Microsoft says the RansomEXX ransomware gang has been exploiting a high-severity zero-day flaw in the Windows Common Log File System (CLFS) to gain SYSTEM privileges on victims' systems.

CVE-2025-29824 is due to a use-after-free weakness that lets local attackers with low privileges gain SYSTEM privileges in low-complexity attacks that don't require user interaction.

The attackers first installed the PipeMagic backdoor malware on compromised systems, which was then used to deploy the CVE-2025-29824 exploit, ransomware payloads, and !_READ_ME_REXX2_!.txt ransom notes after encrypting files. Discovered by Kaspersky in 2022, PipeMagic can harvest sensitive data, provides full remote access to infected devices, and enables attackers to deploy additional malicious payloads to move laterally through victims' networks. As ESET reported last month, PipeMagic has also been used to deploy exploits targeting a Windows Win32 Kernel Subsystem zero-day (CVE-2025-24983) since March 2023.

These attacks exploited another Windows Common Log File System Driver zero-day, a privilege escalation flaw tracked as CVE-2023-28252.

"The targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia," Microsoft revealed today.

The RansomEXX gang has also targeted high-profile organizations in the past, including computer hardware giant GIGABYTE, Konica Minolta, the Texas Department of Transportation (TxDOT), Brazil's court system, Montreal's STM public transport system, and government software provider Tyler Technologies.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 08 Apr 2025 19:05:22 +0000