Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]


Groups > alt.comp.os.windows-11 > #17848

Re: New Windows zeo-day exploited since 2017

From Newyana2 <newyana@invalid.nospam>
Newsgroups alt.comp.os.windows-11
Subject Re: New Windows zeo-day exploited since 2017
Date 2025-03-21 15:24 -0400
Organization A noiseless patient Spider
Message-ID <vrkec4$274kq$1@dont-email.me> (permalink)
References <c4nCP.14311$cYP6.3064@fx08.iad> <VsWcnVlDdY3JMED6nZ2dnZfqn_ednZ2d@giganews.com>

Show all headers | View raw


On 3/21/2025 1:38 PM, MummyChunk wrote:
>> CrudeSausage wrote:
>> Is there even such a thing as security if you use Windows?
>>
>> https://www.bleepingcomputer.com/news/security/new-windows-zero-day-exploited-by-11-state-hacking-groups-since-2017/ 
>>
>>
>> At least 11 state-backed hacking groups from North Korea, Iran, Russia,
>> and China have been exploiting a new Windows vulnerability in data theft
>> and cyber espionage zero-day attacks since 2017.
>>
>> However, as security researchers Peter Girnus and Aliakbar Zahravi with
>> Trend Micro's Zero Day Initiative (ZDI) reported today, Microsoft tagged
>> it as "not meeting the bar servicing" in late September and said it
>> wouldn't release security updates to address it.
>>
>> "We discovered nearly a thousand Shell Link (.lnk) samples that exploit
>> ZDI-CAN-25373; however, it is probable that the total number of
>> exploitation attempts are much higher," they said. "Subsequently, we
>> submitted a proof-of-concept exploit through Trend ZDI's bug bounty
>> program to Microsoft, who declined to address this vulnerability with a
>> security patch."
>>
>> A Microsoft spokesperson was not immediately available for comment when
>> contacted by BleepingComputer earlier today.
>>
>> While Microsoft has yet to assign a CVE-ID to this vulnerability, Trend
>> Micro is tracking it internally as ZDI-CAN-25373 and said it enables
>> attackers to execute arbitrary code on affected Windows systems.
>>
>> As the researchers found while investigating in-the-wild ZDI-CAN-25373
>> exploitation, the security flaw has been exploited in widespread attacks
>> by many state-sponsored threat groups and cybercrime gangs, including
>> Evil Corp, APT43 (Kimsuky), Bitter, APT37, Mustang Panda, SideWinder,
>> RedHotel, Konni, and others.
>>
>> Although the campaigns have targeted victims worldwide, they've been
>> primarily focused on North America, South America, Europe, East Asia,
>> and Australia. Out of all the attacks analyzed, nearly 70% were linked
>> to espionage and information theft, while financial gain was the focus
>> of only 20%.
>>
>> ZDI-CAN-25373 attacks map
>> Map of countries targeted in ZDI-CAN-25373 attacks (Trend Micro)
>>
>> ​"Diverse malware payloads and loaders like Ursnif, Gh0st RAT, and
>> Trickbot have been tracked in these campaigns, with malware-as-a-service
>> (MaaS) platforms complicating the threat landscape," Trend Micro added.
>>
>> The ZDI-CAN-25373 Windows zero-day
>> This newly discovered Windows vulnerability (tracked as ZDI-CAN-25373)
>> is caused by a User Interface (UI) Misrepresentation of Critical
>> Information (CWE-451) weakness, which allows attackers to exploit how
>> Windows displays shortcut (.lnk) files to evade detection and execute
>> code on vulnerable devices without the user's knowledge.
>>
>> Threat actors exploit ZDI-CAN-25373 by hiding malicious command-line
>> arguments within .LNK shortcut files using padded whitespaces added to
>> the COMMAND_LINE_ARGUMENTS structure.
>>
>> The researchers say these whitespaces can be in the form of hex codes
>> for Space (\x20), Horizontal Tab (\x09), Linefeed (\x0A), Vertical Tab
>> (\x0B), Form Feed (\x0C), and Carriage Return (\x0D) that can be used as
>> padding.
>>
>> If a Windows user inspects such a .lnk file, the malicious arguments are
>> not displayed in the Windows user interface because of the added
>> whitespaces. As a result, the command line arguments added by the
>> attackers remain hidden from the user's view.
>>
>> Malicious arguments not showing in the Target field
>> Malicious arguments not showing in the Target field (Trend Micro)
>> "User interaction is required to exploit this vulnerability in that the
>> target must visit a malicious page or open a malicious file," a Trend
>> Micro advisory issued today explains.
>>
>> "Crafted data in an .LNK file can cause hazardous content in the file to
>> be invisible to a user who inspects the file via the Windows-provided
>> user interface. An attacker can leverage this vulnerability to execute
>> code in the context of the current user."
>>
>> This vulnerability is similar to another flaw tracked as CVE-2024-43461
>> that enabled threat actors to use 26 encoded braille whitespace
>> characters (%E2%A0%80) to camouflage HTA files that can download
>> malicious payloads as PDFs. CVE-2024-43461 was found by Peter Girnus, a
>> Senior Threat Researcher at Trend Micro's Zero Day​​​, and patched by
>> Microsoft during the September 2024 Patch Tuesday.
>>
>>
>> The Void Banshee APT hacking group exploited CVE-2024-43461 in zero-day
>> attacks to deploy information-stealing malware in campaigns against
>> organizations across North America, Europe, and Southeast Asia.
>>
>> Update March 18, 13:46 EDT: A Microsoft spokesperson sent the following
>> statement after publishing time, saying the company is considering to
>> address the flaw in the future:
>>
>> We appreciate the work of ZDI in submitting this report under a
>> coordinated vulnerability disclosure. Microsoft Defender has detections
>> in place to detect and block this threat activity, and the Smart App
>> Control provides an extra layer of protection by blocking malicious
>> files from the Internet. As a security best practice, we encourage
>> customers to exercise caution when downloading files from unknown
>> sources as indicated in security warnings, which have been designed to
>> recognize and warn users about potentially harmful files. While the UI
>> experience described in the report does not meet the bar for immediate
>> servicing under our severity classification guidelines, we will consider
>> addressing it in a future feature release.
>> -- 
>> God be with you,
>>
>> CrudeSausage
>> John 14:6
> 
> 
> 
> 
> 
> Hello CrudeSausage,
> 
> Thank you for sharing this detailed and concerning report regarding the 
> exploitation of ZDI-CAN-25373 by state-backed hacking groups and 
> cybercrime organizations. The technical depth of your post highlights 
> the severity of this vulnerability and its widespread impact across 
> multiple regions and industries.
> 
> The vulnerability, as described, stems from a User Interface (UI) 
> Misrepresentation of Critical Information (CWE-451) weakness, which 
> allows malicious actors to manipulate how Windows displays shortcut 
> (.lnk) files. By embedding malicious command-line arguments within the 
> COMMAND_LINE_ARGUMENTS structure and padding them with whitespace 
> characters (e.g., \x20, \x09, \x0A, etc.), attackers can effectively 
> hide these arguments from the user interface. This technique enables the 
> execution of arbitrary code on vulnerable systems without the user's 
> knowledge, requiring only that the user interacts with a malicious file 
> or visits a compromised page.
> 
> The exploitation of this flaw by groups such as Evil Corp, APT43 
> (Kimsuky), Bitter, APT37, Mustang Panda, SideWinder, RedHotel, and Konni 
> underscores the critical nature of this vulnerability. The fact that 
> nearly 70% of the analyzed attacks were linked to espionage and 
> information theft, with only 20% focused on financial gain, further 
> emphasizes the strategic value of this exploit to state-sponsored actors.
> 
> The use of diverse malware payloads and loaders, including Ursnif, Gh0st 
> RAT, and Trickbot, coupled with the involvement of malware-as-a-service 
> (MaaS) platforms, complicates the threat landscape significantly. This 
> multi-layered approach allows attackers to tailor their campaigns to 
> specific targets while leveraging readily available tools to maximize 
> their reach and impact.
> 
> Microsoft's decision to classify this vulnerability as "not meeting the 
> bar for servicing" is concerning, particularly given its active 
> exploitation since 2017. While Microsoft Defender and Smart App Control 
> provide some mitigation by detecting and blocking malicious activity, 
> the absence of a dedicated security patch leaves many systems exposed. 
> The company's statement that they will "consider addressing it in a 
> future feature release" does little to reassure organizations currently 
> at risk.
> 
> In the meantime, organizations should prioritize user education to 
> ensure individuals exercise extreme caution when downloading files from 
> unknown sources or interacting with suspicious links. Endpoint detection 
> and response (EDR) solutions should be configured to detect and block 
> malicious .lnk files and associated payloads. Robust network monitoring 
> can help identify and respond to unusual activity, particularly 
> involving known malicious IPs or domains associated with these 
> campaigns. While a specific patch for ZDI-CAN-25373 is unavailable, 
> ensuring that all other known vulnerabilities are patched promptly can 
> help reduce the attack surface.
> 
> The similarity between ZDI-CAN-25373 and CVE-2024-43461, which involved 
> the use of encoded braille whitespace characters to camouflage malicious 
> HTA files, further highlights the need for Microsoft to address UI 
> misrepresentation vulnerabilities comprehensively. The exploitation of 
> CVE-2024-43461 by the Void Banshee APT group demonstrates the 
> persistence and adaptability of threat actors in leveraging such flaws.
> 
> The ongoing exploitation of ZDI-CAN-25373 by state-backed and cybercrime 
> groups represents a significant threat to organizations worldwide. While 
> Microsoft's current stance is disappointing, proactive measures by 
> security teams can help mitigate the risk. I hope Microsoft reconsiders 
> its position and addresses this vulnerability with the urgency it deserves.
> 
> Thank you again for bringing this to the community's attention. Your 
> post serves as a critical reminder of the evolving threat landscape and 
> the importance of vigilance in cybersecurity.
> 
> This is a response to the post seen at:
> http://www.jlaforums.com/viewtopic.php?p=685857547#685857547

   It's a risk, but a very small one. You would have to receive one of
these LNK files, masquerading as something like a PDF, and be
reckless enought to open such a file from an unknown source.
Also, the trick of using a PDF icon is not likely to work for most
people. *Maybe* it could work if there's a standard path to
Adobe Acrobat Reader and you're dumb enough to use Adobe
Acrobat Reader.

   Assuming you did run it, it might run a command on a standard
Windows executable. While that might do some damage, it's not
likely to provide a means for anything like malware download.

   An HTA would be more risky, but it would still require that you
open unknown, unexpected files without no caution.

Back to alt.comp.os.windows-11 | Previous | NextPrevious in thread | Next in thread | Find similar | Unroll thread


Thread

New Windows zeo-day exploited since 2017 CrudeSausage <crude@sausa.ge> - 2025-03-18 19:11 -0400
  Re: New Windows zeo-day exploited since 2017 mummycullen@gmail-dot-com.no-spam.invalid (MummyChunk) - 2025-03-21 13:38 -0400
    Re: New Windows zeo-day exploited since 2017 Newyana2 <newyana@invalid.nospam> - 2025-03-21 15:24 -0400
      Re: New Windows zeo-day exploited since 2017 ...w¡ñ§±¤ñ  <winstonmvp@gmail.com> - 2025-03-21 18:13 -0700
        Re: New Windows zeo-day exploited since 2017 Newyana2 <newyana@invalid.nospam> - 2025-03-21 22:31 -0400

csiph-web