Lazarus Group Exploits Windows Vulnerability, Microsoft Issues Patch

The Lazarus Group Strikes Again

The infamous Lazarus hacking group from North Korea has once again made headlines, this time by exploiting a zero-day vulnerability in the Windows AFD.sys driver. This flaw has allowed them to elevate privileges and install the FUDModule rootkit on targeted systems, raising significant concerns within the cybersecurity community.

Microsoft addressed this vulnerability, designated as CVE-2024-38193, during its August 2024 Patch Tuesday, alongside seven other zero-day vulnerabilities. The flaw is categorized as a Bring Your Own Vulnerable Driver (BYOVD) vulnerability, which means that attackers can leverage known vulnerabilities in drivers to gain unauthorized access to sensitive system areas.

The AFD.sys driver, which serves as an entry point into the Windows Kernel for the Winsock protocol, was identified by researchers from Gen Digital. They reported that the Lazarus group exploited this flaw to install the FUDModule rootkit, a sophisticated piece of malware designed to evade detection by disabling Windows monitoring features. “In early June, Luigino Camastra and Milanek discovered that the Lazarus group was exploiting a hidden security flaw in a crucial part of Windows called the AFD.sys driver,” Gen Digital warned. “This flaw allowed them to gain unauthorized access to sensitive system areas. We also discovered that they used a special type of malware called Fudmodule to hide their activities from security software.”

Understanding BYOVD Attacks

BYOVD attacks involve the installation of drivers with known vulnerabilities on targeted machines, which are then exploited to gain kernel-level privileges. Attackers often take advantage of third-party drivers, such as those for antivirus software or hardware, which require elevated privileges to interact with the kernel. The AFD.sys vulnerability is particularly perilous because it is installed by default on all Windows devices, enabling threat actors to execute their attacks without needing to install older, vulnerable drivers that might be blocked by Windows and easily detected.

The Lazarus Hacking Group

While Gen Digital has not disclosed specific details regarding the targets of this recent attack or the timeline of the incidents, the Lazarus group has a well-documented history of targeting financial and cryptocurrency firms in high-stakes cyberheists, often to fund the North Korean government’s weapons and cyber initiatives. Their notoriety surged following the 2014 Sony Pictures hack and the 2017 global WannaCry ransomware attack, which disrupted businesses across the globe.

In April 2022, the US government linked the Lazarus group to a cyberattack on Axie Infinity, resulting in the theft of over $7 million worth of cryptocurrency. In response to their ongoing malicious activities, the US government has offered a reward of up to $5 million for information that could help identify or locate these DPRK hackers.

Where to download axie infinity?

You can download Axie Infinity from the official website at axieinfinity.com. Scroll down to the 'Play Now' section or click on 'Get Started' to find the download links for different platforms, such as Windows, Mac, iOS, or Android. Ensure that you download the application from the official website to avoid any security risks or scams.

Where to buy axie infinity?

You can buy Axie Infinity (AXS) on various cryptocurrency exchanges, including Binance, Coinbase, Kraken, KuCoin, and others. To purchase, you will need to create an account on one of these exchanges, complete any necessary verification processes, deposit funds, and then place an order for AXS. Always use reputable exchanges to ensure the security of your transactions.