State-Sponsored Hackers Exploiting Windows Zero-Day Vulnerability Since 2017


A New Cybersecurity Threat Ignored by Microsoft

A newly uncovered Windows vulnerability, tracked as ZDI-CAN-25373, has been actively exploited by at least 11 state-backed hacking groups from North Korea, Iran, Russia, and China since 2017. These groups have leveraged this flaw in cyber espionage and data theft campaigns, targeting victims across North America, South America, Europe, East Asia, and Australia. Despite the severity of the issue, Microsoft has refused to release a security patch, citing that it does not meet their “bar for servicing.”

Security researchers Peter Girnus and Aliakbar Zahravi from Trend Micro’s Zero Day Initiative (ZDI) revealed that the vulnerability allows attackers to execute arbitrary code on affected Windows systems by exploiting how Windows displays shortcut (.lnk) files. The flaw has been used in widespread attacks by state-sponsored threat groups such as Evil Corp, APT43 (Kimsuky), Bitter, APT37, Mustang Panda, SideWinder, RedHotel, and Konni.

How ZDI-CAN-25373 is Being Exploited

  • Attackers use Windows shortcut files (.lnk) to conceal malicious command-line arguments using hidden whitespace characters (e.g., space, tab, linefeed).
  • When users inspect these .lnk files, the hidden commands remain invisible, preventing them from detecting the threat.
  • Victims must interact with a malicious file or visit a compromised page for the exploit to take effect.

Once executed, attackers can gain full control over the affected system, steal sensitive information, and deploy malware payloads such as Ursnif, Gh0st RAT, and Trickbot. These campaigns have primarily focused on espionage (70% of cases), with financial motives playing a smaller role (20%).
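The technique described above, hiding the argument string of a shortcut behind runs of whitespace, leaves a signature that a defender can look for statically. The script below is an added example and is not code from the article, from Trend Micro, or from ZDI: it parses the Shell Link binary format as laid out in the public MS-SHLLINK specification, extracts COMMAND_LINE_ARGUMENTS, and reports three padding indicators (control whitespace such as tab, CR or LF inside the arguments; a long run of whitespace; arguments that begin with padding). The `pad_threshold` of 32 characters and the `build_sample_lnk` fixture are assumptions of this example; the fixture writes a header and an argument string only, with no link target, so the bytes it produces are not a working shortcut.

```python
"""Static triage of Windows Shell Link (.lnk) files for whitespace-padded arguments.

Added example, not from the article or from ZDI. Field layout follows the public
MS-SHLLINK specification; sample .lnk bytes are constructed here for the test.
"""
import re
import struct

# ShellLinkHeader constants (MS-SHLLINK section 2.1)
HEADER_SIZE = 0x4C
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_ARGUMENTS = 0x20
IS_UNICODE = 0x80
# StringData sections appear in this fixed order, each only if its LinkFlags bit is set (section 2.4)
STRING_FIELDS = [
    (0x04, "NAME_STRING"),
    (0x08, "RELATIVE_PATH"),
    (0x10, "WORKING_DIR"),
    (HAS_ARGUMENTS, "COMMAND_LINE_ARGUMENTS"),
    (0x40, "ICON_LOCATION"),
]
WHITESPACE = " \t\r\n\x0b\x0c"       # space, tab, CR, LF, vertical tab, form feed
CONTROL_WHITESPACE = WHITESPACE[1:]  # everything except the plain space


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the StringData fields of a Shell Link; raise ValueError if malformed."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link: bad HeaderSize")
    if data[4:20] != SHELL_LINK_CLSID:
        raise ValueError("not a Shell Link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (2 bytes) followed by the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize (4 bytes) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"flags": flags}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        if pos + 2 > len(data):
            raise ValueError(f"truncated before {name}")
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters; no NUL terminator follows
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        if len(raw) != width * count:
            raise ValueError(f"truncated inside {name}")
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
        pos += width * count
    return fields


def assess_arguments(args: str, pad_threshold: int = 32) -> list:
    """Indicators that an argument string was padded so its real content is pushed out of view.
    pad_threshold is an assumption of this example; tune it against shortcuts seen in your estate."""
    findings = []
    controls = sorted({c for c in args if c in CONTROL_WHITESPACE})
    if controls:
        findings.append("control whitespace in arguments: " + ", ".join(f"0x{ord(c):02x}" for c in controls))
    run = re.search(r"[ \t\r\n\x0b\x0c]{%d,}" % pad_threshold, args)
    if run:
        findings.append(f"run of {len(run.group(0))} whitespace characters at offset {run.start()}")
    if args and args[0] in WHITESPACE:
        findings.append("arguments begin with whitespace padding")
    return findings


def scan_lnk(data: bytes) -> dict:
    """Parse one .lnk file and report its arguments, the same text with padding removed, and findings."""
    try:
        fields = parse_lnk(data)
    except struct.error as exc:  # a length field pointed past the end of the file
        raise ValueError(f"truncated Shell Link: {exc}") from exc
    args = fields.get("COMMAND_LINE_ARGUMENTS", "")
    return {"arguments": args, "unpadded": args.strip(WHITESPACE), "findings": assess_arguments(args)}


def build_sample_lnk(arguments: str, unicode: bool = True) -> bytes:
    """Constructed test fixture: a header plus COMMAND_LINE_ARGUMENTS and nothing else.
    No LinkTargetIDList or LinkInfo is written, so it resolves to no target and is not a usable shortcut."""
    flags = HAS_ARGUMENTS | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I", HEADER_SIZE) + SHELL_LINK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # attributes, timestamps, size, icon, ShowCommand, hotkey, reserved
    encoded = arguments.encode("utf-16-le" if unicode else "cp1252")
    return header + struct.pack("<H", len(arguments)) + encoded


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            report = scan_lnk(fh.read())
        print(path, report["findings"] or "no padding indicators")
```

Run it over shortcuts harvested from mail attachments, download folders or user profiles (`python scan_lnk.py *.lnk`). A legitimately authored shortcut practically never carries tab, CR or LF inside its arguments, so the control-whitespace finding on its own is a strong signal, while the run-length check catches padding made of plain spaces; the `unpadded` field gives an analyst the argument text to read regardless of what the shortcut's Properties dialog shows.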

Microsoft’s Controversial Stance on the Vulnerability

Despite Trend Micro submitting a proof-of-concept exploit through Microsoft’s bug bounty program, Microsoft declined to address the issue with a security patch. The vulnerability has not been assigned a CVE-ID, leaving affected users without an official fix.

This case is reminiscent of CVE-2024-43461, another Windows vulnerability that allowed hackers to use encoded braille whitespace characters to hide malware. Unlike ZDI-CAN-25373, Microsoft eventually patched CVE-2024-43461 in September 2024, after it was actively exploited by the Void Banshee APT hacking group.

What Undercode Says:

The refusal of Microsoft to patch this vulnerability raises serious concerns about its security response strategy. Here’s a deeper look at why this issue is alarming:

1. The Growing Trend of State-Sponsored Cyber Warfare

State-backed cyber groups are increasingly sophisticated in their attack methods, often leveraging unpatched vulnerabilities to conduct long-term cyber espionage. Given that ZDI-CAN-25373 has been actively exploited since 2017, the scope of potential damage is staggering.

2. The Hidden Danger of .LNK Exploits

The ability to hide malicious commands within seemingly normal shortcut files is a major security risk. Unlike traditional malware that can be detected via antivirus tools, this exploit relies on a stealthy manipulation of Windows’ user interface, making it significantly harder to detect.

3.

Microsoft’s “not meeting the bar for servicing” reasoning is problematic. This vulnerability has been used in the wild for years, affecting both individual users and organizations. Their reluctance to patch it could be due to cost-cutting decisions, resource allocation issues, or a misjudgment of the threat level.

4. The Link Between ZDI-CAN-25373 and Other Windows Exploits

The similarity between ZDI-CAN-25373 and CVE-2024-43461 indicates a pattern in Windows security flaws where attackers exploit hidden characters to bypass user awareness and security tools. Since Microsoft patched CVE-2024-43461, it’s unclear why they are not taking the same approach with ZDI-CAN-25373.

5. The Rising Threat of Malware-as-a-Service (MaaS)

The presence of malware-as-a-service (MaaS) platforms in these campaigns suggests that more threat actors will gain access to this exploit, making it easier for even lower-tier cybercriminals to deploy sophisticated attacks.

6. The Lack of Transparency in Cybersecurity Disclosures

Microsoft has not provided clear reasoning for its decision to ignore this exploit. Without transparency, businesses and individual users are left vulnerable, unaware of the risks they face.

7. The Need for Immediate Mitigation Strategies

Since Microsoft is unlikely to patch ZDI-CAN-25373, users and organizations must take proactive measures:
– Disable the use of .lnk files from untrusted sources
– Monitor suspicious file activity with advanced threat detection tools
– Implement strict security policies for handling external files

Without urgent action, this vulnerability will continue to be a significant threat for years to come.

Fact Checker Results

  • Microsoft declined to patch the vulnerability, as confirmed by Trend Micro’s Zero Day Initiative.
  • ZDI-CAN-25373 has been actively exploited since at least 2017 by multiple state-sponsored hacking groups.
  • A similar Windows exploit, CVE-2024-43461, was patched by Microsoft, but ZDI-CAN-25373 remains unpatched.

This situation highlights the ongoing cybersecurity risks associated with unpatched Windows vulnerabilities and the urgent need for Microsoft to take responsibility for addressing them.

References:

Reported By: https://www.bleepingcomputer.com/news/security/new-windows-zero-day-exploited-by-11-state-hacking-groups-since-2017/