- Trend Micro warns of an old Windows zero-day still in use today
- Many nation-states are abusing the bug to run espionage campaigns
- Microsoft doesn’t deem it critical
A Windows zero-day vulnerability which has remained unpatched for eight years has been exploited by 11 nation-state attackers, and countless financially motivated groups, experts have warned.
Trend Micro’s Zero Day Initiative (ZDI) criticized Microsoft for downplaying the importance of the findings into the vulnerability, tracked as ZDI-CAN-25373, which is a flaw in Windows that allows attackers to craft malicious shortcut (.lnk) files, enabling the execution of hidden commands when a user interacts with these files.
This exploit can be abused by embedding harmful code within the .lnk file, which the victim then unknowingly runs when opening the shortcut. The vulnerability was used in data theft attacks, espionage, and malware distribution.
“Very detailed information”
The researchers said the bug has been in use since 2017, and that they found some 1,000 weaponized .LNK files recently. The total number, obviously, is much bigger.
After sifting through the files, ZDI said the majority came from nation-state actors (70%), and were used in espionage or data theft. Of that number, almost half (46%) were built by North Korean actors, followed by Russia, Iran, and China, with roughly 18% each. The rest fell to financially motivated groups.
That being said, most victims are government agencies, followed by firms in the private sector, financial organizations, think tanks, and telecommunications firms.
The researchers also slammed Microsoft for allegedly downplaying the issue: “We told Microsoft but they consider it a UI issue, not a security issue. So it doesn’t meet their bar for servicing as a security update, but it might be fixed in a later OS version, or something along those lines,” Dustin Childs, head of threat awareness at the Zero Day Initiative, told The Register.
“We consider that a security thing. Again, not a critical security thing, but certainly worth addressing through a security update,” Childs opined.
Microsoft seems to agree, at least about the “not critical” part. A spokesperson told The Register: “While the UI experience described in the report does not meet the bar for immediate servicing under our severity classification guidelines, we will consider addressing it in a future feature release.”
Leave a comment