Nation-state groups hit hundreds of organizations with Microsoft Windows zero-day

Cybercriminals working on behalf of at least six nation-states are actively exploiting a zero-day vulnerability in Microsoft Windows to commit espionage, steal data and cryptocurrency, according to Trend Micro researchers.
The vulnerability, which Trend Micro tracks as ZDI-CAN-25373, allows attackers to execute hidden malicious commands due to the way Windows displays the contents of shortcut .lnk files, also known as shell link files, researchers said in a report released Tuesday. A CVE has not been assigned to the vulnerability and Microsoft hasn’t made any commitments to patch or remediate the issue.
State-sponsored groups have been exploiting the zero-day since 2017, largely targeting governments, but also think tanks and organizations in the finance, cryptocurrency, telecom, military and energy sectors, according to researchers. Trend Micro discovered and reported the defect to Microsoft in September.
“We know of at least 300 different organizations that have been affected by this,” said Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative. Thousands of devices, including several within the same targeted organizations, have been infected with malware delivered via ZDI-CAN-25373 exploits, he said.
“The exploits are ongoing with most activity coming out of the North Korean groups, APT43 and APT37. We’re getting new and live samples every day,” Childs said. The total number of attacks linked to the zero-day vulnerability is likely two to three times the number observed by Trend Micro.
Nearly half of the attacks attributed to nation-state groups are linked to North Korean state-sponsored attackers, according to Trend Micro’s research. “Whenever we see activity out of North Korea, it tends to be financially motivated and crypto,” Childs said. “It’s almost like their gross domestic product is ransomware.”
State-backed groups from Iran, Russia and China are each linked to roughly 1 in 5 attacks observed by researchers to date. Trend Micro has also attributed attacks to groups working on behalf of India, Pakistan and financially motivated cybercriminals.
“As a security best practice, we encourage customers to exercise caution when downloading files from unknown sources as indicated in security warnings, which have been designed to recognize and warn users about potentially harmful files,” a Microsoft spokesperson said in a statement.
“While the user interface experience described in the report does not meet the bar for immediate servicing under our severity classification guidelines, we will consider addressing it in a future feature release,” the spokesperson said.
Exploits date back to 2017
It is rare, but not unprecedented, for cybercriminals to exploit a zero-day for many years prior to discovery — eight years in the case of ZDI-CAN-25373.
Yet, “it’s very unusual that there are so many different groups using this in different ways with different purposes,” Childs said. “Once multiple groups start using the same bug, of course that’s more people sharing the secret. And the more people sharing the secret, the more likely the secret is to get out.”
Trend Micro has attributed exploits to the Russia-based cybercrime group Evil Corp, a suspected South Asian espionage group called Bitter, Konni malware and others. Threat groups backed by India and Pakistan are “essentially using it against each other, pretty much in an identical form,” Childs said.
Cybercriminals are exploiting ZDI-CAN-25373 to target governments for espionage and data theft at more than twice the rate of financially motivated attacks.
The attacks spread across the globe and researchers fear the footholds gained by this yearslong campaign persist.
“They’ve been so prolific that we haven’t been able to clean them all out everywhere,” Childs said. “It’s highly likely that they are still in many systems around the world.”
Novel malware payload
The proof-of-concept exploit Trend Micro submitted to Microsoft illustrates the novel path cybercriminals are taking to exploit ZDI-CAN-25373. Attackers are exploiting the vulnerability by making shortcut .lnk files look like a different file type and tricking victims into opening executable code embedded in those files.
The user interface problem is such that Windows depicts the file type users expect, while the .lnk extension appended to the end of the filename, which links to a malicious payload, is hidden. Attackers achieve this by hiding command line arguments behind whitespace padding that Windows doesn’t display in the allotted space in the user interface, according to Trend Micro.
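To make the padding trick described above concrete from the defender's side, here is an added detection example (not code from Trend Micro's report or from Microsoft): it walks the structures of Microsoft's published Shell Link (MS-SHLLINK) format to reach the COMMAND_LINE_ARGUMENTS string and flags a .lnk whose arguments contain a long run of whitespace, returning the text that follows the padding for analyst review. The 32-character threshold and the embedded sample shortcut are constructed for illustration and are not values from the report.

```python
import struct

# MS-SHLLINK LinkFlags bits (from the published Shell Link format)
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relpath"), (0x10, "workdir"),
                 (0x20, "args"), (0x40, "icon"))
WHITESPACE = " \t\r\n\x0b\x0c"

def lnk_strings(data: bytes) -> dict:
    """Walk a .lnk file and return its StringData fields (name, relpath, workdir, args, icon)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: HeaderSize must be 0x4C")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C                                   # ShellLinkHeader is fixed at 76 bytes
    if flags & HAS_ID_LIST:                      # LinkTargetIDList: 2-byte IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfo: starts with 4-byte LinkInfoSize
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {}
    for bit, key in STRING_FIELDS:               # StringData fields appear in this fixed order
        if not flags & bit:
            continue
        n = struct.unpack_from("<H", data, pos)[0]; pos += 2   # CountCharacters, no terminator
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + n * width]; pos += n * width
        out[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    return out

def padded_args(data: bytes, threshold: int = 32):
    """Return (longest_whitespace_run, text_after_padding); a run >= threshold matches the
    property-sheet-hiding pattern described in the report. threshold is an assumed tuning knob."""
    args = lnk_strings(data).get("args", "")
    longest, run, end = 0, 0, 0
    for i, ch in enumerate(args):
        run = run + 1 if ch in WHITESPACE else 0
        if run > longest:
            longest, end = run, i + 1
    hidden = args[end:] if longest >= threshold else ""
    return longest, hidden

def make_lnk(args: str) -> bytes:
    """Constructed sample: minimal Unicode .lnk with only COMMAND_LINE_ARGUMENTS populated."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")
    header = struct.pack("<I", 0x4C) + clsid + struct.pack("<I", 0x20 | IS_UNICODE)
    header += bytes(0x4C - len(header))         # FileAttributes .. Reserved3 left zero
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")

if __name__ == "__main__":
    sample = make_lnk(" " * 400 + "/c echo constructed-sample")
    print(padded_args(sample))                  # (400, '/c echo constructed-sample')
```

Running it over a directory of quarantined shortcuts and alerting on any nonzero `hidden` string gives a cheap triage signal independent of what the Windows property sheet shows.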
“That’s the first time I’ve seen that, although I’m continuously surprised at the ingenuity of hackers and criminals,” Childs said.
Researchers question Microsoft’s response
Microsoft said it appreciates Trend Micro’s research and disclosure, but noted the methods described in the report are of limited practical use to an attacker. Moreover, Microsoft disputes the need for a prompt — or, perhaps, any response.
Shortcut files are considered a potentially dangerous file type, and Windows automatically triggers a warning when users try to open a .lnk file downloaded from the internet, the company said.
Companies have to draw a line somewhere between where their responsibility to mitigate risk ends and users’ begins, said Andrew Grotto, research scholar at Stanford University’s Center for International Security and Cooperation.
Yet, Grotto added, Microsoft has a long history of actively exploited zero-day vulnerabilities and threat groups taking advantage of what the company describes as user-interface issues.
“Even if it doesn’t consider this to be a vulnerability in the traditional sense of the word, the fact that it’s been actively exploited, it means there’s still a problem in the product of some kind,” Grotto said.
Addressing this defect and others like it would require Microsoft to fundamentally change how .lnk files work, Childs said.
“It is very frustrating that Microsoft has chosen not to fix this, either through a security update or saying, ‘yes, we’re going to do it in the next version,’” Childs said. “But hopefully with the publication of this, we give the defenders out there enough information to protect their systems and maybe put a little pressure on Microsoft to provide something.”