Microsoft has patched a critical zero-day vulnerability (CVE-2024-38193) that the notorious North Korean hacker group Lazarus APT actively exploited. Gen Threat Labs discovered and reported the flaw, which posed a severe threat to Windows users worldwide.
The vulnerability, identified in early June 2024, affected the Windows Ancillary Function Driver (AFD.sys) for WinSock. This critical Windows operating system component became an unexpected gateway for unauthorized access to sensitive system areas.
Gen Digital researchers Luigino Camastra and Milánek, who uncovered the vulnerability, noted that the attacks specifically targeted individuals in sensitive fields such as cryptocurrency engineering and aerospace.
The vulnerability stems from a race condition between two functions in the afd.sys driver:
- AfdRioGetAndCacheBuffer()
- AfdRioDereferenceBuffer()
This race condition can lead to a use-after-free scenario, where the system still uses a freed RIOBuffer structure.
The vulnerability affects the Registered I/O (RIO) extension for Windows sockets. This extension is used in socket programming to reduce the number of system calls made by userland programs when sending and receiving packets.
Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar
Vulnerability Exploitation by Lazarus
The Lazarus group, known for its sophisticated cyberattacks, leveraged this flaw to bypass normal security restrictions and gain elevated privileges.
What makes this exploit particularly alarming is the use of a specialized malware called FudModule. This rootkit, deployed by Lazarus, was designed to evade detection by security software, allowing the attackers to operate undetected within compromised systems.
The FudModule rootkit demonstrates the evolving tactics of state-sponsored threat actors and their ability to craft highly sophisticated tools for cyber espionage.
The vulnerability’s severity is underscored by its CVSS score of 7.8, indicating a high-risk security flaw. Microsoft’s advisory warned that successful exploitation could grant an attacker SYSTEM privileges, essentially giving them complete control over the affected device.
This targeting strategy suggests that the Lazarus group’s motives extended beyond mere system compromise, potentially aiming to access corporate networks and steal cryptocurrencies to fund their operations.
Microsoft’s prompt response to the reported vulnerability is commendable. The tech giant included a fix for CVE-2024-38193 in its August 2024 Patch Tuesday update, effectively closing this security loophole across all vulnerable Windows devices.
As cyber threats continue to evolve, the collaboration between security researchers, software vendors, and end-users remains vital in safeguarding digital ecosystems against sophisticated attacks.
An independent security researcher, Nephster, has published proof-of-concept (PoC) code on GitHub. This PoC demonstrates a reliable method for attackers to achieve privilege escalation on systems that have not been patched against this vulnerability.
The publication of this PoC code significantly increases the risk for unpatched systems, as it provides a blueprint for malicious actors to exploit the vulnerability. This development underscores the importance of promptly applying security updates to mitigate potential threats.
Analyse Real-World Malware & Phishing Attacks With ANY.RUN – Get up to 3 Free Licenses
Source: cybersecuritynews.com