| From | ...w¡ñ§±¤ñ <winstonmvp@gmail.com> |
|---|---|
| Newsgroups | alt.comp.os.windows-11 |
| Subject | Re: New Windows zeo-day exploited since 2017 |
| Date | 2025-03-21 18:13 -0700 |
| Organization | windowsunplugged.com |
| Message-ID | <vrl2rr$2ouuj$1@dont-email.me> (permalink) |
| References | <c4nCP.14311$cYP6.3064@fx08.iad> <VsWcnVlDdY3JMED6nZ2dnZfqn_ednZ2d@giganews.com> <vrkec4$274kq$1@dont-email.me> |
Newyana2 wrote on 3/21/2025 12:24 PM:
> On 3/21/2025 1:38 PM, MummyChunk wrote:
>> CrudeSausage wrote:
>>> Is there even such a thing as security if you use Windows?
>>>
>>> https://www.bleepingcomputer.com/news/security/new-windows-zero-day-exploited-by-11-state-hacking-groups-since-2017/
>>>
>>> At least 11 state-backed hacking groups from North Korea, Iran, Russia, and China have been exploiting a new Windows vulnerability in data theft and cyber espionage zero-day attacks since 2017.
>>>
>>> However, as security researchers Peter Girnus and Aliakbar Zahravi with Trend Micro's Zero Day Initiative (ZDI) reported today, Microsoft tagged it as "not meeting the bar servicing" in late September and said it wouldn't release security updates to address it.
>>>
>>> "We discovered nearly a thousand Shell Link (.lnk) samples that exploit ZDI-CAN-25373; however, it is probable that the total number of exploitation attempts are much higher," they said. "Subsequently, we submitted a proof-of-concept exploit through Trend ZDI's bug bounty program to Microsoft, who declined to address this vulnerability with a security patch."
>>>
>>> A Microsoft spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.
>>>
>>> While Microsoft has yet to assign a CVE-ID to this vulnerability, Trend Micro is tracking it internally as ZDI-CAN-25373 and said it enables attackers to execute arbitrary code on affected Windows systems.
>>>
>>> As the researchers found while investigating in-the-wild ZDI-CAN-25373 exploitation, the security flaw has been exploited in widespread attacks by many state-sponsored threat groups and cybercrime gangs, including Evil Corp, APT43 (Kimsuky), Bitter, APT37, Mustang Panda, SideWinder, RedHotel, Konni, and others.
>>>
>>> Although the campaigns have targeted victims worldwide, they've been primarily focused on North America, South America, Europe, East Asia, and Australia. Out of all the attacks analyzed, nearly 70% were linked to espionage and information theft, while financial gain was the focus of only 20%.
>>>
>>> [Image: Map of countries targeted in ZDI-CAN-25373 attacks (Trend Micro)]
>>>
>>> "Diverse malware payloads and loaders like Ursnif, Gh0st RAT, and Trickbot have been tracked in these campaigns, with malware-as-a-service (MaaS) platforms complicating the threat landscape," Trend Micro added.
>>>
>>> The ZDI-CAN-25373 Windows zero-day
>>>
>>> This newly discovered Windows vulnerability (tracked as ZDI-CAN-25373) is caused by a User Interface (UI) Misrepresentation of Critical Information (CWE-451) weakness, which allows attackers to exploit how Windows displays shortcut (.lnk) files to evade detection and execute code on vulnerable devices without the user's knowledge.
>>>
>>> Threat actors exploit ZDI-CAN-25373 by hiding malicious command-line arguments within .LNK shortcut files using padded whitespaces added to the COMMAND_LINE_ARGUMENTS structure.
>>>
>>> The researchers say these whitespaces can be in the form of hex codes for Space (\x20), Horizontal Tab (\x09), Linefeed (\x0A), Vertical Tab (\x0B), Form Feed (\x0C), and Carriage Return (\x0D) that can be used as padding.
>>>
>>> If a Windows user inspects such a .lnk file, the malicious arguments are not displayed in the Windows user interface because of the added whitespaces. As a result, the command line arguments added by the attackers remain hidden from the user's view.
>>>
>>> [Image: Malicious arguments not showing in the Target field (Trend Micro)]
>>>
>>> "User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file," a Trend Micro advisory issued today explains.
>>>
>>> "Crafted data in an .LNK file can cause hazardous content in the file to be invisible to a user who inspects the file via the Windows-provided user interface. An attacker can leverage this vulnerability to execute code in the context of the current user."
>>>
>>> This vulnerability is similar to another flaw tracked as CVE-2024-43461 that enabled threat actors to use 26 encoded braille whitespace characters (%E2%A0%80) to camouflage HTA files that can download malicious payloads as PDFs. CVE-2024-43461 was found by Peter Girnus, a Senior Threat Researcher at Trend Micro's Zero Day, and patched by Microsoft during the September 2024 Patch Tuesday.
>>>
>>> The Void Banshee APT hacking group exploited CVE-2024-43461 in zero-day attacks to deploy information-stealing malware in campaigns against organizations across North America, Europe, and Southeast Asia.
>>>
>>> Update March 18, 13:46 EDT: A Microsoft spokesperson sent the following statement after publishing time, saying the company is considering addressing the flaw in the future:
>>>
>>> We appreciate the work of ZDI in submitting this report under a coordinated vulnerability disclosure. Microsoft Defender has detections in place to detect and block this threat activity, and the Smart App Control provides an extra layer of protection by blocking malicious files from the Internet. As a security best practice, we encourage customers to exercise caution when downloading files from unknown sources as indicated in security warnings, which have been designed to recognize and warn users about potentially harmful files. While the UI experience described in the report does not meet the bar for immediate servicing under our severity classification guidelines, we will consider addressing it in a future feature release.
>>>
>>> --
>>> God be with you,
>>>
>>> CrudeSausage
>>> John 14:6
>>
>> Hello CrudeSausage,
>>
>> Thank you for sharing this detailed and concerning report regarding the exploitation of ZDI-CAN-25373 by state-backed hacking groups and cybercrime organizations. The technical depth of your post highlights the severity of this vulnerability and its widespread impact across multiple regions and industries.
>>
>> The vulnerability, as described, stems from a User Interface (UI) Misrepresentation of Critical Information (CWE-451) weakness, which allows malicious actors to manipulate how Windows displays shortcut (.lnk) files. By embedding malicious command-line arguments within the COMMAND_LINE_ARGUMENTS structure and padding them with whitespace characters (e.g., \x20, \x09, \x0A, etc.), attackers can effectively hide these arguments from the user interface. This technique enables the execution of arbitrary code on vulnerable systems without the user's knowledge, requiring only that the user interacts with a malicious file or visits a compromised page.
>>
>> The exploitation of this flaw by groups such as Evil Corp, APT43 (Kimsuky), Bitter, APT37, Mustang Panda, SideWinder, RedHotel, and Konni underscores the critical nature of this vulnerability. The fact that nearly 70% of the analyzed attacks were linked to espionage and information theft, with only 20% focused on financial gain, further emphasizes the strategic value of this exploit to state-sponsored actors.
>>
>> The use of diverse malware payloads and loaders, including Ursnif, Gh0st RAT, and Trickbot, coupled with the involvement of malware-as-a-service (MaaS) platforms, complicates the threat landscape significantly. This multi-layered approach allows attackers to tailor their campaigns to specific targets while leveraging readily available tools to maximize their reach and impact.
>>
>> Microsoft's decision to classify this vulnerability as "not meeting the bar for servicing" is concerning, particularly given its active exploitation since 2017. While Microsoft Defender and Smart App Control provide some mitigation by detecting and blocking malicious activity, the absence of a dedicated security patch leaves many systems exposed. The company's statement that they will "consider addressing it in a future feature release" does little to reassure organizations currently at risk.
>>
>> In the meantime, organizations should prioritize user education to ensure individuals exercise extreme caution when downloading files from unknown sources or interacting with suspicious links. Endpoint detection and response (EDR) solutions should be configured to detect and block malicious .lnk files and associated payloads. Robust network monitoring can help identify and respond to unusual activity, particularly involving known malicious IPs or domains associated with these campaigns. While a specific patch for ZDI-CAN-25373 is unavailable, ensuring that all other known vulnerabilities are patched promptly can help reduce the attack surface.
>>
>> The similarity between ZDI-CAN-25373 and CVE-2024-43461, which involved the use of encoded braille whitespace characters to camouflage malicious HTA files, further highlights the need for Microsoft to address UI misrepresentation vulnerabilities comprehensively. The exploitation of CVE-2024-43461 by the Void Banshee APT group demonstrates the persistence and adaptability of threat actors in leveraging such flaws.
>>
>> The ongoing exploitation of ZDI-CAN-25373 by state-backed and cybercrime groups represents a significant threat to organizations worldwide. While Microsoft's current stance is disappointing, proactive measures by security teams can help mitigate the risk. I hope Microsoft reconsiders its position and addresses this vulnerability with the urgency it deserves.
>>
>> Thank you again for bringing this to the community's attention. Your post serves as a critical reminder of the evolving threat landscape and the importance of vigilance in cybersecurity.
>>
>> This is a response to the post seen at:
>> http://www.jlaforums.com/viewtopic.php?p=685857547#685857547
>
> It's a risk, but a very small one. You would have to receive one of these LNK files, masquerading as something like a PDF, and be reckless enough to open such a file from an unknown source. Also, the trick of using a PDF icon is not likely to work for most people. *Maybe* it could work if there's a standard path to Adobe Acrobat Reader and you're dumb enough to use Adobe Acrobat Reader.
>
> Assuming you did run it, it might run a command on a standard Windows executable. While that might do some damage, it's not likely to provide a means for anything like malware download.
>
> An HTA would be more risky, but it would still require that you open unknown, unexpected files without any caution.

While the ZDI exploit is valid... neither CS (OP) nor MummyChunk may be the most credible sources, considering the profile pic for the latter appears to be the ever popular, all-knowing computer guru singer-fashion designer Jessica Simpson.

--
...w¡ñ§±¤ñ
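The quoted article describes the trick only in prose: the COMMAND_LINE_ARGUMENTS string of a .lnk is front-padded with Space/Tab/LF/VT/FF/CR so that the Properties dialog's Target field shows nothing but blanks. The following is an added example, not code from the original post, from Trend Micro's research or from Microsoft. It parses just enough of the Shell Link binary format (ShellLinkHeader, LinkTargetIDList, LinkInfo and StringData, as documented in MS-SHLLINK) to extract the arguments, then applies a simple padding heuristic. The 64-character threshold and the rule that any tab/LF/VT/FF/CR in shortcut arguments is suspicious are assumptions of this example, not figures from the page; the sample .lnk bytes are constructed in `build_test_lnk` and are deliberately not functional shortcuts (no IDList or LinkInfo, so Explorer has nothing to launch).

```python
"""Detect whitespace-padded COMMAND_LINE_ARGUMENTS in Shell Link (.lnk) files.

Added example for the thread above; not the original post's code and not
Trend Micro's detection logic. Parses the MS-SHLLINK layout far enough to
reach StringData and scores the arguments for the padding trick.
"""
import struct
import sys

LNK_HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 in its on-disk (little-endian) form
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x0001
HAS_LINK_INFO = 0x0002
HAS_NAME = 0x0004
HAS_RELATIVE_PATH = 0x0008
HAS_WORKING_DIR = 0x0010
HAS_ARGUMENTS = 0x0020
HAS_ICON_LOCATION = 0x0040
IS_UNICODE = 0x0080

# The whitespace bytes named in the article as padding characters.
PADDING_CHARS = "\x20\x09\x0a\x0b\x0c\x0d"
# Assumption of this example: more leading whitespace than the Target field
# can display pushes the real arguments out of view.
SUSPICIOUS_LEADING_WS = 64


def _read_string(data, offset, unicode):
    """Read one StringData entry: CountCharacters (u16) followed by the chars."""
    (count,) = struct.unpack_from("<H", data, offset)
    offset += 2
    if unicode:
        raw = data[offset:offset + count * 2]
        return raw.decode("utf-16-le"), offset + count * 2
    raw = data[offset:offset + count]
    return raw.decode("cp1252", errors="replace"), offset + count


def parse_lnk_strings(data):
    """Return the StringData fields of a .lnk as a dict (absent fields are None)."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    (header_size,) = struct.unpack_from("<I", data, 0)
    if header_size != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 20)
    offset = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (u16) + IDList
        (id_list_size,) = struct.unpack_from("<H", data, offset)
        offset += 2 + id_list_size
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        (link_info_size,) = struct.unpack_from("<I", data, offset)
        offset += link_info_size
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON_LOCATION)):
        if flags & bit:
            fields[name], offset = _read_string(data, offset, unicode)
        else:
            fields[name] = None
    return fields


def analyze_arguments(args):
    """Score a COMMAND_LINE_ARGUMENTS string for whitespace padding."""
    if not args:
        return {"suspicious": False, "leading_ws": 0, "control_ws": 0, "hidden": ""}
    stripped = args.lstrip(PADDING_CHARS)
    leading = len(args) - len(stripped)
    # Heuristic (assumption): genuine shortcuts do not carry control whitespace.
    control = sum(1 for c in args if c in PADDING_CHARS and c != " ")
    return {"suspicious": leading >= SUSPICIOUS_LEADING_WS or control > 0,
            "leading_ws": leading, "control_ws": control,
            "hidden": stripped.strip(PADDING_CHARS)}


def scan_lnk_bytes(data):
    """Parse a .lnk and return the padding verdict for its arguments."""
    return analyze_arguments(parse_lnk_strings(data)["arguments"])


def build_test_lnk(arguments, relative_path="app.exe"):
    """Constructed fixture: a minimal, non-functional .lnk carrying `arguments`."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))   # zero the remaining header fields

    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + s(relative_path) + s(arguments) + struct.pack("<I", 0)  # terminal ExtraData block


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, scan_lnk_bytes(fh.read()))
```

Run it against a directory of shortcuts with `python lnk_pad_check.py *.lnk`; a real file from Explorer carries an IDList and LinkInfo, which the parser skips by their declared sizes before reaching StringData. Treat the verdict as triage input, not a block decision: the heuristic catches only the padding variant the article describes, and very long but legitimate argument strings will need a human look at the `hidden` text it extracts.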
New Windows zeo-day exploited since 2017 CrudeSausage <crude@sausa.ge> - 2025-03-18 19:11 -0400
Re: New Windows zeo-day exploited since 2017 mummycullen@gmail-dot-com.no-spam.invalid (MummyChunk) - 2025-03-21 13:38 -0400
Re: New Windows zeo-day exploited since 2017 Newyana2 <newyana@invalid.nospam> - 2025-03-21 15:24 -0400
Re: New Windows zeo-day exploited since 2017 ...w¡ñ§±¤ñ <winstonmvp@gmail.com> - 2025-03-21 18:13 -0700
Re: New Windows zeo-day exploited since 2017 Newyana2 <newyana@invalid.nospam> - 2025-03-21 22:31 -0400