
Play Ransomware Affiliate Leveraged Zero Day

Play Ransomware Gang Exploits Windows Zero-Day Vulnerability

TL;DR

The Play ransomware group leveraged a zero-day vulnerability in the Windows Common Log File System to gain SYSTEM privileges and deploy malware. This high-severity flaw, tracked as CVE-2025-29824, was exploited in targeted attacks against various sectors worldwide. The vulnerability was addressed in Microsoft’s April Patch Tuesday updates, highlighting the ongoing threat of ransomware and the importance of timely security patches.

Introduction

The Play ransomware gang has been identified as the perpetrator behind the exploitation of a critical Windows Common Log File System vulnerability. This zero-day attack allowed the group to gain elevated privileges and deploy malware on compromised systems. The vulnerability, tracked as CVE-2025-29824, has a CVSS score of 7.8 and was confirmed to be exploited in the wild by Microsoft.

Zero-Day Exploit Details

The vulnerability CVE-2025-29824 is a Use After Free flaw in the Windows Common Log File System Driver. This flaw enables attackers to elevate privileges locally, allowing them to gain SYSTEM privileges on affected systems. Microsoft confirmed that this vulnerability had been exploited in limited attacks against entities worldwide, including organizations in the IT and real estate sectors in the United States, and the retail sector in Saudi Arabia.

In April, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this flaw to its Known Exploited Vulnerabilities (KEV) catalog, underscoring its significance. Microsoft addressed the issue in its April Patch Tuesday security updates, emphasizing the need for immediate patching to mitigate potential risks.

Attack Methodology

Researchers at Symantec’s Threat Hunter Team reported that the Play ransomware gang utilized the CVE-2025-29824 zero-day exploit in an attack against a U.S. organization. Although no ransomware payload was deployed in this specific intrusion, the attackers used a custom tool known as the Grixba infostealer, which is associated with the Balloonfly group—the masterminds behind the Play ransomware operation.

The Balloonfly cybercrime group, active since at least June 2022, has targeted numerous organizations across North America, South America, and Europe. According to Symantec, the attackers exploited a public-facing Cisco ASA firewall as the initial infection vector. Once they gained access to a Windows system, they deployed tools like Grixba and the CVE-2025-29824 exploit. The attackers utilized PowerShell to gather information from Active Directory, exploited the vulnerability in the CLFS driver to gain higher privileges, and ran malicious DLLs and scripts to steal credentials. They also created admin accounts and performed operations to cover their tracks.

Key Tactics Used:

  • Initial Infection Vector: Exploitation of a public-facing Cisco ASA firewall.
  • Privilege Escalation: Use of the CVE-2025-29824 exploit to gain SYSTEM privileges.
  • Information Gathering: Deployment of tools like Grixba and PowerShell scripts.
  • Credential Theft: Execution of malicious DLLs and scripts to steal credentials.
  • Persistence: Creation of admin accounts and scheduled tasks to maintain access.
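As an added defender-side illustration (not code from the original article or from Symantec), the following correlates the persistence tactic listed above, a new account followed by an Administrators group addition and a scheduled task, across Windows Security audit events. Event IDs 4720, 4732 and 4698 are real Windows Security audit IDs; the actor names, timestamps and details are constructed sample data.

```python
"""Correlate Windows Security events matching the persistence tactic above:
a new account (4720) that is added to Administrators (4732) and a scheduled
task created (4698) by the same actor within a short time window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (iso timestamp, event_id, subject_user, detail)
SAMPLE_EVENTS = [
    ("2025-04-02T10:01:05", 4624, "svc_backup", "logon type 3"),
    ("2025-04-02T10:03:11", 4720, "svc_backup", "new account: helpdesk2"),
    ("2025-04-02T10:03:40", 4732, "svc_backup", "helpdesk2 -> Administrators"),
    ("2025-04-02T10:05:02", 4698, "svc_backup", "task: \\Updater"),
    ("2025-04-02T14:10:00", 4720, "hr_admin", "new account: newhire01"),
]

# The three audit IDs that together form the persistence chain
PERSISTENCE_IDS = {4720, 4732, 4698}


def find_persistence_chains(events, window_minutes=15):
    """Return {actor: [details]} for actors who produced all three persistence
    event IDs within window_minutes of one another."""
    by_actor = defaultdict(list)
    for ts, eid, actor, detail in events:
        if eid in PERSISTENCE_IDS:
            by_actor[actor].append((datetime.fromisoformat(ts), eid, detail))
    hits = {}
    window = timedelta(minutes=window_minutes)
    for actor, evs in by_actor.items():
        evs.sort()
        # Slide a window starting at each event; alert on the first full chain
        for i, (start, _, _) in enumerate(evs):
            cluster = [e for e in evs[i:] if e[0] - start <= window]
            if {e[1] for e in cluster} == PERSISTENCE_IDS:
                hits[actor] = [e[2] for e in cluster]
                break
    return hits


if __name__ == "__main__":
    for actor, details in find_persistence_chains(SAMPLE_EVENTS).items():
        print(f"ALERT persistence chain by {actor}: {details}")
```

A lone 4720 from an account administrator (the hr_admin line) is not flagged; only the full chain within the window is.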

Multiple Threat Actors Involved

The CVE-2025-29824 exploit was utilized by multiple threat actors before it was patched. Microsoft linked the exploit to the PipeMagic malware and Storm-2460, while Symantec observed different, non-fileless use by the Balloonfly group. This highlights the versatility and widespread use of zero-day vulnerabilities in cybercrime operations.

Conclusion

The exploitation of the CVE-2025-29824 vulnerability by the Play ransomware gang underscores the ongoing threat of ransomware and the importance of timely security patches. Organizations must remain vigilant and proactive in their cybersecurity measures to protect against such sophisticated attacks.

Pierluigi Paganini

SecurityAffairs – hacking, ransomware

This post is licensed under CC BY 4.0 by the author.