About Elevation of Privilege – Windows Ancillary Function Driver for WinSock (CVE-2024-38193) and other Windows EoP vulnerabilities from August Patch Tuesday. In total, in the August MSPT there were 3 EoPs with signs of exploitation in the wild. They have identical descriptions: an attacker can elevate privileges on the host to SYSTEM level. The vulnerability in Windows Kernel is more difficult to exploit, because it is necessary to win a race condition.
We only know the names of the attackers who exploited the EoP vulnerability in the Windows Ancillary Functions Driver (AFD.sys). It is exploited by the well-known group Lazarus. This was reported in a press release from Gen Digital, the company that owns Avira and Avast antiviruses. To neutralize information security products during an attack, Lazarus attackers use the Fudmodule rootkit. So, even if EDR is installed on the host, the host should be updated. 😏
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.