State-Sponsored Hackers Exploit Unpatched Windows Zero-Day Vulnerability

State-sponsored hackers have been exploiting a Windows zero-day since 2017.

Published: Mar 20, 2025



Key Takeaways:

  • Trend Micro’s Zero Day Initiative (ZDI) discovered a critical zero-day vulnerability in Windows.
  • This vulnerability is being exploited through malicious shortcut (.lnk) files to deploy malware.
  • Around 70% of these attacks are linked to nation-state actors.

Trend Micro’s Zero Day Initiative (ZDI) has discovered a critical Windows vulnerability that is actively being exploited by state-sponsored hacking groups. Threat actors attributed to North Korea, Russia, China, and Iran are leveraging the flaw to infiltrate systems and conduct espionage.

How does the Windows shortcut vulnerability work?

According to a new report from Trend Micro, an unpatched Windows vulnerability, tracked as ZDI-CAN-25373, is being exploited through malicious shortcut (.lnk) files to download malware onto victims’ devices. The flaw is a UI misrepresentation issue: the shortcut’s command-line arguments are padded with large amounts of whitespace, so the malicious command is pushed out of the Target field in the file’s Properties dialog and a user who inspects the shortcut sees nothing suspicious. The technique has been used in espionage and data theft campaigns since 2017. Trend Micro identified around 1,000 malicious shortcut files, and the true number of attacks is likely significantly higher.
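The following is an added detection example, not code from Trend Micro’s report or from Microsoft. It parses a Windows shell link (.lnk) far enough to reach the COMMAND_LINE_ARGUMENTS string and flags files whose arguments contain a long run of the whitespace characters used as padding (space, tab, LF, VT, FF, CR). The padding threshold of 32 characters is an assumption chosen for illustration, and the `build_lnk` helper constructs minimal sample shortcuts (one benign, one padded) purely so the detector can be exercised offline; the samples are not real attack artifacts.

```python
"""Flag whitespace-padded COMMAND_LINE_ARGUMENTS in Windows .lnk files.

Added example (not from the Trend Micro report). Parses the MS-SHLLINK
layout up to the StringData section and reports shortcuts whose
arguments hide a command behind a long run of padding characters.
"""
import re
import struct

# LinkCLSID {00021401-0000-0000-C000-000000000046} as stored on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields in on-disk order, each present only if its flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Padding characters that push the real arguments out of the Properties
# dialog: space, tab, LF, VT, FF, CR.
PAD_CLASS = r"[ \t\n\x0b\x0c\r]"
# Assumed threshold: legitimate shortcuts rarely carry even a dozen
# consecutive whitespace characters in their arguments.
PAD_THRESHOLD = 32


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the StringData fields of a shell link."""
    if len(data) < HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    if struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("unexpected HeaderSize")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        off += struct.unpack_from("<I", data, off)[0]
    width = 2 if flags & IS_UNICODE else 1       # UTF-16LE or ANSI characters
    strings = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters
        off += 2
        raw = data[off:off + width * count]
        if len(raw) != width * count:
            raise ValueError(f"truncated StringData for {name}")
        off += width * count
        # ANSI strings use the system code page; cp1252 is assumed here
        strings[name] = (raw.decode("utf-16-le") if width == 2
                         else raw.decode("cp1252", errors="replace"))
    return {"flags": flags, "strings": strings}


def analyse_arguments(args: str, threshold: int = PAD_THRESHOLD) -> dict:
    """Split the arguments at the first long padding run, if any."""
    run = re.search(PAD_CLASS + "{%d,}" % threshold, args)
    if run is None:
        return {"padded": False, "pad_length": 0, "visible": args, "hidden": ""}
    return {"padded": True, "pad_length": run.end() - run.start(),
            "visible": args[:run.start()], "hidden": args[run.end():]}


def scan_lnk(data: bytes, threshold: int = PAD_THRESHOLD) -> dict:
    """Parse a shell link and report whether its arguments look padded."""
    parsed = parse_lnk(data)
    verdict = analyse_arguments(parsed["strings"].get("arguments", ""), threshold)
    verdict["target_hint"] = parsed["strings"].get("relative_path", "")
    return verdict


def build_lnk(arguments: str, relative_path: str) -> bytes:
    """Constructed minimal .lnk (Unicode strings, no IDList/LinkInfo) for testing."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0,            # FileAttributes
                         0, 0, 0,      # CreationTime, AccessTime, WriteTime
                         0, 0,         # FileSize, IconIndex
                         1,            # ShowCommand = SW_SHOWNORMAL
                         0, 0, 0, 0)   # HotKey, Reserved1, Reserved2, Reserved3

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments) + b"\x00" * 4


if __name__ == "__main__":
    target = r"..\..\Windows\System32\cmd.exe"
    samples = {"benign": build_lnk("/c echo hello", target),
               "padded": build_lnk(" " * 900 + "/c calc.exe", target)}
    for label, blob in samples.items():
        v = scan_lnk(blob)
        print(f"{label}: {'PADDED' if v['padded'] else 'ok'} "
              f"pad={v['pad_length']} hidden={v['hidden']!r}")
```

The check deliberately reads the raw file rather than asking the shell for the resolved target, since the whole point of the technique is that the shell’s own Properties view hides the padded portion. A real scan would walk a mail-attachment or download directory, feed each `.lnk` to `scan_lnk`, and quarantine anything reported as padded.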

Trend Micro researchers found that around 70% of these malicious shortcut files were created by state-sponsored hackers for espionage and data theft. North Korean actors were responsible for 46% of these attacks, while the remaining state-sponsored activity was linked to Russia, Iran, and China, each accounting for about 18%. The rest of the attacks were conducted by financially motivated groups seeking to steal money or valuable information.

Figure: Malware payloads observed in ZDI-CAN-25373 attacks

Microsoft responds to Windows exploit but offers no immediate fix

Attackers targeted a wide range of organizations, including government agencies, financial institutions, telecom companies, military facilities, and energy providers. Trend Micro reported the vulnerability to Microsoft in September 2024, but Microsoft has no immediate plans to release a fix.

“This is one of many bugs that the attackers are using, but this is one that is not patched and that’s why we reported it as a zero day,” Dustin Childs, head of threat awareness at the Zero Day Initiative, said in a statement to The Register. “We told Microsoft but they consider it a UI issue, not a security issue. So it doesn’t meet their bar for servicing as a security update, but it might be fixed in a later OS version, or something along those lines.”

Microsoft says that existing protections already cover this attack path: Microsoft Defender can detect and block the malicious activity, and Smart App Control blocks malicious files downloaded from the Internet. These are detection and reputation controls rather than a fix for the misleading shortcut display itself.

Microsoft advises users to avoid opening files from unknown sources and to heed security warnings. Because the padded arguments do not appear in the shortcut’s Properties dialog, manually checking a shortcut’s Target field is not a reliable way to spot this attack. Organizations are also encouraged to strengthen endpoint security and use advanced threat intelligence tools to detect emerging threats.
