TRENDING TOPICS MAY 07, 2025

Update: Play Ransomware Group Uses CVE-2025-29824 for Post-Exploitation Access

The Play ransomware group has recently exploited a vulnerability in the Windows Common Log File System (CLFS) driver, now tracked as CVE-2025-29824, which allows local privilege escalation to SYSTEM. The flaw was used in targeted attacks before Microsoft issued a patch on April 8, 2025, making it a zero-day at the time; it is now patched and no longer considered a zero-day. In one case, the attackers gained initial access through a public-facing Cisco ASA appliance, then moved laterally to a Windows machine where the exploit was executed. The dropped payload included a custom-built infostealer named Grixba, disguised as Palo Alto Networks software and placed in the user's Music folder to avoid suspicion. During exploitation, files were written to a hidden directory and a DLL was injected into the winlogon[.]exe process to enable persistence and further actions. The attackers used batch scripts to dump the SAM, SYSTEM, and SECURITY registry hives, create a new local admin account, and clean up traces to avoid detection. These actions were performed quietly, with no ransomware deployed during the intrusion, suggesting reconnaissance or staging for a larger operation. This activity is concerning because it involves the use of a zero-day by a ransomware group, something typically more common among nation-state actors. It indicates a clear evolution in Play's capabilities, with more emphasis on stealth and long-term access. Microsoft also observed another group, Storm-2460, using the same vulnerability to deploy malware in separate campaigns, which suggests the exploit may have been available to multiple actors. While the CVSS score for this vulnerability is 7.8, the real-world impact is higher because of its post-compromise utility: it gives full control of compromised systems. Security teams should be aware that even though the exploit does not immediately drop ransomware, it lays the groundwork for rapid domain-wide encryption or data theft.
Applying the April 2025 patches is critical, especially for older Windows versions and any system lacking updated privilege escalation protections. Given how quickly this zero-day was abused in the wild, delaying patching significantly increases the risk of compromise.
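The post-exploitation steps described above (registry hive dumps via batch scripts, a new local admin account, a hidden staging directory, and a binary dropped in the user's Music folder) are each visible in ordinary endpoint telemetry. The following is an added detection example, not code from the original post or from the cited research. It assumes a constructed JSON-per-line log export with Sysmon-style field names (EventID, Image, CommandLine, TargetFilename, Computer) and Security-log events 4720 (user account created) and 4732 (member added to a security-enabled local group) carrying TargetUserName and GroupName fields; the field names and sample events are constructed for the example.

```python
"""Heuristic detection for the CVE-2025-29824 post-exploitation chain described above.

Added example; the log format below is an assumed JSON-per-line export with
Sysmon-style field names, and every sample event is constructed."""
import json
import re
from collections import defaultdict

# Command-line and file-write rules: name -> (regex, field inspected, severity)
RULES = {
    # reg.exe save/export of the SAM, SYSTEM or SECURITY hive (offline credential theft)
    "registry_hive_dump": (
        re.compile(r'\breg(?:\.exe)?\s+(?:save|export)\s+"?(?:hklm|hkey_local_machine)\\(?:sam|system|security)\b', re.I),
        "CommandLine", "high"),
    # attrib +h used to hide a staging directory or dropped files
    "hidden_directory_created": (
        re.compile(r"\battrib(?:\.exe)?\s+.*\+h\b", re.I), "CommandLine", "medium"),
    # executable or DLL written directly under a user's Music folder
    "binary_dropped_in_music_folder": (
        re.compile(r"\\Music\\[^\\]+\.(?:exe|dll)$", re.I), "TargetFilename", "medium"),
}


def check_account_events(event):
    """Flag local account creation and additions to an Administrators group."""
    if event.get("EventID") == 4720:
        return ("local_account_created", "medium")
    if event.get("EventID") == 4732 and "admin" in str(event.get("GroupName", "")).lower():
        return ("added_to_local_admin_group", "high")
    return None


def analyze(log_text):
    """Return a list of findings for the given JSON-per-line log text."""
    findings = []
    by_host = defaultdict(set)
    for n, raw in enumerate(log_text.splitlines(), 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            findings.append({"line": n, "host": "?", "rule": "unparseable_line", "severity": "info"})
            continue
        host = ev.get("Computer", "?")
        for name, (rx, field, sev) in RULES.items():
            if rx.search(str(ev.get(field, "") or "")):
                findings.append({"line": n, "host": host, "rule": name, "severity": sev})
                by_host[host].add(name)
        acct = check_account_events(ev)
        if acct:
            findings.append({"line": n, "host": host, "rule": acct[0], "severity": acct[1]})
            by_host[host].add(acct[0])
    # Correlation: hive dump plus a new local admin on the same host is the chain the report describes
    for host, rules in by_host.items():
        if {"registry_hive_dump", "added_to_local_admin_group"} <= rules:
            findings.append({"line": None, "host": host,
                             "rule": "credential_theft_and_persistence_chain", "severity": "critical"})
    return findings


def summarize(findings):
    """Count findings per rule name."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


# Constructed sample telemetry: one benign host (WS02) and one host showing the full chain (WS01)
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS02", "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"},
    {"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\attrib.exe",
     "CommandLine": "attrib +h +s C:\\ProgramData\\svc"},
    {"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg save hklm\\sam C:\\ProgramData\\svc\\sam.hiv"},
    {"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg save HKLM\\SYSTEM C:\\ProgramData\\svc\\system.hiv"},
    {"EventID": 11, "Computer": "WS01", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\jdoe\\Music\\update-agent.exe"},
    {"EventID": 4720, "Computer": "WS01", "TargetUserName": "svc_backup"},
    {"EventID": 4732, "Computer": "WS01", "GroupName": "Administrators", "MemberName": "svc_backup"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['severity']:>8}] line={f['line']} host={f['host']} {f['rule']}")
```

The per-rule hits are individually low-confidence (administrators do run `reg save` and `attrib +h`), so the correlation step is what turns them into an alert worth paging on: a hive dump and an addition to the local Administrators group on one host inside a single log window matches the staging behaviour described above, whether or not ransomware ever follows.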

Large-Scale Discord Phishing Campaign Linked to Inferno Drainer Drains Millions from Crypto Users

A well-organized phishing campaign has been actively targeting cryptocurrency users through Discord, resulting in over $9 million in stolen funds and affecting more than 30,000 victims within six months. The attackers redirect users who attempt to access legitimate Discord support channels from Web3 project sites to fake servers that mimic those communities. Once inside, users are presented with a fake version of the Collab[.]Land verification bot, a tool commonly used to verify wallet holdings and assign roles. The imitation process convinces users to connect their wallets and unknowingly sign malicious transactions that allow the attacker to drain assets. These phishing sites are nearly identical to real platforms, and the attackers rotate domains frequently to avoid being flagged. A key method for keeping the campaign alive involves hijacking expired vanity Discord invite links, which users may revisit through saved links in old announcements or websites, unknowingly landing on a malicious server. The operation has been linked to Inferno Drainer, a notorious crypto-draining toolkit that claimed to shut down in 2023 but has reemerged with more advanced tactics. The attackers use single-use smart contracts to avoid triggering wallet security alerts, store configurations directly on the blockchain to obscure infrastructure, and rely on proxy communications that are hard to trace. These methods make detecting and blocking their infrastructure extremely difficult for automated tools. Even if a phishing domain is reported and taken down, the group quickly spins up new ones, keeping the campaign persistent and adaptable. The strategy effectively combines social engineering with technical sophistication, making even experienced users vulnerable. Given the scale and complexity of this campaign, users must avoid clicking unverified Discord links, use verified bots only, and always scrutinize wallet transaction prompts before signing anything.

GenAI and Cloud App Misuse Drive Rising Cyber Risk in Healthcare Sector

Cyberattacks against the healthcare sector are on the rise, fueled by growing dependence on cloud applications and the rapid adoption of generative AI tools in day-to-day operations. According to the Netskope Threat Labs 2025 report, attackers increasingly use trusted cloud services, including GitHub, OneDrive, Google Drive, and Amazon S3, to deliver malware, with GitHub alone linked to monthly malware downloads in 13% of healthcare organizations. These platforms are abused because of their widespread use and trusted status, which makes it easier for malicious content to slip past defenses. At the same time, the mishandling of sensitive and regulated data continues to be the sector's top concern, with 81% of data policy violations involving uploads to unauthorized or personal cloud services. Patient records, intellectual property, and even source code are often exposed through improper use of these tools without adequate oversight. The rising integration of genAI tools further compounds the risk. Nearly 90% of healthcare organizations now use genAI, most embedding these capabilities directly into workflows and using organizational data to train the models. While these tools promise operational benefits, they also introduce new pathways for data leaks and regulatory violations, especially when users turn to personal accounts, which are still used by 71% of healthcare staff despite a slight decline. ChatGPT leads genAI adoption in the sector, followed by platforms like Google Gemini, but many others are being blocked due to privacy concerns. In response, healthcare providers are increasingly deploying Data Loss Prevention (DLP) solutions, with usage up to 54%, along with measures like Remote Browser Isolation and strict app access controls. Still, the ongoing use of unmanaged genAI tools and cloud storage solutions leaves the sector exposed.
To prevent further breaches, the focus must remain on strengthening data governance, inspecting all downloads, and limiting app access based on clear business needs.

Critical AWS Amplify Studio Vulnerability Allows Authenticated Code Execution

A critical vulnerability in AWS Amplify Studio, tracked as CVE-2025-4318, has been identified and patched by Amazon on May 5, 2025. The issue lies within the amplify-codegen-ui package, a core module responsible for generating front-end code from UI Builder components used in the Amplify Studio interface and the AWS CLI. The flaw stems from insufficient input validation in the expression-binding process when importing component schemas, which allows an authenticated user to inject and execute arbitrary JavaScript code during rendering and build. This vulnerability affects version 2.20.2 and earlier and has been assigned a CVSS v4 score of 9.5, underscoring its potential for high-impact exploitation. A malicious user with permissions to modify or create components could exploit this to compromise backend systems, exfiltrate data, disrupt services, or embed malicious code that spreads through the development pipeline. Although no active exploitation was detected before patching, and there is currently no evidence that CVE-2025-4318 is being exploited in the wild, the vulnerability presents a serious risk, especially in collaborative environments where multiple users edit components. It could open the door to supply chain attacks if left unpatched, allowing compromised components to affect downstream applications. AWS has released version 2.20.3 of amplify-codegen-ui to address the flaw and urges customers to upgrade immediately. Organizations should also audit all custom components for unexpected code, restrict edit access to trusted users, and apply the fix to any forked codebases. For additional protection, monitoring build logs, enabling API tracking with CloudTrail, and scanning imported component schemas for untrusted scripts are recommended. This incident reinforces the need for strong input validation and strict permission controls in low-code development tools that automate front-end code generation.
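The audit and schema-scanning recommendations above can be automated as a pre-import gate. The following is an added example, not code from AWS or from the amplify-codegen-ui project: it walks a component schema and flags any string that looks like JavaScript rather than data, and any value in a slot that should hold a plain identifier but does not. The schema layout used here (componentType, properties, bindingProperties, children) is a constructed approximation of the UI Builder format, the set of keys treated as identifier slots is an assumption, and both sample components are constructed.

```python
"""Pre-import scan of a UI Builder component schema for code-like binding values.

Added example, not AWS code. The schema shape and the IDENTIFIER_KEYS set are
assumptions; the two sample components are constructed."""
import json
import re

# Slots that should only ever hold a plain identifier (model name, field name, property name)
IDENTIFIER_KEYS = {"property", "field", "userAttribute", "componentType", "name", "model"}
IDENTIFIER = re.compile(r"^[A-Za-z_$][\w$]*$")

# Constructs that have no business inside a data value; any one is enough to flag the string
CODE_PATTERNS = [
    (re.compile(p, re.I), label) for p, label in [
        (r"\brequire\s*\(", "CommonJS require"),
        (r"\bimport\s*\(", "dynamic import"),
        (r"\bprocess\.", "process object access"),
        (r"\bchild_process\b", "child_process module"),
        (r"\beval\s*\(", "eval"),
        (r"\bnew\s+Function\s*\(", "Function constructor"),
        (r"\bfetch\s*\(", "network call"),
        (r"\$\{", "template interpolation"),
        (r"\)\s*=>|\bfunction\s*\(", "function definition"),
        (r"`", "backtick"),
    ]
]


def _walk(node, path):
    """Yield (path, string) for every string leaf in a nested JSON structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, path + [key])
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, path + [str(i)])
    elif isinstance(node, str):
        yield path, node


def scan_schema(schema):
    """Return (location, reason, offending text) triples; an empty list means nothing was flagged."""
    findings = []
    for path, text in _walk(schema, []):
        location = "/".join(path)
        key = path[-1] if path else ""
        if key in IDENTIFIER_KEYS and not IDENTIFIER.match(text):
            findings.append((location, "non-identifier in identifier slot", text))
            continue
        for rx, label in CODE_PATTERNS:
            if rx.search(text):
                findings.append((location, label, text))
                break
    return findings


def scan_schema_text(raw_json):
    """Convenience wrapper for a schema exported as a JSON document."""
    return scan_schema(json.loads(raw_json))


# Constructed sample: a benign Text component bound to a User model
SAFE_COMPONENT = {
    "componentType": "Text",
    "name": "GreetingText",
    "properties": {"label": {"value": "Welcome back"}, "color": {"value": "#333333"}},
    "bindingProperties": {"user": {"type": "Data", "bindingProperties": {"model": "User"}}},
    "children": [],
}

# Constructed sample: the same component with code smuggled into a binding field and a child label
SUSPICIOUS_COMPONENT = json.loads(json.dumps(SAFE_COMPONENT))  # deep copy
SUSPICIOUS_COMPONENT["properties"]["label"] = {
    "bindingProperties": {"property": "user", "field": "name + require('os').hostname()"}
}
SUSPICIOUS_COMPONENT["children"].append({
    "componentType": "Text", "name": "Footer",
    "properties": {"label": {"value": "`${process.env.SECRET}`"}},
})

if __name__ == "__main__":
    for component in (SAFE_COMPONENT, SUSPICIOUS_COMPONENT):
        hits = scan_schema(component)
        print(f"{component['name']}: {len(hits)} finding(s)")
        for location, reason, text in hits:
            print(f"  {location}: {reason}: {text!r}")
```

Run this over every schema before it is imported (or in CI over the repository the schemas live in) and fail the job on any finding; the identifier check is the stronger of the two, because a binding slot that is not a bare identifier is wrong regardless of whether the pattern list recognises the payload.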

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.