Aug 19, 2024 | Ravie Lakshmanan
Vulnerability / Zero-Day
Security Flaw Exploited by Lazarus Group
A recently patched security vulnerability in Microsoft Windows has drawn attention because it was exploited in the wild, before a fix was available, by the Lazarus Group, a state-sponsored threat actor linked to North Korea. The flaw, tracked as CVE-2024-38193, carries a CVSS score of 7.8 and is a privilege escalation bug in the Windows Ancillary Function Driver for WinSock (AFD.sys), a kernel-mode driver that ships with every supported Windows installation.
According to Microsoft, “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.” The issue was addressed as part of the tech giant’s monthly Patch Tuesday update; hosts that have not yet installed the August 2024 update remain exposed to an exploit that is already in active use.
Discovery and reporting of the flaw are credited to researchers Luigino Camastra and Milánek of Gen Digital, the company behind security and utility software brands including Norton, Avast, Avira, AVG, ReputationDefender, and CCleaner. Gen said it observed exploitation of the vulnerability in early June 2024, stating, “This flaw allowed them to gain unauthorized access to sensitive system areas.” It added that the bug let attackers bypass standard security restrictions and reach areas of the system that are normally off-limits to most users and administrators.
The attacks deployed a rootkit named FudModule, which is designed to evade detection. Specific technical details of the intrusions have not been disclosed, but the vulnerability closely resembles a privilege escalation flaw that Microsoft patched in February 2024. That earlier bug, CVE-2024-21338, was also exploited by the Lazarus Group; it affected the AppLocker driver (appid.sys) and gave the attackers kernel-level arbitrary code execution, which they used to bypass security checks and install the FudModule rootkit.
These incidents are significant because they go beyond the conventional Bring Your Own Vulnerable Driver (BYOVD) model. In a BYOVD attack the adversary loads a legitimately signed but vulnerable third-party driver onto the target and exploits it to reach the kernel. Here no driver needs to be introduced at all: the flaw sits in a driver that ships with Windows and is already running on every host, so the driver-load event that defenders commonly watch for never occurs.
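To make the distinction concrete, here is an added triage example (not code from the article, from Gen Digital, or from Avast) that scans driver-load telemetry for the usual BYOVD indicators: an unsigned driver, a driver loaded from outside the system drivers directory, or a hash on a vulnerable-driver blocklist. The log format (a simplified key=value rendering of Sysmon Event ID 6), the sample events, the vendor name and the SHA256 values are all constructed for illustration. The point of the example is what it does not flag: the in-box afd.sys load looks entirely normal, which is exactly why exploiting a driver that is already present leaves this class of detection blind.

```python
"""Triage driver-load telemetry for BYOVD indicators.

Added example for this article; not code from the article, Gen Digital or Avast.
Everything below is constructed for illustration: the simplified Sysmon
Event ID 6 (DriverLoad) line format, the sample events, the vendor name and
the SHA256 values standing in for a known-vulnerable-driver blocklist.
"""
import re
from dataclasses import dataclass

# Constructed hashes: BENIGN_HASH plays the in-box afd.sys, VULN_HASH plays a
# signed third-party driver that appears on a vulnerable-driver blocklist.
BENIGN_HASH = "a" * 64
VULN_HASH = "b" * 64
OTHER_HASH = "c" * 64

# Constructed sample log: three driver loads plus one unrelated process event.
SAMPLE_LOG = rf"""
Time=2024-06-03T09:12:41Z EventID=6 ImageLoaded=C:\Windows\System32\drivers\afd.sys Signed=true Signature="Microsoft Windows" Hashes=SHA256={BENIGN_HASH}
Time=2024-06-03T09:13:02Z EventID=6 ImageLoaded=C:\Users\Public\vendortool.sys Signed=true Signature="Example Vendor Co." Hashes=SHA256={VULN_HASH}
Time=2024-06-03T09:13:40Z EventID=6 ImageLoaded=C:\Temp\helper.sys Signed=false Signature= Hashes=SHA256={OTHER_HASH}
Time=2024-06-03T09:14:05Z EventID=1 Image=C:\Windows\System32\cmd.exe
"""

# Directory from which in-box drivers are expected to load (compared lower-cased).
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)

# Stand-in for a blocklist such as Microsoft's vulnerable driver blocklist or LOLDrivers.
VULNERABLE_DRIVER_SHA256 = {VULN_HASH}

# key=value pairs; a value may be double-quoted so it can contain spaces.
_FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S*))')


@dataclass
class DriverLoad:
    time: str
    image: str
    signed: bool
    signature: str
    sha256: str


def parse_fields(line: str) -> dict:
    """Split one log line into a dict of field name -> value."""
    fields = {}
    for m in _FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def parse_driver_load(line: str):
    """Return a DriverLoad for an EventID=6 line, or None for any other event."""
    f = parse_fields(line)
    if f.get("EventID") != "6":
        return None
    sha256 = ""
    for part in f.get("Hashes", "").split(","):
        if part.upper().startswith("SHA256="):
            sha256 = part.split("=", 1)[1].lower()
    return DriverLoad(
        time=f.get("Time", ""),
        image=f.get("ImageLoaded", ""),
        signed=f.get("Signed", "").lower() == "true",
        signature=f.get("Signature", ""),
        sha256=sha256,
    )


def assess(ev: DriverLoad) -> list:
    """Reasons this load looks like an attacker-supplied driver; empty list if none."""
    reasons = []
    if not ev.signed:
        reasons.append("unsigned driver")
    if not ev.image.lower().startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("loaded from outside the system drivers directory")
    if ev.sha256 in VULNERABLE_DRIVER_SHA256:
        reasons.append("hash on known-vulnerable driver list")
    return reasons


def triage(log_text: str) -> dict:
    """Map image path -> reasons for every driver load that deserves analyst attention."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_driver_load(line)
        if ev is None:
            continue
        reasons = assess(ev)
        if reasons:
            findings[ev.image] = reasons
    return findings


if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_LOG).items():
        print(image, "->", "; ".join(reasons))
    # afd.sys never appears in the output: a Microsoft-signed in-box driver loading
    # from its normal path is all that CVE-2024-38193 exploitation leaves in
    # driver-load telemetry. Patch state, not driver loads, is the control there.
```

Running the script reports only vendortool.sys and helper.sys. For the AFD case the useful checks are instead whether the August 2024 update is installed and whether kernel integrity protections are enabled, since the exploited code is legitimate Windows code that was loaded at boot.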
Earlier analysis by Avast, one of Gen Digital’s brands, found that the rootkit is delivered through a remote access trojan known as Kaolin RAT. Avast noted, “FudModule is only loosely integrated into the rest of Lazarus’ malware ecosystem,” adding that the group is selective about when it deploys the rootkit, using it only in specific circumstances.