Application Security , Attack Surface Management , Cybercrime

Microsoft Patches Zero-Day Bug Exploited by Ransomware Group

Attackers Drop Nokoyawa Ransomware; Experts See Increasing Criminal Sophistication
Microsoft Patches Zero-Day Bug Exploited by Ransomware Group
Ransom note left by Nokoyawa (Source: Kaspersky)

Cue patch or perish, "ransomware edition," as Microsoft on Tuesday released updates for all versions of Windows to fix 114 vulnerabilities, including a zero-day flaw being exploited by crypto-locking extortionists.

See Also: Defending Your AI Future with Prisma Cloud

Microsoft said in a security alert that "an attacker who successfully exploited this vulnerability could gain system privileges," giving them full access to the system.

Credit for identifying the flaw, which could be used to take down even the latest Windows 11 systems, goes to cybersecurity firm Kaspersky, which discovered the vulnerability in February and reported it to Microsoft. The security firm reported seeing the flaw being used in the wild, primarily against small and midsized organizations in North America, the Middle East and Asia, and said it was being used to infect systems with Nokoyawa ransomware. Known victims of the group hail from such sectors as healthcare, energy, retail, manufacturing and software development.

The vulnerability is in the Common Log File System, or CLFS, and has been designated CVE-2023-28252. New updates from Microsoft fix the flaw in supported versions of Windows Server 2008, 2012 and 2016, as well as Windows 10 and Windows 11.

The new flaw may give patch management personnel déjà vu. "If it seems familiar, that's because there was a similar zero-day patched in the same component just two months ago," said Dustin Childs, a security analyst at the Zero Day Initiative, a software vulnerability initiative run by cybersecurity firm Trend Micro (see: Microsoft's February Patch Tuesday Fixes 3 Zero-Days).

"This type of exploit is typically paired with a code execution bug to spread malware or ransomware," he added. "Definitely test and deploy this patch quickly."

Increasing Sophistication

Ransomware groups wielding zero-day exploits remain unusual. "We don't often see APTs using zero-day exploits in their attacks, and now there are financially motivated cybercriminal groups that have the resources to acquire exploits for unknown vulnerabilities and routinely use them in attacks," Kaspersky said. "Moreover, there are developers willing to help cybercriminal groups and to produce one exploit after another."

Nokoyawa appears to have a predilection for using Common Log File System, or CLFS, driver exploits, which Kaspersky said "were likely developed by the same exploit author," who's been tied to at least five different, high-quality exploits since June 2022.

Based on their tactics, techniques and procedures, Nokoyawa ransomware-wielding attackers may be former members or business partners of Hive ransomware. "The two families share some striking similarities in their attack chain, from the tools used to the order in which they execute various steps," Trend Micro reported in March 2022. Among the tools seen being used then were Cobalt Strike during the initial stages of the attack, as well as "anti-rootkit scanners GMER and PC Hunter for defense evasion."

While Hive ransomware was infiltrated by law enforcement in July 2022 and had its infrastructure shut down in January, Nokoyawa appears to remain fully operational.

113 More Fixes

The fix for CVE-2023-28252 is just one of a slew of vulnerabilities patched Tuesday by Microsoft. They include fixes for 45 different vulnerabilities that could be used to remotely exploit code. That represents a notable increase from the 33 remote code execution flaws patched by Microsoft in each of the previous three months, reported Adam Barnett, lead software engineer at Rapid7.

Some of the remote code execution flaws getting fixed include CVE-2023-21554 in the Windows message queuing service, which can be exploited by sending a specially crafted MSMQ packet and is used to remotely execute malicious code. The same goes for a flaw in Windows Pragmatic General Multicast, designated CVE-2023-28250.

For either type of attack to be successful, the Windows message queuing service must be enabled. "You can check to see if there is a service running named Message Queuing and TCP port 1801 is listening on the machine," Microsoft said in a security alert.

2013 Alert Gets Updated

Unusually, this month Microsoft updated and republished details of a 10-year-old WinVerifyTrust signature validation vulnerability tied to portable executable files.

ZDI's Childs said the flaw, designated CVE-2013-3900, has been getting exploited as part of the software supply chain attack on 3CX, which is a voice and video calling desktop client used by major multinational companies. Multiple security firms have attributed those attacks to North Korea's Lazarus group of APT hackers.

As in 2013, Microsoft's fix remains opt-in, and the company said it doesn't plan to make it a default. The fix "remains available as an opt-in feature via reg key setting, and is available on supported editions of Windows released since Dec. 10, 2013," including "all currently supported versions of Windows 10 and Windows 11."

Microsoft said the vulnerability could be exploited by an attacker who altered an existing portable executable file in a way that didn't invalidate its signature. "An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights," it said.

To address this risk, Microsoft recommends that application developers sign their apps using its stricter Trusted Root Program verification system and that customers restrict their Windows environments to only use apps signed in this manner, albeit after first testing this approach "to evaluate how it will behave in their environments."

About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.