Nokoyawa Ransomware Exploits Zero-Day Vulnerability in Windows

12 Apr 2023 kaspersky.co.uk

An advanced cybercriminal group has leveraged a zero-day vulnerability in Microsoft Windows, specifically within the Common Log File System, to launch Nokoyawa ransomware attacks across various industries. Microsoft has since addressed the issue with a patch.

Key Takeaways

1. Larin emphasized, "It’s very important for businesses to download the latest patch from Microsoft as soon as possible, and use other methods of protection, such as EDR solutions." Kaspersky's products are actively detecting and neutralizing threats associated with this vulnerability.
2. "Cybercrime groups are becoming increasingly more sophisticated using zero-day exploits in their attacks," said Boris Larin, Lead Security Researcher with the Global Research and Analysis Team (GReAT).
3. Following the identification of the threats associated with this exploit, Microsoft released a patch during their regular Patch Tuesday update.

In the evolving landscape of cybersecurity, a recent discovery by Kaspersky highlights a formidable new threat. In February, Kaspersky's experts identified a cybercriminal group leveraging a zero-day vulnerability in the Microsoft Common Log File System (CLFS). This exploit, impacting several versions of the Windows operating system—including Windows 11—was used to facilitate attacks aimed at deploying Nokoyawa ransomware.

The cybersecurity community was alerted when Microsoft assigned the CVE identifier CVE-2023-28252 to this particular vulnerability. Following the identification of the threats associated with this exploit, Microsoft released a patch during their regular Patch Tuesday update. This vulnerability is significant as it permitted attackers to elevate privileges and potentially extract sensitive information from the Security Account Manager (SAM) database.

While Kaspersky frequently witnesses vulnerabilities exploited by Advanced Persistent Threats (APTs), this instance marks a shift. "Cybercrime groups are becoming increasingly more sophisticated using zero-day exploits in their attacks," said Boris Larin, Lead Security Researcher with the Global Research and Analysis Team (GReAT). Larin noted the evolution in the tactics of cybercriminals, stating that previously, such zero-day exploits were primarily tools of APT actors. Now, criminal enterprises have the resources to harness these vulnerabilities routinely.


The attacks linked to CVE-2023-28252 have targeted a wide array of industries across the Middle East and North America, including retail, energy, manufacturing, healthcare, and software development. The features of this particular ransomware variant, Nokoyawa, suggest that it has diverged from older variants, which were often simple rebrandings of the JSWorm ransomware. Kaspersky noted that the newer Nokoyawa ransomware presents a unique codebase, marking a clear step forward in the complexity of attacks.

As these exploitations become more common, the necessity for robust cybersecurity measures grows. Larin emphasized, "It’s very important for businesses to download the latest patch from Microsoft as soon as possible, and use other methods of protection, such as EDR solutions." Kaspersky's products are actively detecting and neutralizing threats associated with this vulnerability.

Adding to the urgency, Kaspersky has shared a list of recommendations for organizations looking to defend against potential exploitations. Key actions include employing effective endpoint protection and dedicated services designed to thwart high-profile attacks. Specifically, the Kaspersky Managed Detection and Response service is highlighted as a method to identify and preempt attacks before they can achieve their objectives.

To supplement endpoint protection, Kaspersky advises organizations to implement anti-APT solutions and Endpoint Detection and Response (EDR) capabilities. These tools enhance the organization’s ability to discover, detect, and respond to potential threats effectively. Ensuring that security operations center (SOC) teams are equipped with the latest threat intelligence and access to ongoing training is also deemed critical for maintaining vigilance.


Another procedural recommendation emphasizes the necessity of keeping systems updated, particularly Microsoft Windows installations. Organizations are urged to ensure that patches are applied promptly and consistently to mitigate risks associated with emerging vulnerabilities.

As the cybersecurity community continues to grapple with the implications of these findings, it is clear that vigilance, preparedness, and a proactive approach to security will be essential in combating the rising tide of sophisticated cyber threats. Now that the patch has been released, Kaspersky plans to publish additional technical details on CVE-2023-28252 so that companies have information they can act upon.
