In early April 2025, cybersecurity researchers uncovered a sophisticated attack by the Play ransomware group, also known as Balloonfly. This operation exploited a previously unknown Windows zero-day vulnerability, CVE-2025-29824, to escalate privileges within targeted systems. The vulnerability resided in the Windows Common Log File System (CLFS) driver and was actively exploited before Microsoft released a patch on April 8, 2025.
Although the attackers did not deploy ransomware payloads during this specific intrusion, they utilized the Grixba infostealer a custom tool associated with Balloonfly to gather sensitive information. This incident underscores the increasing sophistication of ransomware groups and their ability to exploit zero-day vulnerabilities for malicious purposes.
Anatomy of the Attack
Initial Access
The attackers likely gained initial access through a public-facing Cisco ASA firewall. From there, they moved laterally to a Windows machine within the targeted network. On this machine, they deployed various tools and samples, including the Grixba infostealer and the exploit for CVE-2025-29824. Notably, some of these samples were disguised with names resembling legitimate software, such as “paloaltoconfig.exe” and “1day.exe,” and were stored in the Music folder to evade detection.
Privilege Escalation via CVE-2025-29824
The core of the attack involved exploiting CVE-2025-29824, a vulnerability in the CLFS driver. The exploit manipulated the driver’s handling of file operations to achieve privilege escalation. Specifically, it involved creating a race condition between two threads: one closing a file handle and the other performing an I/O control operation. This sequence led to the use of a deallocated memory structure, allowing the attackers to execute arbitrary code with SYSTEM-level privileges.
During exploitation, two files were created in the “C:\ProgramData\SkyPDF” directory: “PDUDrv.blf,” a base log file, and “clssrv.inf,” a DLL injected into the winlogon.exe process. The injected DLL facilitated the execution of batch files designed to extract registry hives and create a new administrative user named “LocalSvc.” These batch files also performed cleanup operations to remove traces of the attack.
Indicators of Compromise (IOCs)
Several files associated with the attack have been identified as indicators of compromise:
- gt_net.exe: Infostealer.Grixba
- go.exe: CVE-2025-29824 exploit
- clssrv.inf: Exploit DLL payload
- cmdpostfix.bat: Batch file for cleanup
- servtask.bat: Batch file for privilege escalation and data extraction
These files were strategically placed and named to avoid detection by security tools.
Broader Implications and Threat Landscape
The exploitation of CVE-2025-29824 was not limited to the Play ransomware group. Microsoft reported that another threat actor, Storm-2460, also exploited this vulnerability using the PipeMagic malware. Storm-2460’s approach differed by launching the exploit in memory via the dllhost.exe process, indicating multiple actors independently discovered and utilized the same zero-day vulnerability.
The Play ransomware group has been active since at least June 2022 and is known for its double-extortion tactics, where data is exfiltrated before encryption to pressure victims into paying ransoms. As of October 2023, they had impacted approximately 300 organizations worldwide, including entities in North America, South America, Europe, and Australia.
Their operations have evolved to include targeting Linux environments, specifically VMware ESXi systems, indicating a broadening of their attack surface and an increase in sophistication.
Preventative Measures
To mitigate the risk of similar attacks, organizations should consider the following best practices:
- Regularly Update and Patch Systems: Ensure all systems, especially those exposed to the internet, are up-to-date with the latest security patches.
- Implement Network Segmentation: Divide the network into segments to limit lateral movement in case of a breach.
- Use Multi-Factor Authentication (MFA): Require MFA for all remote access and administrative accounts to add an extra layer of security.
- Monitor for Unusual Activity: Employ intrusion detection and prevention systems to monitor for anomalous behavior indicative of an attack.
- Restrict Administrative Privileges: Limit administrative access to only those who need it and regularly review permissions.
- Educate Employees: Conduct regular training sessions to raise awareness about phishing and other social engineering tactics.
- Backup Data Regularly: Maintain regular, offline backups of critical data to facilitate recovery in case of ransomware attacks.
- Conduct Security Audits: Perform periodic security assessments to identify and remediate vulnerabilities.
- Implement Application Whitelisting: Restrict the execution of unauthorized applications to prevent malware from running.
- Develop an Incident Response Plan: Prepare a comprehensive response strategy to quickly address and contain security incidents.
Conclusion
The exploitation of CVE-2025-29824 by the Play ransomware group highlights the critical importance of proactive cybersecurity measures. As threat actors continue to develop and deploy sophisticated attacks, organizations must remain vigilant, ensuring systems are patched, access is controlled, and employees are educated on security best practices. By implementing robust security frameworks and staying informed about emerging threats, organizations can better protect themselves against the evolving landscape of cybercrime.
