Zero-Day Alert: Play Ransomware Targets U.S. Organizations with Windows Exploit


Play Ransomware Actors Exploited Windows Zero-Day to Breach U.S. Organization

Security researchers have uncovered that hackers associated with the Play ransomware operation exploited a previously unknown zero-day vulnerability in Microsoft Windows to infiltrate a U.S.-based organization. The flaw, now tracked as CVE-2025-29824, affects the Windows Common Log File System (CLFS) driver and enables privilege escalation. Microsoft patched the vulnerability last month.


The attack was detailed by the Symantec Threat Hunter Team, a part of Broadcom, and highlights the increasing sophistication of ransomware actors in their use of zero-day exploits. Play—also known as Balloonfly or PlayCrypt—has been active since at least mid-2022 and is known for using double extortion tactics: exfiltrating sensitive data before encrypting files and demanding ransom.

In this incident, the threat actors are believed to have gained initial access via a public-facing Cisco Adaptive Security Appliance (ASA), although the exact exploitation method used for lateral movement remains unclear. Once inside, they deployed an exploit for CVE-2025-29824 to escalate privileges on a Windows system.

A custom information stealer known as Grixba, previously tied to Play operations, was used in the attack. The malicious payload was dropped into the victim’s Music folder under deceptive filenames such as paloaltoconfig.exe and paloaltoconfig.dll, mimicking legitimate Palo Alto Networks software.

Symantec’s analysis revealed that during exploitation, two key files were created in C:\ProgramData\SkyPDF:

PDUDrv.blf: A CLFS base log file created as an artifact of the exploit.

clssrv.inf: A malicious DLL injected into the winlogon.exe process, responsible for dropping two batch files.


One of these, servtask.bat, performs a variety of malicious actions: it escalates privileges, extracts sensitive registry hives (SAM, SYSTEM, SECURITY), creates a new user account named “LocalSvc,” and adds it to the Administrator group. The second, cmdpostfix.bat, is designed to clean up the system to cover the attackers' tracks.

Despite the extensive compromise, no ransomware payload was ultimately deployed during the intrusion, suggesting the attack may have been part of a broader reconnaissance or data exfiltration effort.

Symantec emphasized that the exploit for CVE-2025-29824 may have circulated among multiple threat actors prior to Microsoft's patch, underscoring the persistent risk posed by unpatched vulnerabilities.

Interestingly, Symantec clarified that the techniques observed in this campaign differ from those used by Storm-2460, another group identified by Microsoft that also weaponized the same flaw to deliver a trojan named PipeMagic.

This attack follows a growing trend: ransomware groups leveraging zero-day vulnerabilities to breach enterprise networks. Symantec previously reported similar behavior by the Black Basta group, which allegedly used CVE-2024-26169—another Windows privilege escalation flaw—as a zero-day in prior campaigns.

As zero-day exploitation becomes increasingly common among ransomware operators, security teams are urged to prioritize patch management and monitor for anomalous activity in high-risk areas like privilege elevation, credential access, and lateral movement.
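The artifacts described above (the SkyPDF files, the masquerading Grixba binaries, the dropped batch files and the LocalSvc account) give defenders concrete things to hunt for. The following is an added example, not code from the article or from Symantec: a small detector that runs the page's indicators over constructed, normalised telemetry (Sysmon-style file-creation events and Windows Security events 4720 and 4732) and scores each host so that a combination of an exploit artifact with the account tampering stands out. Weights, the threshold and the sample records are assumptions chosen for illustration.

```python
import re

# Constructed sample telemetry for this example (not from the Symantec report):
# Sysmon-style file-creation (event 11) and Windows Security (4720/4732) records.
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 11,   "msg": r"File created: C:\ProgramData\SkyPDF\PDUDrv.blf"},
    {"host": "ws01", "event_id": 11,   "msg": r"File created: C:\ProgramData\SkyPDF\clssrv.inf"},
    {"host": "ws01", "event_id": 11,   "msg": r"File created: C:\Users\jdoe\Music\paloaltoconfig.exe"},
    {"host": "ws01", "event_id": 4720, "msg": "A user account was created. Account Name: LocalSvc"},
    {"host": "ws01", "event_id": 4732, "msg": "A member was added to a security-enabled local group. Group Name: Administrators Member: LocalSvc"},
    {"host": "ws02", "event_id": 11,   "msg": r"File created: C:\Users\asmith\Documents\report.docx"},
    {"host": "ws02", "event_id": 4720, "msg": "A user account was created. Account Name: svc_backup"},
]

# Each rule: (name, weight, event id it applies to, regex over the message).
# Paths and names are the indicators described in the article; weights are assumed.
RULES = [
    ("clfs_exploit_artifact", 3, 11,   re.compile(r"\\ProgramData\\SkyPDF\\(PDUDrv\.blf|clssrv\.inf)$", re.I)),
    ("grixba_masquerade",     2, 11,   re.compile(r"\\Music\\paloaltoconfig\.(exe|dll)$", re.I)),
    ("dropped_batch_file",    2, 11,   re.compile(r"\\(servtask|cmdpostfix)\.bat$", re.I)),
    ("localsvc_created",      2, 4720, re.compile(r"Account Name:\s*LocalSvc\b", re.I)),
    ("localsvc_to_admins",    3, 4732, re.compile(r"Group Name:\s*Administrators\b.*\bLocalSvc\b", re.I)),
]

def scan(events):
    """Return one finding per (event, matching rule) pair."""
    findings = []
    for ev in events:
        for name, weight, event_id, pattern in RULES:
            if ev["event_id"] == event_id and pattern.search(ev["msg"]):
                findings.append({"host": ev["host"], "rule": name, "weight": weight, "msg": ev["msg"]})
    return findings

def score_hosts(findings):
    """Sum rule weights per host, counting each distinct rule once."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f["host"], {})[f["rule"]] = f["weight"]
    return {host: sum(rules.values()) for host, rules in per_host.items()}

def hosts_to_escalate(events, threshold=5):
    """Hosts whose combined indicator weight reaches the (assumed) threshold."""
    scores = score_hosts(scan(events))
    return sorted(h for h, s in scores.items() if s >= threshold)

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['rule']} <- {f['msg']}")
    print("escalate:", hosts_to_escalate(SAMPLE_EVENTS))
```

A single 4720 for an unrelated service account (ws02 above) scores nothing on its own; only the clustering of an exploit artifact with the LocalSvc activity pushes ws01 over the threshold.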
