The Lazarus group, a hacking collective with ties to North Korea, has been identified leveraging a zero-day flaw in the Windows AFD.sys driver to elevate privileges and install the FUDModule rootkit. The vulnerability, cataloged as CVE-2024-38193, has since been patched by Microsoft.
Technical Details of the Exploit
The defect lies within the Windows Ancillary Function Driver for WinSock (AFD.sys), an essential interface between the Winsock API and the Windows kernel. Gen Digital’s Luigino Camastra and Milanek found that the Lazarus attackers employed this flaw to install the FUDModule rootkit, which is designed to evade detection by disabling security monitoring functions in the kernel. The attack strategy, known as Bring Your Own Vulnerable Driver (BYOVD), entails loading a legitimately signed but vulnerable driver to gain kernel-level access.
This is not the first time the Lazarus group has exploited such vulnerabilities. Their previous endeavors include targeting the appid.sys and Dell’s dbutil_2_3.sys kernel drivers in BYOVD attacks for the same rootkit deployment. This case poses a more severe risk because AFD.sys is present by default on every Windows system, so the attackers no longer need to bring and load an obsolete, vulnerable driver that driver blocklists might stop.
Targeted Sectors and History of Attacks
The Lazarus group is infamous for attacks on the financial and cryptocurrency sectors. Their portfolio includes the 2014 Sony Pictures breach and the 2017 WannaCry ransomware assault. More recently, in April 2022, they were implicated in a major cryptocurrency theft from Axie Infinity, stealing over $617 million. The U.S. government has announced a reward of up to $5 million for information leading to the apprehension of these hackers.
The identification of this vulnerability and its use by the Lazarus group highlights the persistent threat from state-sponsored cybercriminals. Researchers emphasize the critical nature of this flaw and its potential ramifications for global cybersecurity. Microsoft has called on users to update their systems without delay to mitigate possible exploits.
Call to Action for Users
Microsoft’s fix for CVE-2024-38193 was included in their August 2024 Patch Tuesday, which also addressed seven other zero-day vulnerabilities. Users are strongly urged to apply these patches to protect their systems. The continuous targeting of Windows vulnerabilities by the Lazarus group underscores the significance of timely software updates and robust security protocols.
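For administrators checking the patch status described above, and the driver-blocklist and kernel-integrity controls that the BYOVD discussion mentions, the following PowerShell check is an added example (not part of the original article or of any Microsoft tooling). It assumes the August 2024 Patch Tuesday date of 2024-08-13 and the default driver path; the reported afd.sys version must be compared against Microsoft's advisory for CVE-2024-38193, since a later update date alone does not prove the fix is present.

```powershell
# Added defender-side check (not from the article). Assumptions: the
# August 2024 Patch Tuesday date 2024-08-13 and the default driver path.
$patchTuesday = Get-Date '2024-08-13'
$afdPath      = Join-Path $env:SystemRoot 'System32\drivers\afd.sys'

# 1. Report the version of the driver named in the article so it can be
#    compared with the build listed in Microsoft's CVE-2024-38193 advisory.
$afd = Get-Item $afdPath
[pscustomobject]@{
    Path        = $afd.FullName
    FileVersion = $afd.VersionInfo.FileVersion
    LastWrite   = $afd.LastWriteTime
} | Format-List

# 2. Has any update been installed on or after Patch Tuesday? InstalledOn
#    can be empty for some entries, so drop those before comparing dates.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
    Sort-Object InstalledOn -Descending
if ($recent) {
    "Updates installed since $($patchTuesday.ToShortDateString()):"
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    Write-Warning "No updates installed since $($patchTuesday.ToShortDateString()); the CVE-2024-38193 fix is likely missing."
}

# 3. BYOVD mitigations: memory integrity (HVCI) running, reported as value 2
#    in SecurityServicesRunning, and Microsoft's vulnerable driver blocklist
#    explicitly enabled via the CI\Config registry value (absent means the
#    platform default applies, which is enabled on current Windows 11 builds).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$blocklist = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
    -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
[pscustomobject]@{
    HVCIRunning                     = ($dg.SecurityServicesRunning -contains 2)
    VulnerableDriverBlocklistValue  = if ($null -eq $blocklist) { 'not set (platform default)' } else { $blocklist }
} | Format-List
```

Run it in an elevated session; a missing August 2024 update together with HVCI off leaves both the patched flaw and the rootkit's kernel tampering unmitigated.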
Last Updated on November 7, 2024 3:14 pm CET