- Microsoft said it observed a threat actor tracked as Storm-2460 exploiting a use-after-free bug in the Windows Common Log File System Driver
- The bug is used to deploy PipeMagic, which is then used to deliver ransomware
- Users are advised to install the released patch right away
Cyber criminals are exploiting a post-compromise zero-day vulnerability in the Windows Common Log File System (CLFS) to deploy ransomware.
Earlier this week, the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) published a new in-depth report describing how a bug tracked as CVE-2025-29824 is being used in cyberattacks.
The bug is described as a use-after-free vulnerability in the Windows Common Log File System Driver that allows threat actors to escalate privileges locally. It has been assigned a severity score of 7.8/10 (high).
PipeMagic and RansomEXX
The caveat here is that this is a post-compromise vulnerability, meaning the threat actors had already broken into these systems before they could exploit the bug. That does not deter ransomware operators much, Microsoft claims:
“Ransomware threat actors appreciate post-compromise privilege-escalation utilities because they could enable them to escalate initial access, including passes from raw material malware distributors, to privileged access,” the blog reads. “They then use privileged access for widespread implementation and detonation of ransomware within an environment.”
In any case, at least one group is exploiting this bug in the wild right now. It is tracked as Storm-2460, and it apparently uses the exploit to deploy the PipeMagic malware.
PipeMagic is a backdoor trojan that allows the group to eventually deploy ransomware. This time the group appears to have used RansomEXX, a variant that is not very widespread or well known.
Storm-2460 managed to use the bug to target a “small number” of organizations, Microsoft said. Most of them are in the IT, finance and retail industries and are located in the US, Venezuela, Spain and Saudi Arabia.
A security advisory discussing the use-after-free bug was published on April 8, Microsoft said.
“Microsoft strongly recommends that organizations prioritize applying security updates for elevation-of-privilege vulnerabilities to add a layer of defense against ransomware attacks whose threat actors are able to get a first footing,” the blog concludes.