As part of its latest Patch Tuesday cumulative update, Microsoft fixed a privilege escalation bug in the Windows Ancillary Function Driver (AFD.sys) for WinSock. This bug is tracked as CVE-2024-38193, and carries a severity score of 7.8.
Abusing this flaw apparently grants attackers admin privileges on the vulnerable endpoint, with Microsoft noting, “an attacker who successfully exploited this vulnerability could gain SYSTEM privileges.”
However, the patch may have come a little too late, since some researchers said hackers were already abusing the bug, while it was a zero-day. In fact, researchers from Gen Digital (owners of Norton, Avira, Avast, and others) claim Lazarus Group, the infamous North Korean state-sponsored organization, used it to drop a malware rootkit called FudModule.
Lazarus strikes again
“This flaw allowed them to gain unauthorized access to sensitive system areas,” Gen Digital said in a report. “The vulnerability allowed attackers to bypass normal security restrictions and access sensitive system areas that most users and administrators can’t reach.”
“This type of attack is both sophisticated and resourceful, potentially costing several hundred thousand dollars on the black market. This is concerning because it targets individuals in sensitive fields, such as those working in cryptocurrency engineering or aerospace to get access to their employer’s networks and steal crypto currencies to fund attackers’ operations,” the researchers concluded.
Lazarus is a known threat actor, responsible for some of the most devastating cyberattacks in recent history. It is most famous for its fake job campaigns, in which it creates fake LinkedIn profiles (or impersonates known figures) and then approaches software developers with offers of great jobs with amazing salaries.
One such attack, carried out against a blockchain developer, resulted in the theft of roughly $600 million from a cryptocurrency project. Some researchers claim North Korea is using the money to fund its state apparatus, as well as its weapons program.
Via The Hacker News