8-Year Old Windows Shortcut Zero-Day Exploited by 11 State-Sponsored Groups
- С сайта: Zero-Day(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Zero-Day(cybersecuritynews.com)
A critical Windows vulnerability that has been exploited since 2017 by state-sponsored threat actors has been uncovered recently by researchers.
The vulnerability, tracked as ZDI-CAN-25373, allows attackers to execute hidden malicious commands on victims’ machines by leveraging specially crafted Windows shortcut (.lnk) files.
This security flaw impacts how Windows displays the contents of shortcut files through its user interface.
When users inspect a compromised .lnk file, Windows fails to display the malicious commands hidden within, effectively hiding the true danger of the file.
This exploitation technique has been adopted widely by sophisticated threat actors for cyber espionage operations.
Trend Micro researchers noted nearly 1,000 malicious .lnk files exploit this vulnerability across various campaigns.
Their analysis revealed that 11 state-sponsored groups from North Korea, Iran, Russia, and China have been actively using this technique primarily for espionage and data theft operations.
North Korea is the most active exploiter of this vulnerability, accounting for nearly half of the state-sponsored actors leveraging the technique.
.webp)
Countries of state-sponsored APT groups exploiting ZDI-CAN-25373 (Source – Trend Micro)
This trend underscores the cross-collaboration and tool-sharing patterns within North Korea’s cyber program.
.webp)
Targeted sectors in exploitation of ZDI-CAN-25373 (Source – Trend Micro)
Organizations across government, financial, telecommunications, and private sectors have been primary targets of these attacks.
.webp)
Files exploiting ZDI-CAN-25373 countries by file submission origin (Source – Trend Micro)
The widespread abuse spans multiple continents, with significant activity detected in North America, Europe, and East Asia.
Exploitation Details
The technical basis of the exploit involves padding the COMMAND_LINE_ARGUMENTS structure within .lnk files with specific whitespace characters.
Attackers use Space (0x20), Horizontal Tab (0x09), Line Feed (0x0A), and Carriage Return (0x0D) characters to hide malicious commands from users viewing the file properties.
.webp)
Large amounts of Space characters within the COMMAND_LINE_ARGUMENTS structure (Source – Trend Micro)
Large amounts of these characters can be observed within the compromised files.
Some North Korean threat actors, such as Earth Manticore (APT37) and Earth Imp (Konni), have been using extremely large .lnk files – with sizes up to 70.1 MB – containing excessive whitespace and junk content to further evade detection.
Security teams can identify suspicious shortcuts using hunting queries such as:-
eventSubId:2 AND (processFilePath:\"*\\cmd.exe\" OR processFilePath:\"*\\powershell.exe\") AND parentFilePath:\"*.lnk\"
Microsoft has classified this vulnerability as low severity and does not plan to issue a security patch. Organizations are advised to implement proper security controls and remain vigilant against suspicious shortcut files to protect against this persistent threat.
#Cyber_Security_News #Windows #Zero-Day #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
8-Year Old Windows Shortcut Zero-Day Exploited by 11 State-Sponsored Groups
Author: Guru BaranA critical Windows vulnerability that has been exploited since 2017 by state-sponsored threat actors has been uncovered recently by researchers.
The vulnerability, tracked as ZDI-CAN-25373, allows attackers to execute hidden malicious commands on victims’ machines by leveraging specially crafted Windows shortcut (.lnk) files.
This security flaw impacts how Windows displays the contents of shortcut files through its user interface.
When users inspect a compromised .lnk file, Windows fails to display the malicious commands hidden within, effectively hiding the true danger of the file.
This exploitation technique has been adopted widely by sophisticated threat actors for cyber espionage operations.
Trend Micro researchers noted nearly 1,000 malicious .lnk files exploit this vulnerability across various campaigns.
Their analysis revealed that 11 state-sponsored groups from North Korea, Iran, Russia, and China have been actively using this technique primarily for espionage and data theft operations.
North Korea is the most active exploiter of this vulnerability, accounting for nearly half of the state-sponsored actors leveraging the technique.
Countries of state-sponsored APT groups exploiting ZDI-CAN-25373 (Source – Trend Micro)This trend underscores the cross-collaboration and tool-sharing patterns within North Korea’s cyber program.
Targeted sectors in exploitation of ZDI-CAN-25373 (Source – Trend Micro)Organizations across government, financial, telecommunications, and private sectors have been primary targets of these attacks.
Files exploiting ZDI-CAN-25373 countries by file submission origin (Source – Trend Micro)The widespread abuse spans multiple continents, with significant activity detected in North America, Europe, and East Asia.
Exploitation Details
The technical basis of the exploit involves padding the COMMAND_LINE_ARGUMENTS structure within .lnk files with specific whitespace characters.
Attackers use Space (0x20), Horizontal Tab (0x09), Line Feed (0x0A), and Carriage Return (0x0D) characters to hide malicious commands from users viewing the file properties.
Large amounts of Space characters within the COMMAND_LINE_ARGUMENTS structure (Source – Trend Micro)Large amounts of these characters can be observed within the compromised files.
Some North Korean threat actors, such as Earth Manticore (APT37) and Earth Imp (Konni), have been using extremely large .lnk files – with sizes up to 70.1 MB – containing excessive whitespace and junk content to further evade detection.
Security teams can identify suspicious shortcuts using hunting queries such as:-
eventSubId:2 AND (processFilePath:\"*\\cmd.exe\" OR processFilePath:\"*\\powershell.exe\") AND parentFilePath:\"*.lnk\"
Microsoft has classified this vulnerability as low severity and does not plan to issue a security patch. Organizations are advised to implement proper security controls and remain vigilant against suspicious shortcut files to protect against this persistent threat.
#Cyber_Security_News #Windows #Zero-Day #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
