Alert Essentials:

Storm-2460 exploits a Windows Common Log File System (CLFS) driver vulnerability to escalate privileges and deploy ransomware. Patches are available and should be applied immediately.


Detailed Threat Description:

The threat actor Storm-2460 is abusing a Common Log File System (CLFS) driver flaw to obtain system privileges, leading to ransomware attacks against IT organizations.

CLFS is a logging framework first introduced by Microsoft in Windows Server 2003 R2 and included in later Windows operating systems. It effectively allows users to record a series of steps, allowing actions to be reproduced accurately in the future or undone.

Microsoft has revealed that a now-patched security flaw in the Windows CLFS driver was exploited as a zero-day in ransomware attacks aimed at several targets. The initial entry vector of this campaign has yet to be determined, but the campaign focuses on the information technology, real estate, financial, and retail sectors in four countries.

CVE-2025-29824 allows local attackers with low privileges to bypass security controls, enabling lateral movement and ransomware deployment across networks. Pre-exploitation tactics rely on living-off-the-land techniques that abuse legitimate utilities, together with malicious MSBuild deployment, to establish an initial foothold.

Afterward, Windows API functions are used to allocate memory and load PipeMagic, a sophisticated backdoor that grants attackers remote access. These steps are followed by post-exploitation activity designed to consolidate control over the environment and extract maximum value from the intrusion.

The weakness has been added to the CISA Known Exploited Vulnerabilities (KEV) list, and patches were released on April 8, 2025. It is recommended that defense teams deploy these patches immediately.

The security updates for Windows 10 for x64-based Systems and Windows 10 for 32-bit Systems are not immediately available. When they are accessible, customers will be notified via a revision to the CVE information.

Windows 11 devices are affected except for version 24H2. In 24H2, access to the specific System Information Classes within NtQuerySystemInformation is restricted to users holding SeDebugPrivilege, which only admin-like users can obtain.

Impacts on Healthcare Organizations:

Exploitation of the CLFS driver flaw (CVE-2025-29824) enables attackers to escalate privileges, granting complete control over healthcare IT systems. This allows threat actors like Storm-2460 to deploy ransomware and exfiltrate sensitive patient data.

Therefore, the exploitation of CVE-2025-29824 intensifies healthcare’s existing ransomware crisis, combining technical breaches with severe operational and financial consequences.

Remind users of proper cyber hygiene and remain vigilant against threats.

Affected Products / Versions:

  • All Microsoft Windows Server versions up to and including Windows Server 2025
  • Windows 10 x64-based and 32-bit systems are vulnerable, but security updates for Windows 10 have not yet been released as of April 2025
  • Patches have been issued for Windows 11, except for version 24H2, which was not affected by observed exploitation


CVEs:

CVE-2025-29824 – CWE-20 – CVSS 7.8

Possible Indicators of Compromise (IoCs):

  • The exploit first uses the NtQuerySystemInformation API to leak kernel addresses to user mode
  • Monitor for the creation of files like C:\ProgramData\SkyPDF\PDUDrv.blf, an artifact tied explicitly to the CLFS exploit
  • Look for command-line activity originating from dllhost.exe that appears abnormal, especially commands involving --do, as seen in this exploitation chain
  • Configure alerts such as “Potential Windows DLL process injection” or “Suspicious access to LSASS service” to alert IT personnel to questionable activity
  • aaaaabbbbbbb.eastus.cloudapp.azure.com is a domain associated with the attack that Microsoft has turned off
  • C:\Windows\system32\dllhost.exe --do is the command line of the injected dllhost process
  • Ransomware command lines in the attack are bcdedit /set {default} recoveryenabled no, wbadmin delete catalog -quiet, and wevtutil cl Application
  • A ransom note named !_READ_ME_REXX2_!.txt is dropped
  • Two .onion domains have been seen in the !_READ_ME_REXX2_!.txt ransom notes:
    • jbdg4buq6jd7ed3rd6cynqtq5abttuekjnxqrqyvk4xam5i7ld33jvqd.onion
    • uyhi3ypdkfeymyf5v35pbk3pz7st3zamsbjzf47jiqbcm3zmikpwf3qd.onion
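The following script is an added example, not part of the original alert, showing how the host-based indicators listed above (the PDUDrv.blf artifact, the injected dllhost.exe --do command line, the three ransomware command lines, the ransom note name and the sinkholed domain) can be turned into simple detection rules and run over process-creation and file-creation telemetry. The log lines are constructed for illustration and the "timestamp host event detail" layout is an assumption; adapt the regexes to your SIEM's field names.

```python
import re

# Indicators taken from the advisory's IoC list above. Patterns are
# case-insensitive and tolerant of extra whitespace between tokens.
INDICATORS = {
    "clfs_exploit_artifact": re.compile(r"\\ProgramData\\SkyPDF\\PDUDrv\.blf", re.I),
    "injected_dllhost": re.compile(r"dllhost\.exe\s+--do\b", re.I),
    "recovery_disabled": re.compile(r"bcdedit\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    "backup_catalog_deleted": re.compile(r"wbadmin\s+delete\s+catalog\b", re.I),
    "event_log_cleared": re.compile(r"wevtutil\s+cl\s+\w+", re.I),
    "ransom_note": re.compile(r"!_READ_ME_REXX2_!\.txt", re.I),
    "sinkholed_domain": re.compile(r"aaaaabbbbbbb\.eastus\.cloudapp\.azure\.com", re.I),
}


def scan_line(line):
    """Return the names of every indicator that matches one log line."""
    return [name for name, rx in INDICATORS.items() if rx.search(line)]


def scan_log(lines):
    """Return (line_number, indicator_names) for each line with at least one hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        names = scan_line(line)
        if names:
            hits.append((n, names))
    return hits


# Constructed sample telemetry (not real logs): one benign svchost launch,
# the artifacts described in the alert, and a benign dllhost invocation that
# must NOT trigger the injected-dllhost rule.
SAMPLE_LOG = [
    "2025-04-09T10:01:03Z ws01 ProcessCreate C:\\Windows\\system32\\svchost.exe -k netsvcs",
    "2025-04-09T10:02:17Z ws01 FileCreate C:\\ProgramData\\SkyPDF\\PDUDrv.blf",
    "2025-04-09T10:02:40Z ws01 ProcessCreate C:\\Windows\\system32\\dllhost.exe --do",
    "2025-04-09T10:05:12Z ws01 ProcessCreate bcdedit /set {default} recoveryenabled no",
    "2025-04-09T10:05:13Z ws01 ProcessCreate wbadmin delete catalog -quiet",
    "2025-04-09T10:05:14Z ws01 ProcessCreate wevtutil cl Application",
    "2025-04-09T10:06:00Z ws01 FileCreate C:\\Users\\Public\\!_READ_ME_REXX2_!.txt",
    "2025-04-09T10:06:30Z ws01 ProcessCreate C:\\Windows\\system32\\dllhost.exe /Processid:{guid}",
]

if __name__ == "__main__":
    for n, names in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(names)}")
```

The three ransomware command lines are generic enough to appear in legitimate administration, so in production treat them as a correlated sequence on one host rather than as isolated alerts.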

Recommendations:

Engineering Recommendations:

  • Deploy patches immediately
  • Disable SeDebugPrivilege for non-essential accounts to limit lateral movement
  • Monitor the CLFS driver closely and apply available updates promptly
  • Use SIEM tools to track anomalous kernel driver interactions, especially in unpatched Windows 10 environments

Leadership/Program Recommendations:

  • Develop a robust, proactive threat-hunting program
  • Investigate the complete attack surface of the organization
  • Provide routine user awareness training
  • Participate in threat intelligence sharing to stay updated on emerging tactics

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
