Microsoft confirms Windows shortcut zero-day exploit

If you’re a Windows user, you should go make sure that the malware protection on your computer is up-to-date. Microsoft has confirmed that a new zero-day exploit is currently making the rounds.

The exploit targets Windows users and spreads via USB memory sticks: a malicious .lnk shortcut file is placed on the drive to trick users into clicking on it, launching the attack.

This zero-day exploit isn’t brand new, however. VirusBlokAda, a security company located in Belarus, first detected the threat on the 17th of June. They discovered and reported that systems had been infected via infected USB keys, which deploy code to install a rootkit that hides the shortcuts. The drivers installed by the rootkit are signed with a Realtek certificate, which implies that the creators of the exploit were somehow able to access Realtek’s private key. The certificate has now been revoked by Verisign, according to a report by Ars Technica.

While USB keys carrying the shortcuts are the primary vehicle of transmission for the exploit, network shares and local disks are also at risk. Industrial process control systems appear to be the main target of the attack, which makes calls to a Siemens SCADA WinCC + S7 database. Such systems are used in oil & gas refineries, power plants, and other manufacturing facilities.

Microsoft has released a security advisory outlining steps to disable shortcut icons and the WebClient service to reduce the spread of the exploit until a patch is released. All Windows operating systems are affected, but patches will not be released for Windows 2000 or XP SP2 as they are no longer officially supported. The next round of Windows patches is not scheduled to be released until August 18th, but one may come sooner if the threat is considered severe enough.
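The advisory's two interim workarounds can be audited from an elevated PowerShell prompt. The script below is an added example, not part of the article or of Microsoft's advisory; it assumes the shortcut icon handler lives under HKCR\lnkfile\shellex\IconHandler (and HKCR\piffile for .pif files), which is the location Microsoft's workaround clears, and that the WebDAV client runs as the service named WebClient. It only reads state and changes nothing.

```powershell
# Added example (not from the article): report whether the interim
# workarounds from Microsoft's shortcut advisory are in place.
# Assumptions: icon handler keys under HKCR\lnkfile and HKCR\piffile,
# and the WebDAV client service named 'WebClient'.

function Test-LnkWorkaround {
    $findings = @()

    # 1. Shortcut icon handler: the workaround deletes the (Default) value
    #    so Explorer no longer loads the handler when it renders an icon.
    foreach ($ext in 'lnkfile', 'piffile') {
        $key = "Registry::HKEY_CLASSES_ROOT\$ext\shellex\IconHandler"
        if (Test-Path $key) {
            $props   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $default = $props.'(default)'
            if ([string]::IsNullOrEmpty($default)) {
                $findings += "$ext icon handler: cleared (workaround applied)"
            } else {
                $findings += "$ext icon handler: ACTIVE ($default) - workaround NOT applied"
            }
        } else {
            $findings += "$ext icon handler key not present"
        }
    }

    # 2. WebClient service: stopping and disabling it removes the WebDAV
    #    share delivery path the advisory warns about.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $findings += 'WebClient service not installed'
    } else {
        $mode = (Get-WmiObject Win32_Service -Filter "Name='WebClient'").StartMode
        if ($svc.Status -eq 'Stopped' -and $mode -eq 'Disabled') {
            $findings += 'WebClient: stopped and disabled (workaround applied)'
        } else {
            $findings += "WebClient: status=$($svc.Status) startmode=$mode - workaround NOT applied"
        }
    }
    return $findings
}

Test-LnkWorkaround | ForEach-Object { Write-Output $_ }
```

Any line marked "NOT applied" means that machine is still exposed until the patch ships; clearing the icon handler also makes all shortcut icons render as generic, which is the expected side effect of the workaround.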

With refineries and power plant systems at risk of falling prey to this latest zero-day exploit, I would hope that Microsoft will make it a priority to get a patch pushed out as soon as possible.
