In its latest Patch Tuesday update, Microsoft addressed a critical security vulnerability in the Windows Ancillary Function Driver (AFD.sys) for WinSock, identified as CVE-2024-38193. This flaw, which has a severity score of 7.8, could allow attackers to escalate their privileges to an administrator level on vulnerable systems. Microsoft warned that “an attacker who successfully exploited this vulnerability could gain SYSTEM privileges.”
Unfortunately, the fix may have come too late, as some security researchers have reported that the bug was already being exploited in the wild as a zero-day vulnerability. Notably, experts from Gen Digital (the parent company of Norton, Avira, and Avast) have linked this exploitation to the notorious Lazarus Group, a North Korean state-sponsored hacking organization. According to their findings, Lazarus used this flaw to deploy a malicious rootkit named FudModule.
**Lazarus Group’s Latest Attack**
Gen Digital’s report highlighted the serious implications of this vulnerability, stating, “This flaw allowed them to gain unauthorized access to sensitive system areas.” By exploiting the bug, attackers could bypass standard security measures, gaining access to parts of the system that are typically off-limits to users and administrators alike.
The researchers emphasized the sophistication of this attack, noting that it likely required significant resources, potentially costing hundreds of thousands of dollars on the black market. The concern is particularly high because the targets are often individuals in critical sectors, such as cryptocurrency engineering or aerospace, where the goal is to infiltrate company networks and steal cryptocurrency to fund further operations.
Lazarus Group is well-known for conducting some of the most damaging cyberattacks in recent years. They are infamous for their fake job recruitment scams, where they create convincing LinkedIn profiles or impersonate well-known figures to lure software developers with lucrative job offers. One such attack against a blockchain developer led to the theft of approximately $600 million from a cryptocurrency project. It is believed that the stolen funds are being used to support North Korea’s government and its weapons development programs.