Thursday, April 3, 2025

A highly critical Windows vulnerability has been exploited by the notorious Lazarus hacking group, allowing them to install a rootkit on targeted systems.


The notorious North Korean-based Lazarus hacking collective exploited a previously unknown vulnerability in Windows’ AFD.sys driver, leveraging it to elevate privileges and deploy the sophisticated FUDModule rootkit on targeted systems.

Microsoft acknowledged a critical vulnerability, designated CVE-2024-38193, and simultaneously addressed seven previously unknown zero-day flaws.

A local elevation of privilege vulnerability exists in the Windows Ancillary Function Driver for Winsock (afd.sys) due to out-of-bounds write in the BYOVD component, allowing an attacker to gain elevated privileges on a compromised system.

Researchers at Gen Digital discovered the vulnerability, which the Lazarus hacking group reportedly exploited using a zero-day attack to inject malware that disabled Windows monitoring features, thereby evading detection.

“In mid-June, researchers Luigino Camastra and Milanek discovered that the notorious Lazarus group was taking advantage of a previously unknown vulnerability in Windows’ AFD.sys driver, a critical system component.”

This vulnerability gave the attackers unauthorised access to sensitive areas of the system. They also used the FUDModule malware to hide their activity from security software.

In a Bring Your Own Vulnerable Driver (BYOVD) attack, the attacker installs a driver with known weaknesses on the targeted system and then exploits those flaws to obtain kernel-level access. Malicious actors often target vulnerabilities in third-party drivers, such as antivirus or hardware drivers, because these require elevated privileges to interact with the kernel.

What makes this particular vulnerability so potent is that it sits in AFD.sys, a system driver installed by default on all Windows home computers, so every such machine is exposed. It allowed attackers to execute a denial-of-service attack without needing an older, vulnerable driver that Windows could easily block or detect.

The notorious Lazarus group had previously employed BYOVD attacks to deploy the FUDModule.
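As an added illustration (not code from the article or from Gen Digital), the following Python triages driver-load events for the BYOVD pattern described above. The events are constructed in the style of Sysmon Event ID 6, and the blocklist hash, file paths and field layout are assumptions; note that the built-in afd.sys is never flagged, which is the article's point about why a zero-day in a pre-installed driver sidesteps driver blocking.

```python
"""Triage driver-load events for BYOVD activity.  Added illustration, not code
from the article; events are constructed in the style of Sysmon Event ID 6
(Driver Loaded) flattened to key=value pairs.  Paths and hashes are made up."""
import re

# Placeholder blocklist of SHA256 driver hashes treated as known-vulnerable.
# A real list would come from a feed such as Microsoft's vulnerable driver
# blocklist; the value below is a constructed sample, not a real hash.
KNOWN_VULNERABLE_SHA256 = {"1" * 64}
TRUSTED_DRIVER_DIR = r"c:\windows\system32\drivers"

# Constructed samples: the built-in afd.sys, a signed but blocklisted driver
# dropped into the drivers folder, and an unsigned driver from a temp path.
SAMPLE_EVENTS = [
    r"ImageLoaded=C:\Windows\System32\drivers\afd.sys Hashes=SHA256=" + "2" * 64
    + " Signed=true SignatureStatus=Valid",
    r"ImageLoaded=C:\Windows\System32\drivers\oldvendor.sys Hashes=SHA256="
    + "1" * 64 + " Signed=true SignatureStatus=Valid",
    r"ImageLoaded=C:\Users\Public\tmp\helper.sys Hashes=SHA256=" + "3" * 64
    + " Signed=false SignatureStatus=Unavailable",
]


def parse_event(line):
    """Split a flattened event into a dict (values are assumed space-free)."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    # The Hashes field looks like "SHA256=<hex>"; keep only the digest.
    fields["sha256"] = fields.get("Hashes", "").split("=")[-1].lower()
    return fields


def classify(event):
    """Return the reasons an event deserves attention (empty list = benign)."""
    reasons = []
    if event["sha256"] in KNOWN_VULNERABLE_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("driver not validly signed")
    if not event.get("ImageLoaded", "").lower().startswith(TRUSTED_DRIVER_DIR):
        reasons.append("loaded from outside the system drivers directory")
    return reasons


def find_byovd_candidates(lines):
    """Map each flagged driver path to its reasons.  A zero-day in a built-in
    driver (as with afd.sys here) leaves no suspicious load event, so patching
    remains the control for that case."""
    flagged = {}
    for line in lines:
        event = parse_event(line)
        if reasons := classify(event):
            flagged[event["ImageLoaded"]] = reasons
    return flagged


if __name__ == "__main__":
    for path, why in find_byovd_candidates(SAMPLE_EVENTS).items():
        print(f"{path}: {'; '.join(why)}")
```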

The Lazarus hacking group

While Gen Digital has not disclosed which entities were targeted or when the attacks took place, the group is believed to focus on high-stakes cyberheists against financial and cryptocurrency companies, with the profits allegedly used to fund the North Korean government’s weapons and cybersecurity initiatives worth millions.

The group achieved infamy following the 2016 WannaCry ransomware attack and its subsequent 2017 global cyber campaign, which crippled numerous corporations worldwide.

In April 2022, US authorities responded to a major cyberattack on Axie Infinity that allowed threat actors to siphon off the value of cryptocurrencies stored in the affected wallets.

US authorities are seeking recommendations on countermeasures to thwart North Korean hackers’ malicious activities and bring the perpetrators to justice.
