DailyPost 2713

If you have not heard of zero day, you do not belong to the cyber security domain, and if you don’t know of Lazarus, you would be treated as a cyber security greenhorn. A zero day is a vulnerability found for the first time in a piece of code, and one whose exploitation is bound to succeed. The history of zero day is, in a way, also a history of code insecurity. With its roots in North Korea, the Lazarus group has wreaked havoc the world over for a decade now; financial institutions were initially its major targets, and it has since moved on to ransomware and much else.

This notorious group has recently come into the limelight again. Lazarus exploited a recently patched privilege escalation flaw in the Windows kernel. It was exploited as a zero day to obtain “kernel level access and disable security software on compromised hosts.” As every vulnerability has a unique identifier, the one in question is CVE-2024-21338. This vulnerability could permit an attacker to gain SYSTEM privileges. Microsoft announced it as resolved earlier this month. On Wednesday, Redmond revised its “Exploitability assessment” for the flaw to “Exploitation Detected.”

At the time the updates were released there was no indication of active exploitation. Based on the information currently available in the public domain, it is not clear when the attacks took place. What is certain is that the vulnerability was introduced in Windows 10, version 1703. By weaponizing the flaw, Lazarus could “perform direct kernel level manipulation in an updated version of their data-only FudModule rootkit.” This infamous module was first reported in Oct 2022, with the capability of disabling the monitoring of all security solutions. This was done by what is known as a Bring Your Own Vulnerable Driver (BYOVD) attack.

What makes the current attack a milestone is that it goes “beyond BYOVD by exploiting a zero-day driver that’s known to be already installed on the target machine.” The susceptible driver is critical to the functioning of AppLocker, which is responsible for application control. Cyber security experts across the globe are unanimous that the Lazarus group remains among the “most prolific and long-standing advanced persistent threat actors.” In the same tenor, the “FudModule rootkit serves as the latest example, representing one of the most complex tools Lazarus holds in their arsenal.”

Sanjay Sahay

Have a nice evening.
