Microsoft patches Windows zero-day bug used in ransomware attacks


Microsoft has patched a zero-day vulnerability affecting all supported versions of Windows, which researchers say attackers exploited to deploy ransomware.

Microsoft said in a security advisory on Tuesday that an attacker who successfully exploited the elevation-of-privilege vulnerability in the Windows Common Log File System (CLFS) driver could gain full control of an unpatched system. Microsoft confirmed that attackers were already actively exploiting the vulnerability before the fix shipped.

Russian cybersecurity firm Kaspersky says the flaw was used to deploy the Nokoyawa ransomware, whose operators mostly target Windows servers belonging to small and medium-sized companies in the Middle East, North America, and Asia.

In its analysis of the vulnerability, Kaspersky says this zero-day stands out because it is being actively exploited by financially motivated cybercriminals rather than by state-backed groups.

“Cybercrime groups are becoming increasingly more sophisticated using zero-day vulnerabilities in their attacks,” said Boris Larin, Principal Security Researcher at Kaspersky. “Previously, they were primarily a tool for APT actors, but cybercriminals now have the resources to obtain zero days and routinely use them in attacks.”

Nokoyawa was first seen in February 2022 and is believed to be associated with the now-defunct Hive ransomware gang, which law enforcement hacked and shut down in January. “The two families share some striking similarities in their attack chain, from the tools used to the order in which they carry out the various steps,” Trend Micro said in an analysis at the time.

Nokoyawa encrypts files on the systems it compromises, and its operators also claim to steal sensitive data beforehand, which they threaten to leak unless a ransom is paid.

The US cybersecurity agency CISA added the newly patched Windows vulnerability to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch their systems by May 2.

Microsoft fixed nearly 100 bugs as part of its regular Patch Tuesday update. The company also fixed a remote code execution bug in the Windows Message Queuing (MSMQ) service that could allow an unauthenticated remote attacker to run code with elevated privileges on any server with the service enabled.
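The two conditions the article describes are "unpatched" (for the CLFS bug) and "Message Queuing service enabled" (for the MSMQ bug). The following PowerShell triage script is an added example, not code from the article, Microsoft or Kaspersky, and reports both conditions for the host it runs on. It assumes the CLFS driver is at System32\drivers\clfs.sys, that the MSMQ service is registered under the service name MSMQ and listens on TCP 1801 (both from Microsoft's MSMQ documentation, not from the article), and takes the Patch Tuesday release date as a parameter (the default is an assumption; confirm it against the advisory you are checking for):

```powershell
# Added triage script (not from the article): does this host still expose the
# CLFS and MSMQ attack surfaces the April Patch Tuesday update addresses?
param(
    # Assumed release date of the update being checked for; adjust as needed.
    [datetime]$PatchTuesday = '2023-04-11'
)

$report = [ordered]@{}

# 1. CLFS ships on every supported Windows version, so record the driver's file
#    version so it can be compared with the version carried by the fixed update.
$clfs = Join-Path $env:SystemRoot 'System32\drivers\clfs.sys'
$report['ClfsVersion'] = (Get-Item $clfs).VersionInfo.FileVersion

# 2. Updates installed on or after Patch Tuesday. An empty list means the
#    monthly cumulative update that carries the CLFS fix is not present.
#    (InstalledOn can be null for some entries; those compare as "not after".)
$report['UpdatesSincePatchTuesday'] = Get-HotFix |
    Where-Object { $_.InstalledOn -ge $PatchTuesday } |
    Select-Object -ExpandProperty HotFixID

# 3. The MSMQ RCE only matters if Message Queuing is installed and running.
#    Service name "MSMQ" is an assumption from Microsoft documentation.
$msmq = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
$report['MsmqInstalled'] = [bool]$msmq
$report['MsmqRunning']   = [bool]($msmq -and $msmq.Status -eq 'Running')

# 4. Is the service actually reachable over the network? MSMQ listens on
#    TCP 1801 (assumption from Microsoft documentation); a listener here is the
#    surface an unauthenticated remote attacker would hit.
$report['MsmqListening'] = [bool](Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue)

[pscustomobject]$report
```

Run it as an administrator on each Windows server in scope; a host with MsmqListening set to True and nothing in UpdatesSincePatchTuesday is exposed to both bugs and should be patched first. Get-HotFix only lists updates the Windows Update agent recorded, so treat an empty list as "verify by other means", not as proof the patch is absent.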

