Saudi Arabia Archives

AppWizard

June 20, 2025

Embracer’s headcount dropped by 1.8k staff last year

Embracer Group has reduced its workforce by over 1,800 employees, specifically a decrease of 1,857 compared to the previous fiscal year. This follows approximately 1,400 job losses in the prior year. The company has also divested several studios, including Gearbox and Saber Interactive. Embracer is planning to split into three publicly-traded entities, and founder and CEO Lars Wingefors will step down, with Phil Rogers taking over as CEO. Wingefors will become executive chairman of the Board, focusing on strategic initiatives, mergers and acquisitions, and capital allocation.

Winsage

June 9, 2025

Why the ROG Xbox Ally and Ally X have Valve in their sights, not Nintendo

Microsoft has announced its first Xbox co-branded handheld devices, the ROG Xbox Ally and Ally X, in collaboration with Asus, set to launch in the holiday season of 2025. Pricing details are not yet available. The Xbox Ally is designed as a generalist device, while the Xbox Ally X targets high-performance gamers, both powered by AMD processors and equipped with Windows 11. They feature Xbox-branded buttons, a gaming interface, and access to Xbox Game Pass, along with the ability to stream console libraries via Xbox Cloud Gaming and Remote Play. The user interface is similar to that of Xbox consoles, with ergonomic grips inspired by Xbox controllers. Accessibility features from Xbox and Windows will be included, and the Xbox Play Anywhere initiative will allow games to function across PC, console, and cloud platforms. The launch will occur in multiple countries, including the US, UK, Japan, and several European nations, with plans to expand to additional territories. The devices aim to provide a unified gaming library for users with both PC and Xbox consoles, enhancing the existing ecosystem. The introduction of Windows 11 is highlighted as a key feature, offering access to games not available elsewhere. The ROG Xbox Ally and Ally X are positioned to compete with existing handhelds like the Steam Deck, with a focus on appealing to both console and PC gamers. Sales of Windows PC handhelds reached approximately 1.2 million units by the end of 2024.

AppWizard

June 5, 2025

New flagship smartphone makes PC gaming on mobile smoother than ever

RedMagic is set to launch its flagship gaming phone, the RedMagic 10S Pro, in global markets after its unveiling in China. The device features a Qualcomm Snapdragon 8 Elite Leading Version chipset and a dedicated RedCore R3 Pro gaming chip, allowing for enhanced gaming performance with up to 120FPS. It includes an advanced ICE-X cooling system with Liquid Metal 2.0 technology, which improves thermal management. The phone has a 6.85-inch BOE custom AMOLED 1.5K display with a 144Hz refresh rate and a peak brightness of 2,000 nits, alongside a 7,050 mAh battery supporting 80W wired charging. The camera system consists of a 50-megapixel main sensor, a 50-megapixel ultra-wide lens, and a 2-megapixel camera, plus a 16-megapixel front camera. Pricing for the RedMagic 10S Pro starts at €649 for the 12/256GB model and goes up to €999 for the 24GB/1TB model. Pre-orders will be available from June 12 to 17, 2025, with general sales starting on June 18. The phone will be available in various regions, including North America, Europe, Asia Pacific, GCC countries, Latin America, and the Middle East, with some countries receiving it at a later date.

Winsage

May 8, 2025

Windows 0-Day Vulnerability Exploited in Wild to Deploy Play ransomware

Threat actors associated with the Play ransomware operation exploited a zero-day vulnerability in Microsoft Windows, identified as CVE-2025-29824, before a patch was released on April 8, 2025. This vulnerability affects the Windows Common Log File System (CLFS) driver, allowing attackers to elevate their privileges to full system access. The Play ransomware group targeted an unnamed organization in the United States, likely gaining initial access through a public-facing Cisco Adaptive Security Appliance (ASA). During this intrusion, no ransomware payload was deployed; instead, the attackers used a custom information-stealing tool named Grixba. Microsoft attributed this activity to the threat group Storm-2460, known for deploying PipeMagic malware. The exploitation affected various sectors, including IT, real estate in the U.S., finance in Venezuela, software in Spain, and retail in Saudi Arabia. The vulnerability received a CVSS score of 7.8 and was addressed in Microsoft's April 2025 Patch Tuesday updates. The attack involved creating files in the path C:ProgramDataSkyPDF, injecting a DLL into the winlogon.exe process, extracting credentials from LSASS memory, creating new administrator users, and establishing persistence. The Play ransomware group has been active since June 2022 and employs double-extortion tactics. Organizations are urged to apply the security updates released on April 8, 2025, especially for vulnerable Windows versions, while Windows 11 version 24H2 is not affected due to existing security mitigations.

Winsage

May 7, 2025

Play ransomware affiliate leveraged zero-day to deploy malware

The Play ransomware gang exploited a critical vulnerability in the Windows Common Log File System, identified as CVE-2025-29824, which has a CVSS score of 7.8 and is categorized as a "Use after free" vulnerability. This flaw allows an authorized attacker to elevate privileges locally and has been confirmed to be exploited in real-world attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities catalog in April. Microsoft addressed this vulnerability during its April Patch Tuesday security updates, acknowledging its exploitation in limited attacks targeting various sectors in the U.S. and Saudi Arabia. Researchers from Symantec reported that the Play ransomware gang used the CVE-2025-29824 exploit in an attack against a U.S. organization before the public disclosure and patching of the vulnerability. The attackers utilized the Grixba infostealer tool and initially exploited a public-facing Cisco ASA firewall to gain entry. They deployed tools to gather information, escalated privileges using the CVE-2025-29824 exploit, and executed malicious scripts to steal credentials. The exploit took advantage of race conditions in driver memory handling, allowing kernel access and manipulation of files. Before the patch was released, the exploit was reportedly used by multiple threat actors, and Microsoft linked it to other malware.

Winsage

May 7, 2025

Play ransomware exploited Windows logging flaw in zero-day attacks

The Play ransomware gang exploited a critical vulnerability in the Windows Common Log File System, identified as CVE-2025-29824, to execute zero-day attacks, gaining SYSTEM privileges and deploying malware. Microsoft recognized this flaw and issued a patch during last month's Patch Tuesday. The gang targeted sectors including IT and real estate in the U.S., the financial sector in Venezuela, a Spanish software company, and retail in Saudi Arabia. They used the PipeMagic backdoor malware to deploy the CVE-2025-29824 exploit and install ransomware payloads. Symantec's Threat Hunter Team linked these activities to the Play ransomware-as-a-service operation, noting the use of the Grixba infostealer tool. The Play ransomware group, active since at least June 2022, employs double-extortion tactics and has compromised approximately 300 organizations globally as of October 2023. Notable victims include Rackspace, Arnold Clark, the City of Oakland, Dallas County, Antwerp, and Microchip Technology.

Winsage

April 10, 2025

Patch Tuesday leaves some users unable to login to Windows

A recent patch bundle released by Microsoft has caused login issues for some users of Windows Hello on Windows 11 and Server 2025, particularly those with System Guard Secure Launch or Dynamic Root of Trust for Measurement enabled. Affected users may need to reset their login PIN or biometric settings. The problematic patch is KB5055523, which addresses vulnerabilities including CVE-2025-29824, currently exploited by ransomware. Additionally, the March patch KB5053656 has been linked to various issues but also includes enhancements such as bug fixes and new features like Copilot+. Windows 10 users have now received a patch for the CVE-2025-29824 vulnerability.

Winsage

April 9, 2025

Microsoft patches zero-day actively exploited in string of ransomware attacks

Microsoft has addressed a zero-day vulnerability, CVE-2025-29824, exploited by the group Storm-2460, affecting the Windows Common Log File System (CLFS). This vulnerability has been linked to ransomware attacks on organizations in the U.S., Venezuela, Spain, and Saudi Arabia. Storm-2460 has targeted firms in the IT and real estate sectors in the U.S., a financial institution in Venezuela, a software company in Spain, and a retail business in Saudi Arabia. The exploitation allows attackers to escalate privileges from standard user accounts, facilitated by the PipeMagic malware, which has a CVSS score of 7.8. Microsoft has patched 32 CLFS vulnerabilities since 2022, with six exploited in the wild. This month's security update is Microsoft's fourth addressing over 100 vulnerabilities in the past year, with 18 affecting Microsoft Office products classified as high-severity.

Winsage

April 9, 2025

Patch Tuesday fixes an exploited bug, but not for Windows 10

Microsoft's Patch Tuesday updates addressed over 120 vulnerabilities, including one actively exploited flaw (CVE-2025-29824) and 11 critical issues. CVE-2025-29824 is an elevation of privilege vulnerability in the Windows Common Log File System Driver, targeted by the group Storm-2460 to deploy ransomware called PipeMagic, affecting victims in the US, Spain, Venezuela, and Saudi Arabia. This vulnerability has a CVSS score of 7.8 and allows attackers to escalate privileges due to a use-after-free flaw. Patches for Windows Server and Windows 11 have been released, but Windows 10 users are still awaiting a fix, with Microsoft promising updates soon. Among the critical vulnerabilities addressed, all allow for remote code execution (RCE). Notable vulnerabilities include: - CVE-2025-26670: LDAP Client RCE, Critical, CVSS 8.1 - CVE-2025-27752: Microsoft Excel RCE, Critical, CVSS 7.8 - CVE-2025-29791: Microsoft Excel RCE, Critical, CVSS 7.8 - CVE-2025-27745: Microsoft Office RCE, Critical, CVSS 7.8 - CVE-2025-27748: Microsoft Office RCE, Critical, CVSS 7.8 - CVE-2025-27749: Microsoft Office RCE, Critical, CVSS 7.8 - CVE-2025-27491: Windows Hyper-V RCE, Critical, CVSS 7.1 - CVE-2025-26663: Windows LDAP RCE, Critical, CVSS 8.1 - CVE-2025-27480: Windows RDP RCE, Critical, CVSS 8.1 - CVE-2025-27482: Windows RDP RCE, Critical, CVSS 8.1 - CVE-2025-26686: Windows TCP/IP RCE, Critical, CVSS 7.5 - CVE-2025-29809: Windows Kerberos Security Feature Bypass, Important, CVSS 7.1 Dustin Childs from ZDI noted that CVE-2025-29809 requires additional measures beyond standard patching. CVE-2025-26663 and CVE-2025-26670 are considered wormable, necessitating prompt updates, especially for networks exposing LDAP services. Adobe released over 50 fixes for vulnerabilities in products like Cold Fusion, After Effects, and Photoshop, with some issues in Cold Fusion classified as critical. AMD updated advisories regarding GPU access and various Ryzen AI software vulnerabilities.

Winsage

April 9, 2025

Exploitation of CLFS zero-day leads to ransomware activity

The Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) identified a zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS), designated as CVE-2025-29824. This vulnerability has been exploited by the PipeMagic malware, attributed to the group Storm-2460, affecting organizations in various sectors across the U.S., Venezuela, Spain, and Saudi Arabia. Microsoft released security updates on April 8, 2025, to address this vulnerability. The exploit allows attackers with standard user privileges to escalate their access, and it was executed from a dllhost.exe process. The exploit utilizes memory corruption techniques and the RtlSetAllBits API to gain all privileges and inject processes into SYSTEM processes. Post-exploitation, the attackers injected a payload into winlogon.exe, leading to ransomware activity characterized by file encryption and the creation of ransom notes. Indicators of compromise include the creation of a CLFS BLF file at C:ProgramDataSkyPDFPDUDrv.blf, command lines associated with ransomware activities, and specific domains linked to PipeMagic. Microsoft advises applying security updates promptly and recommends strategies for mitigating ransomware threats, including enabling cloud-delivered protection and utilizing device discovery.