North Korea-linked Lazarus APT Exploits Microsoft Zero-Day CVE-2024-38193

August 19, 2024

Microsoft has patched a zero-day vulnerability tracked as CVE-2024-38193 (CVSS score 7.8) that was being actively exploited by the North Korea-linked Lazarus APT group. The flaw is a privilege escalation issue in the Windows Ancillary Function Driver for WinSock (AFD.sys), a kernel-mode driver, and allows a local attacker to gain SYSTEM privileges. Microsoft addressed it in the August 2024 Patch Tuesday security updates and warned at the same time that it was already being exploited in the wild. The vulnerability was reported by Luigino Camastra and Milánek of Gen Digital.

“Gen Threat Labs recently uncovered and reported a major security flaw known as a zero-day vulnerability (CVE-2024-38193), which Microsoft has now fixed. This repair is important because it addresses a security issue that was being used by the Lazarus APT group, a North Korean hacker group known for targeting specific professionals,” Gen Digital wrote in a post.

In June, Gen Digital researchers found the Lazarus group exploiting a zero-day vulnerability in the AFD.sys driver to gain unauthorized access to sensitive areas of the system. The group paired the exploit with its FudModule rootkit to evade detection. The researchers noted that the vulnerability let attackers bypass normal security restrictions and reach parts of the system that are normally out of reach even for administrators. An attack of this kind is both sophisticated and resourceful: an exploit for a flaw like this could be worth several hundred thousand dollars on the black market.

The report further highlighted that the attacks targeted individuals in sensitive fields such as cryptocurrency engineering and aerospace, with the aim of gaining access to their employers' networks and stealing cryptocurrency to fund the attackers' operations.

In February 2024, Avast discovered a zero-day vulnerability in the AppLocker driver (appid.sys) being exploited in the wild. Microsoft promptly fixed the flaw, now tracked as CVE-2024-21338, in the February Patch Tuesday update. The Lazarus group exploited this zero-day to gain kernel-level access and disable security software. In earlier attacks, the group reached the same goal with noisier BYOVD (Bring Your Own Vulnerable Driver) techniques, loading a signed but known-vulnerable third-party driver to cross the admin-to-kernel boundary. With CVE-2024-21338, Lazarus instead abused a Microsoft-signed driver already present on the system, performing direct kernel object manipulation with an updated version of its FudModule rootkit.
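As an added example, not code from the article, Microsoft or Gen Digital: a PowerShell check a Windows administrator can run after installing the August 2024 update to gather evidence on both drivers named above (afd.sys for CVE-2024-38193, appid.sys for CVE-2024-21338) and on the mitigations that matter for the BYOVD fallback. Assumed, not stated on the page: the August 2024 Patch Tuesday date (2024-08-13) as the cutoff for "recent" updates, the `CI\Config` registry value and `Win32_DeviceGuard` class used for the mitigation checks, and that fixed driver build numbers differ per Windows SKU, so the script reports evidence rather than a verdict.

```powershell
# Added example (not Microsoft's or Gen Digital's tooling): post-patch evidence
# check for the two Lazarus admin-to-kernel zero-days in Microsoft-signed drivers.
# Run from an elevated PowerShell session.
#
# Assumptions not on the page: the CVE-2024-38193 fix shipped in the August 2024
# cumulative update (Patch Tuesday, 2024-08-13); fixed build numbers vary by
# Windows SKU, so file versions are reported for comparison, not judged here.

$PatchTuesday = Get-Date '2024-08-13'

# 1. Driver files named in the article and the CVEs they map to.
$drivers = @(
    @{ Name = 'afd.sys';   Cve = 'CVE-2024-38193'; Role = 'Ancillary Function Driver for WinSock' },
    @{ Name = 'appid.sys'; Cve = 'CVE-2024-21338'; Role = 'AppLocker driver' }
)

$driverReport = foreach ($d in $drivers) {
    $path = Join-Path $env:SystemRoot "System32\drivers\$($d.Name)"
    $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    # Win32_SystemDriver shows whether the driver is actually loaded; a patched
    # file on disk only protects the host once it has rebooted into it.
    $loaded = Get-CimInstance -ClassName Win32_SystemDriver `
        -Filter "PathName LIKE '%$($d.Name)'" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Driver      = $d.Name
        CVE         = $d.Cve
        Role        = $d.Role
        FileVersion = if ($file) { $file.VersionInfo.FileVersion } else { 'missing' }
        FileDate    = if ($file) { $file.LastWriteTime } else { $null }
        Loaded      = [bool]$loaded
        State       = if ($loaded) { $loaded.State } else { 'n/a' }
    }
}

# 2. Updates installed since the August 2024 Patch Tuesday. Get-HotFix lists
#    cumulative updates as KB entries; InstalledOn can be empty, which the
#    filter treats as "not recent".
$recentUpdates = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday } |
    Sort-Object InstalledOn

# 3. Mitigations for the BYOVD fallback the article says Lazarus may return to.
#    They do nothing against the signed-driver zero-days themselves (only the
#    patch does); they raise the cost of loading a known-vulnerable third-party
#    driver. Registry value and CIM class are assumptions, not from the page.
$ciConfig  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
    -ErrorAction SilentlyContinue
$blocklist = [int]($ciConfig.VulnerableDriverBlocklistEnable)   # 1 = blocklist enforced
$deviceGuard = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
    -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$hvciRunning = [bool]($deviceGuard -and ($deviceGuard.SecurityServicesRunning -contains 2))  # 2 = HVCI

# 4. Report.
'== Driver files =='
$driverReport | Format-Table Driver, CVE, FileVersion, FileDate, Loaded, State -AutoSize

'== Updates installed on or after {0:yyyy-MM-dd} ==' -f $PatchTuesday
if ($recentUpdates) {
    $recentUpdates | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    Write-Warning 'No updates recorded since 2024-08-13; the August 2024 cumulative update is probably missing.'
}

'== BYOVD mitigations (do not address the afd.sys/appid.sys zero-days) =='
[pscustomobject]@{
    VulnerableDriverBlocklist = ($blocklist -eq 1)
    HVCIRunning               = $hvciRunning
} | Format-List
```

Read the output as three separate questions: is the August 2024 cumulative update installed and the host rebooted (driver loaded), does the reported afd.sys version match the fixed build Microsoft lists for that SKU, and is the noisier BYOVD route at least blocked by the vulnerable driver blocklist and HVCI. A "yes" on the last question is not a substitute for the first two, because both CVEs live in drivers Microsoft itself signs and ships.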

The researchers concluded that, with this valuable admin-to-kernel zero-day exposed, Lazarus's ability to bypass security controls has been significantly hampered. The group must now choose between finding a new critical exploit and reverting to its older, less potent BYOVD tactics.
