Lazarus Group: Microsoft Patch Exploit Infamous Hackers Used

The Lazarus Group is a North Korean state-sponsored hacking organisation that has been active for over two decades
Microsoft has patched a vulnerability that the infamous Lazarus Group hacking collective previously managed to exploit

Microsoft has released a patch for a critical zero-day vulnerability in Windows that had previously been exploited by the infamous Lazarus Group, a state-sponsored hacking collective linked to North Korea. 

The fix shipped as part of Microsoft's monthly Patch Tuesday update, which addressed a total of 90 security flaws. The issue was discovered by Gen Digital researchers Luigino Camastra and Milánek.

The flaw, identified as CVE-2024-38193 with a CVSS score of 7.8, is a privilege escalation bug in the Windows Ancillary Function Driver (AFD.sys) for WinSock.

"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," Microsoft said following the announcement. 

The Lazarus Group had even exploited a recently patched privilege escalation flaw in the Windows Kernel as a zero-day to obtain kernel-level access and disable security software on compromised hosts.

Yet this recent attack on Microsoft's software represents a milder form of the group's hacks. Film studios, banks, healthcare: the group has a history of high-profile targets that has stretched its infamy beyond the cybersphere and into the wider world.

A look at the Lazarus Group

The Lazarus Group is a North Korean state-sponsored hacking organisation that has been active for over two decades, with its earliest known attack dating from 2009.

The name is an exonym derived from the biblical figure Lazarus, chosen because the group keeps reappearing under different identities for various cyber campaigns.

Well known in the cybersecurity sector for developing their own malware and using innovative attack techniques, they became widely known following the 2014 hack on Sony Pictures, believed to be in response to a Sony film parodying North Korea and its leader Kim Jong Un; the attack caused US$15m in damages.


In 2016, they issued thirty-five fraudulent instructions via the SWIFT network to illegally transfer close to US$1bn from the Federal Reserve Bank of New York account belonging to the central bank of Bangladesh. Five of the thirty-five fraudulent instructions were successful in transferring US$101m.

But it didn't stop there. The group was also responsible for the 2017 WannaCry ransomware attack, which crippled many NHS trusts, forcing them to cancel hundreds of appointments, and affected nearly 200,000 computers in 150 countries.

Tactics to be aware of 

Unlike many other state-sponsored groups, the Lazarus Group is heavily financially motivated, using cybercrime to bolster North Korea's struggling economy.

Lazarus employs a range of sophisticated tactics and is known for a methodical approach, often remaining undetected within systems for extended periods. Their operations include disruption, financial theft and espionage, often using tools such as DDoS attacks, wipers and remote access trojans.

In fact, their WannaCry attack was one of the first major cyber attacks to use a cryptoworm. These worms are a class of malware that travels between computers over networks. There is no need to click on a bad link to be infected: the malware spreads autonomously, from a computer to a connected printer, and then on to adjacent computers.

WannaCry exploited a vulnerability reachable over port 445 to move freely across intranets.

What also sets them apart is their effort to clean up evidence of their presence after an attack. They use anti-forensics techniques to cover their tracks, such as deleting event logs and wiping master file table records.

They then try to misdirect investigators by disguising their operations as hacktivist activity or planting false flags to confuse attribution efforts.
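The event-log deletion described above is one anti-forensics step defenders can watch for, because Windows itself records when a log is cleared. As an added example that is not part of the article, the Python below scans a constructed batch of event records for those clearing events (Security event ID 1102 and System event ID 104) and returns alerts; the record layout, hostnames, users and timestamps are assumptions made for the example.

```python
from dataclasses import dataclass

# Windows writes these events when a log is cleared, so their presence is the
# defender's signal that someone tried to erase evidence. Both IDs are real
# Windows event IDs; the channel names are the logs they appear in.
LOG_CLEARED_EVENTS = {
    ("Security", 1102): "Security audit log cleared",
    ("System", 104): "Event log cleared (Microsoft-Windows-Eventlog)",
}


@dataclass(frozen=True)
class EventRecord:
    """Minimal event record; the field set is an assumption for this example."""
    timestamp: str   # ISO 8601, constructed
    channel: str     # log the record was written to
    event_id: int
    host: str
    user: str


def detect_log_clearing(records):
    """Return one alert dict per record that indicates an event log was cleared.

    A cleared log cannot be recovered from the log itself, so the alert should be
    forwarded to a collector that the endpoint cannot erase.
    """
    alerts = []
    for rec in records:
        label = LOG_CLEARED_EVENTS.get((rec.channel, rec.event_id))
        if label is None:
            continue
        alerts.append({
            "timestamp": rec.timestamp,
            "host": rec.host,
            "user": rec.user,
            "reason": label,
        })
    return alerts


# Constructed sample records: ordinary activity followed by two log clears.
SAMPLE_RECORDS = [
    EventRecord("2024-08-13T09:14:02Z", "Security", 4624, "WS-0427", "alice"),
    EventRecord("2024-08-13T09:15:40Z", "Security", 4672, "WS-0427", "SYSTEM"),
    EventRecord("2024-08-13T09:16:11Z", "Security", 1102, "WS-0427", "SYSTEM"),
    EventRecord("2024-08-13T09:16:12Z", "System", 104, "WS-0427", "SYSTEM"),
    EventRecord("2024-08-13T09:20:00Z", "Application", 1000, "WS-0427", "alice"),
]

if __name__ == "__main__":
    for alert in detect_log_clearing(SAMPLE_RECORDS):
        print(alert)
```

Run against the sample batch it returns two alerts, one for each cleared log; the wiping of master file table records mentioned above is not visible in event logs and needs a separate disk-level check.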

The Lazarus Group represents a significant and ongoing cyber threat. Microsoft's patch narrows the space that groups like this can exploit, yet new updates bring new possible vulnerabilities.


Cyber Magazine is a BizClik brand
