Microsoft Flaw CVE-2024-38193 exploited by Lazarus Group

During this month's Patch Tuesday, Microsoft addressed nearly 90 flaws, some of which have already been exploited by hackers.

One specific vulnerability, CVE-2024-38193 with a CVSS score of 7.8, is a Bring Your Own Vulnerable Driver (BYOVD) flaw located in the binary of the Windows Ancillary Function Driver (AFD.sys), which serves as the kernel entry point for the Winsock API.

Upon exploitation, a threat actor can gain system-level privileges, up to the highest privilege in Windows, known as SYSTEM access, enabling them to execute untrusted code. Microsoft said the flaw has been exploited, but no further information was provided at that time.


Gen Digital, which discovered and reported the vulnerability to Microsoft, stated that this flaw allows attackers to bypass normal security restrictions and access sensitive system areas that are typically inaccessible to most users and administrators. The attack is both complex and cunning, and potentially worth hundreds of thousands of dollars on the black market.

The researchers attributed the exploitation to the Lazarus Group, which used it to install malware known as FudModule, a highly sophisticated piece of malware detected by researchers from AhnLab and ESET in 2022.

Earlier this year, Avast discovered a variant of FudModule that can bypass critical Windows defenses, such as Endpoint Detection and Response (EDR) and Protected Processes. After the flaw was reported to Microsoft, it took six months to patch the vulnerability, extending the Lazarus Group's window of attack by half a year.


This variant also installs itself by exploiting a vulnerability in appid.sys, the driver for the Windows AppLocker service, which comes pre-installed on Windows systems. This makes it easier for threat actors to deploy the variant.
