Microsoft has recently addressed a critical zero-day vulnerability in Windows, which had been actively exploited by the Lazarus Group, a notorious state-sponsored hacker collective linked to North Korea.
The flaw, identified as CVE-2024-38193 with a CVSS score of 7.8, is a privilege escalation vulnerability affecting the Windows Ancillary Function Driver (AFD.sys) for WinSock. This issue could potentially allow attackers to elevate their privileges to SYSTEM level, granting them extensive control over the affected systems.
Microsoft’s advisory, released as part of their monthly Patch Tuesday update, confirmed that the vulnerability was patched last week. The flaw was initially discovered and reported by researchers Luigino Camastra and Milánek from Gen Digital, the company behind well-known security solutions including Norton, Avast, and CCleaner.
According to Gen Digital, the vulnerability enabled unauthorized access to sensitive areas of the system, bypassing standard security measures that are designed to protect such areas from unauthorized access. The company also revealed that they had first detected the exploitation of this flaw in early June 2024.
The attacks exploiting this vulnerability involved the use of a sophisticated rootkit known as FudModule, which was employed to evade detection. This rootkit was used in conjunction with a remote access trojan called Kaolin RAT to carry out the attacks. Notably, this technique represents a shift from traditional Bring Your Own Vulnerable Driver (BYOVD) attacks. Instead of introducing a vulnerable driver to exploit security gaps, the Lazarus Group exploited a flaw in a pre-existing driver installed on Windows systems.
This incident bears similarities to another privilege escalation vulnerability, CVE-2024-21338, which Microsoft patched in February 2024. That vulnerability, also targeted by the Lazarus Group, involved the exploitation of a flaw in the AppLocker driver (appid.sys) to execute arbitrary code and deploy the FudModule rootkit.
Cybersecurity experts highlight that these attacks are particularly concerning due to their ability to exploit existing drivers, making them harder to detect and defend against. The Lazarus Group’s careful and selective deployment of the FudModule underscores their sophisticated and strategic approach to cyber operations.
Microsoft’s swift response to this critical vulnerability underscores the ongoing efforts to protect users from sophisticated cyber threats and highlights the importance of timely security updates.
Related topics:
What Exactly Does Microsoft Do?