Mar 24 2025

State-Sponsored Hackers Exploit Link Files for Espionage

Category: Cyber Espionage, Hacking, Information Security | disc7 @ 10:42 am

Critical Vulnerability in Microsoft Windows Exposed: State-Sponsored Hackers Exploit Link Files for Espionage

A critical vulnerability has been discovered in Microsoft Windows, actively exploited by state-sponsored hackers from North Korea, Russia, Iran, and China. These cyber attackers are leveraging a flaw in Windows’ handling of shortcut (LNK) files to conduct espionage operations.

The exploitation involves crafting malicious LNK files that, when opened, execute arbitrary code without the user’s knowledge. This method allows hackers to infiltrate systems, access sensitive information, and maintain persistent control over compromised networks.

Microsoft has acknowledged the vulnerability and is working on a security patch to address the issue. In the meantime, users and organizations are advised to exercise caution when handling LNK files, especially those received from untrusted sources.

To mitigate potential risks, it is recommended to disable the display of icons for shortcut files and enable the “Show file extensions” option to identify potentially malicious LNK files. Regularly updating antivirus software and conducting system scans can also help detect and prevent exploitation attempts.
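One way to handle an untrusted LNK file with caution is to read what it would run without opening it. The following is an added example, not code from the article or from Microsoft: it parses the StringData section defined in the MS-SHLLINK specification, and `review`, `sample_lnk`, the `MAX_ARGS` threshold and the sample bytes are assumptions constructed for illustration.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits from the MS-SHLLINK specification
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
MAX_ARGS = 260  # assumed review threshold, not a value from the article


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link without executing it."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_IDLIST:      # LinkTargetIDList: 2-byte size, then the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:    # LinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")  # cp1252 assumed
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]  # characters, not bytes
            end = pos + 2 + count * width
            if end > len(data):
                raise ValueError("truncated StringData")
            fields[name] = data[pos + 2:end].decode(codec, errors="replace")
            pos = end
    return fields


def review(data: bytes) -> list:
    """Return reasons to examine the shortcut more closely before opening it."""
    args = parse_lnk(data).get("arguments", "")
    return [f"arguments are {len(args)} characters long"] if len(args) > MAX_ARGS else []


def sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed test input: header plus two Unicode StringData entries."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", 0x08 | 0x20 | 0x80)
    header = header.ljust(76, b"\x00")
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body
```

Run `parse_lnk` on the raw bytes of a quarantined file (for example, read with `open(path, "rb")`) to see the complete stored command line.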

This incident underscores the importance of maintaining robust cybersecurity practices and staying informed about emerging threats. Organizations should prioritize timely software updates and employee training to recognize and avoid potential security risks.

As cyber threats continue to evolve, collaboration between software vendors, security researchers, and users is crucial in identifying and addressing vulnerabilities promptly. Proactive measures and vigilance are essential to safeguard against sophisticated cyber espionage activities.

To mitigate this risk, users and organizations are advised to exercise caution with LNK files from untrusted sources, disable icon displays for shortcut files, enable the “Show file extensions” option to identify potentially malicious LNK files, and regularly update antivirus software.

This incident highlights the importance of robust cybersecurity practices and staying informed about emerging threats. Collaboration between software vendors, security researchers, and users is crucial to promptly identify and address vulnerabilities.


Tags: and Power, Cyber Mercenaries: The State, hackers, State-Sponsored Hackers, The Hacker and the State


Oct 03 2022

State-Sponsored Hackers Used MS Exchange 0-Day Bugs to Attack At least 10 Orgs

Category: Hacking, Zero day | DISC @ 8:44 am

In August 2022, hackers launched a limited wave of attacks that targeted at least 10 organizations around the world. 

The hackers exploited two newly disclosed zero-day vulnerabilities in these attacks to gain access to and compromise Exchange servers.

The Chopper web shell was installed during these attacks to make hands-on-keyboard access more convenient. Attackers use this technique to gain access to Active Directory in order to perform reconnaissance and exfiltrate data.

Because these vulnerabilities are already being exploited in the wild, it is likely that they will be weaponized further in the coming days.

0-Day Flaws Exploited

The two 0-day flaws exploited by the hackers in the wild to attack 10 organizations are:

  • CVE-2022-41040: Microsoft Exchange Server Elevation of Privilege Vulnerability with CVSS score: 8.8.
  • CVE-2022-41082: Microsoft Exchange Server Remote Code Execution Vulnerability with CVSS score: 8.8.

The combination of these two zero-day vulnerabilities has been named “ProxyNotShell.” Exploiting them is possible with a standard account using a standard authentication process.

The credentials of standard users can be acquired in many different ways. GTSC, a Vietnamese cybersecurity company, was the first to discover the vulnerabilities that have been exploited.

It is suspected that these intrusions were carried out by a Chinese threat actor.

Mitigation

No action is required on the part of Microsoft Exchange Online customers. Microsoft recommended that customers running on-premises Exchange review the URL Rewriting Instructions and implement them immediately.

If you run Microsoft Exchange Server and use Microsoft 365 Defender, follow this checklist provided by Microsoft:

  • Enable cloud-based protection in Microsoft Defender Antivirus.
  • Enable tamper protection to keep attackers from interrupting security services.
  • Run EDR in block mode so that Microsoft Defender for Endpoint can detect malicious artifacts.
  • Enable network protection to guard against malicious domains and other malicious content.
  • Enable full automation for investigation and remediation. This lets Microsoft Defender for Endpoint be notified of breaches immediately and take immediate action.
  • Use device discovery to gain greater visibility into what is happening on your network.

As additional prevention measures, they also recommended that users:

  • Enable multi-factor authentication (MFA)
  • Disable legacy authentication
  • Do not accept suspicious or unknown 2FA prompts
  • Use complex passwords

Tags: MS Exchange 0-Day, State-Sponsored Hackers