
New Windows zero-day exploited since 2017

Newsgroups comp.os.linux.advocacy, alt.comp.os.windows-11
From CrudeSausage <crude@sausa.ge>
Subject New Windows zero-day exploited since 2017
Message-ID <c4nCP.14311$cYP6.3064@fx08.iad> (permalink)
Organization usenet-news.net
Date 2025-03-18 19:11 -0400



Is there even such a thing as security if you use Windows?

<https://www.bleepingcomputer.com/news/security/new-windows-zero-day-exploited-by-11-state-hacking-groups-since-2017/>

At least 11 state-backed hacking groups from North Korea, Iran, Russia, 
and China have been exploiting a new Windows vulnerability in data theft 
and cyber espionage zero-day attacks since 2017.

However, as security researchers Peter Girnus and Aliakbar Zahravi with 
Trend Micro's Zero Day Initiative (ZDI) reported today, Microsoft tagged 
it as "not meeting the bar servicing" in late September and said it 
wouldn't release security updates to address it.

"We discovered nearly a thousand Shell Link (.lnk) samples that exploit 
ZDI-CAN-25373; however, it is probable that the total number of 
exploitation attempts are much higher," they said. "Subsequently, we 
submitted a proof-of-concept exploit through Trend ZDI's bug bounty 
program to Microsoft, who declined to address this vulnerability with a 
security patch."

A Microsoft spokesperson was not immediately available for comment when 
contacted by BleepingComputer earlier today.

While Microsoft has yet to assign a CVE-ID to this vulnerability, Trend 
Micro is tracking it internally as ZDI-CAN-25373 and said it enables 
attackers to execute arbitrary code on affected Windows systems.

As the researchers found while investigating in-the-wild ZDI-CAN-25373 
exploitation, the security flaw has been exploited in widespread attacks 
by many state-sponsored threat groups and cybercrime gangs, including 
Evil Corp, APT43 (Kimsuky), Bitter, APT37, Mustang Panda, SideWinder, 
RedHotel, Konni, and others.

Although the campaigns have targeted victims worldwide, they've been 
primarily focused on North America, South America, Europe, East Asia, 
and Australia. Out of all the attacks analyzed, nearly 70% were linked 
to espionage and information theft, while financial gain was the focus 
of only 20%.

[Figure: Map of countries targeted in ZDI-CAN-25373 attacks (Trend Micro)]

"Diverse malware payloads and loaders like Ursnif, Gh0st RAT, and 
Trickbot have been tracked in these campaigns, with malware-as-a-service 
(MaaS) platforms complicating the threat landscape," Trend Micro added.

The ZDI-CAN-25373 Windows zero-day
This newly discovered Windows vulnerability (tracked as ZDI-CAN-25373) 
is caused by a User Interface (UI) Misrepresentation of Critical 
Information (CWE-451) weakness, which allows attackers to exploit how 
Windows displays shortcut (.lnk) files to evade detection and execute 
code on vulnerable devices without the user's knowledge.

Threat actors exploit ZDI-CAN-25373 by hiding malicious command-line 
arguments within .LNK shortcut files using padded whitespaces added to 
the COMMAND_LINE_ARGUMENTS structure.

The researchers say these whitespaces can be in the form of hex codes 
for Space (\x20), Horizontal Tab (\x09), Linefeed (\x0A), Vertical Tab 
(\x0B), Form Feed (\x0C), and Carriage Return (\x0D) that can be used as 
padding.

If a Windows user inspects such a .lnk file, the malicious arguments are 
not displayed in the Windows user interface because of the added 
whitespaces. As a result, the command line arguments added by the 
attackers remain hidden from the user's view.

[Figure: Malicious arguments not showing in the Target field (Trend Micro)]

"User interaction is required to exploit this vulnerability in that the 
target must visit a malicious page or open a malicious file," a Trend 
Micro advisory issued today explains.

"Crafted data in an .LNK file can cause hazardous content in the file to 
be invisible to a user who inspects the file via the Windows-provided 
user interface. An attacker can leverage this vulnerability to execute 
code in the context of the current user."

This vulnerability is similar to another flaw tracked as CVE-2024-43461 
that enabled threat actors to use 26 encoded braille whitespace 
characters (%E2%A0%80) to camouflage HTA files that can download 
malicious payloads as PDFs. CVE-2024-43461 was found by Peter Girnus, a 
Senior Threat Researcher at Trend Micro's Zero Day, and patched by 
Microsoft during the September 2024 Patch Tuesday.
The Void Banshee APT hacking group exploited CVE-2024-43461 in zero-day 
attacks to deploy information-stealing malware in campaigns against 
organizations across North America, Europe, and Southeast Asia.

Update March 18, 13:46 EDT: A Microsoft spokesperson sent the following 
statement after publishing time, saying the company is considering 
addressing the flaw in the future:

We appreciate the work of ZDI in submitting this report under a 
coordinated vulnerability disclosure. Microsoft Defender has detections 
in place to detect and block this threat activity, and the Smart App 
Control provides an extra layer of protection by blocking malicious 
files from the Internet. As a security best practice, we encourage 
customers to exercise caution when downloading files from unknown 
sources as indicated in security warnings, which have been designed to 
recognize and warn users about potentially harmful files. While the UI 
experience described in the report does not meet the bar for immediate 
servicing under our severity classification guidelines, we will consider 
addressing it in a future feature release.
-- 
God be with you,

CrudeSausage
John 14:6
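The whitespace-padding trick described in the article, as an added defender-side example that is not part of the original post or of BleepingComputer's or Trend Micro's work: a minimal parser for the Shell Link (.lnk) layout that walks to the COMMAND_LINE_ARGUMENTS StringData field and flags a long leading run of the six whitespace codes the article lists, or any control whitespace at all. Field offsets and LinkFlags bits follow the MS-SHLLINK layout; build_lnk only constructs test files, and the 64-character threshold is an assumption.

```python
import struct

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK 2.1.1)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-000000000046}
PADDING = " \t\n\x0b\x0c\r"  # the six whitespace codes named in the article

def build_lnk(args, flags=HAS_ARGS | IS_UNICODE, id_list=b""):
    """Constructed minimal .lnk for testing: 76-byte header, optional IDList, one StringData field."""
    if id_list:
        flags |= HAS_ID_LIST
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # ShowCommand = SW_SHOWNORMAL
    body = struct.pack("<H", len(id_list)) + id_list if id_list else b""
    enc = "utf-16-le" if flags & IS_UNICODE else "cp1252"
    return header + body + struct.pack("<H", len(args)) + args.encode(enc)

def command_line_arguments(lnk):
    """Walk the Shell Link layout and return COMMAND_LINE_ARGUMENTS (None if absent)."""
    if len(lnk) < 76 or lnk[:4] != b"\x4c\x00\x00\x00" or lnk[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", lnk, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:                       # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", lnk, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize covers the whole structure
        pos += struct.unpack_from("<I", lnk, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    for bit in (HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS):   # fixed StringData order
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", lnk, pos)[0]   # CountCharacters, no terminator
        raw = lnk[pos + 2:pos + 2 + count * width]
        pos += 2 + count * width
        if bit == HAS_ARGS:
            return raw.decode("utf-16-le" if width == 2 else "cp1252")
    return None

def inspect_arguments(args, threshold=64):
    """Flag the padding trick: a long leading whitespace run, or control whitespace anywhere."""
    pad = len(args) - len(args.lstrip(PADDING))
    control = sum(args.count(c) for c in "\n\x0b\x0c\r")
    return {"padding": pad, "control_chars": control, "hidden": args[pad:],
            "suspicious": pad >= threshold or control > 0}

if __name__ == "__main__":
    samples = {"benign": "/k echo hello",                                   # constructed
               "padded": " " * 300 + "\t\r\n" + "/c placeholder-payload.exe"}  # constructed
    for label, a in samples.items():
        print(label, inspect_arguments(command_line_arguments(build_lnk(a))))
```

Real shortcuts usually carry an IDList and LinkInfo before the strings, which the parser skips by their size fields; run it over a directory of .lnk files and review anything reported as suspicious.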
