A newly patched security flaw in Microsoft Windows was exploited as a zero-day by Lazarus Group, a prolific state-sponsored actor affiliated with North Korea.
The security vulnerability, tracked as CVE-2024-38193 (CVSS score: 7.8), has been described as a privilege escalation bug in the Windows Ancillary Function Driver (AFD.sys) for WinSock.
“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said in an advisory for the flaw last week. It was addressed by the tech giant as part of its monthly Patch Tuesday update.
Credited with discovering and reporting the flaw are Gen Digital researchers Luigino Camastra and Milánek. Gen Digital owns a number of security and utility software brands like Norton, Avast, Avira, AVG, ReputationDefender, and CCleaner.
“This flaw allowed them to gain unauthorized access to sensitive system areas,” the company disclosed last week, adding it discovered the exploitation in early June 2024. “The vulnerability allowed attackers to bypass normal security restrictions and access sensitive system areas that most users and administrators can’t reach.”
The cybersecurity vendor further noted that the attacks were characterized by the use of a rootkit called FudModule in an attempt to evade detection.
While the exact technical details associated with the intrusions are presently unknown, the vulnerability is reminiscent of another privilege escalation that Microsoft fixed in February 2024 and was also weaponized by the Lazarus Group to drop FudModule.
Specifically, it entailed the exploitation of CVE-2024-21338 (CVSS score: 7.8), a Windows kernel privilege escalation flaw rooted in the AppLocker driver (appid.sys) that makes it possible to execute arbitrary code such that it sidesteps all security checks and runs the FudModule rootkit.
Both these attacks are notable because they go beyond a traditional Bring Your Own Vulnerable Driver (BYOVD) attack by taking advantage of a security flaw in a driver that’s already installed on a Windows host as opposed to “bringing” a susceptible driver and using it to bypass security measures.
Previous attacks detailed by cybersecurity firm Avast revealed that the rootkit is delivered by means of a remote access trojan known as Kaolin RAT.
“FudModule is only loosely integrated into the rest of Lazarus’ malware ecosystem,” the Czech company said at the time, stating “Lazarus is very careful about using the rootkit, only deploying it on demand under the right circumstances.”
