
The Shortcut That Speaks

  • Javier Conejo del Cerro
  • 1 day ago
  • 2 min read


Not every attack needs a click. In this campaign, a simple Windows shortcut becomes a silent trigger—initiating authentication, leaking credentials, and opening the door before the user even interacts. This is not about execution. It’s about trust being exploited at the protocol level.


Phase 1: The Lure


The attack begins with a seemingly harmless LNK file. Delivered through targeted campaigns—particularly against Ukraine and EU entities—it appears legitimate enough to avoid suspicion.

There is no need for complex exploits at this stage. The file only needs to be present and parsed by the system.


Phase 2: The Hidden Call


Once processed, the shortcut references a remote resource using a UNC path (e.g., \\attacker.com\share\payload.cpl).

Windows automatically attempts to resolve this path. This action alone triggers an outbound SMB connection to the attacker-controlled server.

No execution is required. The system initiates the communication by design.
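A defender can triage incoming .lnk files statically before Explorer ever parses them. The scanner below is an added example (not code from the post or from the campaign's tooling) that walks the Shell Link binary format (MS-SHLLINK): it reads the LinkFlags in the 76-byte header, skips the LinkTargetIDList, pulls the network path out of LinkInfo's CommonNetworkRelativeLink, decodes the StringData fields (name, relative path, working directory, arguments, icon location) and flags any UNC reference whose host is not on an allowlist. The hostnames `files.attacker.example` and `fileserver01`, and `build_fixture`, are constructed test data, not real indicators.

```python
import struct

HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x1, 0x2, 0x80
STRING_FIELDS = [(0x4, "name"), (0x8, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]  # StringData order

def _cstr(buf, off):  # NUL-terminated ANSI string inside LinkInfo (system code page assumed)
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")

def extract_paths(data):
    """Return {field: value} for every path-carrying field of a Shell Link file."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]   # LinkFlags in the 76-byte header
    pos, found = 0x4C, {}
    if flags & HAS_IDLIST:                             # skip LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:
        li = data[pos:pos + struct.unpack_from("<I", data, pos)[0]]
        hdr = struct.unpack_from("<7I", li)  # size, hdrsize, flags, vol, local, cnrl, suffix
        if hdr[2] & 0x2:                     # CommonNetworkRelativeLinkAndPathSuffix
            net_off = struct.unpack_from("<I", li, hdr[5] + 8)[0]   # NetNameOffset
            found["link_info"] = _cstr(li, hdr[5] + net_off) + "\\" + _cstr(li, hdr[6])
        pos += len(li)
    for bit, name in STRING_FIELDS:
        if flags & bit:
            n, width = struct.unpack_from("<H", data, pos)[0], 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + n * width]
            found[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + n * width
    return found

def find_unc(paths, trusted_hosts=()):
    """Flag UNC references (\\\\host\\...) whose host is outside the allowlist."""
    unc = [(f, v[2:].split("\\", 1)[0].lower(), v) for f, v in paths.items() if v.startswith("\\\\")]
    return [h for h in unc if h[1] not in trusted_hosts]

def build_fixture(net_name, suffix, icon):
    """Constructed test fixture (not a real sample): LinkInfo network link + IconLocation."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")     # ShellLink CLSID
    header = struct.pack("<I", 0x4C) + clsid + struct.pack("<I", HAS_LINKINFO | 0x40 | IS_UNICODE) + b"\x00" * 52
    net, suf = net_name.encode() + b"\x00", suffix.encode() + b"\x00"
    cnrl = struct.pack("<5I", 20 + len(net), 0x2, 20, 0, 0x20000) + net  # CommonNetworkRelativeLink
    li = struct.pack("<7I", 28 + len(cnrl) + len(suf), 28, 0x2, 0, 0, 28, 28 + len(cnrl)) + cnrl + suf
    return header + li + struct.pack("<H", len(icon)) + icon.encode("utf-16-le")
```

Run `find_unc(extract_paths(open(path, "rb").read()), trusted_hosts={...})` over quarantined attachments; any hit on a non-allowlisted host is a candidate for the outbound SMB/NTLM coercion described above, whatever the shortcut's nominal target.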


Phase 3: The Silent Leak


As part of the SMB connection, Windows performs an automatic NTLM authentication handshake.

This results in the victim’s Net-NTLMv2 hash being sent to the attacker. The user remains unaware—no prompts, no warnings.

This is where CVE-2026-32202 comes into play: an authentication coercion flaw left behind after the original patch.


Phase 4: The Exploit Chain


Previously, APT28 leveraged CVE-2026-21510 and CVE-2026-21513 to achieve remote code execution and bypass SmartScreen protections.

While Microsoft patched the RCE vector, the authentication leakage remained. The chain evolved—from execution to credential theft.

The attack becomes quieter, but no less dangerous.


Phase 5: The Weaponization


With captured hashes, attackers can:

  • Perform NTLM relay attacks

  • Attempt offline password cracking

  • Pivot into internal systems

This transforms a simple file interaction into a foothold within the network.


Conclusions


This campaign highlights a critical shift: exploitation is no longer always about code execution—it’s about abusing default behavior.

By leveraging how Windows handles network paths and authentication, attackers bypass traditional defenses entirely. The system itself becomes the trigger.

The lesson is clear: trust boundaries are no longer where we think they are. And sometimes, the most dangerous action is the one the system performs automatically.


Defensive Measures


  • Apply all relevant Microsoft patches immediately

  • Restrict or block outbound SMB traffic

  • Disable NTLM authentication where feasible

  • Monitor for suspicious UNC path resolutions

  • Detect anomalous authentication attempts

  • Harden endpoint policies against LNK abuse


The Hacker News

