Hackers Exploited Windows Zero-day For Ransomware Attacks

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


Microsoft recently fixed a zero-day vulnerability that threat actors exploited to gain unauthorized privileges in the Windows Common Log File System (CLFS).

Analysts at Kaspersky's Securelist reported that the threat actors used this exploit to deploy Nokoyawa ransomware payloads.

Microsoft has assigned CVE-2023-28252 to a security vulnerability in the Common Log File System that allows unauthorized escalation of privileges.

Microsoft acted quickly to address the issue, releasing a patch on April 11, 2023, as part of its monthly round of security updates, known as “April Patch Tuesday.”

The vulnerability was discovered and reported by the following researchers:-

  • Genwei Jiang of Mandiant
  • Quan Jin of DBAPPSecurity’s WeBin Lab

Exploitation

It is a low-complexity vulnerability: a local attacker can exploit it with a simple attack that requires no user interaction. It affects all supported Windows server and client versions.

On successful exploitation, threat actors could gain complete control of the targeted Windows system.

With the release of Patch Tuesday this month, 97 security bugs have been fixed, including 45 vulnerabilities that could allow remote code execution.

In this case, the analysts identified that the operators of Nokoyawa ransomware actively exploited CVE-2023-28252 in their attacks.

The Nokoyawa ransomware gang has continued to target the Common Log File System (CLFS) driver, leveraging a variety of exploits since June 2022. 

Though these exploits share some similarities, they have distinct characteristics that differentiate them.

The Nokoyawa ransomware group has been actively targeting a variety of industry verticals using multiple Common Log File System (CLFS) exploits.

They have reportedly used at least five additional exploits, and their targets span the following sectors:-

  • Retail 
  • Wholesale
  • Energy
  • Manufacturing
  • Healthcare
  • Software development

Since 2018, Microsoft has patched 32 local privilege escalation vulnerabilities in the Windows CLFS driver. Among them, the primary three exploited as zero-days by threat actors in the wild are:-

Rapid Evolution

Since its emergence in February 2022, the Nokoyawa ransomware has been identified as a serious threat to 64-bit Windows-based systems. 

Known for its double extortion tactics, the ransomware is designed to encrypt a victim’s files and steal sensitive information from compromised networks and systems. 

Threat actors behind the Nokoyawa ransomware then demand a ransom payment to return access to encrypted files and prevent the public release of the stolen data.

The initial Nokoyawa ransomware version was written in the C programming language. It has since been rewritten in Rust, and it has been found to share code with the following ransomware families:-

  • JSWorm
  • Karma
  • Nemty

The threat actors used a newer version of Nokoyawa in this attack, which has many differences from the JSWorm codebase used previously.

The level of sophistication among cybercriminal groups has increased significantly in recent years, and this trend is expected to continue.
