- Several ransomware groups have been seen abusing a bug in the Windows Common Log File System
- Among the attackers are RansomEXX and Play
- The bug is used to drop backdoors, encryptors and more
Notorious ransomware actors have abused a zero-day vulnerability in the Windows Common Log File System to obtain SYSTEM privileges and deploy malware on target devices, several security researchers have confirmed.
The zero-day flaw was discovered and fixed as part of Microsoft's April 2024 Patch Tuesday cumulative update.
Given a severity score of 7.8/10 (high), it is tracked as CVE-2025-29824 and is described as a use-after-free bug in the Windows Common Log File System Driver that allows an authorized attacker to elevate privileges locally.
Disclosed cats
Microsoft was among the first companies to raise the alarm about the bug, saying that hackers were using it to target IT and real estate companies in the United States, financial organizations in Venezuela, software companies in Spain and retailers in Saudi Arabia.
The researchers said the bug had been used by a threat actor called RansomEXX, who used it to drop the PipeMagic backdoor and other malware, including an encryptor. Symantec, however, also found Play, a notorious ransomware actor, using the bug to gain access to a US target.
"Although no ransomware payload was deployed in the intrusion, the attackers deployed the Grixba infostealer, which is a custom tool associated with Balloon Fly, the attackers behind the Play ransomware operation," Symantec said in its report.
"Balloon Fly is a cybercrime group that has been active since at least June 2022 and uses Play ransomware (also known as PlayCrypt) in attacks."
Play, also known as PlayCrypt, is a threat actor that emerged in mid-2022. During the first year and a half of its existence, it claimed around 300 victims, some of which were critical infrastructure organizations. At the end of 2023, the FBI, CISA and other security agencies published a joint security advisory warning of the dangers posed by Play.
"Since June 2022, the Play (also known as PlayCrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America and Europe," the advisory said. "In October 2023, the FBI was aware of approximately 300 affected entities allegedly exploited by the ransomware actors."
Via BleepingComputer