Trend Micro Finds Global Windows Shortcut Flaw

Trend Micro’s Zero Day Initiative (ZDI) has disclosed a major vulnerability in Microsoft Windows, tracked as ZDI-CAN-25373. State-sponsored APT groups from North Korea, Iran, Russia, and China are exploiting it.
The exploitation has targeted government entities, financial institutions, telecommunications businesses, military sites, and energy suppliers worldwide. Many incidents have been confirmed, notably in Pakistan.
Threat: What to Know
This vulnerability is exploited through malicious Windows shortcut (.lnk) files. Attackers use these seemingly innocuous files to discreetly execute commands on victims’ systems. Because the .lnk files look normal, threat actors can use them to get into vital systems, steal data, and conduct sophisticated espionage without being discovered.
Microsoft has stated that it has no plans to issue a security fix for this major vulnerability, which adds urgency. Businesses and organizations worldwide remain subject to continual attacks unless independent and proactive security measures are quickly established.
Threat Size and Scope
Trend Micro found approximately 1,000 malicious .lnk files exploiting ZDI-CAN-25373. This large figure illustrates the scope and intensity of the attacks and indicates that the danger will expand without an immediate response.
This zero-day vulnerability has been exploited by North Korean, Iranian, Russian, and Chinese APT groups. The coordinated attacks point to state-sponsored attempts to strike important sectors worldwide, posing serious cybersecurity dangers. Because these threat actors constantly evolve their tradecraft, improved detection and mitigation technologies are essential.
Inaction by Microsoft Increases Vulnerabilities
Microsoft’s failure to offer a fix despite widespread and documented exploitation worsens this problem. Critical vulnerabilities left unpatched pose significant threats to enterprises worldwide in the current cybersecurity climate. Without an official patch or vendor-supported remedy, enterprises must secure their systems themselves, which complicates cybersecurity efforts and increases risk.
Security Measures
The danger is significant, so an urgent and strong response is needed. Cybersecurity experts recommend the following steps:
Malicious .lnk files are the most direct attack vector, so scan for and block them immediately.
Make sure endpoint and network security solutions can identify and block harmful activity.
Use advanced threat intelligence tools to discover new threats and indicators of compromise (IOCs).
Maintain an “assume breach” mentality and monitor systems for unusual activity, particularly involving command-line tools such as cmd.exe or PowerShell, which attackers often use to hide their operations.
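As an added illustration of the scanning and monitoring steps above (example code, not Trend Micro’s or the original article’s), the following Python parses the StringData section of a Windows shortcut and flags any whose target path or arguments invoke cmd.exe or PowerShell. The sample shortcut is constructed inside the script, and the list of watched interpreters is an assumption taken from the bullet above.

```python
import struct

# LinkFlags bits from the Shell Link (.lnk) binary format
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
# StringData fields appear in this fixed order after the optional sections
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]
# Command-line tools the article names as commonly abused launch targets (assumed list)
WATCHED_BINARIES = ("cmd.exe", "powershell")
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

def parse_lnk(data: bytes) -> dict:
    """Extract the StringData fields (relative path, arguments, ...) from a .lnk blob."""
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != 0x4C or data[4:20] != SHELL_LINK_CLSID:
        raise ValueError("not a Shell Link header")
    flags, = struct.unpack_from("<I", data, 0x14)
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDList: uint16 size, then payload
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfo: uint32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, pos)   # CountCharacters, not bytes
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        fields[name] = data[pos:pos + count * width].decode(
            "utf-16-le" if width == 2 else "cp1252")
        pos += count * width
    return fields

def flag_shortcut(fields: dict) -> list:
    """Return reasons a shortcut deserves analyst attention (empty list = nothing found)."""
    launch = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    return [f"shortcut launches {b}" for b in WATCHED_BINARIES if b in launch]

def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed test shortcut (not a real-world sample): header plus two Unicode strings."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + SHELL_LINK_CLSID + struct.pack("<I", flags)
    header += bytes(0x4C - len(header))        # remaining header fields zeroed
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body
```

Run parse_lnk over the bytes of each shortcut collected from mail gateways or file shares and route anything flag_shortcut returns to an analyst; the optional IDList and LinkInfo sections are skipped, not interpreted.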
Protection Available to Trend Micro Customers
Trend Micro protects its customers immediately with tailored rules:
Trend Vision One™ Network Security: Rule 44844 addresses the issue.
Trend Vision One™ – Endpoint Security: Rules 5351, 1012182, and 1012183 detect and block attacks over the HTTP and SMB protocols.
High-Risk Sectors
Detailed Trend Micro telemetry shows numerous state-sponsored and cybercriminal threat actors attacking several important industries. These attacks have targeted government organizations, financial services, telecommunications companies, military sites, and energy infrastructure, highlighting the broad and coordinated nature of this threat.