It turns out that the original targets for the highly-dangerous Windows Shell LNK Zero-Day Exploit were Siemens WinCC SCADA systems with hard-coded credentials used in large infrastructure systems like factories and power grids. Once the attacker had successfully executed the LNK exploit, they accessed the Siemens WinCC program and extracted sensitive data from the database the software uses. It is highly suspected that the exploit was explicitly used for espionage toward Iran and Indonesia at the very least, but by whom or what exact purpose is not clear. What is clear is that the Siemens WinCC software was targeted. The Siemens WinCC software has what is considered one of the top vulnerabilities in software according to CWE/SANS, which is the use of fixed-credentials. This type of vulnerability has been publicly disclosed for over two years and the password to this specific software (2WSXcder) has been publicly known since at least 2008. Siemens was made aware of the issue on July 14 and shortly started to asses the problem and notify customers.
In the meantime, a security researcher known as Ivanlef0u has posted a proof-of-concept of the exploit (site is in French), while Win32/TrojanDownloader.Chymine.A and Win32/Autorun.VB.RP are in the wild already actively actively using this exploit according to ESET. Expect to see this exploit to be a bit prolific due to its new and unique nature combined with the relative ineffectiveness of detection/removal systems thus far.
