Known Exploited Vulnerabilities, ordering FCEB agencies to secure their systems against it by May 2nd, 2023.


[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28252
[2] https://securelist.com/nokoyawa-ransomware-attacks-with-windows-zero-day/109483/
[3] https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[4] https://www.cisa.gov/stopransomware/how-can-i-protect-against-ransomware

View Most Recent Advisories