China, Russia, North Korea Hackers Exploit Windows Security Flaw
Almost a dozen state-sponsored threat groups from China, Russia, Iran, and North Korea are exploiting a security flaw in Microsoft Windows to steal information and spy on a broad array of targets around the world.
The bad actors since at least 2017 have targeted government, military, and critical infrastructure organizations in the United States, Canada, Europe, Asia, and elsewhere by abusing a vulnerability that allows the attackers to run hidden malicious commands on victims’ systems, according to threat researchers with Trend Micro’s Zero Day Initiative (ZDI).
The vulnerability, tracked by Trend Micro as ZDI-CAN-25373, allows hackers to exploit the way Windows displays content in LNK or .lnk files, which are used as shortcuts to files, folders, or applications that let users more easily access them from other parts of the system.
ZDI researchers uncovered almost 1,000 malicious .lnk files – though they said the actual number could be much higher – created by state-sponsored, state-adjacent, and financially motivated groups. The files exploit the vulnerability and are disguised as harmless file types, such as documents, in the hope that victims will open them manually, which sets the malicious commands in motion.
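As an added defender-side example (not code from ZDI's report or from this article), the Python below reads the argument string stored in a .lnk file and reports any text that an unusually long run of whitespace would push out of the visible Target field. The padding heuristic goes beyond what the article states and is an assumption about how the display is abused; `make_lnk` only builds a constructed, minimal test file.

```python
import struct
# LinkFlags bits from the Shell Link (.lnk) binary format, MS-SHLLINK.
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE, HEADER_SIZE = 0x01, 0x02, 0x80, 0x4C
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
PAD_CHARS = " \t\r\n\x0b\x0c"

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .lnk; IDList and LinkInfo are skipped over."""
    if len(data) < HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00":
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:      # IDListSize (2 bytes) followed by the item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:    # LinkInfoSize includes its own 4 bytes
        pos += struct.unpack_from("<I", data, pos)[0]
    fields, width = {}, 2 if flags & IS_UNICODE else 1
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        raw = data[pos:pos + count * width]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
        pos += count * width
    return fields

def hidden_after_padding(args: str, min_run: int = 16) -> str:
    """Text after the first run of min_run+ whitespace characters, or '' if there is none.
    Assumption: such a run is what pushes the real command out of the visible Target field."""
    run = 0
    for i, ch in enumerate(args):
        if ch in PAD_CHARS:
            run += 1
            continue
        if run >= min_run:
            return args[i:]
        run = 0
    return ""

def scan_lnk(data: bytes) -> str:
    # Hidden tail of the arguments field, or '' when the shortcut looks clean.
    return hidden_after_padding(parse_lnk_strings(data).get("arguments", ""))

def make_lnk(arguments: str) -> bytes:
    """Constructed minimal .lnk (header + Unicode arguments only) to exercise the scanner."""
    header = b"\x4c\x00\x00\x00" + b"\x00" * 16 + struct.pack("<I", 0x20 | IS_UNICODE)
    header += b"\x00" * (HEADER_SIZE - len(header))
    return header + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
```

Point `scan_lnk` at the bytes of a real shortcut (`open(path, "rb").read()`) to triage files taken from mail attachments or downloads; a non-empty result is worth a closer look in a sandbox.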
‘Widespread Abuse’
“We discovered the widespread abuse of this vulnerability by numerous threat actors and APT [advanced persistent threat] groups,” ZDI researchers Peter Girnus and Aliakbar Zahravi wrote in a report this week. “These threats include a mix of state-sponsored as well as non-state-sponsored APT groups. Many of these groups demonstrated a high degree of sophistication in their attack chains and have a history of abusing zero-day vulnerabilities in the wild.”
In total, ZDI found 11 state-sponsored groups abusing the vulnerability, with almost 70% of identified campaigns being used primarily for espionage and information theft. Another 20% are financially targeted, though Girnus and Zahravi noted that some APT groups using the flaw for spying may fund those efforts through financially motivated attacks.
A small percentage of campaigns seem designed to cause damage, they added.
North Korea Setting the Pace
The bulk of the state-sponsored APT groups exploiting ZDI-CAN-25373 – 45.5% of them – come from North Korea, with others coming from Iran and Russia (both 18.2%) and China (18.1%).
“It is noteworthy that a significant majority of North Korea’s intrusion sets have targeted ZDI-CAN-25373 at various times,” they wrote. “This observation underscores a trend of cross-collaboration, technique, and tool sharing among different threat groups within North Korea’s cyber program.”
ZDI linked a number of state-sponsored groups to the campaigns, including Kimsuky (also known as APT43 and Earth Kumiho), Konni (Earth Imp), and APT37 (ScarCruft, InkySquid, Earth Manticore) from North Korea and Bitter (Earth Anansi), which has run campaigns targeting victims in Pakistan.
Also on the list of attackers is Evil Corp, a notorious Russian cybercrime group.
Lot of Targets in a Lot of Countries
There was a wide range of targeted industries, including government, finance, think tanks, telecommunications, energy, and military and defense. The United States was the hardest-hit country with 343 known attacks, followed by Canada with 39, Russia (25), and South Korea (23).
Attackers used the malicious .lnk files to deploy a variety of payloads, from malware-as-a-service (MaaS) and Lumma (an information stealer) to the GuLoader loader and Remcos remote access trojan (RAT).
Microsoft: No Patch Coming
Girnus and Zahravi wrote that ZDI notified Microsoft about the vulnerability but were told the vendor had no plans to patch it, rating the flaw as “low severity.” A Microsoft spokesperson told The Record that the company’s Defender security product can detect and block such threat activity, that its Smart App Control also will block malicious files, and that trying to open a .lnk file downloaded from the internet automatically produces a warning advising users not to open it.
Thomas Richards, principal consultant and network and red team practice director at application security firm Black Duck, said it’s unusual for Microsoft not to release a security patch for this vulnerability given that it’s being exploited by nation-state groups.
“Actively exploited vulnerabilities are usually patched within a short period of time,” Richards said. “Microsoft should address the vulnerability immediately to manage software risk and prevent further attacks and compromises of systems throughout the world.”
ZDI also pointed to the ongoing threats from state-sponsored and cybercriminal groups, with Girnus and Zahravi writing that “as geopolitical tensions and conflicts escalate, an increase in the sophistication of threat actors and the utilization of zero-day vulnerabilities is anticipated to rise, as both nation-states and cybercriminals endeavor to gain a competitive advantage over their adversaries.”
“This growing prevalence of zero-day exploitation necessitates the implementation of comprehensive security solutions to safeguard critical assets and industries effectively,” they wrote.