The infamous North Korean hacker gang Lazarus recently exploited a zero-day vulnerability in the Windows AFD.sys driver. They then installed a rootkit to disguise their activities. Microsoft has since patched the vulnerability.
Through a zero-day vulnerability in the Windows AFD.sys driver, North Korean state-backed hackers from the Lazarus APT group were able to gain elevated privileges on affected systems. This then allowed them to install the FUDModule rootkit to cover up the breach. The attack was discovered by researchers from security specialist Gen Digital.
According to the researchers, the zero-day vulnerability exploited was a so-called Bring Your Own Vulnerable Driver (BYOVD) vulnerability in the Windows Ancillary Function Driver for WinSock (AFD.sys). This driver is the Windows kernel's entry point for the Winsock networking API.
BYOVD attacks
In a BYOVD attack, hackers install a legitimately signed driver that has a known vulnerability and then abuse that vulnerability on the affected system to obtain kernel-level privileges. Drivers from third-party (software) vendors, such as antivirus or hardware drivers, are frequently abused in this way, because these types of drivers run with high privileges in order to interact with the kernel.
According to the study, the vulnerability in AFD.sys was particularly dangerous because it was installed by default on all Windows devices. This allowed the hackers to carry out this attack without first installing an older vulnerable driver that could potentially be blocked and detected by Windows.
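Because a BYOVD attack needs a vulnerable driver to be loaded, a useful defensive check is to list the running kernel drivers that are not in-box Windows components and record their signer and hash, so they can be compared against a vulnerable-driver blocklist. The following PowerShell is an added example for this article, not code from Gen Digital or Microsoft; it assumes an elevated PowerShell 5.1+ session on Windows and treats the "CN=Microsoft Windows" signer as the marker for in-box drivers (a heuristic, not an authoritative classification).

```powershell
# Added example: triage loaded kernel drivers for BYOVD-style abuse.
# Assumption: run as administrator; Get-CimInstance and Get-AuthenticodeSignature
# are available. In-box drivers (signer CN=Microsoft Windows, e.g. afd.sys) are
# skipped; WHCP-signed third-party drivers and unsigned drivers are reported.
function Get-ThirdPartyRunningDrivers {
    [CmdletBinding()]
    param()

    # Win32_SystemDriver lists kernel-mode drivers; keep only those currently running.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($d in $drivers) {
        # PathName may look like "\??\C:\...\foo.sys", "\SystemRoot\System32\drivers\foo.sys"
        # or "System32\drivers\foo.sys"; normalise it to a plain Win32 path.
        $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ''
        if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

        # Heuristic: in-box OS drivers are signed as "CN=Microsoft Windows, O=Microsoft...".
        # Third-party drivers signed through WHCP carry a different CN, so they are kept.
        if ($signer -match '^CN=Microsoft Windows,') { continue }

        [PSCustomObject]@{
            Name      = $d.Name
            Path      = $path
            StartMode = $d.StartMode
            SigStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer    = $signer
            # SHA-256 of the image, for lookup against a vulnerable-driver blocklist.
            Sha256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

# Usage: Get-ThirdPartyRunningDrivers | Sort-Object Signer | Format-Table -AutoSize
```

Drivers that report NotSigned or HashMismatch, or whose path lies outside the Windows drivers directory, are the first candidates to investigate.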
Resolved in Patch Tuesday update
Microsoft was aware of the new driver vulnerability and fixed it in the recent Patch Tuesday update for August 2024.