The Lazarus Group recently exploited a zero-day flaw in Microsoft Windows that Microsoft has since patched. The vulnerability, tracked as CVE-2024-38193 with a CVSS score of 7.8, is a privilege escalation flaw in the Ancillary Function Driver for WinSock (AFD.sys). Unlike a Bring Your Own Vulnerable Driver (BYOVD) attack, it needs no third-party driver to be loaded onto the victim. Continue reading this Cybersecurity Threat Advisory to mitigate your risk and protect your system.
What is the threat?
CVE-2024-38193 is a privilege escalation vulnerability in AFD.sys, the Ancillary Function Driver for WinSock, which ships with every Windows installation. A local attacker who can already run code on the machine can use it to bypass normal security restrictions and gain kernel-level access to system areas that are normally off limits to ordinary users, the level of access needed to install a rootkit.
Why is it noteworthy?
The attack is particularly dangerous because AFD.sys is a core Windows component that is already loaded on every system, so exploitation does not require the introduction of any additional driver. That sets it apart from the typical BYOVD approach, in which attackers load a signed but vulnerable third-party driver to reach the kernel. Controls aimed at BYOVD, such as driver blocklists, do not stop an attack that abuses a driver Windows itself loads.
The flaw is reminiscent of CVE-2024-21338, a previous privilege escalation vulnerability in the AppLocker driver (appid.sys) that Lazarus exploited for the same purpose earlier in 2024. The group has demonstrated a pattern of exploiting such kernel privilege escalation flaws and then using the access to deploy the FudModule rootkit, which tampers with security tooling to evade detection.
What is the exposure or risk?
Any Windows system that has not received the update fixing CVE-2024-38193 is exposed, because the vulnerable driver is present on every Windows device. The flaw is a local privilege escalation, so an attacker must first be able to run code on the host, for example through phishing or a compromised account; once there, they can move from a standard user account to kernel-level control and install a rootkit such as FudModule that hides their activity from endpoint security tools.
What are the recommendations?
Barracuda MSP recommends the following actions to mitigate any risk caused by CVE-2024-38193:
- Install the August 2024 Windows security update as soon as possible and verify that automatic updates are functioning correctly, so that critical security fixes are applied in a timely manner.
- Conduct thorough background checks on potential hires and use identity verification services to prevent infiltration by threat actors using social engineering tactics.
- Audit and review security configurations to ensure that access controls and permissions are set and updated correctly.
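The following read-only host check is an added example and is not part of the Barracuda advisory. It shows how to verify the first and third recommendations together: it reads the version of the AFD.sys driver on disk, checks whether an expected cumulative update is installed, and confirms that Windows Update has not been disabled by service configuration or policy. The KB list and the minimum AFD.sys version are placeholders (assumptions, not values from the advisory); fill them in from Microsoft's advisory for the host's exact Windows build before relying on the verdict. Run it in an elevated PowerShell session.

```powershell
# Added example, not from the advisory: patch-status check for CVE-2024-38193.
# Assumptions: $RequiredKBs and $MinimumAfdVersion are placeholders that you
# replace with the KB numbers and afd.sys file version Microsoft lists for
# this host's Windows build. Nothing below is a fixed patched-version table.
[CmdletBinding()]
param(
    [string[]] $RequiredKBs       = @('KB0000000'),        # placeholder, replace
    [version]  $MinimumAfdVersion = [version]'10.0.0.0'    # placeholder, replace
)

$findings = [ordered]@{}

# 1. Version of the vulnerable driver actually on disk. afd.sys ships with
#    every Windows install, so its file version is the most direct indicator.
$afdPath    = Join-Path $env:SystemRoot 'System32\drivers\afd.sys'
$rawVersion = (Get-Item $afdPath).VersionInfo.FileVersion   # e.g. "10.0.19041.1 (WinBuild...)"
$afdVersion = [version]([regex]::Match($rawVersion, '\d+(\.\d+){3}').Value)
$findings['AfdVersion']   = $afdVersion
$findings['AfdIsPatched'] = ($afdVersion -ge $MinimumAfdVersion)

# 2. Is one of the expected cumulative updates installed? Get-HotFix reads the
#    same data as "Installed Updates" in Control Panel.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$matched   = @($RequiredKBs | Where-Object { $installed -contains $_ })
$findings['RequiredKBPresent'] = ($matched.Count -gt 0)

# 3. Can Windows Update still deliver fixes? A disabled wuauserv service or the
#    NoAutoUpdate policy are the usual reasons a host quietly stops patching.
$wu       = Get-Service -Name wuauserv
$auPolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
                             -Name NoAutoUpdate -ErrorAction SilentlyContinue
$findings['WUServiceStartType']        = $wu.StartType
$findings['AutoUpdateDisabledByPolicy'] = [bool]($auPolicy -and $auPolicy.NoAutoUpdate -eq 1)

# 4. When did an update last install successfully? A null date (never) is
#    treated as stale, which is the safe direction for this check.
$lastInstall = (New-Object -ComObject Microsoft.Update.AutoUpdate).Results.LastInstallationSuccessDate
$findings['LastUpdateInstalled'] = $lastInstall
$findings['StaleOver30Days']     = (-not $lastInstall) -or ($lastInstall -lt (Get-Date).AddDays(-30))

# 5. Overall verdict. "Patched" requires both the driver version and the KB to
#    line up, so a hand-copied afd.sys or a partially applied update stands out.
$updatesBlocked = ($wu.StartType -eq 'Disabled') -or $findings['AutoUpdateDisabledByPolicy']
if ($findings['AfdIsPatched'] -and $findings['RequiredKBPresent']) {
    $findings['Verdict'] = 'Patched'
} elseif ($updatesBlocked) {
    $findings['Verdict'] = 'Unpatched and automatic updates are blocked'
} else {
    $findings['Verdict'] = 'Unpatched'
}

[pscustomobject]$findings
```

Because the flaw lives in a built-in driver rather than a third-party one, the check deliberately looks at the file version of AFD.sys itself instead of scanning for known-bad loaded drivers; a BYOVD-style driver inventory would report nothing unusual on a host exploited this way.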
References
For more in-depth information on the above recommendations, please visit the following links:
- https://thehackernews.com/2024/08/microsoft-patches-zero-day-flaw.html
- https://www.msn.com/en-us/money/other/microsoft-patches-windows-security-flaw-exploited-by-north-korean-hackers-but-is-it-too-late/ar-AA1p4o0p?ocid=BingNewsVerp
- https://www.msn.com/en-us/money/other/zero-day-windows-bug-linked-to-north-korean-hacking-group-lazarus/ar-AA1oVKtu?ocid=BingNewsVerp
- https://winbuzzer.com/2024/08/20/north-korean-hackers-use-windows-zero-day-to-deploy-rootkit-xcxwbn/
- https://www.securityweek.com/windows-zero-day-attack-linked-to-north-koreas-lazarus-apt/
- https://www.bleepingcomputer.com/news/microsoft/windows-driver-zero-day-exploited-by-lazarus-hackers-to-install-rootkit/
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.