
Microsoft Patches Zero-Day Flaw Exploited by North Korea’s Lazarus Group


Aug 19, 2024 | Ravie Lakshmanan | Vulnerability / Zero-Day

A newly patched security flaw in Microsoft Windows was exploited as a zero-day by Lazarus Group, a prolific state-sponsored actor affiliated with North Korea.

The security vulnerability, tracked as CVE-2024-38193 (CVSS score: 7.8), has been described as a privilege escalation bug in the Windows Ancillary Function Driver (AFD.sys) for WinSock.

“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said in an advisory for the flaw last week. It was addressed by the tech giant as part of its monthly Patch Tuesday update.


Credited with discovering and reporting the flaw are Gen Digital researchers Luigino Camastra and Milánek. Gen Digital owns a number of security and utility software brands, including Norton, Avast, Avira, AVG, ReputationDefender, and CCleaner.

“This flaw allowed them to gain unauthorized access to sensitive system areas,” the company disclosed last week, adding that it discovered the exploitation in early June 2024. “The vulnerability allowed attackers to bypass normal security restrictions and access sensitive system areas that most users and administrators can't reach.”

The cybersecurity vendor further noted that the attacks were characterized by the use of a rootkit called FudModule in an attempt to evade detection.

While the exact technical details associated with the intrusions are currently unknown, the vulnerability is reminiscent of another privilege escalation flaw that Microsoft fixed in February 2024 and that was also weaponized by the Lazarus Group to drop FudModule.

Specifically, that earlier campaign exploited CVE-2024-21338 (CVSS score: 7.8), a Windows kernel privilege escalation flaw rooted in the AppLocker driver (appid.sys) that makes it possible to execute arbitrary code in the kernel, sidestepping the security checks that would otherwise block it, and then load the FudModule rootkit.


Both of these attacks are notable because they go beyond a traditional Bring Your Own Vulnerable Driver (BYOVD) attack: rather than "bringing" a known-vulnerable third-party driver onto the host and using it to bypass security measures, they take advantage of a security flaw in a driver that is already installed on every Windows host. Because the vulnerable driver ships with Windows, controls aimed at BYOVD, such as blocklists of known-bad third-party drivers, do not help here; the remediation is the patch itself.
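As a practical check for the two drivers named above, the following PowerShell script is an added example written for this page, not code from The Hacker News, Microsoft, or Gen Digital. It reports the on-disk file version and load state of afd.sys and appid.sys and checks whether a caller-supplied list of KB identifiers is installed. The KB list is an assumption the operator must fill in from the Microsoft advisory for their own Windows build; the script does not know the fixed driver versions, so it only gives you the data to compare against the advisory.

```powershell
# Added example (not from the article). Inventory the two Windows-shipped drivers
# discussed above and check whether specific cumulative updates are installed.
# $ExpectedKBs is a placeholder: take the KB numbers for your build from the
# Microsoft advisory for CVE-2024-38193 (and CVE-2024-21338 for appid.sys).
param(
    [string[]]$ExpectedKBs = @()
)

# Drivers of interest: AFD.sys (CVE-2024-38193), appid.sys (CVE-2024-21338).
$drivers = @("afd.sys", "appid.sys")

foreach ($name in $drivers) {
    $path = Join-Path $env:SystemRoot "System32\drivers\$name"
    if (Test-Path $path) {
        $item = Get-Item $path
        [pscustomobject]@{
            Driver       = $name
            FileVersion  = $item.VersionInfo.FileVersion
            LastWriteUtc = $item.LastWriteTimeUtc
        }
    } else {
        Write-Warning "$name not found at $path"
    }
}

# Load state: an unpatched afd.sys is exposed only while it is loaded, and it is
# loaded on essentially every Windows host because WinSock depends on it.
# Service names are "AFD" and "AppID" respectively.
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.Name -in @("AFD", "AppID") } |
    Select-Object Name, State, StartMode, PathName

# Hotfix check. Get-HotFix reads the same data as "Installed Updates"; it lists
# cumulative updates by KB number, so compare against the advisory's KB list.
$installed = (Get-HotFix).HotFixID
foreach ($kb in $ExpectedKBs) {
    if ($installed -contains $kb) {
        "$kb : installed"
    } else {
        "$kb : MISSING"
    }
}
```

Run it as `.\Check-AfdAppId.ps1 -ExpectedKBs KB9999999` (the KB shown is a placeholder) from an elevated prompt. Note that a file version alone does not prove the patch is active: a cumulative update that is installed but not yet rebooted leaves the old afd.sys loaded, which is why the script reports the running driver state alongside the on-disk version.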

Earlier attacks detailed by cybersecurity firm Avast revealed that the rootkit is delivered by way of a remote access trojan called Kaolin RAT.

“FudModule is only loosely integrated into the rest of Lazarus' malware ecosystem,” the Czech company said at the time, noting that “Lazarus is very careful about using the rootkit, only deploying it on demand under the right circumstances.”
