Hackers Exploit New Windows Flaw, Targeting Businesses in Their Crosshairs


  • Multiple ransomware groups seen abusing Windows Common Log File System bug

  • Among the abusers are RansomEXX and Play

  • The bug is used to drop backdoors, encryptors, and more

Notorious ransomware actors have been abusing a zero-day vulnerability in the Windows Common Log File System (CLFS) to gain system privileges and deploy malware on target devices, multiple security researchers have confirmed.

The zero-day flaw was disclosed and patched as part of Microsoft's April 2025 Patch Tuesday cumulative update.

Given a severity score of 7.8/10 (high), it is tracked as CVE-2025-29824 and described as a use-after-free bug in the Windows Common Log File System Driver that allows an authorized attacker to elevate privileges locally. In other words, an attacker who already has low-privileged code execution on the host can use it to reach system-level privileges; it is not a remote entry point on its own.
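The practical question for an administrator is whether the April 2025 update has actually landed on a given host. The following PowerShell script is an added example and is not code from the original article or from Microsoft: it reports the version of the CLFS driver (clfs.sys) and the most recently installed updates so they can be compared against the fixed build listed in Microsoft's advisory. The `$MinimumPatchedVersion` parameter is a placeholder assumption; the real patched file version for a specific Windows build must be taken from the advisory, since the article does not list it.

```powershell
# Added example (not from the original article or from Microsoft):
# report the installed clfs.sys version and the latest hotfixes so a host
# can be checked against the April 2025 fix for CVE-2025-29824.
# $MinimumPatchedVersion is a placeholder ASSUMPTION: replace it with the
# patched clfs.sys file version for your build from the Microsoft advisory.
param(
    [version]$MinimumPatchedVersion = '10.0.0.0'   # placeholder, replace
)

$clfsPath = Join-Path $env:SystemRoot 'System32\drivers\clfs.sys'
if (-not (Test-Path $clfsPath)) {
    Write-Error "clfs.sys not found at $clfsPath"
    exit 2
}

$fileInfo = Get-Item $clfsPath
# FileVersionRaw is the numeric file version (FileVersion can carry extra text).
$clfsVersion = $fileInfo.VersionInfo.FileVersionRaw

[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    OSVersion    = [System.Environment]::OSVersion.Version.ToString()
    ClfsVersion  = $clfsVersion.ToString()
    ClfsModified = $fileInfo.LastWriteTimeUtc
} | Format-List

# Most recently installed updates, newest first. Get-HotFix does not know
# which KB fixes this CVE; it only shows what has been applied.
Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn

if ($clfsVersion -lt $MinimumPatchedVersion) {
    Write-Warning "clfs.sys $clfsVersion is older than the expected patched version $MinimumPatchedVersion"
    exit 1
}
Write-Output "clfs.sys $clfsVersion meets the expected patched version $MinimumPatchedVersion"
exit 0
```

Run it in an elevated PowerShell session on each host (or push it through your endpoint management tool) and treat a non-zero exit code as "not yet patched". The driver version is the more reliable signal than the hotfix list, because a cumulative update can be listed as installed while a pending reboot leaves the old clfs.sys loaded.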




Microsoft was one of the first to report in-the-wild exploitation, stating that attackers have used the flaw against IT and real estate businesses in the U.S., financial institutions in Venezuela, a software company in Spain, and retail entities in Saudi Arabia.

Researchers attributed the exploitation to actors deploying the RansomEXX ransomware, who used the flaw to install the PipeMagic backdoor along with additional malware, including encryption tools. Separately, Symantec found another notorious ransomware operation, Play, exploiting the same weakness against targets in the U.S.

Symantec detailed in their report, “Even though no ransomware payload was executed during the breach, the intruders did deploy the Grixba infostealer, a customized instrument linked to Balloonfly—the same group responsible for the Play ransomware attacks.”

Balloonfly is a cybercriminal group that has been active since at least June 2022 and uses the Play ransomware (also known as PlayCrypt) in its attacks.

Play, alternatively called Playcrypt, surfaced in mid-2022. Within its first one-and-a-half years, the group reportedly targeted approximately 300 organizations, including several critical infrastructure operators. In late 2023, the FBI, CISA, and other cybersecurity authorities issued a joint advisory highlighting the risks associated with Play's activities.

"Since June 2022, the Play (also known as Playcrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe," the advisory reads. "As of October 2023, the FBI was aware of approximately 300 affected entities allegedly exploited by the ransomware actors."

Via BleepingComputer
