The zero-day vulnerability, tracked as ZDI-CAN-25373, has yet to be publicly acknowledged and assigned a CVE-ID by Microsoft. ZDI-CAN-25373 concerns the way Windows displays, through the Windows UI, the contents of .lnk files, a binary file type that Windows uses as a shortcut to a file, folder, or application.

A threat actor can prepare a malicious .lnk file (with command-line arguments) and deliver it to a victim, who inspects it with the faulty Windows-provided user interface. The UI fails to flag the underlying malicious content, leading to code execution on the victim's machine.

NVD rated the flaw medium severity (CVSS 7 out of 10) because exploitation requires user interaction: the victim must visit a malicious page or open a malicious file. Microsoft, however, reportedly declined to take further action, citing the case as not “meeting the bar servicing.”

“We submitted a proof-of-concept exploit through Trend ZDI’s bug bounty program to Microsoft, who declined to address this vulnerability with a security patch,” the ZDI team said. Requests sent to Microsoft for comment had not received a response by the time this article was published.
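Because the article's point is that the Windows shortcut UI can fail to show what a .lnk file's command line really contains, a defender's check is to read the arguments from the file bytes instead of from the Properties dialog. The Python parser below is an added example written for this page, not code from ZDI, Trend Micro, Microsoft or the article; it follows the public MS-SHLLINK layout (76-byte ShellLinkHeader, optional LinkTargetIDList and LinkInfo, then the StringData fields). The `build_sample_lnk` helper constructs a sample shortcut inline so the script runs offline, and the length and control-character heuristic in `review_arguments` is an assumed triage rule, not a description of the specific hiding technique the article reports.

```python
"""Extract the StringData fields from a Windows .lnk (Shell Link) file.

Added example (not from the article): parses the MS-SHLLINK header, skips
the optional LinkTargetIDList and LinkInfo structures, and returns the
string fields (name, relative path, working directory, command-line
arguments, icon location) exactly as stored in the file, so an analyst can
review the arguments without trusting the Windows shortcut UI.
"""
import re
import struct
import sys
import uuid

# LinkCLSID that every ShellLinkHeader must carry (MS-SHLLINK 2.1).
LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order when their flag is set.
STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file as a dict."""
    if len(data) < 0x4C:
        raise ValueError("too short for a ShellLinkHeader")
    header_size = struct.unpack_from("<I", data, 0)[0]
    if header_size != 0x4C:
        raise ValueError("bad HeaderSize")
    if uuid.UUID(bytes_le=data[4:20]) != LINK_CLSID:
        raise ValueError("bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = header_size

    # LinkTargetIDList: 2-byte IDListSize followed by the item ID list.
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]

    # LinkInfo: 4-byte LinkInfoSize that includes the size field itself.
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]

    # StringData: CountCharacters (2 bytes) then the characters, with no
    # terminator; UTF-16LE when IsUnicode is set, else the system code page.
    is_unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        nbytes = count * 2 if is_unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        fields[name] = raw.decode("utf-16-le" if is_unicode else "cp1252")
    return fields


def review_arguments(fields: dict, max_len: int = 260) -> list:
    """Assumed triage heuristic (not from the article): report argument
    strings that are unusually long or contain control characters, i.e.
    content a GUI text field is least likely to render in full."""
    findings = []
    args = fields.get("arguments", "")
    if len(args) > max_len:
        findings.append(f"arguments are {len(args)} characters long")
    if re.search(r"[\x00-\x1f\x7f]", args):
        findings.append("arguments contain control characters")
    return findings


def build_sample_lnk(arguments: str) -> bytes:
    """Constructed sample shortcut (not a real file from the article): a
    Unicode .lnk with name, relative path, working dir and the given
    arguments; no IDList, no LinkInfo, and an empty ExtraData section."""
    flags = HAS_NAME | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LINK_CLSID.bytes_le + struct.pack("<I", flags)
    header += b"\x00" * (0x4C - len(header))  # attributes, timestamps, etc. zeroed
    strings = b""
    for s in ("Quarterly report", ".\\report.pdf", "C:\\Users\\Public", arguments):
        strings += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + strings + b"\x00\x00\x00\x00"  # TerminalBlock ends ExtraData


if __name__ == "__main__":
    # Usage: python lnk_review.py [shortcut.lnk]; without a path, the
    # constructed sample is parsed instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample_lnk("/c echo constructed-sample")
    parsed = parse_lnk(blob)
    for key, value in parsed.items():
        print(f"{key}: {value!r}")
    for finding in review_arguments(parsed):
        print("FINDING:", finding)
```

The parser deliberately reads only the header and StringData and skips the structures it does not need, so it works on shortcuts with or without a target ID list or volume information; printing the arguments with `repr` keeps non-printing characters visible, which is the whole point of not relying on the dialog.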
North Korea, Iran, Russia among top abusers: ZDI reports widespread abuse of the vulnerability by multiple APT groups, including state-sponsored actors like Evil Corp, Kimsuky (APT43), Earth Imp (Konni), Earth Anasi (Bitter), and Earth Manticore.

“Our analysis revealed that 11 state-sponsored groups from North Korea, Iran, Russia, and China have employed ZDI-CAN-25373 in operations primarily motivated by cyber espionage and data theft,” the ZDI team added. ZDI identified large-scale instances of the exploit across a variety of campaigns dating back to 2017.

Almost half (45.5%) of these attacks originated from North Korea, followed by Iran (18.2%) and Russia (18.2%), the ZDI report added. A majority (68.2%) of these actors are known for their motivation towards information theft/espionage, while 22.7% were found operating for financial gain. Unsurprisingly, over a fifth (22.8%) of the exploitation targeted systems in the government sector, with 8.8% targeting those in the financial sector.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3850346/new-windows-zero-day-feared-abused-in-widespread-espionage-for-years.html