A newly discovered zero-day vulnerability in the Microsoft Common Log File System (CLFS) – which is being exploited as part of an attack chain delivering the Nokoyawa ransomware – is among nearly 100 other issues addressed by Microsoft in its April 2023 Patch Tuesday update, which dropped on schedule on 11 April.
The privilege escalation exploit was developed for multiple different versions and builds of the Windows operating system (OS) including Windows 11. It was discovered in February 2023 by three researchers, Boris Larin of Kaspersky, Genwei Jiang of Mandiant and Quan Jin of DBAPPSecurity WeBin Lab, and has been assigned the designation CVE-2023-28252. It is rated as ‘Important’ in terms of severity and carries a CVSS score of 7.8.
As of 11 April it has also been added to the Known Exploited Vulnerabilities (KEV) catalogue maintained by the United States’ Cybersecurity and Infrastructure Security Agency (CISA) – which means it is exceptionally impactful.
Kaspersky said that while most of the vulnerabilities it stumbles upon are used by advanced persistent threat (APT) actors, CVE-2023-28252 stands out because it is being exploited by financially-motivated cyber criminals, as Larin, who is lead security researcher at the firm’s Global Research and Analysis Team (GReAT) observed.
“Cyber crime groups are becoming increasingly more sophisticated using zero-day exploits in their attacks. Previously they were primarily a tool of APT actors but now cyber criminals have the resources to acquire zero-days and routinely use them in attacks,” he said.
“There are also exploit developers willing to help them and develop exploit after exploit. It’s very important for businesses to download the latest patch from Microsoft as soon as possible, and use other methods of protection, such as EDR solutions,” added Larin.
In the incident observed by Kaspersky, CVE-2023-28252 was used by the Nokoyawa gang during its attack chain to elevate privileges and steal credentials from the Security Account Manager (SAM) database.
Gina Geisel, product marketing manager at Automox, said: “This vulnerability leverages existing system access to actively exploit a device and is a result of how the CLFS driver interacts with objects in memory on a system. To exploit this vulnerability successfully, a bad actor would need to log in and then execute a maliciously crafted binary to elevate the privilege level. An attacker who successfully exploited this vulnerability could then gain system privileges.
“With an official fix from Microsoft, Automox recommends patch deployment within 24 hours since this is an actively exploited zero-day,” she added.
New ransomware strain
Bharat Jogi, director of vulnerability and threat research at Qualys, said: “[Nokoyawa] is a relatively new strain for which there is some open source intel to suggest that it is possibly related to Hive ransomware – one of the most notable ransomware families of 2021 and linked to breaches of over 300 organisations in a matter of just a few months. While it is still unclear who the exact threat actor or APT group is using Nokoyawa, targets have been observed in South and North America, regions across Asia and SMBs in the Middle East.
Jogi added: “This is not the first time that this specific driver has been an attractive target for threat actors. In September 2022, Microsoft fixed another vulnerability – CVE-2022-37969, which was known to be exploited in the wild – that affected this same component. CVE-2022-37969 was leveraged by an unknown threat actor to gain elevated privileges once they had a foothold on the system.”
Note additionally that CVE-2022-37969 was also uncovered and disclosed by Mandiant and DBAPPSecurity, although it is unclear whether or not the discoveries are related to the same attacker.
Glut of RCE bugs
The April Patch Tuesday update also contains fixes for seven critical vulnerabilities, with CVSS scores ranging from 7.5 to 9.8. If successfully exploited, all of them lead to remote code execution (RCE), so should be addressed as a priority. They are as follows:
None of these vulnerabilities have previously been made public, and nor have any of them yet been exploited in the wild.
Blast from the past
Finally, also notable in the April update is a new fix for CVE-2013-3900, which is an RCE vulnerability in how the WinVerifyTrust function handles Windows Authenticode signature verification for portable executable (PE) files.
It can be exploited by modifying an existing signed executable file and injecting malicious code into it without invalidating its existing certification signature. If exploited, an attacker could take complete control of the target system.
This 10-year-old vulnerability is being republished now to add Server Core editions to the affected products list. Dustin Childs of the Zero Day Initiative additionally noted that CVE-2013-3900 has been exploited as part of the 3CX attack chain, and as the patch is an opt-in fix, the update also serves to remind security teams to check that they have addressed it.