- Multiple ransomware groups seen abusing Windows Common Log File System bug
- Among the abusers are RansomEXX and Play
- The flaw is used to drop backdoors, encryptors and more
Notorious ransomware actors have abused a zero-day vulnerability in the Windows Common Log File System to gain SYSTEM privileges and deploy malware on target devices, several security researchers have confirmed.
The zero-day flaw was discovered and patched as part of Microsoft's Patch Tuesday April 2024 cumulative update.
Given a severity score of 7.8/10 (high), it is tracked as CVE-2025-29824 and described as a use-after-free bug in the Windows Common Log File System Driver that allows an authorized attacker to elevate privileges locally.
Chats leaked
Microsoft was among the first companies to sound the alarm on the flaw, saying hackers were using it to target IT and real estate companies in the US, financial organizations in Venezuela, software companies in Spain, and retailers in Saudi Arabia.
The researchers said the flaw was used by a threat actor called RansomEXX, which used it to drop the PipeMagic backdoor and other malware, including an encryptor. However, Symantec also found Play, a notorious ransomware group, using the flaw to gain access to a US target.
“Although no ransomware was deployed in the intrusion, attackers deployed the Grixba infostealer, which is a custom tool associated with Balloonfly, the attacker behind the Play ransomware operation,” Symantec explained in its report.
“Balloonfly is a cybercrime group that has been active since at least June 2022 and uses Play ransomware (also known as PlayCrypt) in its attacks.”
Play, also known as PlayCrypt, is a threat actor that emerged in mid-2022. In the first year and a half of its existence, it claimed about 300 victims, some of which were critical infrastructure organizations. At the end of 2023, the FBI, CISA and other security agencies issued a joint security advisory warning about the dangers posed by Play.
“Since June 2022, the Play (also known as PlayCrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe,” the advisory read. “As of October 2023, the FBI was aware of approximately 300 affected devices allegedly exploited by the ransomware actors.”
Via BleepingComputer