The well-known state-sponsored actor Lazarus Group, which has ties to North Korea, exploited a zero-day vulnerability in Microsoft Windows that was just fixed.
Lazarus Group, a well-known state-sponsored actor connected to North Korea, used a recently patched security hole in Microsoft Windows as a zero-day exploit. The security flaw in the Windows Ancillary Function Driver (AFD.sys) for WinSock has been identified as a privilege escalation bug. It is listed as CVE-2024-38193 (CVSS score: 7.8). Microsoft stated in a security alert about the issue last week that “an attacker who successfully exploited this vulnerability could gain system privileges.” The tech giant addressed it in its weekly Patch Tuesday update.
Researchers Luigino Camastra and Milánek from Gen Digital are credited with finding and reporting the problem. Several utility and security software companies, including ReputationDefender, AVG, Norton, Avast, and Avira, are owned by Gen Digital. The corporation said last week that “this flaw allowed them to gain unauthorized access to sensitive system areas,” adding that it found the exploitation early in June 2024.
“The vulnerability allowed attackers to bypass normal security restrictions and access sensitive system areas that most users and administrators can’t reach.” The cybersecurity provider added that the attacks were distinguished by the attempt to avoid detection through the deployment of a rootkit known as FudModule.
Although the precise technical details of the intrusions are not yet known, the vulnerability resembles another privilege escalation bug that Microsoft closed in February 2024 and that the Lazarus Group also weaponized to distribute FudModule. That earlier attack exploited a Windows kernel privilege escalation vulnerability, CVE-2024-21338 (CVSS score: 7.8), which resides in the AppLocker driver (appid.sys) and allows arbitrary code execution in order to circumvent security protections and launch the FudModule rootkit.
These two attacks are noteworthy because, rather than “bringing” a susceptible driver and exploiting it to get around security measures, they leverage a security issue in a driver that is already installed on a Windows host, which is a step beyond the usual Bring Your Own Vulnerable Driver (BYOVD) attack. Previous attacks described by cybersecurity company Avast showed that the rootkit is distributed using the Kaolin RAT remote access trojan. “FudModule is only loosely integrated into the rest of Lazarus’ malware ecosystem,” the Czech business stated at the time. “Lazarus is very careful about using the rootkit, only deploying it on demand under the right circumstances.”