A newly patched security flaw in Microsoft Home windows was exploited as a zero-day by Lazarus Group, a prolific state-sponsored actor affiliated with North Korea.
The security vulnerability, tracked as CVE-2024-38193 (CVSS rating: 7.8), has been described as a privilege escalation bug within the Home windows Ancillary Perform Driver (AFD.sys) for WinSock.
“An attacker who efficiently exploited this vulnerability may acquire SYSTEM privileges,” Microsoft mentioned in an advisory for the flaw final week. It was addressed by the tech large as a part of its month-to-month Patch Tuesday replace.
Credited with discovering and reporting the flaw are Gen Digital researchers Luigino Camastra and Milánek. Gen Digital owns quite a few security and utility software program manufacturers like Norton, Avast, Avira, AVG, ReputationDefender, and CCleaner.
“This flaw allowed them to realize unauthorized entry to delicate system areas,” the corporate disclosed final week, including it found the exploitation in early June 2024. “The vulnerability allowed attackers to bypass regular security restrictions and entry delicate system areas that almost all customers and directors cannot attain.”
The cybersecurity vendor additional famous that the assaults have been characterised by means of a rootkit referred to as FudModule in an try and evade detection.
Whereas the precise technical particulars related to the intrusions are presently unknown, the vulnerability is paying homage to one other privilege escalation that Microsoft mounted in February 2024 and was additionally weaponized by the Lazarus Group to drop FudModule.
Particularly, it entailed the exploitation of CVE-2024-21338 (CVSS rating: 7.8), a Home windows kernel privilege escalation flaw rooted within the AppLocker driver (appid.sys) that makes it potential to execute arbitrary code such that it sidesteps all security checks and runs the FudModule rootkit.
Each these assaults are notable as a result of they transcend a standard Convey Your Personal Weak Driver (BYOVD) assault by profiting from a security flaw in a driver that is already put in on a Home windows host versus “bringing” a inclined driver and utilizing it to bypass security measures.
Earlier assaults detailed by cybersecurity agency Avast revealed that the rootkit is delivered by way of a distant entry trojan generally known as Kaolin RAT.
“FudModule is simply loosely built-in into the remainder of Lazarus’ malware ecosystem,” the Czech firm mentioned on the time, stating “Lazarus could be very cautious about utilizing the rootkit, solely deploying it on demand below the best circumstances.”
