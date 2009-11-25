from the let's-be-careful-out-there dept.
Two Windows Vulnerabilities, One a 0-Day, are Under Active Exploitation
Both vulnerabilities are being exploited in wide-scale operations:
Two Windows vulnerabilities—one a zero-day that has been known to attackers since 2017 and the other a critical flaw that Microsoft initially tried and failed to patch recently—are under active exploitation in widespread attacks targeting a swath of the Internet, researchers say.
The zero-day went undiscovered until March, when security firm Trend Micro said it had been under active exploitation since 2017, by as many as 11 separate advanced persistent threats (APTs). These APT groups, often with ties to nation-states, relentlessly attack specific individuals or groups of interest. Trend Micro went on to say that the groups were exploiting the vulnerability, then tracked as ZDI-CAN-25373, to install various known post-exploitation payloads on infrastructure located in nearly 60 countries, with the US, Canada, Russia, and Korea being the most common.
Seven months later, Microsoft still hasn't patched the vulnerability, which stems from how Windows handles the Shortcut (.lnk) binary format. Shortcuts make opening apps or accessing files easier and faster by letting a single small binary file invoke a target, with arguments, without the user navigating to its location. The flaw is a UI misrepresentation: the shortcut's command-line arguments field can be padded with large amounts of whitespace (spaces, tabs, line feeds and similar characters) so that the Target shown in the file's Properties dialog looks empty or benign, while the hidden command still runs when the shortcut is opened. In recent months, the ZDI-CAN-25373 tracking designation has been assigned the identifier CVE-2025-9491.
On Thursday, security firm Arctic Wolf reported that it observed a China-aligned threat group, tracked as UNC-6384, exploiting CVE-2025-9491 in attacks against various European nations. The final payload is a widely used remote access trojan known as PlugX. To better conceal the malware, the attack chain keeps the PlugX payload RC4-encrypted until the final stage, when it is decrypted and loaded.
"The breadth of targeting across multiple European nations within a condensed timeframe suggests either a large-scale coordinated intelligence collection operation or deployment of multiple parallel operational teams with shared tooling but independent targeting," Arctic Wolf said. "The consistency in tradecraft across disparate targets indicates centralized tool development and operational security standards even if execution is distributed across multiple teams."
With no patch available, Windows users have limited options for fending off attacks. The most effective countermeasure is to block or restrict .lnk files from untrusted origins (for example, those arriving by email or download) and to configure Windows Explorer so that such shortcuts are not automatically resolved. Because the hidden command is present in the file even though the Properties dialog does not display it, shortcuts from untrusted sources can also be inspected with a .lnk parser before they are opened. CVE-2025-9491 carries a CVSS severity rating of 7 out of 10.
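As an added illustration of the inspection described above (example code written for this page, not from Trend Micro, Arctic Wolf or Microsoft), the following Python parses just enough of the Windows Shell Link (MS-SHLLINK) layout to reach the COMMAND_LINE_ARGUMENTS string and flags arguments that begin with a long run of whitespace, or that contain line-feed or form-feed characters no legitimate command line would carry. The sample shortcuts are constructed in memory; the padding threshold and the cp1252 fallback for non-Unicode shortcuts are assumptions, not values from the advisories.

```python
"""Detect whitespace-padded COMMAND_LINE_ARGUMENTS in a Windows Shell Link (.lnk).

Added example. Parses the header, skips the optional LinkTargetIDList and
LinkInfo blocks, and reads the StringData fields in their fixed order.
"""
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1) that change the layout after the header
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# StringData fields appear in this order when their flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

PAD_CHARS = " \t\n\x0b\x0c\r"   # whitespace the Properties dialog does not render
PAD_THRESHOLD = 16              # assumption: real shortcuts rarely lead with this much whitespace


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk blob, keyed by field name."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("bad HeaderSize; not a Shell Link")
    if data[4:20] != LINK_CLSID:
        raise ValueError("bad LinkCLSID; not a Shell Link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                 # LinkInfoSize (4 bytes) counts itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, not bytes
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[name] = data[off:off + count].decode("cp1252", errors="replace")  # assumed code page
            off += count
    return fields


def assess_lnk(data: bytes) -> dict:
    """Flag arguments whose real start is hidden behind whitespace padding."""
    fields = parse_lnk(data)
    args = fields.get("arguments", "")
    leading_pad = len(args) - len(args.lstrip(PAD_CHARS))
    has_control_ws = any(c in args for c in "\n\x0b\x0c\r")   # never present in a typed command line
    return {
        "relative_path": fields.get("relative_path", ""),
        "visible_command": args.strip(PAD_CHARS),
        "leading_pad": leading_pad,
        "suspicious": leading_pad >= PAD_THRESHOLD or has_control_ws,
    }


def build_lnk(arguments: str, relative_path: str = r".\cmd.exe") -> bytes:
    """Constructed minimal shortcut: header plus RELATIVE_PATH and COMMAND_LINE_ARGUMENTS."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # attributes, timestamps, size, icon, showcmd, hotkey, reserved

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


if __name__ == "__main__":
    benign = build_lnk("/c echo hello")
    padded = build_lnk(" \t" * 150 + "/c powershell -w hidden -c calc")   # constructed sample
    for label, blob in (("benign", benign), ("padded", padded)):
        print(label, assess_lnk(blob))
```

On a real file, read it in binary mode and pass the bytes to assess_lnk; anything that comes back suspicious deserves a look at visible_command before the shortcut is ever double-clicked.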
The other Windows vulnerability was patched last week, when Microsoft issued an unscheduled, out-of-band update. CVE-2025-59287 carries a severity rating of 9.8. It resides in Windows Server Update Services (WSUS), which administrators use to approve and distribute Microsoft updates across large fleets of Windows servers and workstations. Microsoft had attempted to patch the potentially wormable remote code execution vulnerability, caused by unsafe deserialization of untrusted data, a week earlier in its October Patch Tuesday release. Publicly released proof-of-concept code quickly proved that the attempted fix was incomplete.
Around the same time that Microsoft released its second fix, security firm Huntress said it had observed the WSUS flaw being exploited starting on October 23. Security firm Eye reported the same finding shortly after.
NPM Flooded With Malicious Packages Downloaded More Than 86,000 Times
Packages downloaded from NPM can fetch dependencies from untrusted sites:
Attackers are exploiting a major weakness that has allowed them to plant more than 100 credential-stealing packages in the NPM registry since August, mostly without detection.
The finding, laid out Wednesday by security firm Koi, brings attention to an NPM practice that allows installed packages to automatically pull down and run unvetted packages from untrusted domains. Koi said a campaign it tracks as PhantomRaven has exploited NPM's use of "Remote Dynamic Dependencies" to flood NPM with 126 malicious packages that have been downloaded more than 86,000 times. Some 80 of those packages remained available as of Wednesday morning, Koi said.
"PhantomRaven demonstrates how sophisticated attackers are getting [better] at exploiting blind spots in traditional security tooling," Koi's Oren Yomtov wrote. "Remote Dynamic Dependencies aren't visible to static analysis."
Remote Dynamic Dependencies provide greater flexibility in accessing dependencies, the code libraries that many other packages need in order to work. Normally, a package's dependencies are declared by name and version in its manifest, so they are visible to the developer installing the package, and they are downloaded from NPM's own registry infrastructure.
RDD works differently. It allows a package to declare a dependency as a URL, so that npm downloads the code from an arbitrary website rather than from the registry, including sites that serve it over HTTP, which is unencrypted. The PhantomRaven attackers exploited this leniency in the 126 packages they uploaded to NPM: each declares dependencies that npm fetches from attacker-controlled URLs, including http://packages.storeartifact.com/npm/unused-imports. Koi said these dependencies are "invisible" to developers and many security scanners, which list the packages as having "0 Dependencies." When a developer installs one of the packages, npm fetches the remote dependency automatically, so the unvetted code runs as part of the install.
Compounding the weakness, the dependencies are downloaded "fresh" from the attacker server each time a package is installed, rather than being cached, versioned, or otherwise static, as Koi explained:
This opens the door to sophisticated targeting. In theory, they could check the IP address of every request and serve different payloads: benign code to security researchers on VPNs, malicious code to corporate networks, specialized payloads for cloud environments. Or play the long game—return clean code for weeks to build trust and pass security scans, then flip a switch and start serving the malicious version.
[...] Anyone who regularly downloads packages from NPM should check the Koi post for a list of indicators that their system has been compromised through PhantomRaven. These indicators can be used in system scans to determine whether they've been targeted.
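A first pass at the check described above, added here as an example and not taken from Koi's post or from npm's tooling: the Python below classifies each dependency spec in a package.json by where npm would fetch it from, and separately walks the "packages" map of a lockfileVersion 2 or 3 package-lock.json to find anything whose "resolved" URL is outside a trusted registry. The manifest and lockfile are constructed samples; the storeartifact.com URL is the one reported in the article, while example-app, some-fork and the trusted-registry list are assumptions.

```python
"""Find dependencies that npm would fetch from outside the registry.

Added example. Registry specs are semver ranges, dist-tags and npm: aliases;
everything else (http/https tarballs, git references, local paths) is reported.
"""
import json

TRUSTED_REGISTRIES = ("https://registry.npmjs.org/",)   # assumption: add your private registry here
DEP_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")


def classify_spec(spec: str) -> str:
    """Classify one package.json dependency spec by its fetch source."""
    s = spec.strip()
    if s.startswith("http://"):
        return "url-tarball-plaintext"   # fetched fresh, unauthenticated, over cleartext HTTP
    if s.startswith("https://"):
        return "url-tarball"
    if s.startswith(("git+", "git://", "github:", "gitlab:", "bitbucket:", "gist:")) or s.endswith(".git"):
        return "git"
    if s.startswith(("file:", "link:")):
        return "local"
    if s.startswith("npm:"):
        return "registry-alias"          # npm:<name>@<range> still resolves via the registry
    if "/" in s:
        return "git-shorthand"           # owner/repo GitHub shorthand; semver ranges never contain "/"
    return "registry"                    # semver range or dist-tag such as "latest"


def find_remote_dependencies(pkg: dict) -> list:
    """Return (section, name, spec, kind) for every spec that does not resolve via the registry."""
    findings = []
    for section in DEP_SECTIONS:
        for name, spec in pkg.get(section, {}).items():
            kind = classify_spec(spec)
            if kind not in ("registry", "registry-alias"):
                findings.append((section, name, spec, kind))
    return findings


def find_untrusted_resolutions(lock: dict, trusted=TRUSTED_REGISTRIES) -> list:
    """Return (path, resolved) for lockfile v2/v3 entries fetched from outside the trusted registries."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        resolved = entry.get("resolved")
        if not path or resolved is None:    # "" is the root project; bundled deps carry no 'resolved'
            continue
        if not resolved.startswith(trusted):
            findings.append((path, resolved))
    return findings


def scan_project(manifest: dict, lock: dict) -> dict:
    """Combine both checks for one project."""
    return {
        "declared_remote": find_remote_dependencies(manifest),
        "resolved_untrusted": find_untrusted_resolutions(lock),
    }


# Constructed sample manifest; the storeartifact.com URL is the pattern Koi reported
SAMPLE_PACKAGE_JSON = {
    "name": "example-app",
    "dependencies": {
        "express": "^4.19.2",
        "left-pad": "latest",
        "unused-imports": "http://packages.storeartifact.com/npm/unused-imports",
        "some-fork": "git+https://github.com/example/some-fork.git#v1.0.0",
    },
    "devDependencies": {"eslint-js": "npm:@eslint/js@^9.0.0"},
}

# Constructed lockfileVersion 3 excerpt
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/express": {
            "version": "4.19.2",
            "resolved": "https://registry.npmjs.org/express/-/express-4.19.2.tgz",
        },
        "node_modules/unused-imports": {
            "version": "1.0.0",
            "resolved": "http://packages.storeartifact.com/npm/unused-imports",
        },
        "node_modules/some-fork": {
            "version": "1.0.0",
            "resolved": "git+ssh://git@github.com/example/some-fork.git#0123abc",
        },
    },
}

if __name__ == "__main__":
    print(json.dumps(scan_project(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK), indent=2))
```

The lockfile walk is the more useful half in practice: the manifest check only sees what your own project declares, while "resolved" in the lockfile covers transitive dependencies, which is exactly where a malicious package's remote download hides. Lockfile v1 nests entries under "dependencies" instead and would need a recursive walk.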
(Score: 0) by Anonymous Coward on Tuesday November 11, @05:07PM (2 children)
Is it really that difficult today for coders to NOT use these shared libraries and just code your own? I feel OLD. :P
(Score: 2) by epitaxial on Tuesday November 11, @06:53PM
Can anything be written in a modern language offline today?
How on earth did people ever code when all you had was a reference binder?
(Score: 2) by Thexalon on Tuesday November 11, @09:04PM
Or, at the very least, if you're using those shared libraries, I dunno, read them?
"Think of how stupid the average person is. Then realize half of 'em are stupider than that." - George Carlin