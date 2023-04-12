



A newly discovered zero-day vulnerability in the Microsoft Common Log File System (CLFS) driver, exploited as part of an attack chain that delivers the Nokoyawa ransomware, tops Microsoft's April 2023 Patch Tuesday update. It is one of nearly 100 issues fixed in the release, which shipped on April 11.

Privilege escalation exploits for the flaw have been developed for several versions and builds of the Windows operating system (OS), including Windows 11. The vulnerability was discovered in February 2023 by three researchers, Boris Larin of Kaspersky, Genwei Jiang of Mandiant, and Quan Jin of DBAPPSecurity WeBin Lab, and has been assigned CVE-2023-28252. Microsoft rates it Important in severity, and it carries a CVSS score of 7.8.

As of April 11, it has also been added to the Known Exploited Vulnerabilities (KEV) catalog maintained by the US Cybersecurity and Infrastructure Security Agency (CISA), which means federal civilian agencies must remediate it by the deadline CISA sets under Binding Operational Directive 22-01.

Kaspersky says most of the vulnerabilities it discovers are used by Advanced Persistent Threat (APT) attackers, but CVE-2023-28252 stands out because it is being exploited by financially motivated cybercriminals. According to the company's Global Research and Analysis Team (GReAT):

Cybercrime groups are becoming increasingly sophisticated in using zero-day exploits in their attacks, he said. Previously, they were primarily tools for APT attackers, but now cybercriminals have the resources to acquire zero-days and use them in their attacks on a daily basis.

Also, exploit developers are more than happy to assist them and develop exploit after exploit. It is very important for businesses to download the latest patches from Microsoft as soon as possible and use other protection methods such as EDR solutions, Larin added.

In an incident Kaspersky observed, CVE-2023-28252 was used in the Nokoyawa gang’s attack chain to elevate privileges and steal credentials from the Security Accounts Manager (SAM) database.

Gina Geisel, Product Marketing Manager at Automox, said: Exploitation of this vulnerability requires a malicious person to log in and execute a maliciously crafted binary to elevate their privilege level. An attacker who successfully exploited this vulnerability could gain system privileges.

As this is an actively exploited zero-day, Automox recommends deploying a patch within 24 hours with an official fix from Microsoft, she added.

New ransomware strain

Bharat Jogi, Director of Vulnerability and Threat Research at Qualys, said: [Nokoyawa] is a relatively new strain; there is some open source intelligence suggesting it may be related to the Hive ransomware, one of the most notable ransomware families of 2021, which has been associated with the compromise of over 300 organizations in just a few months. It is not yet known which exact threat actor or APT group is using Nokoyawa, but targets have been confirmed among SMBs in South America, North America, Asia, and the Middle East.

Jogi added: This is not the first time this particular driver has become an attractive target for attackers. In September 2022, Microsoft fixed another vulnerability in this same component, CVE-2022-37969, which was known to be exploited in the wild. CVE-2022-37969 was used by an unknown threat actor to gain elevated privileges after gaining a foothold on the system.

Also noteworthy is that CVE-2022-37969 was discovered and reported by Mandiant and DBAPPSecurity. However, it is unknown whether the findings are related to the same attacker.

Critical RCE bugs

The April Patch Tuesday update also includes fixes for seven critical vulnerabilities with CVSS scores between 7.5 and 9.8. All of them lead to remote code execution (RCE) if successfully exploited and should be prioritized. They are:

None of these vulnerabilities has been publicly disclosed, and none is known to have been exploited in the wild.

A blast from the past

Finally, notable in the April update is a renewed fix for CVE-2013-3900, an RCE vulnerability in the way the WinVerifyTrust function handles Windows Authenticode signature verification for Portable Executable (PE) files.

It can be exploited by appending data to the signature block of an existing signed executable: the bytes that sit inside the WIN_CERTIFICATE structure beyond the end of the PKCS#7 signature are not covered by the Authenticode hash, so malicious code or configuration can be injected there without invalidating the existing signature. An attacker who exploits it could take complete control of the target system.

The decade-old advisory has now been republished to add Server Core installations to the list of affected products. Dustin Childs of the Zero Day Initiative further pointed out that CVE-2013-3900 was abused as part of the 3CX attack chain. Because the fix is opt-in, the update also serves as a reminder for security teams to confirm that they have actually enabled it.
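To make the flaw concrete, the following is an added Python example (not code from the article, from Microsoft, or from any of the researchers named above) that parses a PE file's attribute certificate table and reports any bytes inside the WIN_CERTIFICATE structure that lie beyond the end of the DER-encoded PKCS#7 signature, which is exactly the unauthenticated space CVE-2013-3900 is about. The PE image and the "signature" it builds are constructed stand-ins (the blob is only a DER shell with the right outer length, not a real signature), and the tolerance of up to seven zero alignment bytes is this example's own assumption about what a strict verifier should accept, not a statement of WinVerifyTrust's exact rule.

```python
"""Flag unauthenticated trailing data in a PE Authenticode signature block.

Added example, not code from the article or from Microsoft. Offsets follow the
PE/COFF specification; the sample PE and PKCS#7 blob below are constructed.
"""
import struct

SECURITY_DIR_INDEX = 4              # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_HEADER_LEN = 8             # dwLength(4) + wRevision(2) + wCertificateType(2)
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002

# Constructed stand-in for a PKCS#7 SignedData blob: a DER SEQUENCE with 128
# bytes of content (long-form length), 131 bytes in total. Not a real signature.
FAKE_PKCS7 = b"\x30\x81\x80" + bytes(range(128))
# Constructed attacker payload that a CVE-2013-3900 style injection would hide.
INJECTED = b"unsigned-data-hidden-in-padding"


def der_object_length(buf: bytes, off: int = 0) -> int:
    """Total encoded size (tag + length + content) of the DER object at buf[off]."""
    if buf[off] != 0x30:
        raise ValueError("expected a DER SEQUENCE (PKCS#7 ContentInfo)")
    first = buf[off + 1]
    if first < 0x80:                            # short-form length
        return 2 + first
    n = first & 0x7F                            # long form: n length bytes follow
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    content_len = int.from_bytes(buf[off + 2:off + 2 + n], "big")
    return 2 + n + content_len


def security_directory(pe: bytes):
    """(file_offset, size) of the attribute certificate table, or None if unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt_off = e_lfanew + 4 + 20                 # skip signature + COFF file header
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    dirs_off = opt_off + (96 if magic == 0x10B else 112)   # PE32 vs PE32+
    va, size = struct.unpack_from("<II", pe, dirs_off + SECURITY_DIR_INDEX * 8)
    if va == 0 or size == 0:
        return None
    return va, size     # for this directory the "VirtualAddress" is a raw file offset


def check_authenticode_padding(pe: bytes, max_align_padding: int = 7) -> dict:
    """Compare dwLength of the WIN_CERTIFICATE with the real PKCS#7 length.

    'extraneous' is True when data beyond the DER object is present other than
    zero bytes used to pad to the 8-byte alignment the PE spec requires
    (the 7-byte zero tolerance is this example's assumption).
    """
    loc = security_directory(pe)
    if loc is None:
        return {"signed": False, "extraneous": False}
    off, _size = loc
    dw_length, rev, ctype = struct.unpack_from("<IHH", pe, off)
    if rev != WIN_CERT_REVISION_2_0 or ctype != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError("unsupported WIN_CERTIFICATE revision/type")
    cert = pe[off + WIN_CERT_HEADER_LEN:off + dw_length]
    pkcs7_len = der_object_length(cert)
    trailing = cert[pkcs7_len:]
    extraneous = len(trailing) > max_align_padding or any(trailing)
    return {"signed": True, "declared_len": len(cert), "pkcs7_len": pkcs7_len,
            "trailing_bytes": len(trailing), "extraneous": extraneous}


def build_pe(cert_blob: bytes) -> bytes:
    """Minimal constructed PE32 image (not loadable) whose security directory
    points at a WIN_CERTIFICATE carrying cert_blob, so the check runs offline."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # i386, no sections, 224-byte PE32 optional header, EXECUTABLE_IMAGE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 92, 16)         # NumberOfRvaAndSizes
    header = dos + b"PE\0\0" + coff + bytes(opt)
    body = cert_blob + b"\0" * (-len(cert_blob) % 8)   # pad entry to 8 bytes
    win_cert = struct.pack("<IHH", WIN_CERT_HEADER_LEN + len(body),
                           WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
    image = bytearray(header + win_cert)
    dirs_off = e_lfanew + 4 + 20 + 96
    struct.pack_into("<II", image, dirs_off + SECURITY_DIR_INDEX * 8,
                     len(header), len(win_cert))
    return bytes(image)


if __name__ == "__main__":
    print("clean   :", check_authenticode_padding(build_pe(FAKE_PKCS7)))
    print("injected:", check_authenticode_padding(build_pe(FAKE_PKCS7 + INJECTED)))
```

Point the checker at a real signed binary by reading its bytes and calling check_authenticode_padding; a file that still verifies under WinVerifyTrust but reports extraneous data is the pattern the opt-in fix is meant to reject. On Windows that fix is enabled by creating the REG_SZ value EnableCertPaddingCheck with data 1 under HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config (and under the Wow6432Node equivalent on 64-bit systems), as documented with the original MS13-098 advisory.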

