Play (aka PlayCrypt) — Ransomware Threat Analysis & Defender Playbook
Prepared by CyberDudeBivash Threat Intelligence — updated Aug 31, 2025


Executive summary

Play is a closed ransomware crew (double-extortion) active since 2022 and among the most active actors through 2024–2025. A June 4, 2025 joint CISA/FBI/ACSC update put the victim count at ~900 organizations (as of May 2025) and documented fresh TTPs, including exploitation of the SimpleHelp RMM vulnerability (CVE-2024-57727) by actors tied to Play. CISA


How Play breaks in (Initial access — ATT&CK TA0001)

  • Known-vuln exploitation of internet-facing apps, especially FortiOS (CVE-2018-13379, CVE-2020-12812) and Microsoft Exchange ProxyNotShell (CVE-2022-41040, CVE-2022-41082). External RDP/VPN are also abused when exposed or weakly protected. CISA

  • 2025 pivot: initial-access brokers linked to Play mass-exploited SimpleHelp RMM (CVE-2024-57727) for RCE after the Jan 16, 2025 disclosure; CISA later issued a separate advisory on widespread ransomware abuse of this flaw. Patch or isolate versions ≤ 5.5.7. CISA+1


Tooling & tradecraft (Execution/Lateral, Discovery/Evasion)

  • Red-teamware & tunnels: Cobalt Strike, SystemBC, PsExec; distribution via GPO once domain-wide access is achieved. Mimikatz and credential searches follow the initial foothold. WinPEAS often appears in post-exploitation discovery. CISA

  • Recon & AV tamper: AdFind for AD queries; Grixba (custom .NET infostealer) for network/software inventory and AV scanning; GMER/IOBit/PowerTool to disable security tools and clear logs. CISA

  • Pressure ops: victims get unique contact emails (@gmx.de / @web.de) and often phone calls to staff/help desks to coerce payment. CISA

  • Grixba/VSS copy lineage: independent research previously documented Play’s Grixba and a shadow-copy data-theft tool—useful context for spotting older tradecraft in your telemetry. BleepingComputer


Data theft & crypto (Exfiltration/Impact)

  • Exfil path: data split and archived with WinRAR (.rar), then shipped via WinSCP to actor-controlled infra (Tor-hosted leak site for shaming if unpaid). CISA

  • Encryption details: AES+RSA hybrid with intermittent encryption (every other 0x100000-byte chunk), adds the .PLAY extension, and drops ReadMe.txt (commonly in C:\Users\Public\Music\). CISA

  • ESXi/Linux variant: powers off VMs, targets VM-related files (.vmdk, .vmem, etc.), writes PLAY_Readme.txt and even sets the ESXi welcome banner to the ransom note. CISA
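The intermittent-encryption stride above (every other 0x100000-byte chunk) leaves a measurable fingerprint: chunk-level entropy alternates between ciphertext-like and plaintext-like values. The following detector is an added example, not code from the advisory or from this post; it assumes the stride starts at file offset 0 and uses entropy thresholds (7.5 / 6.5 bits per byte) chosen here, not taken from any source.

```python
import math
import os

CHUNK = 0x100000  # stride reported for Play: every other 1 MiB chunk is encrypted

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, close to 8.0 for ciphertext or random bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = (data.count(b) for b in range(256))
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def chunk_classes(blob: bytes, chunk: int = CHUNK, high: float = 7.5, low: float = 6.5):
    """Label each full chunk 'H' (ciphertext-like), 'L' (plaintext-like) or '?' (ambiguous)."""
    labels = []
    for off in range(0, len(blob) - chunk + 1, chunk):   # a partial tail chunk is ignored
        e = shannon_entropy(blob[off:off + chunk])
        labels.append("H" if e >= high else "L" if e <= low else "?")
    return labels

def looks_intermittently_encrypted(blob: bytes, chunk: int = CHUNK, min_chunks: int = 4) -> bool:
    """True when full chunks strictly alternate H/L, the pattern the advisory describes.

    Assumption: the stride starts at offset 0. A fully encrypted file (all 'H') or an untouched
    file (all 'L') is deliberately NOT flagged here; those need other cues (extension, ransom note).
    """
    labels = chunk_classes(blob, chunk)
    if len(labels) < min_chunks or "?" in labels:
        return False
    return all(a != b for a, b in zip(labels, labels[1:]))

def make_sample(intermittent: bool, chunks: int = 4, chunk: int = CHUNK) -> bytes:
    """Constructed test data: plaintext-like chunks, with every other one replaced by random bytes."""
    plain = (b"2025-Q3 inventory line item, qty=12, site=WH-04\r\n" * (chunk // 48 + 1))[:chunk]
    parts = []
    for i in range(chunks):
        parts.append(os.urandom(chunk) if intermittent and i % 2 == 0 else plain)
    return b"".join(parts)

if __name__ == "__main__":
    print("intermittent sample flagged:", looks_intermittently_encrypted(make_sample(True)))
    print("plain sample flagged:", looks_intermittently_encrypted(make_sample(False)))
```

Run it over files carrying the .PLAY extension or over a sample of recently modified files on a suspect share; an alternating H/L pattern across several megabytes is rare in legitimate data.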


Hunting cues you can deploy today (behavior > hashes)

  • Edge & RMM: spikes of HTTP(S) requests to SimpleHelp endpoints on vulnerable builds; sudden RDP/VPN logons from new geos/ASNs; Exchange servers showing ProxyNotShell/OWASSRF-style artifacts. CISA, Microsoft

  • Post-exploitation combo: AdFind → WinPEAS → Cobalt Strike/SystemBC beacons → PsExec bursts → WinRAR + WinSCP egress. CISA

  • Play artifacts (Windows): creation of ReadMe.txt, high-volume rename/write bursts, intermittent encryption patterns, and activity under C:\Users\Public\Music\. CISA

  • ESXi telemetry: vim-cmd enumeration and mass VM power-off followed by access to /vmfs/volumes/; welcome banner changed to ransom text. CISA
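The post-exploitation combo is a sequence, so it hunts best as an ordered, per-host chain inside a time window rather than as four independent alerts. The correlator below is an added example, not code from the advisory or this post; the executable names it keys on are assumed typical file names for these tools, the sample telemetry is constructed, and the 12-hour window is a starting point to tune against your own baseline.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Ordered stages from the advisory's post-exploitation chain. Image names are assumed
# typical file names for these tools, not values taken from the advisory.
STAGES = [
    ("recon", {"adfind.exe", "winpeas.exe", "winpeasany.exe"}),
    ("lateral", {"psexec.exe", "psexesvc.exe"}),
    ("staging", {"rar.exe", "winrar.exe"}),
    ("egress", {"winscp.exe"}),
]

ProcEvent = namedtuple("ProcEvent", "ts host image")  # image = basename, lower-cased

def parse_events(lines):
    """Parse constructed 'ISO-timestamp host image' process-creation lines."""
    rows = (line.split() for line in lines)
    return [ProcEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")), host, img.lower())
            for ts, host, img in rows]

def find_play_chains(events, window=timedelta(hours=12)):
    """Map host -> [(stage, image)] for hosts where every stage occurs, in order, within `window`."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    hits = {}
    for host, evs in by_host.items():
        for start in range(len(evs)):          # try each event as the chain's first link
            stage, matched = 0, []
            for ev in evs[start:]:
                if ev.ts - evs[start].ts > window:
                    break
                if ev.image in STAGES[stage][1]:
                    matched.append((STAGES[stage][0], ev.image))
                    stage += 1
                    if stage == len(STAGES):
                        hits[host] = matched
                        break
            if host in hits:
                break
    return hits

# Constructed sample telemetry: SRV-FILE01 runs the full chain; WS-ADMIN07 only uses WinSCP.
SAMPLE_LOG = [
    "2025-08-30T01:02:00Z SRV-FILE01 adfind.exe",
    "2025-08-30T01:30:00Z SRV-FILE01 psexec.exe",
    "2025-08-30T03:10:00Z SRV-FILE01 rar.exe",
    "2025-08-30T03:45:00Z SRV-FILE01 winscp.exe",
    "2025-08-30T09:00:00Z WS-ADMIN07 winscp.exe",
]
```

Feed it Sysmon Event ID 1 or EDR process-creation records reduced to timestamp, host and image basename; a host that completes all four stages is a candidate for the Contain step of the playbook below, while the lone WinSCP run on the admin workstation correctly stays silent.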


High-impact mitigations (that actually cut risk)

  1. Patch the edge first: FortiOS KEVs, Exchange ProxyNotShell, and SimpleHelp CVE-2024-57727; if you ever ran ≤5.5.7, assume compromise and rotate creds used there. CISA+1

  2. Phishing-resistant MFA (FIDO2/WebAuthn) on VPN/RDP/help-desk; disable clientless VPN modes unless mandated. CISA

  3. RMM/Tunnel control: inventory and default-deny unapproved RMM; alert on first-use PsExec, SystemBC detections, and Plink SSH tunnels. CISA

  4. Exfil choke points: block/inspect SFTP/WinSCP from servers; DLP/egress rules for RAR exfil; Tor egress blocking. CISA

  5. Resilience: immutable/offline backups, cross-domain replication, and tested restores; practice double-extortion comms table-tops. CISA


Rapid response playbook (print-friendly)

  1. Contain: isolate suspected hosts; disable suspicious VPN/RDP sessions; geofence edge; temporarily block WinSCP/Tor egress.

  2. Preserve: snapshot servers/VMs; pull AD, Exchange, VPN, SimpleHelp, and EDR logs; mirror any exfil endpoints.

  3. Hunt: look for AdFind/WinPEAS, SystemBC/Cobalt Strike, PsExec GPO pushes, ReadMe.txt + .PLAY, WinRAR→WinSCP sequences. CISA

  4. Eradicate: patch KEVs; remove persistence (new admins, scheduled tasks, services); rotate creds (domain, VPN, service).

  5. Recover & notify: staged restore, extra egress controls; coordinate legal/PR; report to FBI/CISA per sector requirements. CISA


What’s new in 2025 (why this matters)

  • The SimpleHelp exploitation wave materially lowered the bar for intrusions and supply-chain style access into downstream customers; it remains in the CISA KEV and demands priority patching/segmentation. CISA

  • Play’s scale (≈900 victims) and phone-pressure tactics increase legal/compliance exposure even when encryption is contained. CISA


Sources / further reading

  • CISA/FBI/ACSC #StopRansomware: Play (updated Jun 4, 2025) — TTPs, tools, IOCs, ESXi YARA, ~900 victims. CISA+1

  • CISA AA25-163A (Jun 12, 2025) — Ransomware exploiting SimpleHelp CVE-2024-57727 at scale. CISA

  • Microsoft / CrowdStrike — Exchange ProxyNotShell/OWASSRF exploitation background. Microsoft

  • Trend Micro & BleepingComputer — SystemBC/Grixba, custom data-gathering & VSS tools. Trend Micro, BleepingComputer



#CyberDudeBivash #PlayRansomware #PlayCrypt #Ransomware #DoubleExtortion #SimpleHelp #ProxyNotShell #Fortinet #ESXi #MITREATTACK #DFIR #XDR #ThreatIntel