Critical Windows flaw has been exploited in ransomware attacks, so patch now

[Image: Hand increasing the protection level by turning a knob. Image credit: Shutterstock]

Researchers are warning of a serious flaw affecting all supported versions of Windows Server and client that hackers are actively exploiting, and they say IT teams should apply the fix immediately.

The flaw in question is tracked as CVE-2023-28252, a zero-day in the Windows Common Log File System (CLFS). Discovered by researchers from Mandiant and WeBin Lab, the vulnerability can be used in low-complexity attacks that require no user interaction but do require local access, BleepingComputer reports.

Threat actors who successfully exploit the flaw can gain SYSTEM privileges and fully compromise the target endpoint. Researchers from Kaspersky have also seen it exploited in the wild, apparently to deploy the Nokoyawa ransomware strain.

Fixing zero-days

"Kaspersky researchers uncovered the vulnerability in February as a result of additional checks into a number of attempts to execute similar elevation of privilege exploits on Microsoft Windows servers belonging to different small and medium-sized businesses in the Middle Eastern and North American regions," the company said in a press release.

"CVE-2023-28252 was first spotted by Kaspersky in an attack in which cybercriminals attempted to deploy a newer version of Nokoyawa ransomware."

The researchers say the same threat actor has been leveraging this flaw, along with a number of similar flaws, since early summer 2022, using them to target wholesale, energy, manufacturing, healthcare, and software development firms.

Microsoft has now addressed the problem in its April Patch Tuesday cumulative update, and researchers are urging all users to deploy the fix immediately. The same cumulative update addresses another 96 flaws, including 45 remote code execution (RCE) flaws.

Furthermore, the Cybersecurity and Infrastructure Security Agency (CISA) added this zero-day to its catalog of Known Exploited Vulnerabilities and ordered Federal Civilian Executive Branch (FCEB) organizations to apply the fix by May 2.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.