A recently patched security vulnerability in Microsoft Windows was exploited as a zero-day by Lazarus Group, an active state-sponsored threat actor linked to North Korea.
The vulnerability, tracked as CVE-2024-38193 (CVSS score: 7.8), is a privilege escalation flaw in the Windows Ancillary Function Driver for WinSock (AFD.sys).
“A successful exploit of this vulnerability could result in acquiring SYSTEM privileges,” Microsoft stated in a bulletin addressing the flaw last week. The tech giant rectified it as part of its regular Patch Tuesday update.
Gen Digital researchers Luigino Camastra and Milánek are credited with discovering and reporting the flaw. Gen Digital owns several security and utility software brands, including Norton, Avast, Avira, AVG, ReputationDefender, and CCleaner.
“This vulnerability allowed unauthorized entry to critical system sectors,” the company revealed last week, stating it detected the exploitation in early June 2024. “The bug enabled attackers to bypass standard security measures and access critical system zones typically off-limits to most users and administrators.”
The security vendor also noted that the attacks were characterized by the deployment of a rootkit known as FudModule to evade detection.
Although specifics of the intrusion tactics remain undisclosed, the flaw resembles another privilege escalation flaw that Microsoft fixed in February 2024, which Lazarus Group also weaponized to deliver FudModule.
Specifically, that exploit took advantage of CVE-2024-21338 (CVSS score: 7.8), a Windows kernel privilege escalation bug in the AppLocker driver (appid.sys) that allowed the execution of arbitrary code to bypass all security checks and launch the FudModule rootkit.

Both intrusions stand out for their approach: rather than a conventional Bring Your Own Vulnerable Driver (BYOVD) attack, which introduces a vulnerable driver onto the machine to evade security measures, they exploited a flaw in a driver already present on the Windows system.
Earlier attacks documented by cybersecurity firm Avast showed that the rootkit is delivered via a remote access trojan named Kaolin RAT.
“FudModule remains loosely integrated into the overall Lazarus malware ecosystem,” the Czech organization reported previously, highlighting that “Lazarus exercises caution in utilizing the rootkit, deploying it on a case-by-case basis under favorable conditions.”