Zero-Day Windows Bug Linked to North Korean Hacking Group Lazarus



A zero-day vulnerability recently patched in Windows has been traced to North Korean hackers.

Earlier this week, Microsoft patched CVE-2024-38193, which the company warned was being actively exploited. At the time, Microsoft gave few details about the threat, including who might be abusing the flaw. But on Friday, Gen Digital, the parent company for antivirus brands NortonLifeLock and Avast, urged the public to install the Microsoft patch.

“This repair is important because it addresses a security issue that was being used by the Lazarus APT group, a North Korean hacker group known for targeting specific professionals,” Gen Digital said.

Lazarus is particularly notorious in the hacking world for allegedly staging the hack of Sony Pictures and stealing billions from cryptocurrency exchanges and banks. The flaw patched by Microsoft would have been a useful asset, since it paves the way for an attacker to gain system privileges on Windows PCs, enabling them to overcome normal security restrictions and make major changes to a victim’s computer.

Researchers for Gen Digital discovered the vulnerability in June when they spotted the North Korean hackers “exploiting a hidden security flaw in a crucial part of Windows called the AFD.sys driver,” the company said in a blog post. “This flaw allowed them to gain unauthorized access to sensitive system areas,” Gen Digital said. “We also discovered that they used a special type of malware called Fudmodule to hide their activities from security software.”


It’s unclear how Lazarus learned about the vulnerability in Windows. But it’s not the first time North Korean hackers have exploited previously unknown zero-day vulnerabilities, which shows their resourcefulness. In the case of CVE-2024-38193, Gen Digital notes the resulting attack could have sold for “several hundred thousand dollars on the black market.” The company also hinted that the North Koreans were targeting users involved in cryptocurrency engineering and aerospace.

CVE-2024-38193 was one of six newly disclosed Windows vulnerabilities under active exploitation that Microsoft patched this week. Hence, users should install the fix as soon as possible; it is usually delivered automatically through the Windows Update feature.
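For administrators who want to confirm that the fix has actually landed rather than trusting that Windows Update ran, the following PowerShell check is an added example and not code from the article, Microsoft or Gen Digital. It assumes you look up the KB identifier for the August 2024 cumulative update that addresses CVE-2024-38193 on Microsoft's own advisory and substitute it for the placeholder; the article does not give the KB number, and the script does not guess it. It also reports the file version of the AFD.sys driver named in the article, so you can compare it against the version Microsoft lists for the patched build.

```powershell
# Added example: verify that the cumulative update fixing CVE-2024-38193 is installed
# and report the AFD.sys driver version. Run in an elevated PowerShell session.

# PLACEHOLDER: replace with the KB number from Microsoft's advisory for CVE-2024-38193.
$RequiredKb = 'KBXXXXXXX'

function Test-Cve202438193Patch {
    param([string]$KbId)

    # Get-HotFix enumerates installed Windows updates (Win32_QuickFixEngineering).
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $_.HotFixID -eq $KbId }

    # AFD.sys is the Ancillary Function Driver for Winsock, shipped in System32\drivers.
    $afdPath = Join-Path $env:SystemRoot 'System32\drivers\afd.sys'
    $afdVersion = if (Test-Path $afdPath) {
        (Get-Item $afdPath).VersionInfo.FileVersion
    } else {
        'not found'
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OSBuild        = [System.Environment]::OSVersion.Version.ToString()
        RequiredKb     = $KbId
        KbInstalled    = [bool]$installed
        InstalledOn    = if ($installed) { $installed.InstalledOn } else { $null }
        AfdSysVersion  = $afdVersion
    }
}

$result = Test-Cve202438193Patch -KbId $RequiredKb
$result | Format-List

if (-not $result.KbInstalled) {
    Write-Warning "Update $RequiredKb not found. Run Windows Update or install the package manually."
}
```

Because later cumulative updates supersede earlier ones, a host can be patched without the exact KB appearing in `Get-HotFix`; when `KbInstalled` is false, compare `AfdSysVersion` and `OSBuild` against the values Microsoft publishes for the fixed build before raising an alarm.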


About Michael Kan

Senior Reporter

I’ve been with PCMag since October 2017, covering a wide range of topics, including consumer electronics, cybersecurity, social media, networking, and gaming. Prior to working at PCMag, I was a foreign correspondent in Beijing for over five years, covering the tech scene in Asia.