Microsoft Patches Zero-Day Flaw Exploited by North Korea’s Lazarus Group

Cyber Security

Aug 19, 2024Ravie LakshmananVulnerability / Zero-Day

A newly patched security flaw in Microsoft Windows was exploited as a zero-day by Lazarus Group, a prolific state-sponsored actor affiliated with North Korea.

The security vulnerability, tracked as CVE-2024-38193 (CVSS score: 7.8), has been described as a privilege escalation bug in the Windows Ancillary Function Driver (AFD.sys) for WinSock.

“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said in an advisory for the flaw last week. It was addressed by the tech giant as part of its monthly Patch Tuesday update.

Credited with discovering and reporting the flaw are Gen Digital researchers Luigino Camastra and Milánek. Gen Digital owns a number of security and utility software brands like Norton, Avast, Avira, AVG, ReputationDefender, and CCleaner.

“This flaw allowed them to gain unauthorized access to sensitive system areas,” the company disclosed last week, adding it discovered the exploitation in early June 2024. “The vulnerability allowed attackers to bypass normal security restrictions and access sensitive system areas that most users and administrators can’t reach.”

The cybersecurity vendor further noted that the attacks were characterized by the use of a rootkit called FudModule in an attempt to evade detection.

While the exact technical details associated with the intrusions are presently unknown, the vulnerability is reminiscent of another privilege escalation that Microsoft fixed in February 2024 and was also weaponized by the Lazarus Group to drop FudModule.

Specifically, it entailed the exploitation of CVE-2024-21338 (CVSS score: 7.8), a Windows kernel privilege escalation flaw rooted in the AppLocker driver (appid.sys) that makes it possible to execute arbitrary code such that it sidesteps all security checks and runs the FudModule rootkit.

Both these attacks are notable because they go beyond a traditional Bring Your Own Vulnerable Driver (BYOVD) attack by taking advantage of a security flaw in a driver that’s already installed on a Windows host as opposed to “bringing” a susceptible driver and using it to bypass security measures.

Previous attacks detailed by cybersecurity firm Avast revealed that the rootkit is delivered by means of a remote access trojan known as Kaolin RAT.

“FudModule is only loosely integrated into the rest of Lazarus’ malware ecosystem,” the Czech company said at the time, stating “Lazarus is very careful about using the rootkit, only deploying it on demand under the right circumstances.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Articles You May Like

Steam Autumn Sale 2024 Best Deals: Metaphor: ReFantazio, Silent Hill 2, Baldur’s Gate 3, Psychonauts 2, More
Indonesia Expects $1 Billion Investment Commitment From Apple in a Week
Intel shares slide as Gelsinger exit leaves chipmaker without a ‘quick fix’
Sea Turtles Can Aid Scientists Map Under-Ocean Seagrass in an Attempt to Conserve Marine Ecology
Intel considers an outside CEO, taps headhunters, sources say