A newly patched safety flaw in Microsoft Home windows was exploited as a zero-day by Lazarus Group, a prolific state-sponsored actor affiliated with North Korea.
The safety vulnerability, tracked as CVE-2024-38193 (CVSS rating: 7.8), has been described as a privilege escalation bug within the Home windows Ancillary Operate Driver (AFD.sys) for WinSock.
“An attacker who efficiently exploited this vulnerability may acquire SYSTEM privileges,” Microsoft stated in an advisory for the flaw final week. It was addressed by the tech big as a part of its month-to-month Patch Tuesday replace.
Credited with discovering and reporting the flaw are Gen Digital researchers Luigino Camastra and Milánek. Gen Digital owns numerous safety and utility software program manufacturers like Norton, Avast, Avira, AVG, ReputationDefender, and CCleaner.
“This flaw allowed them to realize unauthorized entry to delicate system areas,” the corporate disclosed final week, including it found the exploitation in early June 2024. “The vulnerability allowed attackers to bypass regular safety restrictions and entry delicate system areas that almost all customers and directors cannot attain.”
The cybersecurity vendor additional famous that the assaults have been characterised by means of a rootkit known as FudModule in an try to evade detection.
Whereas the precise technical particulars related to the intrusions are presently unknown, the vulnerability is paying homage to one other privilege escalation flaw that Microsoft fastened in February 2024 and was additionally weaponized by the Lazarus Group to drop FudModule.
Particularly, it entailed the exploitation of CVE-2024-21338 (CVSS rating: 7.8), a Home windows kernel privilege escalation flaw rooted within the AppLocker driver (appid.sys) that makes it attainable to execute arbitrary code such that it sidesteps all safety checks and runs the FudModule rootkit.
Each these assaults are notable as a result of they transcend a conventional Convey Your Personal Susceptible Driver (BYOVD) assault by benefiting from a safety flaw in a driver that is already put in on a Home windows host versus “bringing” a prone driver and utilizing it to bypass safety measures.
Earlier assaults detailed by cybersecurity agency Avast revealed that the rootkit is delivered via a distant entry trojan generally known as Kaolin RAT.
“FudModule is just loosely built-in into the remainder of Lazarus’ malware ecosystem,” the Czech firm stated on the time, stating “Lazarus may be very cautious about utilizing the rootkit, solely deploying it on demand below the precise circumstances.”
