Microsoft has revealed {that a} now-patched safety flaw impacting the Home windows Frequent Log File System (CLFS) was exploited as a zero-day in ransomware assaults aimed toward a small variety of targets.
“The targets embody organizations within the info expertise (IT) and actual property sectors of the USA, the monetary sector in Venezuela, a Spanish software program firm, and the retail sector in Saudi Arabia,” the tech big said.
The vulnerability in query is CVE-2025-29824, a privilege escalation bug in CLFS that could possibly be exploited to realize SYSTEM privileges. It was fixed by Redmond as a part of its Patch Tuesday replace for April 2025.
Microsoft is monitoring the exercise and the post-compromise exploitation of CVE-2025-29824 underneath the moniker Storm-2460, with the menace actors additionally leveraging a malware named PipeMagic to ship the exploit in addition to ransomware payloads.
The precise preliminary entry vector used within the assaults is at present not identified. Nevertheless, the menace actors have been noticed utilizing the certutil utility to obtain malware from a reliable third-party web site that was beforehand compromised to stage the payloads.
The malware is a malicious MSBuild file that incorporates an encrypted payload, which is then unpacked to launch PipeMagic, a plugin-based trojan that has been detected within the wild since 2022.
It is price mentioning right here that CVE-2025-29824 is the second Home windows zero-day flaw to be delivered through PipeMagic after CVE-2025-24983, a Home windows Win32 Kernel Subsystem privilege escalation bug, which was flagged by ESET and patched by Microsoft final month.
Beforehand, PipeMagic was additionally noticed in reference to Nokoyawa ransomware assaults that exploited one other CLFS zero-day flaw (CVE-2023-28252).
“In a few of the different assaults that we attribute to the identical actor, we additionally noticed that, previous to exploiting the CLFS elevation-of-privilege vulnerability, the sufferer’s machines have been contaminated with a customized modular backdoor named ‘PipeMagic’ that will get launched through an MSBuild script,” Kaspersky pointed out in April 2023.
It is essential to notice that Home windows 11, model 24H2, isn’t affected by this particular exploitation, as entry to sure System Data Lessons inside NtQuerySystemInformation is restricted to customers with SeDebugPrivilege, which usually solely admin-like users can receive.
“The exploit targets a vulnerability within the CLFS kernel driver,” the Microsoft Risk Intelligence staff defined. “The exploit then makes use of a reminiscence corruption and the RtlSetAllBits API to overwrite the exploit course of’s token with the worth 0xFFFFFFFF, enabling all privileges for the method, which permits for course of injection into SYSTEM processes.”
Profitable exploitation is adopted by the menace actor extracting consumer credentials by dumping the reminiscence of LSASS and encrypting information on the system with a random extension.
Microsoft stated it was unable to acquire a ransomware pattern for evaluation, however stated that the ransom be aware dropped after encryption included a TOR area tied to the RansomEXX ransomware family.
“Ransomware menace actors worth post-compromise elevation of privilege exploits as a result of these may allow them to escalate preliminary entry, together with handoffs from commodity malware distributors, into privileged entry,” Microsoft stated. “They then use privileged entry for widespread deployment and detonation of ransomware inside an surroundings.”
Source link