New Windows zero-day exploited by 11 state hacking groups since 2017 in campaigns globally and in the EU
- At least 11 state-supported hacking groups from North Korea, Iran, Russia, and China have been using a Windows vulnerability for data theft and cyber espionage attacks since 2017. Researchers from Trend Micro's Zero Day Initiative reported that Microsoft labeled this vulnerability as "not meeting the bar for servicing" in late September 2024 and decided not to release security updates for it.
- The researchers found almost a thousand Shell Link (.lnk) samples that exploit the vulnerability, tracked as ZDI-CAN-25373, and believe the actual number of exploitation attempts is likely much higher. They submitted a proof-of-concept exploit to Microsoft, but the company declined to address the vulnerability with a security patch.
- Microsoft has not yet assigned a CVE-ID to this vulnerability; Trend Micro is tracking it internally as ZDI-CAN-25373. The flaw allows attackers to run arbitrary code on affected Windows systems. The researchers noted that many state-sponsored threat groups and cybercriminal gangs, including Evil Corp, APT43, Bitter, APT37, Mustang Panda, SideWinder, and RedHotel, have used it in widespread attacks.
- The attacks have primarily targeted North America, South America, Europe, East Asia, and Australia. About 70% of the attacks were aimed at espionage and information theft, while only 20% were financially motivated.
- ZDI-CAN-25373 stems from a User Interface (UI) Misrepresentation of Critical Information (CWE-451) issue: attackers abuse how Windows displays shortcut (.lnk) files to execute code on vulnerable devices without the user being aware. The malicious command-line arguments are hidden inside the .lnk file by padding them with whitespace.
- The padding can use several whitespace characters, such as the hex codes for Space, Horizontal Tab, Line Feed, Vertical Tab, Form Feed, and Carriage Return. When a user inspects a crafted .lnk file, the harmful arguments stay out of view because of the extra whitespace, which hinders detection.
- User interaction is needed to exploit this vulnerability: victims must visit a malicious website or open a harmful file. The crafted .lnk file hides the dangerous content from view, enabling attackers to run code in the context of the current user.
- This vulnerability is similar to CVE-2024-43461, where 26 encoded braille whitespace characters were used to hide malicious HTA files. Microsoft patched CVE-2024-43461 in September 2024; the Void Banshee hacking group had used it in attacks against organizations in North America, Europe, and Southeast Asia.
- A Microsoft spokesperson later stated that the company is considering addressing the vulnerability in the future. Microsoft has existing defenses to detect and block related threats and recommends that users be cautious when downloading files from unknown sources. Although the issue doesn't meet its immediate severity guidelines, Microsoft may address it in future updates.
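A defender-side check for the whitespace padding described above, added here as an example and not code from the article or from Trend Micro's ZDI: it walks a .lnk file's header and StringData section just far enough to extract the command-line arguments field, then flags long runs of the six padding characters. The field offsets follow the public MS-SHLLINK layout, the 32-character threshold is an assumed tuning value, and the .lnk bytes produced by `make_test_lnk` are a constructed fixture, not a real sample.

```python
import struct
# MS-SHLLINK LinkFlags bits used below (assumed from the public spec)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 1 << 0, 1 << 1
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 1 << 2, 1 << 3, 1 << 4
HAS_ARGUMENTS, IS_UNICODE = 1 << 5, 1 << 7
PADDING_CHARS = " \t\n\x0b\x0c\r"   # the six whitespace forms named in the article

def lnk_arguments(data):
    """Walk a .lnk just far enough to return its COMMAND_LINE_ARGUMENTS (or None)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C                      # fixed-size ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # IDListSize + list
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]       # LinkInfoSize
    args = None
    # StringData entries appear in this fixed order, each only if its flag is set
    for bit in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]      # CountCharacters
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        pos += width * count
        text = raw.decode("utf-16-le" if width == 2 else "latin-1")
        if bit == HAS_ARGUMENTS:
            args = text
    return args

def padding_run(args):
    """Length of the longest run of padding whitespace inside the arguments."""
    best = cur = 0
    for ch in args:
        cur = cur + 1 if ch in PADDING_CHARS else 0
        best = max(best, cur)
    return best

def is_suspicious(data, threshold=32):
    """Flag a shortcut whose arguments hold a whitespace run a properties dialog would hide."""
    args = lnk_arguments(data)
    return args is not None and padding_run(args) >= threshold

def make_test_lnk(args):
    """Constructed fixture: a minimal header plus one Unicode arguments string."""
    header = struct.pack("<I", 0x4C) + bytes(16) + struct.pack("<I", HAS_ARGUMENTS | IS_UNICODE)
    header += bytes(0x4C - len(header))   # remaining header fields zeroed
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")
```

Real samples also carry LinkTargetIDList and LinkInfo blocks, which the walker skips by their size fields; the threshold should be tuned against a corpus of known-good shortcuts before use in a pipeline.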