• Lazarus hackers return and hijack a Windows security flaw

    From TechnologyDaily@1337:1/100 to All on Thu Feb 29 17:15:05 2024
    Lazarus hackers return and hijack a Windows security flaw

    Date:
    Thu, 29 Feb 2024 17:05:16 +0000

    Description:
    North Korean hackers were seen disabling antivirus programs, possibly paving the way for more dangerous attacks.

    FULL STORY ======================================================================

    The infamous Lazarus Group is exploiting a zero-day vulnerability to disable antivirus programs on targeted Windows endpoints, new research has claimed.

    Cybersecurity experts from Avast said they observed a new campaign from the North Korean state-sponsored hackers, which now leverages a flaw in the Windows AppLocker driver. This flaw, tracked as CVE-2024-21338, allowed them to gain kernel-level access to the device. They used it to disable any antivirus programs installed on the device, opening the door for more disruptive malware.

    The flaw was found in the appid.sys driver, a component of Windows AppLocker that handles application whitelisting.

    To exploit the zero-day, Lazarus used a new version of FudModule, its proprietary rootkit, which was first spotted in late 2022. In previous attacks, the rootkit abused a Dell driver in what's known as a Bring Your Own Vulnerable Driver (BYOVD) attack. Now, FudModule is stealthier and more functional, offering more ways to avoid detection and to turn off endpoint protection solutions.

    Apparently, the group used it to disable products such as AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon, and the HitmanPro anti-malware solution.

    Avast notified Microsoft of its findings, and Microsoft released a fix for the flaw as part of its February 2024 Patch Tuesday cumulative update. This is also the only way to remain secure, so applying the patch without hesitation is advised.

    Lazarus Group is one of the world's most prominent, and infamous, cybercriminal organizations. Researchers believe it is under the direct control of the North Korean government, and it often uses its skills for cyber-espionage as well as for money heists.

    The group is known for its fake job attacks, where they promote fake jobs on social media sites and engage in multiple rounds of negotiations with potential candidates, usually software developers. One such attack against a cryptocurrency business resulted in the theft of more than half a billion dollars in various crypto tokens.

    Via BleepingComputer



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/lazarus-hackers-return-and-hijack-a-windows-security-flaw


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)