Microsoft Patches Zero-Day Flaw Exploited by North Korea’s Lazarus Group
A newly patched security flaw in Microsoft Windows was exploited as a zero-day by Lazarus Group, a prolific state-sponsored actor affiliated with North Korea.
The security vulnerability, tracked as CVE-2024-38193 (CVSS score: 7.8), has been described as a privilege escalation bug in the Windows Ancillary Function Driver (AFD.sys) for WinSock.
“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said in an advisory for the flaw last week. It was addressed by the tech giant as part of its monthly Patch Tuesday update.
Credited with discovering and reporting the flaw are Gen Digital researchers Luigino Camastra and Milánek. Gen Digital owns a number of security and utility software brands, including Norton, Avast, Avira, AVG, ReputationDefender, and CCleaner.
“This flaw allowed them to gain unauthorized access to sensitive system areas,” the company disclosed last week, adding that it discovered the exploitation in early June 2024. “The vulnerability allowed attackers to bypass normal security restrictions and access sensitive system areas that most users and administrators can't reach.”
The cybersecurity vendor further noted that the attacks were characterized by the use of a rootkit called FudModule in an attempt to evade detection.
While the exact technical details associated with the intrusions are currently unknown, the vulnerability is reminiscent of another privilege escalation flaw that Microsoft fixed in February 2024 and that was also weaponized by the Lazarus Group to drop FudModule.
Specifically, that earlier campaign exploited CVE-2024-21338 (CVSS score: 7.8), a Windows kernel privilege escalation flaw rooted in the AppLocker driver (appid.sys) that makes it possible to execute arbitrary code in a way that sidesteps all security checks and runs the FudModule rootkit.
Both attacks are notable because they go beyond a traditional Bring Your Own Vulnerable Driver (BYOVD) attack: instead of “bringing” a vulnerable driver onto the machine and using it to bypass security measures, they take advantage of a security flaw in a driver that is already installed on a Windows host.
Earlier attacks detailed by cybersecurity firm Avast revealed that the rootkit is delivered via a remote access trojan known as Kaolin RAT.
“FudModule is only loosely integrated into the rest of Lazarus’ malware ecosystem,” the Czech company said at the time, stating that “Lazarus is very careful about using the rootkit, only deploying it on demand under the right circumstances.”