Windows 0-day was exploited by North Korea to install advanced rootkit
North Korean hackers exploited a Windows zero-day vulnerability, CVE-2024-38193, to install the undetectable FudModule rootkit, targeting sensitive sectors while Microsoft delayed patching for six months.
A recently patched Windows zero-day vulnerability, tracked as CVE-2024-38193, was exploited by North Korean hackers associated with the Lazarus group to install a sophisticated rootkit known as FudModule. The vulnerability, a "use after free" flaw in the AFD.sys driver, allowed attackers to gain system privileges and bypass standard security measures. Researchers from Gen, who discovered the attacks, noted that the exploitation targeted individuals in sensitive sectors such as cryptocurrency and aerospace, in order to infiltrate networks and potentially steal funds. The FudModule rootkit operates deep within the Windows operating system, which lets it evade detection by security products. Earlier variants of FudModule were installed using a method called "bring your own vulnerable driver," while the latest variant exploited a bug in appid.sys, a driver integral to Windows AppLocker. Although the vulnerability was reported to Microsoft, a fix took six months to arrive, during which Lazarus continued to exploit it. The exact timeline of the exploitation and the number of targeted organizations remain unclear, as does how well endpoint protection services detect this latest variant.
- North Korean hackers exploited a Windows zero-day vulnerability to install advanced malware.
- The vulnerability allowed attackers to bypass security measures and gain system privileges.
- The FudModule rootkit can operate undetected within the Windows operating system.
- Microsoft took six months to patch the vulnerability after it was reported.
- The attacks primarily targeted individuals in sensitive industries like cryptocurrency and aerospace.
Related
Hackers bypass Windows SmartScreen flaw to launch malware
Cybercriminals are exploiting a Microsoft Defender vulnerability (CVE-2024-21412) to install malware undetected. Many systems remain unpatched, making them vulnerable. Users should update Windows and be cautious with email attachments.
The Wild West of Proof of Concept Exploit Code (PoC)
CVE-2024-6387 is a serious unauthenticated remote code execution vulnerability in OpenSSH, with complex exploitation requiring knowledge of system architecture. The exploit code contains malicious elements, emphasizing risks of untrusted code.
Secure Boot useless on PCs from major vendors after key leak
A study by Binarily found that hundreds of PCs from major manufacturers are vulnerable due to a leaked 12-year-old test platform key, allowing attackers to bypass Secure Boot protections.
Almost unfixable "Sinkclose" bug affects AMD chips
Researchers discovered a major security vulnerability in AMD processors, named "Sinkclose," affecting millions of chips since 2006, allowing undetectable malware installation and posing severe risks to system security.
Zero-click Windows TCP/IP RCE impacts all systems with IPv6 enabled, patch now
Microsoft warns of a critical TCP/IP vulnerability (CVE-2024-38063) affecting all IPv6-enabled Windows systems, allowing remote code execution. Users should prioritize patching to mitigate risks, as the exploit is wormable.
Mostly running Windows 7 Professional with latest patches from Microsoft. Had an HP Laptop with Windows 10 Home Edition where the hard disk failed. So, got another HP, with Windows 11 Home.
I'm a traditional Windows user and am writing software in .NET, IIS, ASP.NET, SQL Server. My most important tools are Rexx for a scripting language and KEdit for my text editor. I don't want Windows to be more like a smartphone.
Microsoft made a lot of changes from 10 to 11, and for my traditional usage made Windows too different to use. Bluntly I have to regard 11 as unacceptable for my traditional usage on 7 and 10 and am eager to replace 11 with 10.
Sooooo, I'm ready to pull hair and scream trying to find a way to install a genuine, 100% authentic, dyed in the wool, DVD, SSD, SEO, whatever, I can use to install 10 on my new HP.
HELP!!!!!
Not true. A privileged few have very fast internet access via fibre cable from China. And they have cyber offensive teams that do attacks like this.
I find it fascinating they are able to detect these things and report them to Microsoft. The security companies obviously have to be on the endpoints to see any of this. However, it doesn’t seem like this depth of detection extends to protecting customers.
The attribution to North Korea, which was after all the headline, does not appear substantiated in the information given.
[1]https://arstechnica.com/information-technology/2024/05/micro...
Only by North Korea? /s
Unacceptable to have so much non-provably safe code exploitable like this.