Security researchers at Gen Threat Labs are linking one of the exploited zero-days patched by Microsoft last week to North Korea’s Lazarus APT group.
The vulnerability, tracked as CVE-2024-38193 and marked as ‘actively exploited’ by Microsoft, allows SYSTEM privileges on the latest Windows operating systems.
Gen, which is a rollup of consumer brands Norton, Avast, LifeLock and Avira, posted a sparse note linking the exploitation to Lazarus via the use of the FudModule rootkit. However, the company did not release any indicators or technical documentation to support the connection.
“In early June, Luigino Camastra and Milanek discovered that the Lazarus group was exploiting a hidden security flaw in a crucial part of Windows called the AFD.sys driver. This flaw allowed them to gain unauthorized access to sensitive system areas. We also discovered that they used a special type of malware called Fudmodule to hide their activities from security software,” the company said without providing additional details.
Avast previously documented FudModule as part of the Lazarus APT toolkit that included an admin-to-kernel Windows zero-day exploit dating back to February.
This is one of six zero-days marked as exploited by Microsoft in the August Patch Tuesday bundle. Security experts also believe a second flaw (CVE-2024-38178) is being used by North Korean APT groups to target victims in South Korea.
That bug, a memory corruption vulnerability in the Windows Scripting Engine, allows remote code execution attacks if an authenticated client is tricked into clicking a link. Successful exploitation of this vulnerability requires an attacker to first prepare the target so that it uses Edge in Internet Explorer Mode.
This Scripting Engine zero-day was reported by Ahn Lab and the South Korea’s National Cyber Security Center, suggesting it was used in a nation-state APT compromise. Microsoft did not release IOCs (indicators of compromise) or any other data to help defenders hunt for signs of infections.
Related: Zero-Click Exploit Concerns Drive Urgent Patching of Windows TCP/IP Flaw
Related: Microsoft Warns of Six Windows Zero-Days Being Actively Exploited
Related: Microsoft: China Flaw Disclosure Law Part of Zero-Day Exploit Surge
Related: Windows Update Flaws Allow Undetectable Downgrade Attacks
Related: Adobe Calls Attention to Massive Batch of Code Execution Flaws