Among software vulnerabilities, none is more feared than so-called “zero days,” which are known only to the attackers (that is, defenders have “zero days” to patch). These have traditionally been used sparingly in targeted attacks carried out by nation-states.
Recently, however, this has started to change, and zero day exploits have started turning up more regularly in commercial campaigns, with ransomware leading this charge.
A good example is a zero day attack that Kaspersky Lab recently spotted being used as part of attacks by the Nokoyawa ransomware on SMBs in North America and the Middle East.
Subsequently identified as CVE-2023-28252, it was an elevation of privileges vulnerability in the Common Log File System (CLFS), an important component used internally by Windows versions dating back to the early 2000s.
This isn’t the only significant zero day that’s been used as part of ransomware in recent times. Another is CVE-2022-44698, which Google’s Threat Analysis Group (TAG) discovered being used by the Magniber ransomware to bypass Windows Defender SmartScreen anti-malware detection.
Not long before, in a non-Windows context, CVE-2023-0669 was reportedly used by the Clop group in ransomware attacks targeting the GoAnywhere MFT secure file transfer tool.
But what really grabbed people’s attention was that the CLFS zero day affected Windows, the world’s most common computing platform. All zero days are dangerous, but Windows zero days are the most highly prized because they can be used against almost any organization on the planet.
The downside for the ransomware actors is that once an exploit against a Windows zero day has been used, time is always short. Windows is heavily monitored for these types of attacks, and the chance of discovery is very high.
This raises two questions: why have ransomware attackers started using zero days, given that ransomware has succeeded for many years without them, and where do these exploits come from?
Professional white hat researchers spend their days hunting for vulnerabilities of all kinds, with the most powerful examples attracting bug bounties from affected vendors running into tens or even hundreds of thousands of dollars.
If criminal black hat researchers make the same discovery, they sell it to the highest bidder, traditionally nation-states with deep pockets.
In short, for a ransomware group to get hold of an unknown Windows flaw that could be deployed as a zero day is going to cost them a lot of money unless they have discovered it for themselves.
It’s possible that ransomware groups have become rich enough to research flaws for themselves, but that still doesn’t explain why they would need to use them in the first place.
Zero days can be powerful, but they come with disadvantages. The first is that they attract a lot of attention, not only from cybersecurity vendors but also from national intelligence services, which pay close attention to any group using sophisticated methods.
Ironically, they also grab unwanted attention from rival criminals as they rush to copy the exploit for use in their own attacks. That’s why when zero days in programs such as operating systems and browsers become public, they are often described as patching emergencies.
Pessimists will be inclined to see ransomware attackers using zero days as part of a longer-term and depressing pattern in which commercial groups start thinking and behaving more like nation-states. If so, this may herald an era of even greater sophistication.