North Korea’s Lazarus Group Exploits New Microsoft Windows Vulnerability

A newly patched security flaw in Microsoft Windows was exploited as a zero-day by the Lazarus Group, a state-sponsored actor affiliated with North Korea. The vulnerability, tracked as CVE-2024-38193, is a privilege escalation bug in the Windows Ancillary Function Driver (AFD.sys) for WinSock.

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges, allowing them to access sensitive system areas that most users and administrators can’t reach. The cybersecurity vendor Gen Digital discovered the exploitation in early June 2024 and noted that the attacks were characterized by the use of a rootkit called FudModule to evade detection.

This is not the first time Lazarus Group has exploited a Windows vulnerability. In February 2024, the group weaponized another privilege escalation flaw, CVE-2024-21338, which was also patched by Microsoft. Both attacks are notable because they go beyond traditional Bring Your Own Vulnerable Driver (BYOVD) attacks, which require the attacker to load a vulnerable third-party driver, and instead take advantage of security flaws in drivers already installed on Windows hosts.

The rootkit used in these attacks is delivered by a remote access trojan known as Kaolin RAT. Lazarus Group is careful about using the rootkit, deploying it only under specific circumstances. The exploitation of this vulnerability highlights the importance of keeping software up to date and implementing robust security measures to prevent such attacks.

Source: https://thehackernews.com/2024/08/microsoft-patches-zero-day-flaw.html?m=1