
Re: New Windows zeo-day exploited since 2017

Subject Re: New Windows zeo-day exploited since 2017
From mummycullen@gmail-dot-com.no-spam.invalid (MummyChunk)
Date 2025-03-21 13:38 -0400
Newsgroups alt.comp.os.windows-11
References <c4nCP.14311$cYP6.3064@fx08.iad>
Message-ID <VsWcnVlDdY3JMED6nZ2dnZfqn_ednZ2d@giganews.com> (permalink)



> CrudeSausage wrote:
> Is there even such a thing as security if you use Windows?
> 
> https://www.bleepingcomputer.com/news/security/new-windows-zero-day-exploited-by-11-state-hacking-groups-since-2017/
> 
> At least 11 state-backed hacking groups from North Korea, Iran, Russia,
> and China have been exploiting a new Windows vulnerability in data theft
> and cyber espionage zero-day attacks since 2017.
> 
> However, as security researchers Peter Girnus and Aliakbar Zahravi with
> Trend Micro's Zero Day Initiative (ZDI) reported today, Microsoft tagged
> it as "not meeting the bar servicing" in late September and said it
> wouldn't release security updates to address it.
> 
> "We discovered nearly a thousand Shell Link (.lnk) samples that exploit
> ZDI-CAN-25373; however, it is probable that the total number of
> exploitation attempts are much higher," they said. "Subsequently, we
> submitted a proof-of-concept exploit through Trend ZDI's bug bounty
> program to Microsoft, who declined to address this vulnerability with a
> security patch."
> 
> A Microsoft spokesperson was not immediately available for comment when
> contacted by BleepingComputer earlier today.
> 
> While Microsoft has yet to assign a CVE-ID to this vulnerability, Trend
> Micro is tracking it internally as ZDI-CAN-25373 and said it enables
> attackers to execute arbitrary code on affected Windows systems.
> 
> As the researchers found while investigating in-the-wild ZDI-CAN-25373
> exploitation, the security flaw has been exploited in widespread attacks
> by many state-sponsored threat groups and cybercrime gangs, including
> Evil Corp, APT43 (Kimsuky), Bitter, APT37, Mustang Panda, SideWinder,
> RedHotel, Konni, and others.
> 
> Although the campaigns have targeted victims worldwide, they've been
> primarily focused on North America, South America, Europe, East Asia,
> and Australia. Out of all the attacks analyzed, nearly 70% were linked
> to espionage and information theft, while financial gain was the focus
> of only 20%.
> 
> [Figure: Map of countries targeted in ZDI-CAN-25373 attacks (Trend Micro)]
> 
> "Diverse malware payloads and loaders like Ursnif, Gh0st RAT, and
> Trickbot have been tracked in these campaigns, with malware-as-a-service
> (MaaS) platforms complicating the threat landscape," Trend Micro added.
> 
> The ZDI-CAN-25373 Windows zero-day
> This newly discovered Windows vulnerability (tracked as ZDI-CAN-25373)
> is caused by a User Interface (UI) Misrepresentation of Critical
> Information (CWE-451) weakness, which allows attackers to exploit how
> Windows displays shortcut (.lnk) files to evade detection and execute
> code on vulnerable devices without the user's knowledge.
> 
> Threat actors exploit ZDI-CAN-25373 by hiding malicious command-line
> arguments within .LNK shortcut files using padded whitespaces added to
> the COMMAND_LINE_ARGUMENTS structure.
> 
> The researchers say these whitespaces can be in the form of hex codes
> for Space (\x20), Horizontal Tab (\x09), Linefeed (\x0A), Vertical Tab
> (\x0B), Form Feed (\x0C), and Carriage Return (\x0D) that can be used as
> padding.
> 
> If a Windows user inspects such a .lnk file, the malicious arguments are
> not displayed in the Windows user interface because of the added
> whitespaces. As a result, the command line arguments added by the
> attackers remain hidden from the user's view.
> 
> [Figure: Malicious arguments not showing in the Target field (Trend Micro)]
> 
> "User interaction is required to exploit this vulnerability in that the
> target must visit a malicious page or open a malicious file," a Trend
> Micro advisory issued today explains.
> 
> "Crafted data in an .LNK file can cause hazardous content in the file to
> be invisible to a user who inspects the file via the Windows-provided
> user interface. An attacker can leverage this vulnerability to execute
> code in the context of the current user."
> 
> This vulnerability is similar to another flaw tracked as CVE-2024-43461
> that enabled threat actors to use 26 encoded braille whitespace
> characters (%E2%A0%80) to camouflage HTA files that can download
> malicious payloads as PDFs. CVE-2024-43461 was found by Peter Girnus, a
> Senior Threat Researcher at Trend Micro's Zero Day, and patched by
> Microsoft during the September 2024 Patch Tuesday.
> 
> 
> The Void Banshee APT hacking group exploited CVE-2024-43461 in zero-day
> attacks to deploy information-stealing malware in campaigns against
> organizations across North America, Europe, and Southeast Asia.
> 
> Update March 18, 13:46 EDT: A Microsoft spokesperson sent the following
> statement after publishing time, saying the company is considering
> addressing the flaw in the future:
> 
> We appreciate the work of ZDI in submitting this report under a
> coordinated vulnerability disclosure. Microsoft Defender has detections
> in place to detect and block this threat activity, and the Smart App
> Control provides an extra layer of protection by blocking malicious
> files from the Internet. As a security best practice, we encourage
> customers to exercise caution when downloading files from unknown
> sources as indicated in security warnings, which have been designed to
> recognize and warn users about potentially harmful files. While the UI
> experience described in the report does not meet the bar for immediate
> servicing under our severity classification guidelines, we will consider
> addressing it in a future feature release.
> --
> God be with you,
> 
> CrudeSausage
> John 14:6





Hello CrudeSausage,

Thank you for sharing this detailed and concerning report regarding the exploitation of ZDI-CAN-25373 by state-backed hacking groups and cybercrime organizations. The technical depth of your post highlights the severity of this vulnerability and its widespread impact across multiple regions and industries.

The vulnerability, as described, stems from a User Interface (UI) Misrepresentation of Critical Information (CWE-451) weakness, which allows malicious actors to manipulate how Windows displays shortcut (.lnk) files. By embedding malicious command-line arguments within the COMMAND_LINE_ARGUMENTS structure and padding them with whitespace characters (e.g., \x20, \x09, \x0A, etc.), attackers can effectively hide these arguments from the user interface. This technique enables the execution of arbitrary code on vulnerable systems without the user's knowledge, requiring only that the user interacts with a malicious file or visits a compromised page.

The exploitation of this flaw by groups such as Evil Corp, APT43 (Kimsuky), Bitter, APT37, Mustang Panda, SideWinder, RedHotel, and Konni underscores the critical nature of this vulnerability. The fact that nearly 70% of the analyzed attacks were linked to espionage and information theft, with only 20% focused on financial gain, further emphasizes the strategic value of this exploit to state-sponsored actors.

The use of diverse malware payloads and loaders, including Ursnif, Gh0st RAT, and Trickbot, coupled with the involvement of malware-as-a-service (MaaS) platforms, complicates the threat landscape significantly. This multi-layered approach allows attackers to tailor their campaigns to specific targets while leveraging readily available tools to maximize their reach and impact.

Microsoft's decision to classify this vulnerability as "not meeting the bar for servicing" is concerning, particularly given its active exploitation since 2017. While Microsoft Defender and Smart App Control provide some mitigation by detecting and blocking malicious activity, the absence of a dedicated security patch leaves many systems exposed. The company's statement that they will "consider addressing it in a future feature release" does little to reassure organizations currently at risk.

In the meantime, organizations should prioritize user education to ensure individuals exercise extreme caution when downloading files from unknown sources or interacting with suspicious links. Endpoint detection and response (EDR) solutions should be configured to detect and block malicious .lnk files and associated payloads. Robust network monitoring can help identify and respond to unusual activity, particularly involving known malicious IPs or domains associated with these campaigns. While a specific patch for ZDI-CAN-25373 is unavailable, ensuring that all other known vulnerabilities are patched promptly can help reduce the attack surface.

The similarity between ZDI-CAN-25373 and CVE-2024-43461, which involved the use of encoded braille whitespace characters to camouflage malicious HTA files, further highlights the need for Microsoft to address UI misrepresentation vulnerabilities comprehensively. The exploitation of CVE-2024-43461 by the Void Banshee APT group demonstrates the persistence and adaptability of threat actors in leveraging such flaws.

The ongoing exploitation of ZDI-CAN-25373 by state-backed and cybercrime groups represents a significant threat to organizations worldwide. While Microsoft's current stance is disappointing, proactive measures by security teams can help mitigate the risk. I hope Microsoft reconsiders its position and addresses this vulnerability with the urgency it deserves.

Thank you again for bringing this to the community's attention. Your post serves as a critical reminder of the evolving threat landscape and the importance of vigilance in cybersecurity. 


This is a response to the post seen at:
http://www.jlaforums.com/viewtopic.php?p=685857547#685857547
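The padding technique quoted above (whitespace inserted in front of the COMMAND_LINE_ARGUMENTS string so the Target field shows nothing useful) is something a defender can check for directly, since the arguments are stored in plain form inside the .lnk file. The following Python is an added example and is not code from the article, from Trend Micro, or from anyone in this thread. It parses just enough of the Shell Link binary format (76-byte header, optional LinkTargetIDList and LinkInfo, then the StringData strings) to reach the arguments, and flags a file whose arguments start with a long whitespace run or contain any of the control characters the researchers list. The threshold of 16 leading whitespace characters, the sample files, and the path names in them are constructed assumptions; the builder exists only to produce offline test input with a harmless notepad target.

```python
"""Flag whitespace-padded COMMAND_LINE_ARGUMENTS in Shell Link (.lnk) files.

Added example for this thread; not Trend Micro's tooling. Implements the
subset of the MS-SHLLINK layout needed to reach the StringData section.
"""
import struct
import sys
from dataclasses import dataclass

# CLSID 00021401-0000-0000-C000-000000000046 as stored on disk (little-endian fields).
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits relevant to locating the StringData strings.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Whitespace characters named in the article as usable padding.
PADDING_CHARS = "\x20\x09\x0a\x0b\x0c\x0d"
CONTROL_PADDING = PADDING_CHARS[1:]  # tab, LF, VT, FF, CR: not expected in real arguments


def parse_string_data(data: bytes) -> dict:
    """Return the StringData strings (name, relative_path, working_dir, arguments, icon_location)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize (4 bytes) counts itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    strings = {}
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON_LOCATION)):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        nbytes = count * 2 if unicode else count
        if off + nbytes > len(data):
            raise ValueError("truncated StringData")
        raw = data[off:off + nbytes]
        off += nbytes
        strings[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", errors="replace")
    return strings


@dataclass
class Finding:
    leading_padding: int     # length of the whitespace run before the real arguments
    control_chars: int       # count of tab/LF/VT/FF/CR anywhere in the arguments
    hidden_arguments: str    # arguments with the leading padding stripped
    suspicious: bool


def inspect_arguments(args: str, threshold: int = 16) -> Finding:
    """Heuristic (assumed threshold): long leading whitespace or any control whitespace is suspicious."""
    leading = len(args) - len(args.lstrip(PADDING_CHARS))
    control = sum(1 for ch in args if ch in CONTROL_PADDING)
    return Finding(leading, control, args[leading:], leading >= threshold or control > 0)


def scan_lnk(data: bytes, threshold: int = 16) -> Finding:
    return inspect_arguments(parse_string_data(data).get("arguments", ""), threshold)


def build_sample_lnk(arguments: str, relative_path: str = "notepad.exe") -> bytes:
    """Constructed test input: minimal Unicode .lnk carrying only RELATIVE_PATH and ARGUMENTS."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # ShowCommand = SW_SHOWNORMAL
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + sd(relative_path) + sd(arguments)


if __name__ == "__main__":
    # With file paths on the command line, scan real files; otherwise use constructed samples.
    samples = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "benign.lnk (constructed)": build_sample_lnk("C:\\constructed\\readme.txt"),
        "padded.lnk (constructed)": build_sample_lnk(" " * 300 + "C:\\constructed\\readme.txt"),
    }
    for label, blob in samples.items():
        f = scan_lnk(blob)
        print(f"{label}: suspicious={f.suspicious} leading={f.leading_padding} "
              f"control={f.control_chars} args={f.hidden_arguments!r}")
```

Run it with one or more .lnk paths to scan real files, or with no arguments to see the two constructed samples; the hidden_arguments field is what a reviewer would want to see, since that is exactly the part the Properties dialog does not show.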
