A newly discovered cyber vulnerability, ZDI-CAN-25373, has been actively exploited by 11 state-sponsored threat groups from North Korea, Iran, Russia and China since 2017.
According to the Trend Zero Day Initiative (ZDI) threat hunting team, the vulnerability – which affects Windows Shell Link (.lnk) files – has been leveraged primarily for cyber-espionage and data theft.
The new research, published on Tuesday, uncovered nearly 1000 samples of malicious .lnk files exploiting ZDI-CAN-25373. However, Trend Micro believes the total number of exploitation attempts is much higher.
Despite the significant risk posed by this vulnerability, Microsoft reportedly declined to release a security patch after it was disclosed through Trend ZDI’s bug bounty program.
State-Sponsored APT Groups Exploiting ZDI-CAN-25373
Analysis of the attack campaigns revealed that ZDI-CAN-25373 has been widely abused by both state-backed and independent advanced persistent threat (APT) groups.
Nearly half of the state-sponsored attacks linked to this vulnerability originate from North Korea. The research also indicates that North Korean threat actors frequently share tools and techniques, highlighting a high level of collaboration within the country’s cyber program.