CyberSecurity news
FlagThis
@securityonline.info
//
The Play ransomware gang has been actively exploiting a zero-day vulnerability in the Windows Common Log File System (CLFS), identified as CVE-2025-29824. This high-severity flaw allows attackers to gain SYSTEM privileges on compromised systems, enabling them to deploy malware and carry out other malicious activities. The vulnerability was patched by Microsoft in April 2025; however, it was actively exploited in targeted attacks across various sectors before the patch was released.
The Play ransomware gang's attack methodology is sophisticated, employing custom tools and techniques such as dual extortion. A key tool used is the Grixba infostealer, which scans networks and steals information. In addition to the Grixba infostealer, the group uses a payload injection technique where a malicious payload is injected into the winlogon.exe process. This allows them to inject the Sysinternals procdump.exe tool into various processes for malicious purposes.
The Symantec Threat Hunter Team identified this zero-day vulnerability being actively exploited, including an attack targeting an unnamed organization in the United States. The attackers likely used a public-facing Cisco Adaptive Security Appliance (ASA) as an entry point. During the execution of the exploit, batch files are created to escalate privileges, dump the SAM, SYSTEM, and SECURITY Registry hives, create a new user, and clean up traces of exploitation. The exploitation of CVE-2025-29824 highlights the trend of ransomware actors using zero-days to infiltrate targets, underscoring the importance of prompt patching and robust security measures.
ImgSrc: securityonline.
References :
The Play ransomware gang's attack methodology is sophisticated, employing custom tools and techniques such as dual extortion. A key tool used is the Grixba infostealer, which scans networks and steals information. In addition to the Grixba infostealer, the group uses a payload injection technique where a malicious payload is injected into the winlogon.exe process. This allows them to inject the Sysinternals procdump.exe tool into various processes for malicious purposes.
The Symantec Threat Hunter Team identified this zero-day vulnerability being actively exploited, including an attack targeting an unnamed organization in the United States. The attackers likely used a public-facing Cisco Adaptive Security Appliance (ASA) as an entry point. During the execution of the exploit, batch files are created to escalate privileges, dump the SAM, SYSTEM, and SECURITY Registry hives, create a new user, and clean up traces of exploitation. The exploitation of CVE-2025-29824 highlights the trend of ransomware actors using zero-days to infiltrate targets, underscoring the importance of prompt patching and robust security measures.
ImgSrc: securityonline.
Share:
References :
- securityaffairs.com: Security Affairs reports Play ransomware affiliate leveraged zero-day to deploy malware
- The DefendOps Diaries: The Defend Ops Diaries discusses Understanding the Play Ransomware Threat: Exploiting Zero-Day Vulnerabilities.
- The Hacker News: The Hacker News reports Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day to Breach U.S. Organization
- BleepingComputer: BleepingComputer reports Play ransomware exploited Windows logging flaw in zero-day attacks.
- www.csoonline.com: Windows flaw exploited as zero-day by more groups than previously thought
- securityonline.info: Zero-Day CLFS Vulnerability (CVE-2025-29824) Exploited in Ransomware Attacks
- bsky.app: The Play ransomware group has exploited a Windows Common Log File System flaw in zero-day attacks to gain SYSTEM privileges and deploy malware on compromised systems.
- Davey Winder: Play Ransomware Zero-Day Attacks — US, Saudi Arabia Have Been Targeted
- www.techradar.com: Ransomware hackers target a new Windows security flaw to hit businesses
Classification:
- HashTags: #ransomware #zeroday #cybersecurity
- Company: Microsoft
- Target: organizations
- Attacker: Play ransomware gang
- Product: Windows
- Feature: privilege escalation
- Malware: Play
- Type: Ransomware
- Severity: Major