Security researchers at Gen Threat Labs are linking one of the exploited zero-days patched by Microsoft last week to North Korea’s Lazarus APT group.

The vulnerability, tracked as CVE-2024-38193 and marked as ‘actively exploited’ by Microsoft, allows an attacker to gain SYSTEM privileges on the latest Windows operating systems.

msrc.microsoft.com/update-guid

Gen, which is a rollup of consumer brands Norton, Avast, LifeLock and Avira, posted a sparse note linking the exploitation to Lazarus via the use of the FudModule rootkit.

gendigital.com/blog/news/innov

Avast previously documented FudModule as part of the Lazarus APT toolkit that included an admin-to-kernel Windows zero-day exploit dating back to February.

decoded.avast.io/janvojtesek/l

This is one of six zero-days marked as exploited by Microsoft in the August Patch Tuesday bundle.

securityweek.com/microsoft-war

Security experts also believe a second flaw (CVE-2024-38178) is being used by North Korean APT groups to target victims in South Korea.

msrc.microsoft.com/update-guid
