New Windows zero-day feared abused in widespread espionage for years
A zero-day vulnerability stemming from how the Windows user interface handles shortcut (.lnk) files has been exploited by at least 11 nation-state actors in widespread threat campaigns.

According to an analysis by Trend Zero Day Initiative (ZDI), the bug bounty and vulnerability disclosure program that first found and reported the flaw to Microsoft, the vulnerability exposes systems to significant risks of data theft and cyber espionage.

“ZDI identified nearly 1000 malicious .lnk files abusing ZDI-CAN-25373, a vulnerability that allows attackers to execute hidden malicious commands on a victim machine by leveraging crafted shortcut files,” said the ZDI team in a blog post.

The zero-day vulnerability, tracked as ZDI-CAN-25373, has yet to be publicly acknowledged and assigned a CVE-ID by Microsoft.

A fix is far from sight

ZDI-CAN-25373 has to do with the way Windows displays the contents of .lnk files, a type of binary file used by Windows to act as a shortcut to a file, folder, or application, through the Windows UI.

A threat actor can prepare a malicious .lnk file carrying command-line arguments and deliver it to the victim, who inspects it through the faulty Windows-provided user interface. The UI fails to flag the underlying malicious content, and opening the shortcut sets off code execution on the victim machine.
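As an added, defender-side example that is not from the article or from ZDI: a small Python parser, written for this page, that pulls the COMMAND_LINE_ARGUMENTS string straight out of a .lnk file so that triage does not depend on what the Windows UI chooses to display. The field layout follows the public MS-SHLLINK specification; the "obscured characters" heuristic and the sample shortcut built inline are assumptions of this example, not ZDI's detection logic.

```python
import struct

# Layout per MS-SHLLINK: 0x4C-byte header, LinkFlags at 0x14, then optional IDList, LinkInfo, StringData.
LNK_HEADER_SIZE, SHELL_LINK_CLSID = 0x4C, bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, IS_UNICODE = 0x08, 0x10, 0x20, 0x80

def _read_string(buf, off, unicode):
    # StringData item: CountCharacters (uint16) followed by that many characters, no terminator
    count = struct.unpack_from("<H", buf, off)[0]
    off += 2
    if unicode:
        return buf[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return buf[off:off + count].decode("latin-1"), off + count

def lnk_arguments(buf):
    """Return the COMMAND_LINE_ARGUMENTS string of a .lnk, or None if absent."""
    if len(buf) < LNK_HEADER_SIZE or buf[4:20] != SHELL_LINK_CLSID:
        raise ValueError("not a ShellLink (.lnk) file")
    flags = struct.unpack_from("<I", buf, 0x14)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (uint16) followed by the items
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (uint32) counts itself
        off += struct.unpack_from("<I", buf, off)[0]
    unicode = bool(flags & IS_UNICODE)
    for flag in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR):  # these precede the arguments
        if flags & flag:
            _, off = _read_string(buf, off, unicode)
    return _read_string(buf, off, unicode)[0] if flags & HAS_ARGUMENTS else None

def triage_lnk(buf):
    """Length of the argument string, count of whitespace/non-printable chars, visible rest."""
    # Heuristic chosen for this example (an assumption), not ZDI's detection logic.
    args = lnk_arguments(buf)
    if args is None:
        return {"has_args": False}
    obscured = sum(1 for ch in args if ch.isspace() or not ch.isprintable())
    return {"has_args": True, "length": len(args),
            "obscured_chars": obscured, "visible": args.strip()}

def build_sample_lnk(name, args=None):
    """Constructed minimal .lnk for offline testing: header + NAME_STRING (+ arguments)."""
    header = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I", header, 0, LNK_HEADER_SIZE)
    header[4:20] = SHELL_LINK_CLSID
    flags = HAS_NAME | IS_UNICODE | (HAS_ARGUMENTS if args is not None else 0)
    struct.pack_into("<I", header, 0x14, flags)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (name, args) if s is not None)
    return bytes(header) + body
```

Run `triage_lnk(open(path, "rb").read())` over quarantined shortcuts; a large `obscured_chars` count relative to the visible remainder is worth a closer look.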

The flaw was assigned a medium-severity rating (CVSS 7 out of 10) by NVD because it requires user interaction: the victim must visit a malicious page or open a malicious file.

Microsoft, however, reportedly declined to take further action citing the case as not “meeting the bar servicing.”

“We submitted a proof-of-concept exploit through Trend ZDI’s bug bounty program to Microsoft, who declined to address this vulnerability with a security patch,” the ZDI team said.

Requests sent to Microsoft for comment had not received a response by the time this article was published.

North Korea, Iran, Russia among top abusers

ZDI reports widespread abuse of the vulnerability by multiple APT groups, including state-sponsored actors like Evil Corp, Kimsuky (APT43), Earth Imp (Konni), Earth Anasi (Bitter), and Earth Manticore.

“Our analysis revealed that 11 state-sponsored groups from North Korea, Iran, Russia, and China have employed ZDI-CAN-25373 in operations primarily motivated by cyber espionage and data theft,” the ZDI team added. ZDI identified large-scale instances of the exploit across a variety of campaigns dating back to 2017.

Almost half (45.5%) of these attacks originated from North Korea, followed by Iran (18.2%) and Russia (18.2%), the ZDI report added. A majority (68.2%) of these actors are known for their focus on information theft/espionage, while 22.7% were found operating for financial gain. Unsurprisingly, over a fifth (22.8%) of the exploitation targeted systems in the government sector, with 8.8% targeting those in the financial sector.
