A zero-day vulnerability in Microsoft Windows [2], tracked as CVE-2024-38193 [2] [3] [5] [7] [8], was exploited in the wild by hackers associated with the North Korean government’s Lazarus APT group before a patch was available.
Description
The vulnerability is a privilege-escalation flaw in the Windows Ancillary Function Driver for WinSock (AFD.sys) [2] [5] [6] [8], a kernel driver that ships with every Windows installation. Exploiting it let the attackers elevate their privileges to SYSTEM and deploy the FudModule rootkit [1] [3] [4] [5] [6] [7] [8] on targeted Windows systems. FudModule is a kernel-mode rootkit: it disables security mechanisms from inside the kernel, where endpoint protection has little visibility, and gives the attackers access to critical system areas.

The choice of driver is what makes this campaign notable. The classic “bring your own vulnerable driver” (BYOVD) technique requires the attacker to load a signed but flawed third-party driver, and security products can detect the moment that driver is installed. In its earlier campaign using CVE-2024-21338, Lazarus instead exploited appid.sys, a driver that is part of Windows itself, to selectively deploy FudModule; CVE-2024-38193 follows the same pattern with AFD.sys. No extra driver has to be dropped on the machine, so there is much less for a detection rule to see, which is how the attackers evaded detection. The targets were individuals in sectors such as cryptocurrency engineering and aerospace. Gen Digital researchers discovered the attacks in June 2024 [7]; when they began is not known, and multiple organizations were targeted. Microsoft fixed the vulnerability in the security updates released on Patch Tuesday in August 2024 and urged users to apply them [6].
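As an added example (not code from the original article, nor from Gen Digital or Microsoft), the following PowerShell snippet is a quick host-side check an administrator can run on a Windows machine after the August 2024 Patch Tuesday. It assumes a supported Windows build and deliberately does not hard-code a “fixed” afd.sys version, because that number differs per build and should be taken from Microsoft’s advisory for CVE-2024-38193:

```powershell
# Added example, not from the original article or from Gen Digital/Microsoft.
# Assumptions: a supported Windows build; the fixed afd.sys version for this
# build is looked up in Microsoft's CVE-2024-38193 advisory rather than hard-coded.

$patchTuesday = Get-Date '2024-08-13'   # August 2024 Patch Tuesday

# 1. Updates installed on or after the August 2024 Patch Tuesday.
#    InstalledOn can be empty for some entries, so guard against $null.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
    Sort-Object InstalledOn -Descending
if ($recent) {
    "Updates installed since {0:yyyy-MM-dd}:" -f $patchTuesday
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    Write-Warning ("No updates installed since {0:yyyy-MM-dd}; " +
                   "the host may still be exposed to CVE-2024-38193.") -f $patchTuesday
}

# 2. On-disk version of the vulnerable driver, to compare with the advisory.
$afd = Get-Item "$env:SystemRoot\System32\drivers\afd.sys"
"afd.sys file version: {0}" -f $afd.VersionInfo.FileVersion

# 3. Confirm the loaded AFD driver is the one on disk (service name is 'AFD').
#    A running driver loaded from an unexpected path is worth investigating.
$loaded = Get-CimInstance Win32_SystemDriver -Filter "Name='AFD'"
"AFD driver loaded from: {0} (state: {1})" -f $loaded.PathName, $loaded.State
```

Run it in an elevated PowerShell session. A missing post-August update or a driver path outside `System32\drivers` is a reason to look closer, but a clean result here only says the patch is present; it says nothing about whether the host was compromised before the patch was applied.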
Conclusion
The exploitation of this vulnerability highlights the importance of timely security updates and patches to protect against sophisticated cyber threats. Organizations and individuals in high-risk sectors such as cryptocurrency and aerospace should remain vigilant and ensure their systems are up to date to mitigate the risk of similar attacks in the future. Because CVE-2024-38193 was exploited as a zero-day, installing the August 2024 update closes the hole but does not remove a rootkit that was installed before the patch; hosts in the targeted sectors that were exposed during that window should be checked for signs of compromise rather than assumed clean.
References
[1] https://arstechnica.com/security/2024/08/windows-0-day-was-exploited-by-north-korea-to-install-advanced-rootkit/
[2] https://cyber.vumetric.com/security-news/2024/08/19/microsoft-patches-zero-day-flaw-exploited-by-north-koreas-lazarus-group/
[3] https://me.pcmag.com/en/security/25354/zero-day-windows-bug-linked-to-north-korean-hacking-group-lazarus
[4] https://cybersecuritynews.com/windows-0-day-flaw-exploited/
[5] https://securityaffairs.com/167246/apt/microsoft-zero-day-cve-2024-38193-lazarus.html
[6] https://www.techworm.net/2024/08/microsoft-patch-zero-day-flaw-lazarus-group.html
[7] https://thehackernews.com/2024/08/microsoft-patches-zero-day-flaw.html
[8] https://www.techradar.com/pro/security/microsoft-patches-windows-security-flaw-exploited-by-north-korean-hackers-but-is-it-too-late