Digital Event Horizon
Researchers have discovered a zero-day vulnerability in 7-Zip that allows attackers to bypass the Mark of the Web (MotW) protection in Windows and run malicious executables on victims' machines. The vulnerability was exploited against Ukrainian targets during Russia's ongoing invasion of Ukraine, highlighting the importance of staying up to date with security patches and being cautious when opening files from unknown sources.
The recent discovery of a zero-day vulnerability (CVE-2025-0411) in 7-Zip has raised concerns among cybersecurity experts. The vulnerability allows attackers to bypass the MotW protection mechanism, which is designed to limit the execution of files downloaded from the Internet. The attack vector involves double-archived files: a legitimate-looking outer archive containing a second archive that holds the malicious executable. Attackers use homoglyphs to disguise the payload and make the executable file appear to be a document. The vulnerability was exploited in Russia's invasion of Ukraine, using compromised accounts from Ukrainian government agencies and real businesses. Researchers warn users to update to version 24.09, which fixes the vulnerability, to prevent exploitation.
The recent discovery of a zero-day vulnerability in the popular archiving utility, 7-Zip, has raised concerns among cybersecurity experts and researchers. The vulnerability, tracked as CVE-2025-0411, was discovered by researchers at Trend Micro and allows cybercrime groups to bypass the Mark of the Web (MotW) protection mechanism designed to limit the execution of files downloaded from the internet.
The Mark of the Web is a Windows mechanism rather than a SmartScreen feature: when a browser or mail client saves a file from the Internet, it records the file's origin in an NTFS alternate data stream named Zone.Identifier, with ZoneId=3 (the Internet zone). Windows Defender SmartScreen checks for that stream before launching an executable and shows a reputation warning, and Office opens tagged documents in Protected View. The 7-Zip vulnerability allows attackers to deliver executables inside archives in a way that leaves the extracted files without this tag, so none of those checks fire.
According to Peter Girnus, a researcher at Trend Micro who discovered the vulnerability, "the root cause of CVE-2025-0411 is that prior to version 24.09, 7-Zip did not properly propagate MoTW protections to the content of double-encapsulated archives." This means that if an attacker nests an archive containing malicious scripts or executables inside another archive, the files extracted from the inner archive do not receive the MotW tag, even though the outer archive carried it.
The attack vector used in the campaign is a double-archived file: a legitimate-looking outer archive that carries the MotW flag, and inside it a second archive holding a malicious executable named to look like a document, such as a PDF or DOCX file. Because files extracted from the inner archive carry no tag, Windows runs the executable on double-click without the SmartScreen check that MotW would otherwise trigger.
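To make the propagation gap concrete, the following added example (Python's zipfile, not 7-Zip code) models the two behaviours described above: one-level propagation, where members of the outer archive inherit the Zone.Identifier tag but files pulled out of a nested archive do not, and recursive propagation, where the tag follows the content down. The Zone.Identifier stream text, the archive layout and the file names are constructed for the demo; the hostnames are placeholders.

```python
"""Model of how Mark of the Web does (and did not) reach nested archive contents.
Added example built on Python's zipfile; it is not 7-Zip code.
"""
import io
import os
import zipfile
from typing import Dict, Optional

ZIP_MAGIC = b"PK\x03\x04"   # ZIP local file header; nested archives are found by content, not by name
URLZONE_INTERNET = 3

# Constructed copy of what a browser writes to outer.zip:Zone.Identifier after download.
SAMPLE_ZONE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://mail.example.invalid/\r\n"
    "HostUrl=https://mail.example.invalid/attachments/outer.zip\r\n"
)


def parse_zone_id(stream_text: str) -> Optional[int]:
    """Return the ZoneId from a Zone.Identifier stream, or None if the key is absent."""
    for line in stream_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ZoneId":
            return int(value.strip())
    return None


def write_zone_identifier(path: str, zone: int) -> bool:
    """Tag a file on NTFS by writing its Zone.Identifier alternate data stream.

    Returns False on non-Windows hosts, where the ':stream' path syntax has no meaning.
    """
    if os.name != "nt":
        return False
    with open(path + ":Zone.Identifier", "w", newline="") as ads:
        ads.write(f"[ZoneTransfer]\r\nZoneId={zone}\r\n")
    return True


def build_sample_archive() -> bytes:
    """Constructed double archive: outer.zip -> Documents.doc (really a ZIP) -> payload."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Invoice.pdf.exe", b"MZ" + b"\x00" * 62)   # fake PE header, constructed
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        # Document-looking name: Windows has no archive association for .doc,
        # but an archiver that sniffs content still opens the member as a ZIP.
        z.writestr("Documents.doc", inner.getvalue())
    return outer.getvalue()


def extract_with_tags(data: bytes, zone: Optional[int], recursive: bool,
                      prefix: str = "") -> Dict[str, Optional[int]]:
    """Walk a ZIP held in memory and report the zone tag each extracted file would carry.

    recursive=False models 7-Zip before 24.09 as described in the text: members of
    the outer archive inherit the tag, but files extracted from a nested archive do
    not.  recursive=True models the fixed behaviour, where the tag is propagated.
    """
    tags: Dict[str, Optional[int]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            path = prefix + info.filename
            tags[path] = zone
            content = z.read(info)
            if content.startswith(ZIP_MAGIC):
                tags.update(extract_with_tags(content, zone if recursive else None,
                                              recursive, path + "/"))
    return tags


def demo() -> Dict[str, Dict[str, Optional[int]]]:
    """Run both models over the constructed sample and return their tag maps."""
    zone = parse_zone_id(SAMPLE_ZONE_STREAM)
    data = build_sample_archive()
    return {"pre_24_09": extract_with_tags(data, zone, recursive=False),
            "fixed": extract_with_tags(data, zone, recursive=True)}


if __name__ == "__main__":
    for label, tags in demo().items():
        print(label)
        for path, zone in tags.items():
            print(f"  {path}: ZoneId={zone}")
```

The point to take from the output is that under the pre-24.09 model the inner archive itself is tagged with ZoneId=3 while Invoice.pdf.exe inside it carries no tag at all, which is exactly the file the user ends up double-clicking. Detecting the nested archive by its magic bytes rather than its extension matters because the campaign relied on a document-looking name.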
To disguise the payload further, attackers use homoglyphs: characters from another script that look identical or nearly identical to ASCII letters. In this case the attackers replaced a Latin "c" with the Cyrillic small letter es (с, U+0441), so a name that reads as a document extension to a person is a different string to Windows, and the executable file appears to be a document.
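A mail gateway or endpoint triage script can catch this class of trick without a full confusables database. The following added example (not from the page or from Trend Micro) flags three things in an attachment name: bidi control characters, non-ASCII letters inside the extension (Windows file associations are registered for ASCII extensions), and a base name that mixes Latin and Cyrillic letters. The confusable table is a hand-picked subset of Cyrillic letters that render like Latin ones, and the sample names are constructed; a name written entirely in Cyrillic, as a legitimate Ukrainian document would be, is deliberately not flagged.

```python
"""Spot homoglyph and bidi tricks in attachment names.  Added example; the
confusable table is a constructed subset, not an exhaustive list.
"""
import unicodedata
from typing import List, Set

# Cyrillic letters (left) that are visually identical to the Latin letter (right)
# in common fonts.  Subset, constructed for this example.
CYRILLIC_CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E",
    "\u041d": "H", "\u041a": "K", "\u041c": "M", "\u041e": "O",
    "\u0420": "P", "\u0422": "T", "\u0425": "X",
}
# Unicode bidi classes for the embedding/override/isolate controls (U+202A..U+202E, U+2066..U+2069).
BIDI_CONTROLS = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}

# Constructed sample names: one clean, one all-Cyrillic (legitimate), three spoofed.
SAMPLES = [
    "Report.doc",
    "\u0414\u043e\u043a\u0443\u043c\u0435\u043d\u0442\u0438.pdf",   # "Документи.pdf"
    "Report.do\u0441",             # ".doс" with Cyrillic es
    "Rep\u043ert.doc",             # Cyrillic o in the base name
    "invoice\u202efdp.exe",        # RLO makes it display as "invoiceexe.pdf"
]


def latinize(filename: str) -> str:
    """Replace confusable Cyrillic letters with the Latin letters a reader perceives."""
    return "".join(CYRILLIC_CONFUSABLES.get(ch, ch) for ch in filename)


def scripts_in(text: str) -> Set[str]:
    """Scripts of the letters in text, taken from the first word of each Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in text if ch.isalpha()}


def homoglyph_findings(filename: str) -> List[str]:
    """Return human-readable reasons to treat a filename as spoofed (empty if none)."""
    findings: List[str] = []
    bidi = [ch for ch in filename if unicodedata.bidirectional(ch) in BIDI_CONTROLS]
    if bidi:
        codes = ", ".join(f"U+{ord(c):04X}" for c in bidi)
        findings.append(f"bidi control character(s) {codes} reorder the displayed name")
    base, dot, ext = filename.rpartition(".")
    if dot:
        for ch in ext:
            if ord(ch) > 0x7F and ch.isalpha():
                look = CYRILLIC_CONFUSABLES.get(ch)
                hint = f" (reads as '{look}')" if look else ""
                findings.append(f"non-ASCII letter in extension '.{ext}': "
                                f"{unicodedata.name(ch, 'UNKNOWN')}{hint}")
        scripts = scripts_in(base)
        if len(scripts) > 1:
            findings.append(f"base name mixes scripts {sorted(scripts)}; "
                            f"reads as {latinize(base)!r}")
    return findings


if __name__ == "__main__":
    for name in SAMPLES:
        verdict = homoglyph_findings(name)
        print(repr(name), "->", verdict or "clean")
```

The mixed-script rule is applied to the base name only: a Cyrillic base name with an ASCII extension is the normal shape of a Ukrainian document and should not be blocked, whereas any non-ASCII letter in the extension means the operating system will not treat the file as the type the user reads.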
The vulnerability was exploited in Russia's ongoing invasion of Ukraine, with attackers using compromised accounts belonging to Ukrainian government agencies and real businesses to send emails carrying the malicious archives. The attacks succeeded because the messages came from genuine, trusted senders and the attachments carried legitimate-looking names, so recipients had little reason to suspect the files had been manipulated.
Researchers at Trend Micro have warned that anyone using 7-Zip on Windows should ensure they are running version 24.09 or later, which fixes the vulnerability. 7-Zip has no automatic update mechanism, so the new version has to be downloaded and installed manually; simply having 7-Zip installed does not mean the fix is present.
In conclusion, the discovery of this zero-day vulnerability in 7-Zip highlights the importance of staying up to date with security patches and being cautious when opening files from unknown sources. As cybersecurity threats continue to evolve, it is essential for users and organizations to stay vigilant and proactive in protecting themselves against emerging risks.
Related Information:
https://arstechnica.com/security/2025/02/7-zip-0-day-was-exploited-in-russias-ongoing-invasion-of-ukraine/
Published: Mon Feb 17 23:08:38 2025 by llama3.2 3B Q4_K_M