Hackers Exploit Windows Flaw for Cyberespionage
By Diego Valverde | Journalist & Industry Analyst
Fri, 03/21/2025 - 09:50
Nearly a dozen state-sponsored advanced persistent threat groups (APTs) from China, Russia, Iran and North Korea have exploited a vulnerability in Microsoft Windows, tracked as ZDI-CAN-25373, to steal information and spy on government, military and critical infrastructure organizations around the world, according to Security Boulevard. The vulnerability, exploited since at least 2017 according to the Zero Day Initiative, has allowed attackers to execute malicious commands through Windows shortcut (.lnk) files disguised as harmless documents.
"This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows," reads the Zero Day Initiative website. "User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file."
However, despite the years the vulnerability has been exploited, Microsoft has stated that it has no plans to patch the flaw due to its low impact, raising concerns among cybersecurity experts.
"It is unusual for Microsoft not to release a security patch for this vulnerability, given that it is being actively exploited by nation-state groups, considering that these are usually patched in a short time," Thomas Richards, Principal Consultant at Black Duck, told Security Boulevard. Richards also stresses the seriousness of the problem and the need for an immediate response to mitigate the associated risks.
Vulnerability Details
The ZDI-CAN-25373 vulnerability affects the way Windows handles LNK files, which are shortcuts to applications, files or folders. Attackers have created nearly 1,000 malicious .lnk files, although the Zero Day Initiative estimates that the actual number could be much higher. These files are disguised as harmless documents, which increases the likelihood that users will open them, thereby triggering the embedded malicious commands.
According to researchers at Trend Micro's Zero Day Initiative (ZDI), 70% of the identified campaigns are aimed at espionage and information theft, while 20% focus on financial targets. The remaining attacks appear to be designed to cause direct damage, Trend Micro reports.
Groups exploiting this vulnerability include Kimsuky, Konni and APT37 from North Korea, as well as Bitter, which has led campaigns against targets in Pakistan. The Russian group Evil Corp has also been identified among the attackers, Bleeping Computer reports. North Korea leads in the use of this vulnerability, accounting for 45.5% of the groups identified, followed by Iran and Russia (18.2% each) and China (18.1%). Affected sectors include public finance, telecommunications, energy, military and defense. The United States is the most affected country, with 343 recorded attacks, followed by Canada (39), Russia (25) and South Korea (23).
"Organizations in these sectors are at a higher risk of exploitation and should scan and secure ZDI-CAN-25373 immediately, as well as be vigilant about .lnk files in general. In addition, organizations are advised to investigate potential attacks or attempted attacks on systems using ZDI-CAN-25373 as an intrusion vector," reports Trend Micro.
Microsoft's and Experts' Response
The Record reports that Microsoft has no plans to patch the vulnerability, calling it "low severity." The company argues that its Defender security product can detect and block these threats, and that its Smart App Control feature also prevents the execution of malicious files. In addition, Windows displays an automatic warning when a user attempts to open a .lnk file downloaded from the Internet. However, experts such as Richards say that the lack of a patch leaves users exposed to continued attacks.
ZDI researchers warn that as geopolitical tensions rise, the use of zero-day vulnerabilities by state actors and cybercriminals is likely to intensify. "This increasing prevalence of zero-day exploitation requires the implementation of comprehensive security solutions to effectively safeguard critical assets and industries," say Peter Girnus and Aliakbar Zahravi, researchers at Trend Micro.
Although Microsoft has opted not to patch the flaw, implementing proactive security measures, such as user education, continuous monitoring, and the use of advanced threat detection tools, can help mitigate the associated risks. However, Security Boulevard reports that the lack of an official patch remains a point of concern for the cybersecurity community.