Lazarus Group: Microsoft Patches Flaw the Infamous Hackers Exploited

The Lazarus Group is a North Korean state-sponsored hacking organisation that has been active for over two decades
Microsoft has patched a Windows vulnerability that the infamous Lazarus Group had previously managed to exploit

Microsoft has released a patch for a zero-day vulnerability in Windows that had already been exploited in the wild by the infamous Lazarus Group, a state-sponsored hacking collective linked to North Korea.

The fix shipped as part of Microsoft's monthly Patch Tuesday update, which addressed a total of 90 security flaws. The issue was discovered by Gen Digital researchers Luigino Camastra and Milánek.

The flaw, identified as CVE-2024-38193 with a CVSS score of 7.8, is a local privilege escalation bug in the Windows Ancillary Function Driver for WinSock (AFD.sys), the kernel driver that backs Windows sockets.

"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," Microsoft said following the announcement. 
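Because the bug lives in a kernel driver, the practical question for administrators is whether the AFD.sys on a given host is the post-patch build. The following check is an added example written for this article, not code from Microsoft or Gen Digital. It reads the driver's file version and compares it numerically with a minimum version you supply; the exact fixed build differs per Windows release and is not given in the article, so take it from the MSRC advisory for CVE-2024-38193. The optional KB number is likewise something you look up, not a value from the page.

```powershell
# Added example: report the installed AFD.sys version and whether it meets a
# minimum build supplied by the caller. $MinimumVersion and $KBArticle are
# placeholders for values taken from the MSRC advisory; neither is in the article.
function Test-AfdSysPatched {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][version]$MinimumVersion,
        [string]$KBArticle,
        [string]$DriverPath = (Join-Path $env:SystemRoot 'System32\drivers\afd.sys')
    )

    $file = Get-Item -LiteralPath $DriverPath -ErrorAction Stop

    # FileVersion looks like "10.0.22621.3958 (WinBuild.160101.0800)". Keep only
    # the dotted build and cast it to [version] so the comparison is numeric;
    # comparing the raw strings would sort "10.0.22621.999" above "10.0.22621.3958".
    $installed = [version](($file.VersionInfo.FileVersion -split '\s+')[0])

    # Get-HotFix returns nothing (no error) when the update is absent.
    $updatePresent = if ($KBArticle) {
        [bool](Get-HotFix -Id $KBArticle -ErrorAction SilentlyContinue)
    } else { $null }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        DriverPath       = $file.FullName
        InstalledVersion = $installed
        MinimumVersion   = $MinimumVersion
        Patched          = ($installed -ge $MinimumVersion)
        UpdateInstalled  = $updatePresent
    }
}

# Usage (the version and KB below are placeholders, not the real fixed build):
# Test-AfdSysPatched -MinimumVersion '10.0.22621.4037' -KBArticle 'KB5041585'
```

Run it from a fleet-management tool against every Windows host and alert on `Patched -eq $false`; the file-version check is more trustworthy than the KB lookup alone, because a superseded cumulative update can carry the same fix under a different KB number.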

The Lazarus Group had also exploited a recently patched privilege escalation flaw in the Windows kernel as a zero-day, using the kernel-level access it gained to disable security software on compromised hosts.

Yet this latest exploit is a comparatively modest example of the group's work. Film studios, banks, healthcare: the group has a history of high-profile targets that has carried its infamy beyond the cybersphere and into the wider world.

A look at the Lazarus Group

The Lazarus Group is a North Korean state-sponsored hacking organisation that has been active for well over a decade, with its earliest known attacks dating back to 2009.

The name is an exonym, taken from the biblical figure Lazarus because the group keeps reappearing under different identities for successive cyber campaigns.

Well known in the cybersecurity sector for developing its own malware and for innovative attack techniques, the group came to wide public attention after the 2014 hack on Sony Pictures, believed to be retaliation for a Sony film parodying North Korea and its leader Kim Jong Un. Sony put the cost of the attack at US$15m.


In 2016, they issued thirty-five fraudulent instructions via the SWIFT network to illegally transfer close to US$1bn from the Federal Reserve Bank of New York account belonging to the central bank of Bangladesh. Five of the thirty-five fraudulent instructions were successful in transferring US$101m.

But it didn't stop there. The group was also responsible for the 2017 WannaCry ransomware attack, which crippled many NHS trusts, forcing them to cancel thousands of appointments, and affected more than 200,000 computers in 150 countries.

Tactics to be aware of 

Unlike many other state-sponsored groups, the Lazarus Group is heavily financially motivated, using cybercrime to bolster North Korea's struggling economy.

Lazarus employs a range of sophisticated tactics and is known for a methodical approach, often remaining undetected within systems for extended periods. Its operations span disruption, financial theft and espionage, using tools such as DDoS attacks, wipers and remote access trojans.

In fact, the WannaCry attack was one of the first major cyber attacks to use a cryptoworm. Worms are a class of malware that travel between computers over the network on their own. Nobody needs to click a bad link to be infected: once one machine is compromised, the malware scans for other reachable hosts with the same unpatched flaw and infects them in turn, and each new victim repeats the process.

WannaCry spread by exploiting a vulnerability in the SMBv1 file-sharing protocol (MS17-010, the "EternalBlue" bug), which listens on TCP port 445, letting it move freely across intranets where that port was reachable between hosts.
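The lesson for defenders is that the worm needed two conditions: SMBv1 enabled on the victim and port 445 reachable from an infected peer. The audit below is an added example written for this article, not code from Microsoft or from any WannaCry analysis; it reports both conditions on a Windows 8.1/Server 2012 R2 or later host and offers a guarded remediation. Cmdlet names are the standard SmbShare, DISM and NetSecurity modules; the function names are the author's own.

```powershell
# Added example: audit the two preconditions for SMBv1 worm propagation
# (SMBv1 enabled, TCP 445 listening and allowed inbound) and optionally disable SMBv1.
# Run in an elevated PowerShell session.
function Get-SmbWormExposure {
    [CmdletBinding()]
    param()

    # Server-side SMBv1 switch; this is the protocol the MS17-010 exploit targets.
    $server = Get-SmbServerConfiguration

    # The optional Windows feature that ships the SMBv1 driver. Disabling the
    # feature removes the component rather than merely turning the setting off.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue

    # Anything listening on 445, and any enabled inbound Allow rule for it.
    $listeners = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $allowRules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq 445 } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = [bool]$server.EnableSMB1Protocol
        Smb1FeatureState  = if ($feature) { $feature.State.ToString() } else { 'Unknown' }
        ListeningOn445    = [bool]$listeners
        InboundAllowRules = @($allowRules | Select-Object -ExpandProperty DisplayName)
    }
}

function Disable-Smb1 {
    # SupportsShouldProcess gives -WhatIf / -Confirm so the change can be previewed.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess('SMBv1', 'disable server protocol and remove feature')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# Usage:
# Get-SmbWormExposure
# Disable-Smb1 -WhatIf    # preview
# Disable-Smb1            # apply; a reboot completes the feature removal
```

A host where `Smb1ServerEnabled` is true and `InboundAllowRules` is non-empty is exposed to exactly the propagation path the article describes. Disabling SMBv1 does not by itself close port 445, since SMBv2/3 share it; the firewall rules still decide which peers may reach the service.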

What also sets the group apart is the effort it puts into cleaning up evidence of its presence after an attack. It uses anti-forensics techniques to cover its tracks, such as clearing Windows event logs and wiping master file table records.
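Clearing an event log is itself a logged action, which is why detection teams hunt for it. The function below is an added example written for this article, not code from any vendor; it collects the two records Windows writes when a log is cleared, Event ID 1102 in the Security log ("The audit log was cleared") and Event ID 104 in the System log from the Microsoft-Windows-Eventlog provider (any other log cleared), and reports who did it and which log was wiped. The function name and the seven-day window are the author's choices.

```powershell
# Added example: hunt for event-log clearing on a Windows host.
# Both records survive the clear they describe, so they are a reliable signal
# unless the attacker also stops the Event Log service or tampers with the file.
function Find-LogClearEvents {
    [CmdletBinding()]
    param(
        [int]$Days = 7,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $since = (Get-Date).AddDays(-$Days)

    $filters = @(
        @{ LogName = 'Security'; Id = 1102; StartTime = $since }
        @{ LogName = 'System';   Id = 104;  StartTime = $since; ProviderName = 'Microsoft-Windows-Eventlog' }
    )

    foreach ($f in $filters) {
        # Get-WinEvent reports an error, not an empty result, when nothing matches.
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $f -ErrorAction SilentlyContinue

        foreach ($e in $events) {
            # The actor is only in the event XML, under UserData/LogFileCleared;
            # the PowerShell XML adapter lets us navigate it without the namespace.
            $cleared = ([xml]$e.ToXml()).Event.UserData.LogFileCleared

            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Computer    = $e.MachineName
                EventId     = $e.Id
                ClearedLog  = if ($e.Id -eq 104) { $cleared.Channel } else { 'Security' }
                ClearedBy   = '{0}\{1}' -f $cleared.SubjectDomainName, $cleared.SubjectUserName
                BackupPath  = if ($e.Id -eq 104) { $cleared.BackupPath } else { $null }
            }
        }
    }
}

# Usage:
# Find-LogClearEvents -Days 30 | Sort-Object TimeCreated | Format-Table -AutoSize
```

In a managed estate these events should be forwarded to a central collector, because a clear performed by an attacker with SYSTEM rights (which CVE-2024-38193 grants) can be followed by a second clear of the System log; the forwarded copy is what survives.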

The group also tries to misdirect investigators by disguising its operations as hacktivist activity or planting false flags to confuse attribution efforts.

The Lazarus Group represents a significant and ongoing cyber threat. Microsoft's patch narrows the space in which groups like this can operate, but every new release brings the possibility of new vulnerabilities, and hosts that never receive the update remain exposed.


Cyber Magazine is a BizClik brand
