Kaspersky’s SecureList has published a blog detailing an observed Nokoyawa ransomware attack utilizing a previously unknown Microsoft vulnerability. While the use of zero-days is mostly associated with nation-state threat groups, the actors behind Nokoyawa ransomware are known for their technical sophistication and tendency to utilize exploits targeting the Common Log File System, of which the zero day was associated with. After being reported to Microsoft, the exploit was assigned CVE-2023-28252 and patched. Subsequently, the vulnerability was added to CISA’s Known Exploited Vulnerabilities Catalog on April 11, 2023.

This makes the second time this month that Microsoft has patched a zero-day vulnerability already observed being utilized in the wild. Zero-days are becoming increasingly popular for ransomware groups to utilize as this segment of the criminal economy grows in sophistication. This trend underscores the importance of members proactively hunting for unusual activity on the network, as that may be the only way to detect a compromise. Read more at SecureList.