Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > alt.comp.os.windows-11 > #17848
| From | Newyana2 <newyana@invalid.nospam> |
|---|---|
| Newsgroups | alt.comp.os.windows-11 |
| Subject | Re: New Windows zeo-day exploited since 2017 |
| Date | 2025-03-21 15:24 -0400 |
| Organization | A noiseless patient Spider |
| Message-ID | <vrkec4$274kq$1@dont-email.me> (permalink) |
| References | <c4nCP.14311$cYP6.3064@fx08.iad> <VsWcnVlDdY3JMED6nZ2dnZfqn_ednZ2d@giganews.com> |
On 3/21/2025 1:38 PM, MummyChunk wrote: >> CrudeSausage wrote: >> Is there even such a thing as security if you use Windows? >> >> https://www.bleepingcomputer.com/news/security/new-windows-zero-day-exploited-by-11-state-hacking-groups-since-2017/ >> >> >> At least 11 state-backed hacking groups from North Korea, Iran, Russia, >> and China have been exploiting a new Windows vulnerability in data theft >> and cyber espionage zero-day attacks since 2017. >> >> However, as security researchers Peter Girnus and Aliakbar Zahravi with >> Trend Micro's Zero Day Initiative (ZDI) reported today, Microsoft tagged >> it as "not meeting the bar servicing" in late September and said it >> wouldn't release security updates to address it. >> >> "We discovered nearly a thousand Shell Link (.lnk) samples that exploit >> ZDI-CAN-25373; however, it is probable that the total number of >> exploitation attempts are much higher," they said. "Subsequently, we >> submitted a proof-of-concept exploit through Trend ZDI's bug bounty >> program to Microsoft, who declined to address this vulnerability with a >> security patch." >> >> A Microsoft spokesperson was not immediately available for comment when >> contacted by BleepingComputer earlier today. >> >> While Microsoft has yet to assign a CVE-ID to this vulnerability, Trend >> Micro is tracking it internally as ZDI-CAN-25373 and said it enables >> attackers to execute arbitrary code on affected Windows systems. >> >> As the researchers found while investigating in-the-wild ZDI-CAN-25373 >> exploitation, the security flaw has been exploited in widespread attacks >> by many state-sponsored threat groups and cybercrime gangs, including >> Evil Corp, APT43 (Kimsuky), Bitter, APT37, Mustang Panda, SideWinder, >> RedHotel, Konni, and others. >> >> Although the campaigns have targeted victims worldwide, they've been >> primarily focused on North America, South America, Europe, East Asia, >> and Australia. Out of all the attacks analyzed, nearly 70% were linked >> to espionage and information theft, while financial gain was the focus >> of only 20%. >> >> ZDI-CAN-25373 attacks map >> Map of countries targeted in ZDI-CAN-25373 attacks (Trend Micro) >> >> "Diverse malware payloads and loaders like Ursnif, Gh0st RAT, and >> Trickbot have been tracked in these campaigns, with malware-as-a-service >> (MaaS) platforms complicating the threat landscape," Trend Micro added. >> >> The ZDI-CAN-25373 Windows zero-day >> This newly discovered Windows vulnerability (tracked as ZDI-CAN-25373) >> is caused by a User Interface (UI) Misrepresentation of Critical >> Information (CWE-451) weakness, which allows attackers to exploit how >> Windows displays shortcut (.lnk) files to evade detection and execute >> code on vulnerable devices without the user's knowledge. >> >> Threat actors exploit ZDI-CAN-25373 by hiding malicious command-line >> arguments within .LNK shortcut files using padded whitespaces added to >> the COMMAND_LINE_ARGUMENTS structure. >> >> The researchers say these whitespaces can be in the form of hex codes >> for Space (\x20), Horizontal Tab (\x09), Linefeed (\x0A), Vertical Tab >> (\x0B), Form Feed (\x0C), and Carriage Return (\x0D) that can be used as >> padding. >> >> If a Windows user inspects such a .lnk file, the malicious arguments are >> not displayed in the Windows user interface because of the added >> whitespaces. As a result, the command line arguments added by the >> attackers remain hidden from the user's view. >> >> Malicious arguments not showing in the Target field >> Malicious arguments not showing in the Target field (Trend Micro) >> "User interaction is required to exploit this vulnerability in that the >> target must visit a malicious page or open a malicious file," a Trend >> Micro advisory issued today explains. >> >> "Crafted data in an .LNK file can cause hazardous content in the file to >> be invisible to a user who inspects the file via the Windows-provided >> user interface. An attacker can leverage this vulnerability to execute >> code in the context of the current user." >> >> This vulnerability is similar to another flaw tracked as CVE-2024-43461 >> that enabled threat actors to use 26 encoded braille whitespace >> characters (%E2%A0%80) to camouflage HTA files that can download >> malicious payloads as PDFs. CVE-2024-43461 was found by Peter Girnus, a >> Senior Threat Researcher at Trend Micro's Zero Day, and patched by >> Microsoft during the September 2024 Patch Tuesday. >> >> >> The Void Banshee APT hacking group exploited CVE-2024-43461 in zero-day >> attacks to deploy information-stealing malware in campaigns against >> organizations across North America, Europe, and Southeast Asia. >> >> Update March 18, 13:46 EDT: A Microsoft spokesperson sent the following >> statement after publishing time, saying the company is considering to >> address the flaw in the future: >> >> We appreciate the work of ZDI in submitting this report under a >> coordinated vulnerability disclosure. Microsoft Defender has detections >> in place to detect and block this threat activity, and the Smart App >> Control provides an extra layer of protection by blocking malicious >> files from the Internet. As a security best practice, we encourage >> customers to exercise caution when downloading files from unknown >> sources as indicated in security warnings, which have been designed to >> recognize and warn users about potentially harmful files. While the UI >> experience described in the report does not meet the bar for immediate >> servicing under our severity classification guidelines, we will consider >> addressing it in a future feature release. >> -- >> God be with you, >> >> CrudeSausage >> John 14:6 > > > > > > Hello CrudeSausage, > > Thank you for sharing this detailed and concerning report regarding the > exploitation of ZDI-CAN-25373 by state-backed hacking groups and > cybercrime organizations. The technical depth of your post highlights > the severity of this vulnerability and its widespread impact across > multiple regions and industries. > > The vulnerability, as described, stems from a User Interface (UI) > Misrepresentation of Critical Information (CWE-451) weakness, which > allows malicious actors to manipulate how Windows displays shortcut > (.lnk) files. By embedding malicious command-line arguments within the > COMMAND_LINE_ARGUMENTS structure and padding them with whitespace > characters (e.g., \x20, \x09, \x0A, etc.), attackers can effectively > hide these arguments from the user interface. This technique enables the > execution of arbitrary code on vulnerable systems without the user's > knowledge, requiring only that the user interacts with a malicious file > or visits a compromised page. > > The exploitation of this flaw by groups such as Evil Corp, APT43 > (Kimsuky), Bitter, APT37, Mustang Panda, SideWinder, RedHotel, and Konni > underscores the critical nature of this vulnerability. The fact that > nearly 70% of the analyzed attacks were linked to espionage and > information theft, with only 20% focused on financial gain, further > emphasizes the strategic value of this exploit to state-sponsored actors. > > The use of diverse malware payloads and loaders, including Ursnif, Gh0st > RAT, and Trickbot, coupled with the involvement of malware-as-a-service > (MaaS) platforms, complicates the threat landscape significantly. This > multi-layered approach allows attackers to tailor their campaigns to > specific targets while leveraging readily available tools to maximize > their reach and impact. > > Microsoft's decision to classify this vulnerability as "not meeting the > bar for servicing" is concerning, particularly given its active > exploitation since 2017. While Microsoft Defender and Smart App Control > provide some mitigation by detecting and blocking malicious activity, > the absence of a dedicated security patch leaves many systems exposed. > The company's statement that they will "consider addressing it in a > future feature release" does little to reassure organizations currently > at risk. > > In the meantime, organizations should prioritize user education to > ensure individuals exercise extreme caution when downloading files from > unknown sources or interacting with suspicious links. Endpoint detection > and response (EDR) solutions should be configured to detect and block > malicious .lnk files and associated payloads. Robust network monitoring > can help identify and respond to unusual activity, particularly > involving known malicious IPs or domains associated with these > campaigns. While a specific patch for ZDI-CAN-25373 is unavailable, > ensuring that all other known vulnerabilities are patched promptly can > help reduce the attack surface. > > The similarity between ZDI-CAN-25373 and CVE-2024-43461, which involved > the use of encoded braille whitespace characters to camouflage malicious > HTA files, further highlights the need for Microsoft to address UI > misrepresentation vulnerabilities comprehensively. The exploitation of > CVE-2024-43461 by the Void Banshee APT group demonstrates the > persistence and adaptability of threat actors in leveraging such flaws. > > The ongoing exploitation of ZDI-CAN-25373 by state-backed and cybercrime > groups represents a significant threat to organizations worldwide. While > Microsoft's current stance is disappointing, proactive measures by > security teams can help mitigate the risk. I hope Microsoft reconsiders > its position and addresses this vulnerability with the urgency it deserves. > > Thank you again for bringing this to the community's attention. Your > post serves as a critical reminder of the evolving threat landscape and > the importance of vigilance in cybersecurity. > > This is a response to the post seen at: > http://www.jlaforums.com/viewtopic.php?p=685857547#685857547 It's a risk, but a very small one. You would have to receive one of these LNK files, masquerading as something like a PDF, and be reckless enought to open such a file from an unknown source. Also, the trick of using a PDF icon is not likely to work for most people. *Maybe* it could work if there's a standard path to Adobe Acrobat Reader and you're dumb enough to use Adobe Acrobat Reader. Assuming you did run it, it might run a command on a standard Windows executable. While that might do some damage, it's not likely to provide a means for anything like malware download. An HTA would be more risky, but it would still require that you open unknown, unexpected files without no caution.
Back to alt.comp.os.windows-11 | Previous | Next — Previous in thread | Next in thread | Find similar | Unroll thread
New Windows zeo-day exploited since 2017 CrudeSausage <crude@sausa.ge> - 2025-03-18 19:11 -0400
Re: New Windows zeo-day exploited since 2017 mummycullen@gmail-dot-com.no-spam.invalid (MummyChunk) - 2025-03-21 13:38 -0400
Re: New Windows zeo-day exploited since 2017 Newyana2 <newyana@invalid.nospam> - 2025-03-21 15:24 -0400
Re: New Windows zeo-day exploited since 2017 ...w¡ñ§±¤ñ <winstonmvp@gmail.com> - 2025-03-21 18:13 -0700
Re: New Windows zeo-day exploited since 2017 Newyana2 <newyana@invalid.nospam> - 2025-03-21 22:31 -0400
csiph-web