A newly patched security flaw in Microsoft Windows was exploited as a zero-day by Lazarus Group, a prolific state-sponsored actor affiliated with North Korea.
The security vulnerability, tracked as CVE-2024-38193 (CVSS score: 7.8), has been described as a privilege escalation bug in the Windows Ancillary Function Driver (AFD.sys) for WinSock.
“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said in an advisory for the flaw last week. It was addressed by the tech giant as part of its monthly Patch Tuesday update.
Credited with discovering and reporting the flaw are Gen Digital researchers Luigino Camastra and Milánek. Gen Digital owns a number of security and utility software brands like Norton, Avast, Avira, AVG, ReputationDefender, and CCleaner.
“This flaw allowed them to gain unauthorized access to sensitive system areas,” the company disclosed last week, adding that it discovered the exploitation in early June 2024. “The vulnerability allowed attackers to bypass normal security restrictions and access sensitive system areas that most users and administrators can’t reach.”
The cybersecurity vendor further noted that the attacks were characterized by the use of a rootkit called FudModule in an attempt to evade detection.
While the exact technical details associated with the intrusions are currently unknown, the vulnerability is reminiscent of another privilege escalation flaw that Microsoft fixed in February 2024 and that was also weaponized by the Lazarus Group to drop FudModule.
Specifically, that earlier campaign exploited CVE-2024-21338 (CVSS score: 7.8), a Windows kernel privilege escalation flaw rooted in the AppLocker driver (appid.sys) that makes it possible to execute arbitrary code in a way that sidesteps all security checks and runs the FudModule rootkit.
Both attacks are notable because they go beyond a traditional Bring Your Own Vulnerable Driver (BYOVD) attack: rather than “bringing” a vulnerable driver and using it to bypass security measures, they take advantage of a security flaw in a driver that is already installed on a Windows host.
Earlier attacks detailed by cybersecurity firm Avast revealed that the rootkit is delivered by way of a remote access trojan referred to as Kaolin RAT.
“FudModule is only loosely integrated into the rest of Lazarus’ malware ecosystem,” the Czech firm said at the time, stating “Lazarus is very careful about using the rootkit, only deploying it on demand under the right circumstances.”