
11 nation-state groups exploit unpatched Microsoft zero-day


This story was originally published on Cybersecurity Dive. To receive daily news and insights, subscribe to our free daily Cybersecurity Dive newsletter.

At least 11 state-sponsored threat groups since 2017 have been actively exploiting a Microsoft zero-day flaw allowing for abuse of Windows shortcut files to steal data and commit cyber espionage against organizations in various industries.

Researchers from Trend Micro's Trend Zero Day Initiative (ZDI) have identified nearly 1,000 malicious .lnk files abusing the flaw, tracked as ZDI-CAN-25373, which allows attackers to execute hidden malicious commands on a victim’s machine by leveraging crafted shortcut files.

"By exploiting this vulnerability, an attacker can prepare a malicious .lnk file for delivery to a victim," according to a Trend Micro blog post on Tuesday. "Upon examining the file using the Windows-provided user interface, the victim will not be able to tell that the file contains any malicious content."
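The article describes the flaw only at the level of "hidden commands" that the Windows user interface does not show. The following scanner is an added example, written for this page and not code from Trend Micro, ZDI or Microsoft. It parses the documented MS-SHLLINK layout of a .lnk file (header, optional LinkTargetIDList and LinkInfo, then the StringData fields) and flags shortcuts whose COMMAND_LINE_ARGUMENTS field is longer than the Properties dialog can display or contains long runs of whitespace that would push the real content out of view. That padding detail comes from Trend Micro's published ZDI advisory rather than from this article; the display limit of 260 characters and the 32-character run threshold are assumptions chosen for this example, and the two sample shortcuts are constructed in memory so the script runs offline.

```python
"""Defensive .lnk (Windows shell link) scanner: flags argument fields that are
hidden from the user by length or whitespace padding. Example code; thresholds
and sample files are assumptions constructed for illustration."""
import struct

LNK_HEADER_SIZE = 0x4C
# Shell link CLSID {00021401-0000-0000-C000-000000000046}, little-endian on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits from the MS-SHLLINK specification (ShellLinkHeader offset 20)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Whitespace characters that render as nothing in the Properties dialog
PADDING_CHARS = set(" \t\n\x0b\x0c\r")
# StringData fields in the order the specification stores them
STRING_FIELDS = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the decoded StringData fields of a shell link."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # 2-byte IDListSize, then the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # 4-byte LinkInfoSize covers the whole block
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    result = {"flags": flags}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, not bytes
        off += 2
        width = 2 if unicode else 1
        raw = data[off:off + count * width]
        off += count * width
        result[name] = raw.decode("utf-16-le" if unicode else "latin-1")
    return result


def _padding_runs(text: str) -> list:
    """List (start, length) of every maximal run of padding characters."""
    runs, start = [], None
    for i, ch in enumerate(text):
        if ch in PADDING_CHARS:
            start = i if start is None else start
        elif start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(text) - start))
    return runs


def assess_arguments(args: str, ui_limit: int = 260, min_padding_run: int = 32) -> dict:
    """Flag an argument string that would not be fully visible in the shortcut UI.
    ui_limit and min_padding_run are assumed thresholds for this example."""
    runs = _padding_runs(args)
    longest = max((length for _, length in runs), default=0)
    first_long = next((s for s, length in runs if length >= min_padding_run), None)
    reasons = []
    if len(args) > ui_limit:
        reasons.append(f"arguments length {len(args)} exceeds assumed UI limit {ui_limit}")
    if longest >= min_padding_run:
        reasons.append(f"whitespace run of {longest} characters hides what follows it")
    return {
        "suspicious": bool(reasons),
        "reasons": reasons,
        "longest_padding_run": longest,
        # what an analyst would actually see before the padding starts
        "visible_arguments": args if first_long is None else args[:first_long],
    }


def scan_lnk(data: bytes) -> dict:
    """Parse a .lnk and assess its argument field; no arguments means nothing to hide."""
    fields = parse_lnk(data)
    verdict = assess_arguments(fields.get("arguments", ""))
    verdict["relative_path"] = fields.get("relative_path")
    return verdict


def build_lnk(arguments: str, relative_path: str = "..\\..\\Windows\\System32\\cmd.exe") -> bytes:
    """Construct a minimal Unicode shell link (header + two StringData fields)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIqqqIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # ShowCommand=1 (SW_SHOWNORMAL)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body


# Constructed samples: an ordinary shortcut and one with 400 tabs hiding a second command
BENIGN = build_lnk("/k echo hello")
PADDED = build_lnk("/c echo benign" + "\t" * 400 + "& echo HIDDEN_PART")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("padded", PADDED)):
        print(label, scan_lnk(blob))
```

The scanner reports the text an analyst would see before the padding begins alongside the reasons it was flagged, which is the information a triage workflow needs when the shortcut itself looks harmless in the Properties dialog.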

The malicious files carry a range of payloads, including the Lumma infostealer and the Remcos remote access Trojan (RAT), that expose organizations to data theft and cyber espionage.

State-sponsored groups from North Korea, Iran, Russia and China, as well as non-state-affiliated actors, are among those exploiting the flaw. The attacks have affected organizations in the government, financial, telecommunications, military and energy sectors in North America, Europe, Asia, South America and Australia.

North Korean actors were responsible for more than 45% of attacks, while about 18% each came from Iran, Russia and China. Some of the groups identified as perpetrators of attacks include known advanced persistent threat (APT) groups Evil Corp, Kimsuky, Bitter and Mustang Panda, among others.

So far, Microsoft has not patched the flaw, according to Trend Micro, which said it submitted a proof-of-concept exploit to Microsoft through Trend ZDI's bug bounty program. Trend Micro did not immediately respond to an additional request for comment on its discovery and submission timeline.

Microsoft's position remains not to address the flaw as described by Trend Micro at this time because it "does not meet the bar for immediate servicing under our severity classification guidelines," though the company "will consider addressing it in a future feature release," a Microsoft spokesperson said via email Wednesday.

In the meantime, Microsoft Defender can detect and block the threat activity as described by Trend Micro, and the Windows Smart App Control blocks malicious files from the internet, according to Microsoft. Moreover, Windows identifies shortcut (.lnk) files as a potentially dangerous file type, with the system automatically triggering a warning if users attempt to download one.