Microsoft fixes 97 flaws, including a vulnerability exploited by a ransomware gang


Microsoft has just tried to plug a breach in its security that was evidently exploited by a ransomware gang. Its latest Patch Tuesday – the batch of security updates it releases once a month – delivered 97 new patches, seven of which were rated critical, with the rest classed as major flaws.

The exploitation of one of the patched vulnerabilities, a flaw in the Common Log File System (CLFS) general-purpose logging service, was observed in detail by Russian cybersecurity vendor Kaspersky, which reported the malicious activity to Microsoft. According to Kaspersky, cybercriminals attempted to use this flaw to deploy the Nokoyawa ransomware during an attack in February 2023.

Escalation of privileges

The flaw exploited in the Common Log File System allowed attackers to elevate their privileges and steal credentials from the Security Account Manager (SAM) database. This then paved the way for the deployment of the ransomware. As the Zero Day Initiative points out, Microsoft had already rolled out a patch for this component as early as February 2023, arguably a sign that the breach hadn’t been properly closed.

According to Kaspersky, this group of malicious hackers specializes in exploiting flaws in Common Log File System drivers. The vendor has counted the use of five similar, but distinct, vulnerabilities in attacks observed since June 2022 against organizations in the Middle East, North America, and Asia.

Increasingly sophisticated attacks

As Kaspersky reminds us, the use of zero-day vulnerabilities by cybercriminals is relatively rare. This latest example shows that there are groups willing to invest in the development of exploits, a sign of a “significant increase in the level of sophistication” of these attacks.

Spotted in March 2022 by Trend Micro, the Nokoyawa ransomware may be related to the Hive ransomware, a malicious program that did serious damage in 2021. The two ransomware families shared, the company noted, similar methods and tools, and the same infrastructure.
