https://lnkd.in/dWtiuiyA "When it first executes, GhostEngine scans machines for any EDR, or endpoint protection and response, software that may be running. If it finds any, it loads drivers known to contain vulnerabilities that allow attackers to gain access to the kernel, the core of all operating systems that’s heavily restricted to prevent tampering. One of the vulnerable drivers is an anti-rootkit file from Avast named aswArPots.sys. GhostEngine uses it to terminate the EDR security agent. A malicious file named smartscreen.exe then uses a driver from IObit named iobitunlockers.sys to delete the security agent binary." "The infection chain starts with the execution of a malicious binary that masquerades as the legitimate Windows file TiWorker.exe. That file runs a PowerShell script that retrieves an obfuscated script, titled get.png, which downloads additional tools, modules, and configurations from an attacker-controlled server." #malware #ghostengine #xmrig #cryptojacking #endpoints #edr
Patrik S.’s Post
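A defender-side illustration of the driver-abuse behaviour described in the post above (added here; not code from the post, the linked article, or any vendor it names): a small Python routine that scans Sysmon-style "Driver Loaded" (Event ID 6) records for the two driver names the post mentions, and also flags unsigned drivers and drivers loaded from outside the Windows directory. The log lines are constructed for the example, the key=value line format is an assumption, and the driver list is only the names on this page, not a complete BYOVD inventory.

```python
"""Flag kernel driver loads that match known-abused (BYOVD) driver names.

Added illustration; not code from any post on this page. The sample
records are constructed to resemble Sysmon Event ID 6 (Driver Loaded)
fields, flattened into key=value lines (an assumed format).
"""
import re

# Driver names the GhostEngine post reports as abused to kill the EDR agent.
# Starting point only; a real list would be far longer.
KNOWN_ABUSED_DRIVERS = {"aswarpots.sys", "iobitunlockers.sys"}

# Constructed sample log: one event per line.
SAMPLE_LOG = """\
EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys Signed=true Signature=Microsoft Windows
EventID=6 ImageLoaded=C:\\Users\\Public\\aswArPots.sys Signed=true Signature=Avast Software s.r.o.
EventID=6 ImageLoaded=C:\\ProgramData\\iobitunlockers.sys Signed=true Signature=IObit Information Technology
EventID=6 ImageLoaded=C:\\Temp\\helper.sys Signed=false Signature=-
EventID=1 Image=C:\\Windows\\System32\\svchost.exe
"""

# key=value pairs; a value runs until the next " key=" or end of line, so
# signer names containing spaces survive intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Turn one key=value record into a dict."""
    return {k: v for k, v in FIELD_RE.findall(line.strip())}


def find_suspicious_driver_loads(log_text):
    """Return (path, reason) pairs for driver loads an analyst should review.

    Order of checks: a name on the abused list is flagged regardless of its
    (valid) signature, because BYOVD relies on legitimately signed drivers;
    then unsigned drivers; then signed drivers loaded from unusual paths.
    """
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "6":          # only Driver Loaded events
            continue
        path = ev.get("ImageLoaded", "")
        name = path.rsplit("\\", 1)[-1].lower()
        if name in KNOWN_ABUSED_DRIVERS:
            findings.append((path, "known-abused driver (BYOVD)"))
        elif ev.get("Signed", "").lower() != "true":
            findings.append((path, "unsigned driver"))
        elif not path.lower().startswith("c:\\windows\\"):
            findings.append((path, "driver loaded from outside %SystemRoot%"))
    return findings


if __name__ == "__main__":
    for path, reason in find_suspicious_driver_loads(SAMPLE_LOG):
        print(f"{reason}: {path}")
```

Matching on the file name alone is deliberately coarse: an attacker can rename a driver, so a production rule would key on the signer and file hash from the same event, and the abused-driver list would be maintained from a vulnerable-driver catalogue rather than hard-coded.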
More Relevant Posts
-
#Microsoft Patches 61 Flaws, Including Two Actively #Exploited Zero-Days

Microsoft has addressed a total of 61 new #security flaws in its #software as part of its Patch Tuesday updates for May 2024, including two #zero-days which have been actively exploited in the wild. Of the 61 flaws, one is rated #Critical, 59 are rated Important, and one is rated Moderate in severity. This is in addition to 30 #vulnerabilities resolved in the #Chromium-based Edge browser over the past month, including two recently disclosed zero-days (CVE-2024-4671 and CVE-2024-4761) that have been tagged as exploited in attacks.

The two security shortcomings that have been weaponized in the wild are below:
CVE-2024-30040 (CVSS score: 8.8) - Windows MSHTML Platform Security Feature Bypass Vulnerability
CVE-2024-30051 (CVSS score: 7.8) - Windows Desktop #Window Manager (DWM) Core Library Elevation of Privilege Vulnerability

"An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through convincing a user to open a malicious document at which point the attacker could execute arbitrary code in the context of the user," the tech giant said in an advisory for #CVE-2024-30040. However, successful exploitation requires an attacker to convince the user to load a specially crafted file onto a vulnerable system, distributed either via email or an instant message, and trick them into manipulating it. Interestingly, the victim doesn't have to click or open the malicious file to activate the infection. https://lnkd.in/dakeZEaP
Microsoft Patches 61 Flaws, Including Two Actively Exploited Zero-Days
thehackernews.com
-
Check out our latest blog on Progress MOVEit Transfer Authentication Bypass Vulnerability (CVE-2024-5806) and Data Exfiltration and our recommendations. https://lnkd.in/g7kuq7sY #cybersecurity #cyberawareness #cyberthreats #cyberdefense #malware #vmware #pickle #threats #exploits #malicious #attacks #gored #mitigate #excobalt #windows #macos #android #botnet #macoS #data #exfiltration #badspace #hackers #scattered #website #wordpress #account #authentication #sectors #cybergang #vulnerability
Progress MOVEit Transfer Authentication Bypass Vulnerability (CVE-2024-5806) - CyberSRC
https://cybersrcc.com
-
“A newly patched security flaw in Microsoft Windows was exploited as a zero-day by Lazarus Group, a prolific state-sponsored actor affiliated with North Korea. The security vulnerability, tracked as CVE-2024-38193 (CVSS score: 7.8), has been described as a privilege escalation bug in the Windows Ancillary Function Driver (AFD.sys) for WinSock. "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," Microsoft said in an advisory for the flaw last week. It was addressed by the tech giant as part of its monthly Patch Tuesday update.” Researchers from Gen Digital, the company behind well-known security software like Norton and Avast, discovered a serious flaw that let attackers access sensitive parts of a computer system without proper authorization. This flaw, found in June 2024, allowed hackers to bypass normal security measures that protect critical areas of the system. The attackers also used a stealthy tool called "FudModule" to avoid being detected. The flaw is particularly concerning because it allows access to highly sensitive areas of the system, which are usually well-protected. Ensure all systems are updated with the latest security patches to prevent exploitation of known vulnerabilities! https://lnkd.in/gMBVgfbn #cybertronium #cybertroniummalaysia #vulnerability #zero-day
Microsoft Patches Zero-Day Flaw Exploited by North Korea’s Lazarus Group
thehackernews.com
-
The #Lazarus hackers exploited a #Windows zero-day in the AppLocker driver to gain kernel privileges, enabling them to disable security tools and evade detection techniques. #Avast alerted Microsoft about the flaw, leading to its inclusion in the February 2024 Patch Tuesday update. Despite Microsoft not initially recognizing it as a zero-day, the exploit allowed Lazarus to enhance its FudModule rootkit, enabling stealthier attacks and longer persistence on compromised systems. Implementing the February 2024 Patch Tuesday updates is crucial to mitigate the risk posed by Lazarus' sophisticated exploitation tactics. https://lnkd.in/eCUm8AuG
Lazarus hackers exploited Windows zero-day to gain Kernel privileges
bleepingcomputer.com
-
In a recent DEF CON presentation, Deep Instinct researcher Daniel Avinoam unveiled a critical vulnerability within the Windows Container Isolation Framework. This flaw allows hackers to bypass endpoint security by manipulating the framework, specifically through the use of the wcifs.sys mini-filter driver. This technique enables file system operations without triggering antivirus callbacks, though it requires administrative permissions and cannot override host system files. Additionally, the presentation highlighted another technique, NoFilter, which exploits the Windows Filtering Platform to elevate user privileges and execute malicious code. https://lnkd.in/gVqahCys
Hackers Can Exploit Windows Container Isolation Framework to Bypass Endpoint Security
thehackernews.com
-
Lazarus hackers exploited Windows zero-day to gain Kernel privileges.

North Korean threat actors known as the Lazarus Group exploited a flaw in the Windows AppLocker driver (appid.sys) as a zero-day to gain kernel-level access and turn off security tools, allowing them to bypass noisy BYOVD (Bring Your Own Vulnerable Driver) techniques. This activity was detected by Avast analysts, who promptly reported it to Microsoft, leading to a fix for the flaw, now tracked as CVE-2024-21338, as part of the February 2024 Patch Tuesday. However, Microsoft has not marked the flaw as being exploited as a zero-day.

The malware exploited a vulnerability in Microsoft's 'appid.sys' driver, a Windows AppLocker component that provides application whitelisting capabilities. Lazarus exploits it by manipulating the Input and Output Control (IOCTL) dispatcher in the appid.sys driver to call an arbitrary pointer, tricking the kernel into executing unsafe code, thus bypassing security checks.

The FudModule rootkit, built within the same module as the exploit, executes direct kernel object manipulation (DKOM) operations to turn off security products, hide malicious activities, and maintain persistence on the breached system. The targeted security products are AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon, and the HitmanPro anti-malware solution.
-
Fortinet has discovered active exploitation of CVE-2024-21412 in a new stealer campaign. This vulnerability allows attackers to deploy malware and steal sensitive information from compromised systems. Immediate action is required to secure your network. Read the full analysis and mitigation strategies: [Fortinet Blog](https://buff.ly/3WjnGS1). #CyberSecurity #ThreatResearch #CVE202421412
Exploiting CVE-2024-21412: A Stealer Campaign Unleashed | FortiGuard Labs
fortinet.com
-
Lazarus Group exploits Windows zero-day to deploy stealthy rootkit

According to a recent article by SC Media, the Lazarus Group, a well-known North Korean hacking group, has been abusing a zero-day vulnerability in Windows to install a complex rootkit on compromised systems. The FudModule rootkit enables attackers to carry out various malicious activities, such as disrupting software, hiding infection indicators, and disabling kernel-mode telemetry. The vulnerability, CVE-2024-21338, was fixed by Microsoft in February 2024.

This is not the first time the Lazarus Group has demonstrated its technical prowess and persistence. The group has been active for over a decade, and has been involved in numerous high-profile cyberattacks, such as the Sony Pictures hack, the WannaCry ransomware outbreak, and the Bangladesh Bank heist. The group is also known for targeting various sectors, such as finance, defense, energy, and media.

The FudModule rootkit is one of the most advanced tools in the Lazarus Group's arsenal, and shows their commitment to keep evolving their capabilities and techniques. The rootkit is designed to evade detection and analysis, and to maintain persistence and control over the infected systems. The rootkit also differs from the previous methods that the group used to exploit vulnerabilities, such as the Bring Your Own Vulnerability Driver (BYOVD) technique.

The article highlights the urgency of updating to the latest version of Windows and the importance of robust security solutions and practices in place to protect against such sophisticated threats. The article also provides a detailed technical analysis of the FudModule rootkit and the exploitation process of the zero-day vulnerability. If you are interested in learning more about this topic, you can read the full article here: https://lnkd.in/gn22UZmC
Lazarus Group observed exploiting an admin-to-kernel Windows zero-day
scmagazine.com
-
The core issue with this vulnerability? It undermines the concept of a "fully patched" system. Attackers can bypass a critical Windows security feature called Driver Signature Enforcement (DSE), enabling them to create a persistent backdoor. Rootkits, in general, are particularly dangerous because they embed themselves deeply within the system, often remaining undetected for long periods. Even if an attacker gains only temporary admin access, installing a rootkit can grant them long-term control, making removal extremely challenging. In today’s threat landscape, staying secure requires preparation for increasingly sophisticated, hidden threats. The best defense? Comprehensive, adaptive cybersecurity that combines advanced technology with human experts. With 24/7 threat hunting and continuous incident response, skilled experts can identify unusual activities that automated systems might miss, allowing organizations to quickly neutralize threats. 🐾 #cybersecurity #riskmanagement #cyberresilience #MSP
New Windows Driver Signature bypass allows kernel rootkit installs
bleepingcomputer.com
-
JUST IN: Last week it was disclosed that Windows SmartScreen security has been compromised for years. Today #Microsoft revealed that a Mark of the Web security bypass vulnerability exploited by attackers as a zero-day to bypass SmartScreen protection was patched during the June 2024 Patch Tuesday. While the vulnerability (tracked as CVE-2024-38213) can be exploited remotely by unauthenticated threat actors in low-complexity attacks, it requires user interaction, making successful exploitation harder to achieve. https://lnkd.in/gKf5uUf3 #auguryit #cysec
New Windows SmartScreen bypass exploited as zero-day since March
bleepingcomputer.com