CVE-2024-38193: Microsoft Patches Critical Zero-Day Exploit Used by North Korea’s Lazarus Group

A vulnerability in Microsoft Windows has been exploited as a zero-day by the Lazarus Group, a state-sponsored actor attributed to North Korea. The flaw, tracked as CVE-2024-38193, is an elevation of privilege bug in the Windows Ancillary Function Driver for WinSock (afd.sys), the kernel driver that backs the Winsock socket API. Microsoft fixed it in the August 2024 Patch Tuesday update, and it carries a CVSS score of 7.8.

CVE-2024-38193 does not give an attacker a way in: it is a local elevation of privilege flaw, so an attacker who can already run code on the host as a low-privileged user can use it to escalate to SYSTEM and reach kernel memory and other sensitive parts of the system that are normally off-limits to ordinary users and administrators alike. Lazarus exploited it to obtain the kernel-level access needed to install its FudModule rootkit, whose job is to disable security monitoring and keep the intrusion hidden.

Technical details of this vulnerability have not been published at the time of writing, but it resembles another elevation of privilege vulnerability, CVE-2024-21338, that Microsoft patched in February 2024. That flaw sat in the Windows AppLocker driver (appid.sys): the driver trusted input supplied through an IOCTL from user mode, letting a local attacker execute code in the kernel and build an arbitrary kernel read/write primitive, which Lazarus used to tamper with kernel security mechanisms and run the FudModule rootkit.

What sets these attacks apart from the common "Bring Your Own Vulnerable Driver" (BYOVD) technique is that no third-party driver is loaded at all: the exploited driver (afd.sys here, appid.sys earlier) ships with Windows and is already running on every host, so controls that block the loading of known-bad or non-Microsoft drivers, such as Microsoft's vulnerable driver blocklist, offer no protection against it. In the earlier campaign analysed by Avast, the rootkit was delivered by a remote access trojan named Kaolin RAT.

These attacks demonstrate the Lazarus Group's sophistication in exploiting software that is already present on target systems. Reserving the FudModule rootkit for select intrusions reflects a deliberate strategy of minimising exposure to security products and avoiding detection. Because CVE-2024-38193 affects a driver present on every Windows installation, it poses a serious threat to all Windows users, and Microsoft's August 2024 update should be applied promptly; until it is, any attacker with code execution on an unpatched host should be assumed capable of escalating to SYSTEM.
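As an added example (not code from the article, Microsoft or Avast), the following PowerShell script performs the local triage a defender would want for the two built-in drivers discussed above: it records the version and signer of afd.sys and appid.sys, checks whether the expected cumulative update is installed, and, for contrast with the BYOVD case, lists running kernel drivers that are not Microsoft inbox drivers. The KB identifiers and the minimum afd.sys file version are placeholders the page does not supply; they differ per Windows build and must be taken from Microsoft's advisory for CVE-2024-38193. Run it in an elevated PowerShell session.

```powershell
<#
Added example, not code from the article, Microsoft or Avast. Local triage for
afd.sys (CVE-2024-38193) and appid.sys (CVE-2024-21338). Run elevated.
The KB IDs and minimum file version are ASSUMED placeholders: take the real
values from the MSRC advisory for your Windows build.
#>
param(
    # ASSUMPTION: KB article IDs of the August 2024 cumulative update for this build.
    [string[]] $ExpectedKBs   = @('KB0000000'),
    # ASSUMPTION: afd.sys file version after the update, from the update's file list.
    [version]  $MinAfdVersion = [version]'10.0.0.0'
)

$drivers = @(
    @{ Name = 'afd.sys';   Cve = 'CVE-2024-38193' },
    @{ Name = 'appid.sys'; Cve = 'CVE-2024-21338' }
)

# Build a System.Version from the four numeric parts so versions compare
# numerically rather than as strings ("10.0.19041.4717" vs "10.0.19041.999").
function Get-DriverVersion([string] $Path) {
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    New-Object System.Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

# 1. Version and signer of the two drivers. Both are signed by Microsoft itself,
#    which is why "block non-Microsoft drivers" style controls never see them.
foreach ($d in $drivers) {
    $path = Join-Path $env:SystemRoot "System32\drivers\$($d.Name)"
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "$($d.Name) not present"; continue }
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Driver  = $d.Name
        CVE     = $d.Cve
        Version = Get-DriverVersion $path
        Signer  = $sig.SignerCertificate.Subject
        SigOK   = $sig.Status
    }
}

$afdPath = Join-Path $env:SystemRoot 'System32\drivers\afd.sys'
if ((Test-Path -LiteralPath $afdPath) -and ((Get-DriverVersion $afdPath) -lt $MinAfdVersion)) {
    Write-Warning "afd.sys is older than $MinAfdVersion: the CVE-2024-38193 fix is likely missing"
}

# 2. Is the expected cumulative update installed? Get-HotFix reads
#    Win32_QuickFixEngineering, which lists installed LCUs by KB number; it does
#    not see updates that are downloaded but not installed or pending a reboot.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
foreach ($kb in $ExpectedKBs) {
    if ($installed -contains $kb) { "$kb installed" } else { Write-Warning "$kb MISSING" }
}

# 3. The BYOVD surface, for contrast: running kernel drivers that are not
#    Microsoft inbox drivers. ASSUMPTION: inbox drivers carry the signer subject
#    "CN=Microsoft Windows, ..."; third-party drivers (including WHQL- or
#    attestation-signed ones) carry a different subject, and those are what a
#    driver blocklist targets. afd.sys and appid.sys never appear in this list.
Get-CimInstance Win32_SystemDriver -Filter "State='Running'" | ForEach-Object {
    # Normalise the NT-style paths WMI reports into Win32 paths.
    $p = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    if (-not (Test-Path -LiteralPath $p)) { return }
    $s = Get-AuthenticodeSignature -LiteralPath $p
    if ($s.SignerCertificate -and $s.SignerCertificate.Subject -like 'CN=Microsoft Windows,*') { return }
    [pscustomobject]@{
        Service = $_.Name
        Path    = $p
        Signer  = if ($s.SignerCertificate) { $s.SignerCertificate.Subject } else { '(unsigned)' }
        Status  = $s.Status
    }
}
```

The third section is the point of the BYOVD contrast: a hunt for suspicious drivers based on signer or blocklist membership surfaces only what an attacker brings with them, and the drivers Lazarus exploited here would pass that filter on every host, so the only effective control is the patch itself.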
