- Trend Micro warns that an old Windows zero-day is still being exploited today
- Many nation-states abuse the flaw to run espionage campaigns
- Microsoft does not consider it critical
A Windows zero-day vulnerability that has gone unpatched for eight years has been exploited by 11 nation-state groups and countless financially motivated crews, researchers have warned.
Trend Micro's Zero Day Initiative (ZDI) criticized Microsoft for downplaying the severity of the vulnerability, tracked as ZDI-CAN-25373. It is a flaw in Windows that lets attackers craft malicious shortcut (.lnk) files that execute hidden commands when a user interacts with them.
The flaw is exploited by embedding malicious commands in the .lnk file, which the victim then unknowingly runs when opening the shortcut. It has been used in data theft, espionage and malware distribution campaigns.
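For defenders who want to triage shortcut files of the kind ZDI describes, the following is an added example (not code from the article, Trend Micro or ZDI) written in Python. It parses the string fields of a .lnk file according to the MS-SHLLINK binary format, builds a benign and a suspicious sample inline (both constructed for this example), and flags shortcuts whose embedded command line launches a script interpreter or carries control characters or whitespace padding. The article does not say how the malicious commands are hidden from the user, so the triage heuristics, the interpreter list and the 260-character threshold are this example's assumptions, not findings from the ZDI report.

```python
"""Parse the string fields of a Windows shortcut (.lnk, MS-SHLLINK) and
flag shortcuts whose embedded command line looks weaponized.
The heuristics in triage() are assumptions of this example."""
import re
import struct

HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046}, little-endian on disk
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits; the StringData sections appear in the file in this order
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_REL_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION)]


def _read(data, pos, fmt):
    """Unpack one little-endian integer at pos with a bounds check."""
    size = struct.calcsize(fmt)
    if pos + size > len(data):
        raise ValueError("truncated .lnk file")
    return struct.unpack_from(fmt, data, pos)[0], pos + size


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields present in the shortcut."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("missing Shell Link header")
    if data[4:20] != LINK_CLSID:
        raise ValueError("bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:              # skip LinkTargetIDList: 2-byte size + items
        size, pos = _read(data, pos, "<H")
        pos += size
    if flags & HAS_LINK_INFO:            # skip LinkInfo: 4-byte size includes itself
        size, _ = _read(data, pos, "<I")
        pos += size
    fields = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count, pos = _read(data, pos, "<H")   # CountCharacters, not bytes
        width = 2 if flags & IS_UNICODE else 1
        if pos + count * width > len(data):
            raise ValueError("truncated StringData")
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return fields


# Triage heuristics (assumptions of this example, not from the ZDI report)
INTERPRETERS = re.compile(r"\b(cmd|powershell|pwsh|mshta|wscript|cscript|rundll32|"
                          r"regsvr32|certutil|bitsadmin)(\.exe)?\b", re.I)
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")   # tabs, newlines, NULs never belong in arguments
PADDING = re.compile(r" {8,}")                   # long runs of spaces are not needed either
MAX_SANE_ARGS = 260                              # assumed ceiling for a hand-made shortcut


def triage(fields: dict) -> list:
    """Return a list of reasons the shortcut deserves a closer look."""
    findings = []
    args = fields.get("arguments", "")
    target = fields.get("relative_path", "") + " " + fields.get("name", "")
    if INTERPRETERS.search(target) or INTERPRETERS.search(args):
        findings.append("launches a script interpreter or LOLBin")
    if CONTROL_CHARS.search(args) or PADDING.search(args):
        findings.append("arguments contain control characters or whitespace padding")
    if len(args) > MAX_SANE_ARGS:
        findings.append("arguments longer than %d characters" % MAX_SANE_ARGS)
    return findings


def build_lnk(relative_path: str, working_dir: str, arguments: str) -> bytes:
    """Build a minimal Unicode .lnk carrying only three StringData fields (constructed sample)."""
    flags = HAS_REL_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sII", HEADER_SIZE, LINK_CLSID, flags, 0x80)  # FILE_ATTRIBUTE_NORMAL
    header += b"\x00" * 24                                                 # three zero FILETIMEs
    header += struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0)  # FileSize, IconIndex, SW_SHOWNORMAL, HotKey, Reserved1-3

    def field(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + field(relative_path) + field(working_dir) + field(arguments)


# Constructed samples: an ordinary Notepad shortcut and a padded cmd.exe launcher
BENIGN = build_lnk(r"..\..\Windows\System32\notepad.exe", r"C:\Windows\System32",
                   r"C:\Users\Public\notes.txt")
SUSPICIOUS = build_lnk(r"..\..\Windows\System32\cmd.exe", r"C:\Windows\System32",
                       "/c" + " " * 300 + "powershell.exe -WindowStyle Hidden -Command calc")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        parsed = parse_lnk(blob)
        print(label, repr(parsed["relative_path"]), triage(parsed))
```

Reading the arguments field straight out of the binary, rather than trusting what Explorer displays, is the point of the check: the parser sees every character the shortcut will hand to its target, so a shortcut that appears to open a document but actually carries an interpreter invocation stands out. Real-world shortcuts usually also contain a LinkTargetIDList and LinkInfo block, which the parser skips by size.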
“Much detailed information”
The researchers said the flaw has been exploited since 2017 and that they recently found nearly 1,000 weaponized .lnk files; the true total is almost certainly much larger.
After analyzing the files, ZDI said the majority (roughly 70%) came from nation-state actors and were used for espionage or data theft. Of those, almost half (46%) were built by North Korean groups, followed by Russia, Iran and China with roughly 18% each. The rest came from financially motivated groups.
Most victims are government agencies, followed by private-sector companies, financial organizations, think tanks and telecommunications companies.
The researchers also criticized Microsoft for downplaying the issue: “We told Microsoft, but they consider it a UI problem, not a security problem. So it does not meet their bar for servicing as a security update, but it could be resolved in a later OS version, or something along those lines,” Dustin Childs, head of threat awareness at the Zero Day Initiative, told The Register.
“We consider it a security thing. Again, not a critical security thing, but definitely worth addressing through a security update,” Childs said.
Microsoft seems to agree, at least on the “not critical” part. A spokesperson told The Register: “While the UI experience described in the report does not meet the bar for immediate servicing under our severity classification guidelines, we will consider addressing it in a future feature release.”