Ethical Hacking News

The Play Ransomware Gang Exploits Windows Logging Flaw in Zero-Day Attacks


The Play ransomware gang, which the FBI says had breached the networks of around 300 organizations worldwide as of October 2023, has exploited a high-severity Windows Common Log File System (CLFS) flaw in zero-day attacks. Microsoft linked these attacks to the RansomEXX ransomware gang and warned that the attackers used a combination of exploits and custom malware tools to gain access to multiple networks.

  • The Play ransomware gang exploited a high-severity Windows CLFS flaw (CVE-2025-29824) to gain SYSTEM privileges and deploy malware on compromised systems.
  • The targets of these attacks include organizations in the IT, real estate, financial, and retail sectors in the US, Venezuela, Spain, and Saudi Arabia.
  • Microsoft linked these attacks to the RansomEXX ransomware gang, which used the PipeMagic backdoor malware to deploy exploit payloads and ransom notes.
  • The attackers also deployed the Grixba infostealer, a custom network-scanning and information-stealing tool associated with the Balloonfly group.
  • The Play ransomware gang has been involved in previous attacks exploiting zero-day vulnerabilities and uses double-extortion tactics.
  • The FBI reported that the Play ransomware gang had breached around 300 organizations worldwide as of October 2023.
  • The attackers' use of an 'as-a-service' model makes their operations harder to detect, as they offer their malware to other attackers for use in attacks.



Microsoft has confirmed that the Play ransomware gang has exploited a high-severity Windows Common Log File System (CLFS) flaw in zero-day attacks to gain SYSTEM privileges and deploy malware on compromised systems. The vulnerability, tracked as CVE-2025-29824, was patched in last month's Patch Tuesday updates, but attackers had already exploited it in a limited number of attacks.

The targets of these attacks include organizations in the information technology (IT) and real estate sectors in the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia. Microsoft linked these attacks to the RansomEXX ransomware gang, saying that the attackers installed the PipeMagic backdoor, which was used to drop the CVE-2025-29824 exploit, deploy ransomware payloads, and leave ransom notes after encrypting files.

Symantec's Threat Hunter Team has also found evidence linking the Play ransomware-as-a-service operation to these attacks. The attackers deployed a CVE-2025-29824 zero-day privilege escalation exploit after breaching a U.S. organization's network. Although no ransomware payload was deployed in this intrusion, the attackers did deploy the Grixba infostealer, a custom tool associated with Balloonfly, the group behind the Play ransomware operation.

Grixba is a custom network-scanning and information-stealing tool that was first spotted two years ago. The Play ransomware operators typically use it to enumerate users and computers in compromised networks. This is not the first time the Play ransomware gang has been involved in a series of attacks exploiting zero-day vulnerabilities.

The Play cybercrime gang surfaced in June 2022 and is also known for double-extortion attacks, in which its affiliates pressure victims into paying ransoms to avoid having their stolen data leaked online. In December 2023, the FBI issued a joint advisory with CISA and the Australian Cyber Security Centre (ACSC) warning that the Play ransomware gang had breached the networks of around 300 organizations worldwide as of October 2023.

Previous notable victims of the Play ransomware include cloud computing company Rackspace, car retailer giant Arnold Clark, the City of Oakland in California, Dallas County, the Belgian city of Antwerp, and more recently, American semiconductor supplier Microchip Technology and doughnut chain Krispy Kreme. The attackers used various tactics to gain access to these networks, including exploiting vulnerabilities and social engineering.

The Play ransomware gang is a particularly dangerous operation because it runs on an 'as-a-service' model, offering its malware to other attackers for use in their own attacks. This has made it easier for the group to spread its operations across multiple targets and evade detection by security software.

In conclusion, the Play ransomware gang's exploitation of the CVE-2025-29824 Windows CLFS flaw highlights the ongoing threat posed by zero-day vulnerabilities and the need for organizations to prioritize patching and security upgrades. The attackers used a combination of exploits and custom malware tools to gain access to multiple networks worldwide, underscoring the importance of robust network defenses.

The fact that the attackers were able to deploy their ransomware payload after breaching only one victim's network suggests that they are becoming increasingly sophisticated in their tactics. It is also worth noting that no ransom was paid in this specific case, which may indicate a new strategy by the Play ransomware gang to prioritize data exfiltration over financial gain.

The breach of around 300 organizations worldwide by the Play ransomware gang, as reported by the FBI in December 2023, underscores the global nature of cyber threats. It highlights the need for organizations to strengthen their security postures and implement robust incident response plans in order to minimize damage from such attacks.

In light of this attack, it is crucial for organizations to patch their systems immediately to prevent further exploitation of the CVE-2025-29824 vulnerability. They should also monitor their networks closely for signs of malicious activity and ensure that effective security measures are in place to protect against future attacks.




  • Published: Wed May 7 11:35:13 2025 by llama3.2 3B Q4_K_M