Play ransomware group exploits known vulnerabilities in targeted campaign against U.S. entities

The Play ransomware group just dropped a new list of victims, hitting US manufacturing, real estate, and engineering firms hard. Companies like Baum Precision Machining, Anderson Aluminum, and Promark Partners were compromised through common, unpatched vulnerabilities. This is a critical wake-up call for every security leader, especially those running Fortinet VPNs or on-prem Exchange servers.

Over the past few weeks, Play’s leak site has claimed successful attacks against:

  • Baum Precision Machining
  • Anderson Aluminum
  • Energy Fishing & Rental Services
  • Celtic Engineering
  • Edwards Interiors
  • Promark Partners

Their attack chain is consistent, effective, and entirely preventable. Here’s their playbook, stripped of the jargon:

HOW THEY GET IN: They aren’t using secret zero-days. Play is relentlessly exploiting old Fortinet SSL-VPN flaws (like CVE-2018-13379) and the ProxyNotShell vulnerabilities in Microsoft Exchange. Your unpatched edge infrastructure is their open front door.

HOW THEY TAKE OVER: Once inside, it’s a race to become Domain Admin. They dump credentials from memory (LSASS) using tools like Mimikatz and go after your Active Directory database (NTDS.dit) for offline password cracking. They use tools like AdFind to map your entire domain structure in minutes.

HOW THEY SPREAD: With admin credentials in hand, they live off the land. They use standard admin tools like PsExec and RDP to move laterally across your network, deploying tools and seeking high-value data while looking like any other system administrator.

HOW THEY STEAL & ENCRYPT: Before deploying the final payload, they steal your crown jewels. Using tools like WinSCP, they exfiltrate gigabytes of your sensitive data to their own servers. This is the setup for their double-extortion threat. Only then do they deploy the encryptor, adding the .play extension and leaving a ransom note designed to create confusion and pressure.

This isn’t magic; it’s a methodology that preys on security gaps. Here’s how you counter their playbook:

  • PATCH YOUR SYSTEMS. Yesterday. Especially internet-facing Fortinet and Exchange servers. This is step one and the most critical.
  • MONITOR FOR CREDENTIAL THEFT. Tune your EDR to detect and block LSASS memory dumping and alert on suspicious reconnaissance activity from tools like AdFind.
  • SEGMENT YOUR NETWORK. Don’t let a single breach give an attacker the keys to the entire kingdom. Restrict server-to-server communication.
  • WATCH YOUR DATA EGRESS. A large, unexpected outbound data transfer is a massive red flag for exfiltration. Know what normal looks like and alert on deviations.
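To make the second and fourth countermeasures concrete, here is an added example (not code from the original post) of a toy detection pass over constructed Sysmon-style telemetry: it flags non-allowlisted processes opening lsass.exe with memory-read rights, AdFind-style enumeration command lines, and outbound transfers far above a host's baseline. The event field names, the allowlist, and the egress thresholds are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict

LSASS_VM_READ = 0x0010  # PROCESS_VM_READ bit: needed to read LSASS memory
LSASS_ALLOWED = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}  # hypothetical
ADFIND_RE = re.compile(r"\badfind(\.exe)?\b|objectcategory=|-sc\s+trustdmp", re.I)
EGRESS_FACTOR, EGRESS_FLOOR = 10, 1 * 1024**3  # alert at 10x baseline and at least 1 GiB

def check_lsass_access(ev):
    """Sysmon EID 10: a non-allowlisted process opened lsass.exe with read rights."""
    if ev.get("event_id") != 10 or not ev["target_image"].lower().endswith("\\lsass.exe"):
        return None
    if int(ev["granted_access"], 16) & LSASS_VM_READ and ev["source_image"].lower() not in LSASS_ALLOWED:
        return f"{ev['host']}: LSASS read access by {ev['source_image']} ({ev['granted_access']})"
    return None

def check_adfind(ev):
    """Sysmon EID 1: command line looks like AdFind domain enumeration."""
    if ev.get("event_id") == 1 and ADFIND_RE.search(ev["command_line"]):
        return f"{ev['host']}: AdFind-style AD enumeration: {ev['command_line']}"
    return None

def check_egress(flows, baseline):
    """Sum outbound bytes per (host, destination); flag totals far above the host's daily norm."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["host"], f["dst"])] += f["bytes_out"]
    return [f"{h}: {b / 1024**3:.1f} GiB sent to {d} (baseline {baseline.get(h, 0) / 1024**3:.2f} GiB/day)"
            for (h, d), b in totals.items()
            if b >= EGRESS_FLOOR and b >= EGRESS_FACTOR * baseline.get(h, 0)]

def run_detections(events, flows, baseline):
    alerts = [a for ev in events for a in (check_lsass_access(ev), check_adfind(ev)) if a]
    return alerts + check_egress(flows, baseline)

# Constructed sample telemetry (not real indicators); addresses are documentation ranges.
EVENTS = [
    {"host": "ws01", "event_id": 10, "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1400"},
    {"host": "ws01", "event_id": 10, "source_image": r"C:\Users\Public\svc.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"host": "ws01", "event_id": 1, "command_line": 'adfind.exe -f "(objectcategory=person)" > ad_users.txt'},
    {"host": "ws02", "event_id": 1, "command_line": "ping.exe -n 1 dc01"},
]
FLOWS = [{"host": "fs01", "dst": "203.0.113.10", "bytes_out": 6 * 1024**3},
         {"host": "fs01", "dst": "198.51.100.5", "bytes_out": 50 * 1024**2}]
BASELINE = {"fs01": 200 * 1024**2}  # typical outbound volume per day: 200 MiB

if __name__ == "__main__":
    for alert in run_detections(EVENTS, FLOWS, BASELINE):
        print("ALERT", alert)
```

Running it on the constructed data yields three alerts: the 0x1010 LSASS access from an unknown binary, the AdFind enumeration, and the 6 GiB transfer from fs01; the csrss.exe handle, the ping, and the small transfer stay silent.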

APT Play is winning by exploiting the basics. Don’t let them win on your network.

#CyberSecurity #ThreatIntel #Ransomware #PlayRansomware #InfoSec #CyberAttack #VulnerabilityManagement #Fortinet #MicrosoftExchange #BlueTeam #DFIR #CISO