Microsoft has patched a significant Windows security flaw that the Lazarus Group, a state-sponsored threat actor linked to North Korea, had been exploiting as a zero-day.
The flaw, tracked as CVE-2024-38193 (CVSS score: 7.8), is a privilege escalation vulnerability in the Windows Ancillary Function Driver (AFD.sys) for WinSock.
“Successful exploitation of this vulnerability could allow an adversary to acquire SYSTEM-level privileges,” Microsoft said in a security advisory issued last week. The company fixed the issue as part of its monthly Patch Tuesday update.
Researchers Luigino Camastra and Milánek of Gen Digital, which owns security and utility software brands including Norton, Avast, Avira, AVG, ReputationDefender, and CCleaner, are credited with discovering and reporting the flaw.
“This vulnerability provided unauthorized access to sensitive system regions,” the company said last week, noting that it uncovered the exploitation in early June 2024. “Attackers were able to circumvent standard security protocols, accessing critical system areas typically inaccessible to ordinary users and administrators.”
The company added that the attacks were characterized by the use of a rootkit called FudModule, deployed in an attempt to evade detection.
Technical details of the attacks have not been disclosed, but the vulnerability resembles another privilege escalation flaw that Microsoft fixed in February 2024, which the Lazarus Group also exploited to deliver the FudModule rootkit.
That earlier flaw, tracked as CVE-2024-21338 (also CVSS 7.8), was a privilege escalation bug in the AppLocker driver (appid.sys) that allowed arbitrary code execution, bypassing all security checks, and enabled the deployment of the FudModule rootkit.
The attacks are notable because they go beyond the conventional Bring Your Own Vulnerable Driver (BYOVD) technique: rather than bringing a vulnerable driver onto the machine to evade security defenses, they exploit a flaw in a driver that is already installed on the Windows system.
Earlier incidents detailed by cybersecurity firm Avast revealed that the rootkit was delivered via a remote access trojan known as Kaolin RAT.
“FudModule is sparingly integrated into the broader Lazarus malware framework,” the Czech firm commented at the time, emphasizing that “Lazarus exercises significant caution in deploying the rootkit, activating it only under specific conditions.”