Cyber Security News

Windows 0-Day Flaw Exploited by Lazarus to Gain Unauthorized Access

Security researchers at Avast have uncovered evidence that the notorious North Korean hacker group Lazarus exploited a previously unknown zero-day vulnerability in the Windows AFD.sys driver to gain kernel-level access to targeted systems.

The flaw, tracked as CVE-2024-38193, was reported to Microsoft and patched as part of the company’s June 2024 Patch Tuesday updates.

The notorious Lazarus Group, a North Korean advanced persistent threat (APT) group, has actively exploited this flaw to gain unauthorized access to sensitive system areas. Microsoft has since issued a patch to address the vulnerability, underscoring the significance of this security breach.

The Lazarus Group, also known as APT38, is a highly sophisticated hacker collective believed to be backed by the North Korean government. Active since at least 2009, the group has been involved in numerous high-profile cyberattacks worldwide, targeting a wide range of industries, including financial institutions, government entities, and businesses.


Researchers Luigino Camastra and Milanek first uncovered the vulnerability in early June. They observed the Lazarus Group exploiting the AFD.sys driver, a crucial component of Windows that is responsible for handling advanced file operations.

The flaw allowed attackers to bypass security restrictions, granting them access to system areas typically off-limits to users and administrators. To conceal their activities, Lazarus employed a stealthy malware known as Fudmodule, which effectively evaded detection by security software.

The exploitation of this zero-day vulnerability is particularly concerning due to its potential impact on high-stakes industries. Targets included professionals in the cryptocurrency engineering and aerospace sectors, where attackers aimed to infiltrate networks and steal cryptocurrencies to fund their operations.

The sophisticated nature of this attack, combined with its high market value, highlights the increasing resourcefulness of cybercriminals in targeting sensitive fields.

In response to the threat, Microsoft has released a patch to rectify the vulnerability, thanks to the proactive efforts of Gen Threat Labs. The team provided Microsoft with detailed exploit code, enabling a swift resolution to the flaw.

According to Microsoft, “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.”

This patch is crucial for protecting Windows users from potential attacks, and Microsoft urges all users to update their systems promptly to ensure continued security.

As cyber threats continue to evolve, individuals and organizations must remain vigilant and proactive in their cybersecurity measures. Regular system updates and awareness of potential vulnerabilities are essential steps in protecting against sophisticated cyber attacks, such as those orchestrated by the Lazarus Group.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
