Gen Threat Labs uncovered a zero-day vulnerability in Windows systems, actively exploited by the notorious Lazarus Group.
The vulnerability, identified as CVE-2024-38193, affects the Windows Ancillary Function Driver (AFD.sys), allowing attackers to gain unauthorized access to critical system areas. This discovery, made in early June 2024 by researchers Luigino Camastra and Milanek, highlights the persistent and evolving threat posed by this North Korean-linked advanced persistent threat (APT) group.
The Lazarus Group, linked to North Korea's Reconnaissance General Bureau, has been active since at least 2009 and is responsible for major cyberattacks like the 2014 Sony Pictures hack and the 2017 WannaCry outbreak.
Known for exploiting zero-day vulnerabilities, the group targets sectors ranging from financial institutions to critical infrastructure, focusing on espionage, financial theft, and cyber sabotage. Recently, it has intensified attacks on cryptocurrency exchanges, using custom malware to steal their assets, making Lazarus one of the most dangerous APT groups today.
Lazarus elevating privileges
The Lazarus Group, known for its strategic and resourceful attacks, leveraged this hidden flaw in the AFD.sys driver to bypass standard security restrictions on Windows systems. The exploitation enabled the attackers to elevate their privileges, granting them access to sensitive areas of the operating system that are typically restricted even to administrators.
To conceal their malicious activities, they employed a custom malware strain named FudModule, designed to evade detection by security software. This level of sophistication underscores the group's capability to execute high-value attacks, which often require substantial financial and technical resources.
The exploitation of CVE-2024-38193 is particularly concerning because of the high stakes involved. The vulnerability allowed the Lazarus Group to target professionals in sensitive industries, such as cryptocurrency engineering and aerospace. By infiltrating these sectors, the group aimed to gain access to networks of significant organizations with the ultimate goal of stealing cryptocurrencies.
The financial gains from such operations are likely used to fund further cyber activities and state-sponsored initiatives. This attack methodology aligns with Lazarus' historical focus on financial theft and sabotage, often serving geopolitical objectives.
Microsoft issued fixes
Following the discovery by Gen Threat Labs, Microsoft acted swiftly to address the flaw, releasing a critical patch as part of its August 2024 Patch Tuesday updates. This update, KB5041585, included fixes for nine zero-day vulnerabilities, with CVE-2024-38193 being one of the most critical due to its active exploitation in the wild. The patch resolves the vulnerability by correcting the privilege escalation flaw in the AFD.sys driver, thereby closing the access point that Lazarus exploited.
Users and organizations are strongly urged to apply the latest updates immediately to protect their systems from this and other vulnerabilities. Microsoft's quick response, aided by the detailed technical insights provided by Gen's researchers, has mitigated the threat, but the incident serves as a stark reminder of the operational capabilities of state-backed threat actors.
It is quite possible that CVE-2024-38193 is just one of several zero-days in Lazarus's arsenal, so maintaining good security practices and implementing multiple layers of security is crucial in defending against well-resourced and sophisticated threats. Apply updates, segment networks, employ strict access controls, and implement in-depth monitoring and activity logging.
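The first of those steps is the one that actually closes CVE-2024-38193, and an administrator will want to verify it rather than assume it. The following PowerShell check is an added example, not code from the article or from Gen Threat Labs; it assumes the KB number the article names (KB5041585) is the cumulative update for the host's Windows build, and that AFD.sys sits in its default location.

```powershell
# Added example (not from the article): reports whether the August 2024
# cumulative update named in the article (KB5041585) is installed on this
# host and records the on-disk AFD.sys version and signature, so that the
# CVE-2024-38193 fix can be confirmed host by host.
# Assumption: KB5041585 is the cumulative update for this host's build;
# other Windows builds receive the same fix under different KB numbers.
function Test-AfdPatchState {
    param(
        [string]$KbId = 'KB5041585',
        [string]$DriverPath = "$env:SystemRoot\System32\drivers\afd.sys"
    )

    # Get-HotFix reads Win32_QuickFixEngineering, which lists installed
    # cumulative updates; an unknown KB simply returns nothing.
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

    # Build number from WMI is reliable under both Windows PowerShell and
    # PowerShell 7 (Environment.OSVersion can be compatibility-shimmed).
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # File version and Authenticode signature of the driver on disk.
    $file = Get-Item -Path $DriverPath -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -FilePath $DriverPath

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OsBuild        = $os.BuildNumber
        KbId           = $KbId
        KbInstalled    = [bool]$hotfix
        KbInstalledOn  = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        AfdVersion     = $file.VersionInfo.FileVersion
        AfdLastWrite   = $file.LastWriteTimeUtc
        AfdSignatureOk = ($sig.Status -eq 'Valid')
        AfdSigner      = $sig.SignerCertificate.Subject
    }
}

# Run locally and flag a host that still needs the update.
$state = Test-AfdPatchState
$state | Format-List
if (-not $state.KbInstalled) {
    Write-Warning "$($state.ComputerName): $($state.KbId) not listed; apply the August 2024 cumulative update."
}
```

Because Windows updates are cumulative, a host that has already taken a later monthly update may not list KB5041585 yet still carries the fix, so treat a missing KB as a prompt to compare the reported AfdVersion against Microsoft's advisory rather than as a definite finding.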