In February, researchers at Kaspersky discovered a Windows zero-day that is being used extensively in sophisticated ransomware attacks similar to Common Log File System (CLFS) driver exploits they had seen previously, but turned out to be a zero-day attack, supporting different versions and builds of Windows, including Windows 11:
While the majority of zero-days that we’ve discovered in the past were used by APTs, this particular zero-day was used by a sophisticated cybercrime group that carries out ransomware attacks. This group is notable for its use of a large number of similar but unique Common Log File System (CLFS) driver exploits that were likely developed by the same exploit author. Since at least June 2022, we’ve identified five different exploits used in attacks on retail & wholesale, energy, manufacturing, healthcare, software development and other industries. Using the CVE-2023-28252 zero-day, this group attempted to deploy the Nokoyawa ransomware as a final payload.
We see a significantly increasing level of sophistication among cybercriminal groups. We don’t often see APTs using zero-day exploits in their attacks, and now there are financially motivated cybercriminal groups that have the resources to acquire exploits for unknown vulnerabilities and routinely use them in attacks.
Microsoft released a patch for this vulnerability (CVE-2023-28252) in this week’s April Patch Tuesday release.
I have a pair of comments on this. Starting with Christopher Peacock, Principal Detection Engineer, SCYTHE:
“This type of activity proves ransomware actors can develop or procure unknown exploits. A zero-day makes placing one piece of a puzzle easier for the adversary and more complicated for defenders to detect. It’s, therefore, necessary for organizations to have holistic defense in depth for all the pieces in the puzzle.”
Jan Lovmand, CTO, BullWall follows up with this:
“Cybercriminals are quicker to exploit zero day vulnerabilities than companies are at deploying patches. The average time to patch these vulnerabilities is more than 60 days for the average enterprise. Once the zero-day fix is announced, cybercriminals know precisely what the vulnerability is and work overtime to write exploits specifically for this.
“If companies think they can prevent every attack, they are mistaken. It is simply a matter of time before a new ransomware variant hits that catches the endpoint security stack by surprise or when a threat actor finds that one lone system on your network that hasn’t been patched.
“To protect against zero-day attacks, companies must be keeping their systems up to date with the latest security patches, use strong and complex passwords, implement MFA, maintain regular backups of critical data and they should consider implementing a rapid containment strategy. Ransomware Containment tools are becoming a critical part of this overall strategy.”
Anyone who has followed this blog will know that I always preach that you should be staying up to date with the latest patches as they stop stuff like this from being hugely problematic. So if you haven’t updated all your Microsoft based PCs, you might want to do so ASAP as the number of threat actors who will be using this vulnerability is about to go up.
Like this:
Like Loading...
Related
This entry was posted on April 12, 2023 at 4:00 pm and is filed under Commentary with tags Microsoft. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
If You Didn’t Install April’s Patch Tuesday Updates, You Might Want To Do So ASAP As There’s An Actively Exploited Threat Out There
In February, researchers at Kaspersky discovered a Windows zero-day that is being used extensively in sophisticated ransomware attacks similar to Common Log File System (CLFS) driver exploits they had seen previously, but turned out to be a zero-day attack, supporting different versions and builds of Windows, including Windows 11:
While the majority of zero-days that we’ve discovered in the past were used by APTs, this particular zero-day was used by a sophisticated cybercrime group that carries out ransomware attacks. This group is notable for its use of a large number of similar but unique Common Log File System (CLFS) driver exploits that were likely developed by the same exploit author. Since at least June 2022, we’ve identified five different exploits used in attacks on retail & wholesale, energy, manufacturing, healthcare, software development and other industries. Using the CVE-2023-28252 zero-day, this group attempted to deploy the Nokoyawa ransomware as a final payload.
We see a significantly increasing level of sophistication among cybercriminal groups. We don’t often see APTs using zero-day exploits in their attacks, and now there are financially motivated cybercriminal groups that have the resources to acquire exploits for unknown vulnerabilities and routinely use them in attacks.
Microsoft released a patch for this vulnerability (CVE-2023-28252) in this week’s April Patch Tuesday release.
I have a pair of comments on this. Starting with Christopher Peacock, Principal Detection Engineer, SCYTHE:
“This type of activity proves ransomware actors can develop or procure unknown exploits. A zero-day makes placing one piece of a puzzle easier for the adversary and more complicated for defenders to detect. It’s, therefore, necessary for organizations to have holistic defense in depth for all the pieces in the puzzle.”
Jan Lovmand, CTO, BullWall follows up with this:
“Cybercriminals are quicker to exploit zero day vulnerabilities than companies are at deploying patches. The average time to patch these vulnerabilities is more than 60 days for the average enterprise. Once the zero-day fix is announced, cybercriminals know precisely what the vulnerability is and work overtime to write exploits specifically for this.
“If companies think they can prevent every attack, they are mistaken. It is simply a matter of time before a new ransomware variant hits that catches the endpoint security stack by surprise or when a threat actor finds that one lone system on your network that hasn’t been patched.
“To protect against zero-day attacks, companies must be keeping their systems up to date with the latest security patches, use strong and complex passwords, implement MFA, maintain regular backups of critical data and they should consider implementing a rapid containment strategy. Ransomware Containment tools are becoming a critical part of this overall strategy.”
Anyone who has followed this blog will know that I always preach that you should be staying up to date with the latest patches as they stop stuff like this from being hugely problematic. So if you haven’t updated all your Microsoft based PCs, you might want to do so ASAP as the number of threat actors who will be using this vulnerability is about to go up.
Share this:
Like this:
Related
This entry was posted on April 12, 2023 at 4:00 pm and is filed under Commentary with tags Microsoft. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.