CyberSecurity news
FlagThis - #play
|
Pradeep Bairaboina@Tech Monitor
//
The Play ransomware group has been actively targeting organizations worldwide since June 2022, with the FBI reporting that approximately 900 entities have been compromised as of May 2025. These attacks span across North America, South America, and Europe, targeting a diverse range of businesses and critical infrastructure. The group employs a "double extortion" tactic, exfiltrating sensitive data before encrypting systems, putting additional pressure on victims to pay the ransom.
The FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) have issued updated advisories regarding the Play ransomware, highlighting new tactics, techniques, and procedures (TTPs) employed by the group. One notable tactic includes exploiting vulnerabilities in the SimpleHelp remote access tool. Specifically, multiple ransomware groups, including those affiliated with Play, have been actively targeting the CVE-2024-57727 path traversal vulnerability, which allows attackers to download arbitrary files from the SimpleHelp server. The advisories also note that Play operators regularly contact victims via phone, threatening to release stolen data if ransom demands are not met. To mitigate the threat posed by Play ransomware, authorities recommend several proactive security measures, including implementing multifactor authentication, maintaining offline data backups, and developing and testing a recovery plan. It is also critical to keep all operating systems, software, and firmware updated to patch known vulnerabilities. SimpleHelp has released security updates to address the exploited vulnerabilities and strongly urges customers to apply these fixes immediately. While Play ransomware has been linked to attacks on critical infrastructure, including nine attacks impacting healthcare, experts recommend constant vigilance and proactive security strategies across all sectors.
Share:
References :
Classification:
@securityonline.info
//
The Play ransomware gang has been actively exploiting a zero-day vulnerability in the Windows Common Log File System (CLFS), identified as CVE-2025-29824. This high-severity flaw allows attackers to gain SYSTEM privileges on compromised systems, enabling them to deploy malware and carry out other malicious activities. The vulnerability was patched by Microsoft in April 2025; however, it was actively exploited in targeted attacks across various sectors before the patch was released.
The Play ransomware gang's attack methodology is sophisticated, employing custom tools and techniques such as dual extortion. A key tool used is the Grixba infostealer, which scans networks and steals information. In addition to the Grixba infostealer, the group uses a payload injection technique where a malicious payload is injected into the winlogon.exe process. This allows them to inject the Sysinternals procdump.exe tool into various processes for malicious purposes. The Symantec Threat Hunter Team identified this zero-day vulnerability being actively exploited, including an attack targeting an unnamed organization in the United States. The attackers likely used a public-facing Cisco Adaptive Security Appliance (ASA) as an entry point. During the execution of the exploit, batch files are created to escalate privileges, dump the SAM, SYSTEM, and SECURITY Registry hives, create a new user, and clean up traces of exploitation. The exploitation of CVE-2025-29824 highlights the trend of ransomware actors using zero-days to infiltrate targets, underscoring the importance of prompt patching and robust security measures.
Share:
References :
Classification:
|