Microsoft has patched a zero-day vulnerability affecting all supported versions of Windows, which researchers say hackers exploited to launch ransomware attacks.
Microsoft said in a security alert on Tuesday that an attacker who successfully exploited the vulnerability in the Windows Common Log File System (CLFS) could gain full access to an unpatched system. Microsoft confirmed that attackers were actively exploiting the vulnerability.
Russian cybersecurity company Kaspersky says the flaw was used to deploy Nokoyawa ransomware, predominantly targeting Windows servers belonging to small and medium-sized businesses based in the Middle East, North America and Asia.
In its analysis of the vulnerability, Kaspersky says that the zero-day stands out because it is actively exploited by financially motivated cyber criminals.
“Cyber crime groups are becoming increasingly more sophisticated using zero-day exploits in their attacks,” said Boris Larin, lead security researcher at Kaspersky. “Previously, they were primarily a tool of APT actors, but now cyber criminals have the resources to acquire zero-days and routinely use them in attacks.”
Nokoyawa was first observed in February 2022 and is believed to be connected to the now-defunct Hive ransomware gang, which law enforcement infiltrated and shut down in January. “The two families share some striking similarities in their attack chain, from the tools used to the order in which they execute various steps,” Trend Micro said in an analysis at the time.
The Nokoyawa malware encrypts files on systems it compromises, but the operators also claim to steal valuable information that they threaten to leak unless a ransom is paid.
U.S. cybersecurity agency CISA added the newly patched Windows vulnerability to its known exploited vulnerabilities catalog and urged federal agencies to update systems before May 2.
Microsoft fixed almost 100 flaws as part of its regularly scheduled Patch Tuesday update. The tech giant also fixed a remote code execution flaw that could allow a remote, unauthenticated attacker to run their code with elevated privileges on affected servers with Microsoft’s Message Queuing service enabled.