New Windows Zero-Day Exploited by 11 State Hacking Groups Since 2017
At least 11 state-backed hacking groups from North Korea, Iran, Russia, and China have been exploiting a new Windows vulnerability since 2017, using it in zero-day attacks aimed at data theft and cyber espionage. This discovery was made by security researchers Peter Girnus and Aliakbar Zahravi with Trend Micro's Zero Day Initiative (ZDI), who reported their findings today.
The vulnerability, tracked as ZDI-CAN-25373, is a User Interface (UI) Misrepresentation of Critical Information (CWE-451) weakness that allows attackers to exploit how Windows displays shortcut (.lnk) files. According to Trend Micro, threat actors exploit this vulnerability by hiding malicious command-line arguments within .LNK shortcut files using padded whitespaces added to the COMMAND_LINE_ARGUMENTS structure.
The researchers found nearly a thousand Shell Link (.lnk) samples that exploit ZDI-CAN-25373, but they believe the actual number of exploitation attempts is much higher. Despite submitting a proof-of-concept exploit through Trend Micro's bug bounty program, Microsoft declined to address this vulnerability with a security patch.
Microsoft has yet to assign a CVE-ID to this vulnerability, but Trend Micro is tracking it internally as ZDI-CAN-25373 and said it enables attackers to execute arbitrary code on affected Windows systems. The campaigns have targeted victims worldwide, primarily focusing on North America, South America, Europe, East Asia, and Australia.
Out of all the attacks analyzed, nearly 70% were linked to espionage and information theft, while financial gain was the focus of only 20%. Diverse malware payloads and loaders like Ursnif, Gh0st RAT, and Trickbot have been tracked in these campaigns, with malware-as-a-service (MaaS) platforms complicating the threat landscape.
The researchers say user interaction is required to exploit this vulnerability, as the target must visit a malicious page or open a malicious file. Crafted data in an .LNK file can cause hazardous content to be invisible to a user who inspects the file via the Windows-provided user interface.
The Vulnerability and Its Implications
This vulnerability is similar to another flaw tracked as CVE-2024-43461, which enabled threat actors to use 26 encoded braille whitespace characters (%E2%A0%80) to camouflage HTA files that can download malicious payloads as PDFs. CVE-2024-43461 was found by Peter Girnus and patched by Microsoft during the September 2024 Patch Tuesday.
The Void Banshee APT hacking group exploited CVE-2024-43461 in zero-day attacks to deploy information-stealing malware in campaigns against organizations across North America, Europe, and Southeast Asia. Although ZDI-CAN-25373 itself remains unpatched, its similarity to an already-fixed flaw underlines the importance of keeping software up to date with the latest security patches.
Microsoft's Response
A Microsoft spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today. However, after publishing time, Microsoft sent a statement saying that it appreciates the work of ZDI in submitting this report and is considering addressing the flaw in the future.
Microsoft said their security best practice is for customers to exercise caution when downloading files from unknown sources as indicated in security warnings, which have been designed to recognize and warn users about potentially harmful files. While the UI experience described in the report does not meet the bar for immediate servicing under their severity classification guidelines, they will consider addressing it in a future feature release.
The Threat Landscape
ZDI-CAN-25373 remains heavily exploited and is a serious security concern. The researchers say the padding whitespace is not limited to plain spaces: it can take the form of hex codes for Space (\x20), Horizontal Tab (\x09), Linefeed (\x0A), Vertical Tab (\x0B), Form Feed (\x0C), and other special characters.
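Because the weakness is that the Windows Properties dialog hides the padded portion of COMMAND_LINE_ARGUMENTS, a defender should read that field straight from the .lnk bytes rather than trust the UI. The scanner below is an added example for this article, not code from Trend Micro/ZDI or Microsoft. It parses the Shell Link header and STRING_DATA section following the public MS-SHLLINK layout, measures the leading run of the whitespace characters the article names, and flags shortcuts whose arguments sit behind a long pad. The detection threshold, the inclusion of carriage return in the padding set, and the minimal fixture builder used to exercise the scanner are all assumptions made for this example.

```python
"""Scan Windows Shell Link (.lnk) files for whitespace-padded COMMAND_LINE_ARGUMENTS.

Added example (not Trend Micro/ZDI or Microsoft code). Field layout follows the
public MS-SHLLINK specification; the padding characters are those named in the
article plus \r (assumption). Threshold and fixtures are assumptions.
"""
import struct
from dataclasses import dataclass

# LinkFlags bits from MS-SHLLINK (only the ones this scanner needs)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046

# Space, tab, LF, VT, FF from the article; CR added as an assumption.
PADDING_CHARS = "\x20\x09\x0a\x0b\x0c\x0d"
# Assumed threshold: a leading run this long pushes the real arguments out of view.
PADDING_THRESHOLD = 16


@dataclass
class ScanResult:
    has_arguments: bool
    raw_arguments: str
    leading_padding: int
    visible_arguments: str   # arguments with the leading pad removed
    suspicious: bool


def _read_string_data(buf: bytes, offset: int, unicode: bool) -> tuple[str, int]:
    """Read one STRING_DATA item: uint16 CountCharacters followed by the characters."""
    (count,) = struct.unpack_from("<H", buf, offset)
    offset += 2
    if unicode:
        end = offset + 2 * count
        return buf[offset:end].decode("utf-16-le"), end
    end = offset + count
    return buf[offset:end].decode("latin-1"), end


def scan_lnk(buf: bytes) -> ScanResult:
    """Parse a .lnk blob and report whitespace padding in COMMAND_LINE_ARGUMENTS."""
    if len(buf) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", buf, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    unicode = bool(flags & IS_UNICODE)
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # uint16 size, not self-inclusive
        (idlist_size,) = struct.unpack_from("<H", buf, off)
        off += 2 + idlist_size
    if flags & HAS_LINK_INFO:                    # uint32 size, self-inclusive
        (info_size,) = struct.unpack_from("<I", buf, off)
        off += info_size
    # STRING_DATA items appear in this fixed order, each only when its flag is set
    args = None
    for flag in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION):
        if flags & flag:
            value, off = _read_string_data(buf, off, unicode)
            if flag == HAS_ARGUMENTS:
                args = value
    if args is None:
        return ScanResult(False, "", 0, "", False)
    visible = args.lstrip(PADDING_CHARS)
    padding = len(args) - len(visible)
    return ScanResult(True, args, padding, visible, padding >= PADDING_THRESHOLD)


def build_fixture_lnk(arguments: str) -> bytes:
    """Constructed test fixture: a minimal Unicode .lnk carrying only COMMAND_LINE_ARGUMENTS.
    Not a shortcut produced by Windows; it exists only to exercise scan_lnk()."""
    flags = HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sII", HEADER_SIZE, LNK_CLSID, flags, 0)   # size, CLSID, flags, attrs
    header += b"\x00" * 24                                               # creation/access/write times
    header += struct.pack("<IiI", 0, 0, 1)                               # FileSize, IconIndex, ShowCommand
    header += b"\x00" * 12                                               # HotKey + reserved fields
    assert len(header) == HEADER_SIZE
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


if __name__ == "__main__":
    samples = {
        "benign": build_fixture_lnk("/c echo hello"),
        "padded": build_fixture_lnk(" " * 30 + "\t\x0b\x0c" + "/c echo hidden"),
    }
    for name, blob in samples.items():
        r = scan_lnk(blob)
        print(f"{name}: padding={r.leading_padding} suspicious={r.suspicious} args={r.visible_arguments!r}")
```

In practice you would run scan_lnk() over every shortcut in a mail gateway quarantine or a forensic image and alert on suspicious results, reporting visible_arguments so an analyst sees what the Properties dialog would have hidden. The parser deliberately stops after STRING_DATA; a production scanner would also walk the ExtraData blocks and apply the same whitespace check to the relative path and icon location strings.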
The fact that this vulnerability has been exploited by multiple state-backed hacking groups highlights the need for increased vigilance in the security community. It is essential to keep software up-to-date with the latest security patches and to exercise caution when downloading files from unknown sources.