Critical Windows CLFS Zero-Day Exploited by Ransomware Group — Patch Now!
A new zero-day vulnerability in Microsoft Windows has come under active exploitation by a sophisticated ransomware group, prompting an urgent security response from Microsoft. The flaw, identified as CVE-2025-29824, affects the Common Log File System (CLFS) and has already been used in targeted attacks across multiple industries and countries.
What’s the Vulnerability?
CVE-2025-29824 is an elevation of privilege (EoP) vulnerability in the CLFS kernel driver. It allows attackers with standard user access to escalate privileges and execute code at the system level — effectively giving them full control of a device.
Microsoft issued a security patch on April 8, 2025, in response to growing exploitation activity in the wild.
Who's Behind the Attacks?
The attacks have been linked to Storm-2460, a threat actor deploying the PipeMagic malware. Microsoft reports that this group has targeted organizations across:
- United States (IT and real estate)
- Venezuela (financial sector)
- Spain (software firms)
- Saudi Arabia (retail)
The malware and exploit chain have been identified as components in a ransomware delivery campaign.
How the Attack Works
Here’s a simplified breakdown of the attack chain:
- Initial Access: Attackers use Windows certutil to download a malicious MSBuild file from a compromised website.
- Decryption and Execution: The file is decrypted and executed using the EnumCalendarInfoA API.
- PipeMagic Malware Deployment: The backdoor malware is installed, enabling further actions.
- CLFS Exploit Execution: Leveraging the dllhost.exe process and the RtlSetAllBits API, attackers manipulate memory and overwrite process tokens to gain full privileges.
- Kernel Address Leak: Exploitation depends on the NtQuerySystemInformation API to leak kernel memory addresses — a method that fails on Windows 11 24H2, which restricts access to that data.
- CLFS File Drop: A suspicious file (C:\ProgramData\SkyPDF\PDUDrv.blf) is created as part of the exploit.
- Credential Dumping: The attackers use procdump.exe to extract LSASS process memory, stealing credentials.
- Ransomware Deployment: Files are encrypted, a ransom note is dropped, and system recovery options are disabled.
Ransomware Details
The final payload is suspected to be from the RansomEXX family, as indicated by .onion domains in the ransom notes. The ransomware:
- Renames files with random extensions
- Drops a ransom note titled !READ_ME_REXX2!.txt
- Launches from dllhost.exe using the --do [path_to_ransom] flag
- Deletes Windows backups and disables recovery using commands like:
Microsoft’s Recommendations
To defend against this active threat, Microsoft urges all users and admins to:
- Apply the April 8, 2025 patch for CVE-2025-29824
- Enable cloud-delivered protection in Microsoft Defender Antivirus
- Use device discovery to locate unmanaged systems
- Turn on EDR in block mode to halt malware actions
- Leverage automated investigation tools in Microsoft Defender for Endpoint
- Apply attack surface reduction (ASR) rules to limit abuse of system components
Indicators of Compromise (IOCs)
Indicator | Type | Description |
---|---|---|
C:\ProgramData\SkyPDF\PDUDrv.blf | File Path | Dropped during CLFS exploit |
dllhost.exe --do [path_to_ransom] | Command Line | Malware execution |
procdump.exe on winlogon.exe | Command | LSASS dump for credential theft |
bcdedit /set recoveryenabled no | Command | Disables recovery options |
aaaaabbbbbbb.eastus.cloudapp.azure[.]com | Domain | Used by PipeMagic malware |
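The following hunting script is an added example, not code from the original post or from Microsoft: it runs the indicators in the table above and the behaviours from the attack-chain section (dllhost.exe with --do, procdump against winlogon/LSASS, bcdedit disabling recovery, the PDUDrv.blf drop, the PipeMagic domain) over a handful of constructed telemetry events. The event field names (type, image, cmdline, path, query) and the sample events are assumptions, loosely modelled on Sysmon-style process, file and DNS records.

```python
import re

# Constructed sample telemetry (not real logs); field layout is an assumption.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\dllhost.exe",
     "cmdline": r"dllhost.exe --do C:\Users\Public\r.txt"},
    {"type": "process", "image": r"C:\Windows\System32\dllhost.exe",   # benign COM surrogate
     "cmdline": "dllhost.exe /Processid:{F2A1C3E4-0000-0000-0000-000000000000}"},
    {"type": "process", "image": r"C:\Temp\procdump.exe",
     "cmdline": r"procdump.exe -ma winlogon.exe C:\Temp\w.dmp"},
    {"type": "process", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"type": "file", "path": r"C:\ProgramData\SkyPDF\PDUDrv.blf"},
    {"type": "dns", "query": "aaaaabbbbbbb.eastus.cloudapp.azure.com"},
    {"type": "file", "path": r"C:\Windows\System32\config\systemprofile\x.blf"},  # unrelated CLFS log
]

# Each rule: (name, event type it applies to, predicate over the event).
RULES = [
    ("ransomware_launch_dllhost_do", "process",
     lambda e: e["image"].lower().endswith("dllhost.exe")
               and re.search(r"(^|\s)--do(\s|$)", e["cmdline"], re.I) is not None),
    ("credential_dump_procdump", "process",
     lambda e: e["image"].lower().endswith("procdump.exe")
               and re.search(r"\b(winlogon|lsass)\.exe\b", e["cmdline"], re.I) is not None),
    ("recovery_disabled_bcdedit", "process",
     lambda e: e["image"].lower().endswith("bcdedit.exe")
               and re.search(r"recoveryenabled\s+no\b", e["cmdline"], re.I) is not None),
    ("clfs_exploit_file_drop", "file",
     lambda e: e["path"].lower() == r"c:\programdata\skypdf\pdudrv.blf"),
    # The IOC table defangs the domain as azure[.]com; compare against the real form.
    ("pipemagic_c2_domain", "dns",
     lambda e: e["query"].lower().rstrip(".") == "aaaaabbbbbbb.eastus.cloudapp.azure.com"),
]

def scan(events):
    """Return (rule_name, event) for every event that matches a rule."""
    hits = []
    for e in events:
        for name, etype, pred in RULES:
            if e["type"] == etype and pred(e):
                hits.append((name, e))
    return hits

def matched_rules(events):
    """Names of the rules that fired, one entry per hit, in event order."""
    return [name for name, _ in scan(events)]

if __name__ == "__main__":
    for name, e in scan(SAMPLE_EVENTS):
        print(f"[{name}] {e}")
```

The benign dllhost.exe /Processid launch and the unrelated .blf file deliberately produce no hits, so the rules key on the specific command-line flag and full path rather than the process or extension alone.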