As part of the latest cumulative Patch Tuesday update, Microsoft fixed a privilege escalation bug in the Windows Ancillary Function Driver (AFD.sys) for WinSock. This bug is tracked as CVE-2024-38193 and has a severity rating of 7.8.
Exploitation of this flaw appears to grant attackers administrative privileges on the vulnerable endpoint. Microsoft notes that “an attacker who successfully exploits this vulnerability could gain SYSTEM privileges.”
The patch may have come a little too late, however, as some researchers said that hackers were already exploiting the bug as a zero-day. In fact, researchers from Gen Digital (owners of Norton, Avira, Avast and others) claim that Lazarus Group, the notorious North Korean state organization, used the flaw to drop a malware rootkit called FudModule.
Lazarus Strikes Again
“This flaw gave them the ability to gain unauthorized access to sensitive system areas,” Gen Digital said in a report. “The vulnerability allowed attackers to bypass normal security restrictions and gain access to sensitive system areas that most users and administrators cannot reach.”
“This type of attack is both sophisticated and ingenious, potentially costing hundreds of thousands of dollars on the black market. This is concerning as it targets individuals in sensitive industries, such as those working in cryptocurrency engineering or aerospace, to gain access to their employers’ networks and steal cryptocurrency to fund attackers’ operations,” the researchers concluded.
Lazarus is a well-known threat actor, responsible for some of the most devastating cyberattacks in recent history. It is best known for its fake job campaigns, in which it creates fake LinkedIn profiles (or impersonates public figures) and then approaches software developers with offers of attractive, high-paying jobs.
One such attack, carried out against a blockchain developer, resulted in the theft of approximately $600 million from a cryptocurrency project. Some researchers allege that North Korea used the money to fund its state apparatus and weapons program.
Via The Hacker News