Windows 10: Windows under attack: 0-day vulnerability used by ransomware group

Discussion in 'Windows 10 News' started by GHacks, Apr 9, 2025.

  1. GHacks
    GHacks New Member

    Windows under attack: 0-day vulnerability used by ransomware group


    Microsoft released security updates for Windows yesterday and revealed today that the updates include a patch for a 0-day issue that is exploited in the wild.

    The vulnerability -- Windows Common Log File System Driver Elevation of Privilege Vulnerability -- is tracked as CVE-2025-29824.

    Important information:

    • The issue affects most supported server and client versions of Windows, including Windows 10, Windows 11, and Windows Server 2025.
    • Microsoft notes that the exploit does not work in Windows 11, version 24H2.
    • It is a use-after-free security issue that may be exploited for local elevation attacks.
    • The attack does not require user interaction.
    • The attacker may gain system privileges upon successful exploitation.

    Microsoft notes that it is aware of limited attacks. It mentions targets in the IT and real estate sectors in the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia specifically in a special announcement on its security website.

    Installation of the update protects systems against exploits. Microsoft's guidance includes an ominous note revealing that the company is delaying the patch for Windows 10 systems. It does not provide an explanation for the delay. Affected users and administrators are asked to monitor the official CVE on Microsoft's MSRC website for updates regarding the rollout of the patch to Windows 10 systems.

    Home users may use Windows Update to install the patch immediately on Windows 11. This is done via Settings > Windows Update. Note that a restart of the system is necessary to finalize the installation of the security update.

    On the technical side, the vulnerability is found in the Common Log File System (CLFS) kernel driver according to Microsoft. The company says that it has not determined the initial attack vector, but discovered "some notable pre-exploitation behaviors by Storm-2460".

    Good to know: Storm-2460, which is better known as RansomEXX, is a notorious ransomware group.

    Microsoft observed the following behavior in multiple cases:

    • The threat actor uses the certutil tool to download a malicious file from a legitimate but compromised third-party website.
    • The downloaded file was a malicious MSBuild file.
    • The malware in question goes by the name PipeMagic, which has been known since 2023.
    • After deployment of the malware, it is exploiting the vulnerability described in this guide for process injection into system processes.

    One of the activities of the malware on the user system is the dumping and parsing of LSASS memory to obtain user credentials. Ransomware activity followed on the target systems, notably file encryption and the adding of random extensions.

    Closing Words


    Microsoft recommends installing the Windows security patches immediately to protect systems from exploit attempts. The delay on Windows 10 is unfortunate, as it means that systems remain vulnerable to attacks until Microsoft releases the patch for the system.

    Now You: when do you install updates on your systems? Did you install the April 2025 security updates already?

    Thank you for being a Ghacks reader. The post Windows under attack: 0-day vulnerability used by ransomware group appeared first on gHacks Technology News.

    GHacks, Apr 9, 2025
    #1
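
An added detection example for the pre-exploitation behavior listed in the post above (certutil fetching a file that MSBuild then runs); it is not code from GHacks or Microsoft. The event tuples, host names and URL are constructed, and the two certutil options treated as download-capable are an assumption, since the page names no flags.

```python
import ntpath
import re

# Constructed process-creation events: (host, image path, command line).
SAMPLE_EVENTS = [
    ("ws01", r"C:\Windows\System32\certutil.exe",
     r"certutil -urlcache -split -f https://files.example.test/a/update.proj "
     r"C:\Users\Public\update.proj"),
    ("ws01", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     r"MSBuild.exe C:\Users\Public\update.proj"),
    ("ws02", r"C:\Windows\System32\certutil.exe",
     r"certutil -hashfile C:\temp\setup.iso SHA256"),
    ("ws03", r"C:\BuildTools\MSBuild.exe", r"MSBuild.exe D:\src\app\app.csproj /t:Build"),
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # keeps quoted paths with spaces together
# Assumption: certutil options that can fetch from a URL (not named on the page).
DOWNLOAD_FLAGS = {"urlcache", "verifyctl"}

def tokens(cmdline):
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]

def certutil_download(cmdline):
    """Return the URL if the command line has a download-capable flag and a URL."""
    has_flag = any(t.lstrip("-/").lower() in DOWNLOAD_FLAGS for t in tokens(cmdline))
    match = URL_RE.search(cmdline)
    return match.group(0).rstrip('"') if has_flag and match else None

def detect(events):
    """Flag certutil downloads, then MSBuild runs of a file fetched on the same host."""
    alerts, fetched = [], {}  # fetched: (host, file name) -> source URL
    for host, image, cmdline in events:
        exe = ntpath.basename(image).lower()
        if exe == "certutil.exe":
            url = certutil_download(cmdline)
            if url is None:
                continue  # e.g. -hashfile: ordinary administrative use
            alerts.append((host, "certutil_download", url))
            for tok in tokens(cmdline)[1:]:
                if not tok.startswith(("-", "/")):
                    fetched[(host, ntpath.basename(tok).lower())] = url
        elif exe == "msbuild.exe":
            for tok in tokens(cmdline)[1:]:
                src = fetched.get((host, ntpath.basename(tok).lower()))
                if src:
                    alerts.append((host, "msbuild_runs_downloaded_file", src))
    return alerts
```

The correlation step is what separates the sequence described in the post from routine use: the hash check on ws02 and the developer build on ws03 produce no alert.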
  2. DaveM121 Win User

    About Ransomware attack

    Here is Microsoft's Customer Guidance on the Ransomware Attack:

    • In March, we released a security update which addresses the vulnerability that these attacks are exploiting. Those who have Windows Update enabled are protected against attacks on this vulnerability. For those organizations who have not yet applied the security update, we suggest you immediately deploy Microsoft Security Bulletin MS17-010.

    • For customers using Windows Defender, we released an update earlier today which detects this threat as Ransom:Win32/WannaCrypt. As an additional “defense-in-depth” measure, keep up-to-date anti-malware software installed on your machines. Customers running anti-malware software from any number of security companies can confirm with their provider, that they are protected.

    • This attack type may evolve over time, so any additional defense-in-depth strategies will provide additional protections. (For example, to further protect against SMBv1 attacks, customers should consider blocking legacy protocols on their networks).

    For the full article, Click HERE
     
    DaveM121, Apr 9, 2025
    #2
  4. Windows under attack: 0-day vulnerability used by ransomware group

    Is Windows 10 still vulnerable to WannaCry Ransomware?

    The best defensive strategy to protect yourself from malware and ransomware (crypto malware) infections is a comprehensive approach to include prevention and your best defense is back up, back up, and more back up on a regular basis. When implementing a backup strategy include testing to ensure it works before an emergency arises; routinely check to verify backups are being made and stored properly; remove (disconnect) and isolate all backups from the network or home computer...if not, you risk ransomware infecting them when it strikes.

    For more suggestions to protect yourself from ransomware infections, see my comments (Post #2) in this topic...Ransomware Avoidance...it includes a list of prevention tools.
     
    quietman7 - MVP, Apr 9, 2025
    #4