The North Korean state-sponsored hacking outfit Lazarus Group has been observed exploiting a zero-day vulnerability in Microsoft Windows that was fixed as part of this month's Patch Tuesday release.
The flaw, tracked as CVE-2024-38193, is a privilege escalation bug in the Windows Ancillary Function Driver for WinSock (AFD.sys), which a local attacker can exploit to execute code with elevated privileges.
According to cybersecurity researchers at Gen Digital, the Lazarus Group, known for its sophisticated cyber espionage campaigns, began exploiting the then-undisclosed flaw as early as June 2024. The researchers found that the group used the vulnerable AFD.sys driver to gain unauthorized access to highly sensitive areas of the system, bypassing standard security restrictions.
The vulnerability allowed Lazarus to escalate privileges on compromised systems and execute arbitrary code in protected areas of the operating system. With that level of access, the group could steal sensitive information, alter system configurations, or deploy additional malware without detection.
Further investigation revealed that Lazarus deployed a specialized piece of malware, dubbed FudModule, designed to conceal its activity from security solutions. The malware leveraged the AFD.sys vulnerability to remain hidden.
Earlier this year, the threat actor exploited a then-zero-day vulnerability in the Windows kernel, CVE-2024-21338, to deploy an updated version of the FudModule rootkit.
“This type of attack is both sophisticated and resourceful, potentially costing several hundred thousand dollars on the black market. This is concerning because it targets individuals in sensitive fields, such as those working in cryptocurrency engineering or aerospace to get access to their employer’s networks and steal cryptocurrencies to fund attackers’ operations,” noted the company’s blog post.
In addition to CVE-2024-38193, Microsoft patched another five zero-day vulnerabilities, one of which (CVE-2024-38213, aka Copy2Pwn) has been exploited by the threat actors behind the DarkGate operation since March 2024.