Ransomware gangs increasingly deploy zero-days to maximize attacks

Microsoft issued a patch for a zero-day that researchers at Kaspersky said was used to deliver Nokoyawa ransomware.

In a move meant to maximize the damage and reach of its ransomware campaign, a cybercrime group recently exploited a previously unknown vulnerability in Microsoft Windows to run a global digital extortion campaign against small and medium-sized businesses, researchers at the cybersecurity firm Kaspersky said Tuesday.

The use of a previously unknown software vulnerability is notable because zero-days had been primarily deployed by skilled nation-state threat groups, according to Boris Larin, lead security researcher with Kaspersky’s Global Research and Analysis Team. Now, however, “cybercriminals have the resources to acquire zero-days and routinely use them in attacks. There are also exploit developers willing to help them and develop exploit after exploit.”

The increasing adoption of zero-days by ransomware gangs is yet another troubling development for defenders, especially as these groups already appear to have grown more aggressive both in the targets they pick and in the pressure they put on victims to pay.

The zero-day in question was patched by Microsoft on Tuesday and assigned CVE-2023-28252. The cybercrime group used it to deliver the Nokoyawa ransomware variant to its targets, according to Larin. The group associated with the attack is notable for its use of a large number of similar exploits against the Windows Common Log File System (CLFS) driver, Larin said in a writeup published Tuesday: it has deployed at least five different versions since June 2022 in attacks against retail, wholesale, energy, manufacturing, health care and software development targets.

“The criminals responsible for Nokoyawa activity have demonstrated a notable level of technical resourcefulness for some time,” said Tom Hegel, a senior threat researcher with the cybersecurity firm SentinelLabs. It’s not all that “surprising to see such a profitable enterprise employing zero-day exploits. Their continued success in obtaining ransom payments suggests that they will persist in developing and acquiring more advanced methods of initial access to their target organizations.”

The vulnerability patched Tuesday is an elevation-of-privilege bug: an attacker who already has authenticated access and can run code on the target system can exploit it to gain higher privileges, Larin said. His writeup did not include additional details about the vulnerability or how to trigger it, in order to “ensure that everyone has enough time to patch their systems before other actors develop exploits” for the bug, he wrote. The writeup will be updated in nine days, he added.

The zero-day was one of 97 vulnerabilities Microsoft fixed Tuesday as part of its monthly Patch Tuesday release, according to a breakdown from Bleeping Computer.

The notification of the zero-day marks the second consecutive month where an already-exploited vulnerability was patched by the company, Security Week’s Ryan Naraine noted. In March, the company detailed a Microsoft Outlook bug, tracked as CVE-2023-23397, that had been exploited for nearly a year by a “Russia-based threat actor … in targeted attacks against a limited number of organizations in government, transportation, energy, and military sectors in Europe,” the company said in a blog post.
