The Symantec Threat Hunter Team reported that attackers affiliated with the Play ransomware group (also known as Balloonfly or PlayCrypt) targeted an unnamed organization in the United States, likely using a public-facing Cisco Adaptive Security Appliance (ASA) as the entry point. The threat actors exploited a zero-day vulnerability in Microsoft Windows before it was patched on April 8, 2025.

The vulnerability, tracked as CVE-2025-29824, affects the Windows Common Log File System (CLFS) driver and allows attackers to elevate their privileges from a standard user to full system access. Microsoft's Threat Intelligence Center (MSTIC) and Security Response Center (MSRC) attributed the exploitation activity to a threat group tracked as Storm-2460, which deploys the PipeMagic malware in ransomware campaigns.

“Ransomware threat actors value post-compromise elevation of privilege exploits because these could enable them to escalate initial access into privileged access,” Microsoft stated in its security advisory.

No ransomware payload was deployed in the intrusion Symantec observed, but the attackers used Grixba, a custom information-stealing tool previously associated with the Play operation. The group has a history of building custom tools such as Grixba and disguising them as legitimate security software, including fake SentinelOne and Palo Alto Networks applications.

The Play ransomware group, active since June 2022, is known for double-extortion tactics, in which sensitive data is exfiltrated before it is encrypted. This incident highlights the continuing evolution of ransomware tactics and the importance of prompt patching, especially for privilege-escalation vulnerabilities, which are critical components of ransomware attack chains.
Organizations are strongly advised to apply the security updates released on April 8, 2025, especially on systems running vulnerable versions of Windows. Microsoft specifically noted that customers running Windows 11 version 24H2 are not affected by this vulnerability because of security mitigations already in place.
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 07 May 2025 11:54:58 +0000