
Microsoft patches zero-day vulnerability exploited by North Korean Lazarus Group
August 19, 2024 | Ravie Lakshmanan | Vulnerability / Zero-Day

A recently patched security flaw in Microsoft Windows was exploited as a zero-day by Lazarus Group, a prolific state-sponsored organization with ties to North Korea.

The vulnerability, tracked as CVE-2024-38193 (CVSS score: 7.8), is described as a privilege escalation bug in the Windows Ancillary Function Driver for WinSock (AFD.sys).

“An attacker who successfully exploits this vulnerability could gain SYSTEM privileges,” Microsoft said in an advisory about the flaw last week. The tech giant addressed it as part of its monthly Patch Tuesday update.

The discovery and reporting of the flaw is attributed to Gen Digital researchers Luigino Camastra and Milánek. Gen Digital owns a number of security and utility software brands, including Norton, Avast, Avira, AVG, ReputationDefender and CCleaner.

“This flaw allowed them to gain unauthorized access to sensitive system areas,” the company announced last week, adding that it discovered the exploit in early June 2024. “The vulnerability allowed attackers to bypass normal security restrictions and gain access to sensitive system areas that are off-limits to most users and administrators.”

The cybersecurity vendor further noted that the attacks were characterized by the use of a rootkit called FudModule in an attempt to evade detection.

While the exact technical details of the compromises are still unknown, the vulnerability is reminiscent of another privilege escalation vulnerability that Microsoft fixed in February 2024, which was also used by the Lazarus Group to deploy FudModule.

Specifically, that earlier case involved the exploitation of CVE-2024-21338 (CVSS score: 7.8), a privilege escalation flaw in the Windows kernel rooted in the AppLocker driver (appid.sys). It could allow arbitrary code execution in the kernel, bypassing all security checks and enabling the FudModule rootkit to run.

Both attacks are notable in that they go beyond the traditional Bring Your Own Vulnerable Driver (BYOVD) technique: instead of "bringing" a separately signed vulnerable driver onto the host and abusing it to bypass security measures, they exploit a vulnerability in a driver that is already installed on every Windows host, leaving no extra driver to block or detect.

Previous analysis of the group's attacks by cybersecurity firm Avast has shown that the rootkit is distributed via a remote access trojan known as Kaolin RAT.

“FudModule is only loosely integrated into the rest of the Lazarus malware ecosystem,” the Czech company said at the time. “Lazarus is very careful with the use of the rootkit and only deploys it on demand and under the right circumstances.”
