At least 11 state-sponsored threat groups have been actively exploiting a Microsoft zero-day flaw since 2017, abusing Windows shortcut files to steal data and conduct cyber espionage against organizations across various industries.
Researchers from Trend Micro's Trend Zero Day Initiative (ZDI) have identified nearly 1,000 malicious .lnk files abusing the flaw, tracked as ZDI-CAN-25373, which allows attackers to execute hidden malicious commands on a victim’s machine by leveraging crafted shortcut files.
"By exploiting this vulnerability, an attacker can prepare a malicious .lnk file for delivery to a victim," according to a Trend Micro blog post on Tuesday. "Upon examining the file using the Windows-provided user interface, the victim will not be able to tell that the file contains any malicious content."
The malicious files delivered by attackers carry a range of payloads, including the Lumma infostealer and the Remcos remote access Trojan (RAT), exposing organizations to data theft and cyber espionage.
State-sponsored groups from North Korea, Iran, Russia and China, as well as other non-state-affiliated actors, are among those exploiting the flaw in attacks that have affected organizations in the government, financial, telecommunications, military and energy sectors in North America, Europe, Asia, South America and Australia.
North Korean actors were responsible for more than 45% of attacks, while about 18% each came from Iran, Russia and China. Some of the groups identified as perpetrators of attacks include known advanced persistent threat (APT) groups Evil Corp, Kimsuky, Bitter and Mustang Panda, among others.
So far, Microsoft has not acted to patch the flaw, according to Trend Micro, which said it submitted a proof-of-concept exploit to Microsoft through Trend ZDI's bug bounty program. Trend Micro did not immediately respond to an additional request for comment on its timeline for discovering and submitting the flaw.
Microsoft's position remains not to address the flaw as described by Trend Micro at this time because it "does not meet the bar for immediate servicing under our severity classification guidelines," though the company "will consider addressing it in a future feature release," a Microsoft spokesperson said via email Wednesday.
In the meantime, Microsoft Defender can detect and block the threat activity as described by Trend Micro, and the Windows Smart App Control blocks malicious files from the internet, according to Microsoft. Moreover, Windows identifies shortcut (.lnk) files as a potentially dangerous file type, with the system automatically triggering a warning if users attempt to download one.
Patch delay concerns
Still, that an actively exploited flaw would go unpatched for so long is "unusual," as such flaws are typically patched within a short period of time, Thomas Richards, a principal consultant and red team practice director at security firm Black Duck, said via email.
While vendors may have a legitimate reason for not patching a vulnerability, this decision "can be frustrating" for organizations that have "limited access to clear guidance on how to prepare for imminent exploitation and build mitigation tactics," former computer network operator for the National Security Agency (NSA) Evan Dornbush said in an email.
And while it can be difficult to prioritize what gets patched, "clearly Microsoft got this one wrong," AppSOC chief scientist and co-founder Mali Gorantla noted via email.
Organizations should mitigate the flaw themselves by scanning for any exploits, remaining vigilant against suspicious .lnk files and ensuring comprehensive endpoint and network protection measures are in place to detect and respond to exploitation attempts, according to Trend Micro.
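The scanning advice above, together with the hidden-command behavior described earlier in the article, can be turned into a concrete check. The Python below is an added example written for this page, not Trend Micro's or Microsoft's tooling: it parses the Shell Link header and StringData section per the MS-SHLLINK format, extracts the COMMAND_LINE_ARGUMENTS field, and flags a long run of whitespace padding, which is how these crafted files keep the real command out of the Properties dialog's Target field. The sample .lnk blobs are constructed inline, the 64-character run threshold is the example's own heuristic, and the `HIDDEN-PART` marker string is a placeholder rather than any real payload.

```python
import struct
import sys
from pathlib import Path

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Whitespace code points used as padding: space, tab, LF, CR, VT, FF.
PAD_CHARS = " \t\n\r\x0b\x0c"
# Assumption (this example's heuristic, not a vendor figure): a run this long
# has no legitimate purpose in a shortcut's argument string.
PAD_RUN_THRESHOLD = 64

# StringData fields in the order the format stores them.
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))


def parse_lnk(data):
    """Return (flags, StringData dict) for a Shell Link; raise ValueError otherwise."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    offset = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (u16) + IDList bytes
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (u32) includes itself
        offset += struct.unpack_from("<I", data, offset)[0]
    strings = {}
    for field, bit in STRING_FIELDS:             # CountCharacters (u16) + characters
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, offset)[0]
        offset += 2
        if flags & IS_UNICODE:
            strings[field] = data[offset:offset + 2 * count].decode("utf-16-le", "replace")
            offset += 2 * count
        else:                                    # ANSI; latin-1 approximates the codepage
            strings[field] = data[offset:offset + count].decode("latin-1")
            offset += count
    return flags, strings


def longest_pad_run(text):
    """(start, length) of the longest run of padding characters in text."""
    best_start = best_len = 0
    run_start = None
    for i, ch in enumerate(text):
        if ch not in PAD_CHARS:
            run_start = None
            continue
        if run_start is None:
            run_start = i
        if i - run_start + 1 > best_len:
            best_start, best_len = run_start, i - run_start + 1
    return best_start, best_len


def assess_lnk(data):
    """Flag arguments carrying a long whitespace run and split the part the dialog
    would show (visible) from what follows the padding (hidden)."""
    _, strings = parse_lnk(data)
    args = strings.get("arguments", "")
    start, length = longest_pad_run(args)
    suspicious = length >= PAD_RUN_THRESHOLD
    return {
        "suspicious": suspicious,
        "pad_run": length,
        "visible": args[:start].rstrip(PAD_CHARS) if suspicious else args,
        "hidden": args[start + length:] if suspicious else "",
        "relative_path": strings.get("relative_path", ""),
    }


def build_lnk(arguments, relative_path):
    """Build a minimal Unicode .lnk: constructed sample data for this example only."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + string_data(relative_path) + string_data(arguments)


# Constructed samples: a plain shortcut and one padded in the style the article describes.
BENIGN = build_lnk("/c echo hello", "..\\Windows\\System32\\cmd.exe")
PADDED = build_lnk("/c start readme.pdf" + " " * 300 + "& echo HIDDEN-PART",
                   "..\\Windows\\System32\\cmd.exe")


def scan_path(root):
    """Yield (path, assessment) for every .lnk file under root."""
    for p in Path(root).rglob("*.lnk"):
        try:
            yield p, assess_lnk(p.read_bytes())
        except (ValueError, struct.error) as exc:
            yield p, {"error": str(exc)}


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("padded", PADDED)):
        print(label, assess_lnk(blob))
    for path, result in scan_path(sys.argv[1] if len(sys.argv) > 1 else "."):
        if result.get("suspicious"):
            print(path, result)
```

Run it with a directory argument to sweep a share or user profile for padded shortcuts; the split into `visible` and `hidden` is what an analyst wants in a triage ticket, since the visible half is exactly what a user saw in the dialog. The parser stops after StringData, so ExtraData blocks are ignored, and a shortcut whose target is only in the IDList reports an empty `relative_path`, which is normal rather than suspicious.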