Lazarus Group: Microsoft Patch Exploit Infamous Hackers Used
Microsoft has released a patch for a zero-day vulnerability in Windows that had already been exploited by the infamous Lazarus Group, a state-sponsored hacking collective linked to North Korea.
The fix shipped as part of Microsoft's monthly Patch Tuesday update, which addressed a total of 90 security flaws. The issue was discovered by researchers Luigino Camastra and Milánek of software company Gen Digital.
The flaw, identified as CVE-2024-38193 with a CVSS score of 7.8, is a privilege escalation bug in the Windows Ancillary Function Driver (AFD.sys) for WinSock.
"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," Microsoft said following the announcement.
The Lazarus Group has previously exploited another recently patched privilege escalation flaw in the Windows kernel as a zero-day, using it to obtain kernel-level access and disable security software on compromised hosts.
Against that record, abuse of a local privilege escalation bug is one of the group's milder episodes. Film studios, banks, healthcare: the group has a history of high-profile targets that has carried its infamy beyond the cyber sphere and into the wider world.
A look at the Lazarus Group
The Lazarus Group is a North Korean state-sponsored hacking organisation that has been active for well over a decade, with its earliest known attacks dating from 2009.
Its name is an exonym, derived from the biblical figure Lazarus, chosen because the group keeps reappearing under different identities for different cyber campaigns.
Well known in the cybersecurity sector for developing its own malware and for innovative attack techniques, the group became widely known after the 2014 hack of Sony Pictures, believed to have been retaliation for a Sony film parodying North Korea and its leader Kim Jong Un; the incident cost Sony an estimated US$15m.
In 2016, they issued thirty-five fraudulent instructions via the SWIFT network to illegally transfer close to US$1bn from the Federal Reserve Bank of New York account belonging to the central bank of Bangladesh. Five of the thirty-five fraudulent instructions were successful in transferring US$101m.
But it didn't stop there. The group was also responsible for the 2017 WannaCry ransomware attack, which crippled many NHS trusts, forcing them to cancel hundreds of appointments, and affected nearly 200,000 computers in 150 countries.
Tactics to be aware of
Unlike many other state-sponsored groups, the Lazarus Group is heavily financially motivated, using cybercrime to bolster North Korea's struggling economy.
Lazarus employs a range of sophisticated tactics and is known for a methodical approach, often remaining undetected in compromised networks for extended periods. Its operations span disruption, financial theft and espionage, using tools such as DDoS attacks, wipers and remote access trojans.
WannaCry was one of the first major ransomware outbreaks to spread as a cryptoworm: malware that travels between computers over the network on its own. No one needs to click a malicious link. WannaCry scanned for other Windows machines exposing the SMBv1 file-sharing service, infected them directly using the EternalBlue exploit, and then repeated the process from each new victim.
Equally, what sets the group apart is the effort it puts into cleaning up evidence of its presence after an attack. It uses anti-forensics techniques to cover its tracks, such as clearing Windows event logs and wiping master file table records.
It then tries to misdirect investigators by disguising operations as hacktivist activity or planting false flags to confuse attribution efforts.
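Clearing event logs, one of the anti-forensics steps described above, leaves a small trace of its own: Windows writes Event ID 1102 ("The audit log was cleared") to the Security log and Event ID 104 to the System log, and the record numbering of the emptied log starts again from 1. The following detection logic is an added example for this article, not code from the page or from any vendor; it runs over a constructed batch of newline-delimited JSON event records (the field names `host`, `channel`, `event_id` and `record_id` are assumptions about the collector's output format) and flags both the explicit "log cleared" events and any record-number reset, which also catches a clear whose 1102/104 record never reached the collector.

```python
"""Flag Windows event-log clearing from forwarded event records.

Added example (not from the original article). Two independent signals:
  1. the explicit clear events Windows itself writes (Security/1102, System/104);
  2. a per-host, per-channel record_id that goes backwards, which is what a
     truncated log looks like even if the clear event itself was lost.
Field names below are an assumed collector schema, not a Windows-defined one.
"""
from __future__ import annotations

import json
from typing import Iterable

# Events Windows writes when a log is cleared (wevtutil cl, Clear-EventLog, ...).
# They land in the freshly emptied log, so they only survive if logs are
# forwarded off the host before an attacker can touch them a second time.
LOG_CLEARED = {
    ("Security", 1102),
    ("System", 104),
}

# Constructed sample: ordinary logon/process events on ws17, then both logs
# are cleared, after which the Security record numbering restarts from 1.
SAMPLE_EVENTS = r"""
{"time":"2024-08-13T09:12:01Z","host":"ws17","channel":"Security","event_id":4624,"record_id":551201,"user":"CORP\\jdoe"}
{"time":"2024-08-13T09:12:09Z","host":"ws17","channel":"Security","event_id":4688,"record_id":551202,"user":"CORP\\jdoe"}
{"time":"2024-08-13T09:14:33Z","host":"ws17","channel":"Security","event_id":1102,"record_id":1,"user":"NT AUTHORITY\\SYSTEM"}
{"time":"2024-08-13T09:14:35Z","host":"ws17","channel":"System","event_id":104,"record_id":1,"user":"NT AUTHORITY\\SYSTEM"}
{"time":"2024-08-13T09:14:40Z","host":"ws17","channel":"Security","event_id":4624,"record_id":2,"user":"CORP\\jdoe"}
{"time":"2024-08-13T09:20:00Z","host":"ws22","channel":"Security","event_id":4624,"record_id":88120,"user":"CORP\\asmith"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_log_clears(events: Iterable[dict]) -> list[dict]:
    """Signal 1: records that are themselves a 'log cleared' event."""
    return [e for e in events if (e["channel"], e["event_id"]) in LOG_CLEARED]


def find_record_id_resets(events: Iterable[dict]) -> list[tuple[str, str, int, int]]:
    """Signal 2: record_id should only grow per (host, channel); a drop means
    the log was truncated. Returns (host, channel, previous_id, new_id)."""
    last: dict[tuple[str, str], int] = {}
    resets: list[tuple[str, str, int, int]] = []
    for e in events:
        key = (e["host"], e["channel"])
        rid = int(e["record_id"])
        if key in last and rid < last[key]:
            resets.append((e["host"], e["channel"], last[key], rid))
        last[key] = rid
    return resets


def detect(text: str) -> list[str]:
    """Run both signals over an NDJSON batch and return human-readable alerts."""
    events = parse_events(text)
    alerts = [
        f"{e['time']} {e['host']} {e['channel']} log cleared (event {e['event_id']}) by {e['user']}"
        for e in find_log_clears(events)
    ]
    alerts += [
        f"{host} {channel} record_id dropped from {prev} to {new}: log truncated"
        for host, channel, prev, new in find_record_id_resets(events)
    ]
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Both signals fire on the sample: the 1102 and 104 records are reported directly, and the Security channel on ws17 is flagged once for the jump from record 551202 back to 1. The System log on ws17 has no earlier record in the batch, so only its explicit 104 event is visible; that is the practical reason to keep forwarding logs continuously rather than pulling them after an incident.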
The Lazarus Group represents a significant and ongoing cyber threat. Microsoft's patch closes one more door that groups like this can walk through, but every new release brings new code, and with it the possibility of new vulnerabilities.
Cyber Magazine is a BizClik brand