XPost: alt.comp.os.windows-11
Is there even such a thing as security if you use Windows?
<
https://www.bleepingcomputer.com/news/security/new-windows-zero-day-exploited-by-11-state-hacking-groups-since-2017/>
At least 11 state-backed hacking groups from North Korea, Iran, Russia,
and China have been exploiting a new Windows vulnerability in data theft
and cyber espionage zero-day attacks since 2017.
However, as security researchers Peter Girnus and Aliakbar Zahravi with
Trend Micro's Zero Day Initiative (ZDI) reported today, Microsoft tagged
it as "not meeting the bar servicing" in late September and said it
wouldn't release security updates to address it.
"We discovered nearly a thousand Shell Link (.lnk) samples that exploit ZDI-CAN-25373; however, it is probable that the total number of
exploitation attempts are much higher," they said. "Subsequently, we
submitted a proof-of-concept exploit through Trend ZDI's bug bounty
program to Microsoft, who declined to address this vulnerability with a security patch."
A Microsoft spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.
While Microsoft has yet to assign a CVE-ID to this vulnerability, Trend
Micro is tracking it internally as ZDI-CAN-25373 and said it enables
attackers to execute arbitrary code on affected Windows systems.
As the researchers found while investigating in-the-wild ZDI-CAN-25373 exploitation, the security flaw has been exploited in widespread attacks
by many state-sponsored threat groups and cybercrime gangs, including
Evil Corp, APT43 (Kimsuky), Bitter, APT37, Mustang Panda, SideWinder,
RedHotel, Konni, and others.
Although the campaigns have targeted victims worldwide, they've been
primarily focused on North America, South America, Europe, East Asia,
and Australia. Out of all the attacks analyzed, nearly 70% were linked
to espionage and information theft, while financial gain was the focus
of only 20%.
ZDI-CAN-25373 attacks map
Map of countries targeted in ZDI-CAN-25373 attacks (Trend Micro)
​"Diverse malware payloads and loaders like Ursnif, Gh0st RAT, and
Trickbot have been tracked in these campaigns, with malware-as-a-service
(MaaS) platforms complicating the threat landscape," Trend Micro added.
The ZDI-CAN-25373 Windows zero-day
This newly discovered Windows vulnerability (tracked as ZDI-CAN-25373)
is caused by a User Interface (UI) Misrepresentation of Critical
Information (CWE-451) weakness, which allows attackers to exploit how
Windows displays shortcut (.lnk) files to evade detection and execute
code on vulnerable devices without the user's knowledge.
Threat actors exploit ZDI-CAN-25373 by hiding malicious command-line
arguments within .LNK shortcut files using padded whitespaces added to
the COMMAND_LINE_ARGUMENTS structure.
The researchers say these whitespaces can be in the form of hex codes
for Space (\x20), Horizontal Tab (\x09), Linefeed (\x0A), Vertical Tab
(\x0B), Form Feed (\x0C), and Carriage Return (\x0D) that can be used as padding.
If a Windows user inspects such a .lnk file, the malicious arguments are
not displayed in the Windows user interface because of the added
whitespaces. As a result, the command line arguments added by the
attackers remain hidden from the user's view.
Malicious arguments not showing in the Target field
Malicious arguments not showing in the Target field (Trend Micro)
"User interaction is required to exploit this vulnerability in that the
target must visit a malicious page or open a malicious file," a Trend
Micro advisory issued today explains.
"Crafted data in an .LNK file can cause hazardous content in the file to
be invisible to a user who inspects the file via the Windows-provided
user interface. An attacker can leverage this vulnerability to execute
code in the context of the current user."
This vulnerability is similar to another flaw tracked as CVE-2024-43461
that enabled threat actors to use 26 encoded braille whitespace
characters (%E2%A0%80) to camouflage HTA files that can download
malicious payloads as PDFs. CVE-2024-43461 was found by Peter Girnus, a
Senior Threat Researcher at Trend Micro's Zero Day​​​, and patched by Microsoft during the September 2024 Patch Tuesday.
The Void Banshee APT hacking group exploited CVE-2024-43461 in zero-day
attacks to deploy information-stealing malware in campaigns against organizations across North America, Europe, and Southeast Asia.
Update March 18, 13:46 EDT: A Microsoft spokesperson sent the following statement after publishing time, saying the company is considering to
address the flaw in the future:
We appreciate the work of ZDI in submitting this report under a
coordinated vulnerability disclosure. Microsoft Defender has detections
in place to detect and block this threat activity, and the Smart App
Control provides an extra layer of protection by blocking malicious
files from the Internet. As a security best practice, we encourage
customers to exercise caution when downloading files from unknown
sources as indicated in security warnings, which have been designed to recognize and warn users about potentially harmful files. While the UI experience described in the report does not meet the bar for immediate servicing under our severity classification guidelines, we will consider addressing it in a future feature release.
--
God be with you,
CrudeSausage
John 14:6
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)