August 19, 2024 at 03:15AM
A critical privilege escalation bug in the Windows Ancillary Function Driver (AFD.sys) for WinSock, tracked as CVE-2024-38193, was exploited by the North Korean state-sponsored actor Lazarus Group. The flaw allowed unauthorized access to sensitive system areas and was addressed in Microsoft’s Patch Tuesday update. The attacks also involved the FudModule rootkit, used to evade detection.
Key Takeaways from the Meeting Notes:
– The meeting discussed a newly patched security flaw in Microsoft Windows that was exploited as a zero-day by the Lazarus Group, a threat actor affiliated with North Korea.
– The security vulnerability, tracked as CVE-2024-38193, is a privilege escalation bug in the Windows Ancillary Function Driver (AFD.sys) for WinSock, allowing attackers to gain unauthorized access to sensitive system areas.
– Gen Digital researchers Luigino Camastra and Milánek discovered and reported the flaw. The attacks were characterized by the use of a rootkit called FudModule, deployed in an attempt to evade detection.
– The attacks are notable for going beyond a traditional Bring Your Own Vulnerable Driver (BYOVD) attack: rather than loading a vulnerable third-party driver, they took advantage of a security flaw in a driver already installed on the Windows host.
– Lazarus Group also weaponized a previous privilege escalation flaw (CVE-2024-21338) to drop the FudModule rootkit.
– The rootkit is delivered by means of a remote access trojan known as Kaolin RAT.
Overall, the meeting notes highlighted the seriousness of the security vulnerability and the various tactics used by the Lazarus Group to exploit it for unauthorized access.