Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Nation-State

Windows Zero-Day Attack Linked to North Korea’s Lazarus APT

The vulnerability, tracked as CVE-2024-38193 and marked as ‘actively exploited’ by Microsoft, allows SYSTEM privileges on the latest Windows operating systems.

North Korea weapons funding

Security researchers at Gen Threat Labs are linking one of the exploited zero-days patched by Microsoft last week to North Korea’s Lazarus APT group.

The vulnerability, tracked as CVE-2024-38193 and marked as ‘actively exploited’ by Microsoft, allows SYSTEM privileges on the latest Windows operating systems.

Gen, which is a rollup of consumer brands Norton, Avast, LifeLock and Avira, posted a sparse note linking the exploitation to Lazarus via the use of the FudModule rootkit.  However, the company did not release any indicators or technical documentation to support the connection.

“In early June, Luigino Camastra and Milanek discovered that the Lazarus group was exploiting a hidden security flaw in a crucial part of Windows called the AFD.sys driver. This flaw allowed them to gain unauthorized access to sensitive system areas. We also discovered that they used a special type of malware called Fudmodule to hide their activities from security software,” the company said without providing additional details. 

Avast previously documented FudModule as part of the Lazarus APT toolkit that included an admin-to-kernel Windows zero-day exploit dating back to February.

This is one of six zero-days marked as exploited by Microsoft in the August Patch Tuesday bundle. Security experts also believe a second flaw (CVE-2024-38178) is being used by North Korean APT groups to target victims in South Korea.

That bug, a memory corruption vulnerability in the Windows Scripting Engine, allows remote code execution attacks if an authenticated client is tricked into clicking a link. Successful exploitation of this vulnerability requires an attacker to first prepare the target so that it uses Edge in Internet Explorer Mode. 

This Scripting Engine zero-day was reported by Ahn Lab and the South Korea’s National Cyber Security Center, suggesting it was used in a nation-state APT compromise.  Microsoft did not release IOCs (indicators of compromise) or any other data to help defenders hunt for signs of infections.  

Advertisement. Scroll to continue reading.

Related: Zero-Click Exploit Concerns Drive Urgent Patching of Windows TCP/IP Flaw

Related: Microsoft Warns of Six Windows Zero-Days Being Actively Exploited

Related: Microsoft: China Flaw Disclosure Law Part of Zero-Day Exploit Surge

Related: Windows Update Flaws Allow Undetectable Downgrade Attacks

Related: Adobe Calls Attention to Massive Batch of Code Execution Flaws

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Hear from experts as they explore the latest trends, challenges and innovations in Attack Surface Management.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Janet Rathod has been named VP and CISO at Johns Hopkins University.

Barbara Larson has joined SentinelOne as Chief Financial Officer.

Amy Howland has been named Partner and CISO at Guidehouse.

More People On The Move

Expert Insights