{"id":2423,"date":"2025-03-20T12:38:22","date_gmt":"2025-03-20T12:38:22","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2423"},"modified":"2025-03-20T12:38:22","modified_gmt":"2025-03-20T12:38:22","slug":"new-windows-zero-day-feared-abused-in-widespread-espionage-for-years","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2423","title":{"rendered":"New Windows zero-day feared abused in widespread espionage for years"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A zero-day vulnerability stemming from how Windows User Interface handles its shortcut (.lnk) files has been exploited by at least 11 nation-state actors in widespread threat campaigns.<\/p>\n<p>According to an analysis by Trend Zero Day Initiative (ZDI), the bug bounty and vulnerability disclosure program that first found and reported the flaw to Microsoft, the vulnerability exposes systems to significant risks of data theft and cyber espionage.<\/p>\n<p>\u201cZDI identified nearly 1000 malicious .lnk files abusing ZDI-CAN-25373, a vulnerability that allows attackers to execute hidden malicious commands on a victim machine by leveraging crafted shortcut files,\u201d said the ZDI team in a <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/c\/windows-shortcut-zero-day-exploit.html\">blog post<\/a><em>.<\/em><\/p>\n<p>The <a href=\"https:\/\/www.csoonline.com\/article\/565704\/zero-days-explained-how-unknown-vulnerabilities-become-gateways-for-attackers.html\">zero-day vulnerability<\/a>, tracked as ZDI-CAN-25373, has yet to be publicly acknowledged and assigned a CVE-ID by Microsoft.<\/p>\n<h2 class=\"wp-block-heading\">A fix is far from sight\u00a0<\/h2>\n<p>ZDI-CAN-25373 has to do with the way Windows displays the contents of .lnk files, a type of binary file used 
by Windows to act as a shortcut to a file, folder, or application, through the Windows UI.<\/p>\n<p>A threat actor can prepare a malicious .lnk file whose command-line arguments carry the payload and deliver it to the victim, who inspects it with the Windows-provided user interface. In the samples ZDI analyzed, the arguments are padded with whitespace characters (spaces, tabs, line feeds, carriage returns) so that the shortcut\u2019s Properties dialog does not display the malicious command. Because the UI gives the victim no indication of what the shortcut will actually run, opening it sets off code execution on the victim machine.<\/p>\n<p>The ZDI advisory scores the flaw at CVSS 7.0 out of 10, which the CVSS v3 scale classes as high rather than medium; the score is held down by the requirement for user interaction, since the victim must open the malicious file.<\/p>\n<p>Microsoft, however, <a href=\"https:\/\/www.zerodayinitiative.com\/advisories\/ZDI-25-148\/\">reportedly declined<\/a> to take further action, citing the case as not \u201cmeeting the bar for servicing.\u201d<\/p>\n<p>\u201cWe submitted a proof-of-concept exploit through Trend ZDI\u2019s bug bounty program to Microsoft, who declined to address this vulnerability with a security patch,\u201d the ZDI team said.<\/p>\n<p>Requests sent to Microsoft for comment had not received a response at the time of publication.<\/p>\n<h2 class=\"wp-block-heading\">North Korea, Iran, Russia among top abusers<\/h2>\n<p>ZDI reports widespread abuse of the vulnerability by multiple <a href=\"https:\/\/www.csoonline.com\/article\/1286452\/the-mvps-of-the-apt-game.html\">APT groups<\/a>, including Evil Corp, <a href=\"https:\/\/www.csoonline.com\/article\/2066558\/north-korean-kimsuky-groups-attack-chain-blends-with-legitimate-traffic.html\">Kimsuky<\/a> (APT43), Earth Imp (Konni), Earth Anasi (Bitter), and Earth Manticore.<\/p>\n<p>\u201cOur analysis revealed that 11 state-sponsored groups from North Korea, Iran, Russia, and China have employed ZDI-CAN-25373 in operations primarily motivated by cyber espionage and data theft,\u201d the ZDI team added. 
ZDI identified large-scale use of the exploit across a variety of campaigns dating back to 2017.<\/p>\n<p>Almost half (45.5%) of these attacks originated from North Korea, followed by Iran (18.2%) and Russia (18.2%), the ZDI report added. A majority (68.2%) of the actors are known for their focus on information theft and espionage, while 22.7% were found to operate for financial gain. Over a fifth (22.8%) of the exploitation targeted systems in the government sector, with 8.8% targeting the financial sector.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A zero-day vulnerability stemming from how Windows User Interface handles its shortcut (.lnk) files has been exploited by at least 11 nation-state actors in widespread threat campaigns. According to an analysis by Trend Zero Day Initiative (ZDI), the bug bounty and vulnerability disclosure program that first found and reported the flaw to Microsoft, the vulnerability 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2424,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2423","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2423"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2423"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2423\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2424"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2423"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2423"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2423"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
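The argument-hiding mechanism described in the article above, as an added example that is not part of the original post and not ZDI's or Microsoft's tooling: a small Python parser for the Windows Shell Link binary format (MS-SHLLINK) that pulls the COMMAND_LINE_ARGUMENTS string out of a .lnk file and flags whitespace padding of the kind ZDI reported. The two sample shortcuts are constructed inline for the demonstration; the MAX_PAD_RUN threshold, the field names in the report, and the use of cmd.exe as the relative path are assumptions of this example.

```python
"""Parse a Windows shortcut (.lnk, MS-SHLLINK) and flag whitespace-padded
command-line arguments of the kind ZDI describes for ZDI-CAN-25373.

Example code written for this article, not ZDI's or Microsoft's tooling.
Layout constants follow the public MS-SHLLINK specification; the sample
shortcuts are constructed inline and the padding threshold is an assumption.
"""
import struct
import uuid

HEADER_SIZE = 0x4C                          # ShellLinkHeader is always 76 bytes
LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional sections follow
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries appear in this fixed order, each present only if its flag is set
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))

PAD_CHARS = " \t\r\n\x0b\x0c"               # whitespace that pushes text out of view in a dialog
MAX_PAD_RUN = 16                            # assumed threshold; tune for your environment


def _string_data(text: str) -> bytes:
    """CountCharacters (uint16) followed by the UTF-16LE string, no terminator."""
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(arguments: str, relative_path: str = "..\\..\\Windows\\System32\\cmd.exe") -> bytes:
    """Constructed sample: a minimal Unicode shortcut carrying only RELATIVE_PATH and
    COMMAND_LINE_ARGUMENTS. Real shortcuts usually also carry a LinkTargetIDList and a
    LinkInfo block, which parse_lnk() skips by their declared sizes."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID.bytes_le
    # LinkFlags, FileAttributes, Creation/Access/Write time, FileSize, IconIndex,
    # ShowCommand (SW_SHOWNORMAL = 1), HotKey, Reserved1, Reserved2, Reserved3
    header += struct.pack("<IIQQQIIIHHII", flags, 0x80, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = _string_data(relative_path) + _string_data(arguments)
    return header + body + struct.pack("<I", 0)   # TerminalBlock closes ExtraData


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the StringData fields of a shell link."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LINK_CLSID.bytes_le:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (uint16) then the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"flags": flags}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:                                      # ANSI strings use the system code page
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def analyze_arguments(args: str, max_pad_run: int = MAX_PAD_RUN) -> dict:
    """Measure whitespace padding. A line break or a long whitespace run never belongs
    in a legitimate command line, so either is the tell for hidden arguments."""
    longest = run = 0
    for ch in args:
        run = run + 1 if ch in PAD_CHARS else 0
        longest = max(longest, run)
    hidden = args.strip(PAD_CHARS)
    line_breaks = ("\r" in args) or ("\n" in args)
    return {
        "length": len(args),
        "padding_chars": len(args) - len(hidden),
        "longest_pad_run": longest,
        "has_line_breaks": line_breaks,
        "hidden_command": hidden,
        "suspicious": longest >= max_pad_run or line_breaks,
    }


def scan_lnk(data: bytes) -> dict:
    """Parse a shortcut and score its arguments; a shortcut without arguments is benign."""
    fields = parse_lnk(data)
    report = analyze_arguments(fields.get("arguments", ""))
    report["relative_path"] = fields.get("relative_path", "")
    return report


if __name__ == "__main__":
    benign = build_lnk("/c echo hello")                            # constructed sample
    padded = build_lnk(" " * 300 + "\r\n" + "/c notepad.exe")      # constructed sample
    for label, blob in (("benign", benign), ("padded", padded)):
        print(label, scan_lnk(blob))
```

Pointed at a folder of quarantined .lnk attachments, a hit reports the command that the Properties dialog would not have shown, together with how much padding preceded it. The parser skips the LinkTargetIDList and LinkInfo blocks by their declared sizes, so it handles ordinary shortcuts as well as the constructed ones; it does not walk the ExtraData blocks, which can also carry environment-variable paths and deserve a look in a full triage.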