As part of its latest Patch Tuesday cumulative update, Microsoft has fixed a privilege escalation bug in the Windows Helper Functions (AFD.sys) driver for WinSock. This bug is known as CVE-2024-38193 and has a severity score of 7.8.
Abuse of this flaw apparently grants attackers administrator privileges on the vulnerable endpoint, and Microsoft noted that “an attacker who successfully exploited this vulnerability could gain SYSTEM privileges.”
However, the patch may have come a little late, as some researchers said that hackers were already abusing the bug while it was still a zero-day. In fact, researchers at Gen Digital (owners of Norton, Avira, Avast, and others) claim that Lazarus Group, the infamous North Korean state-sponsored organization, used it to install a malware rootkit called FudModule.
Lazarus strikes again
“This flaw allowed them to gain unauthorized access to sensitive areas of the system,” Gen Digital said in a report. “The vulnerability allowed the attackers to bypass normal security restrictions and access sensitive areas of the system that most users and administrators cannot access.”
“This type of attack is sophisticated and highly inventive, and can fetch hundreds of thousands of dollars on the black market. It is concerning because it targets people in sensitive industries, such as those working in cryptocurrency engineering or the aerospace sector, to access their employers’ networks and steal cryptocurrency to fund the attackers’ operations,” the researchers concluded.
Lazarus is a well-known threat actor, responsible for some of the most devastating cyberattacks in recent history. It is most famous for its fake job campaigns, in which it creates fake LinkedIn profiles (or impersonates well-known personalities) and then approaches software developers with offers of great jobs with incredible salaries.
One such attack, targeting a blockchain developer, resulted in the theft of approximately $600 million from a cryptocurrency project. Some researchers claim that North Korea is using the money to fund its state apparatus as well as its weapons program.
Via Hacker News