North Korean Lazarus Group Exploiting Dell Driver Vulnerability

The North Korea-backed Lazarus Group has been observed deploying a Windows rootkit by taking advantage of an exploit in a Dell firmware driver, highlighting new tactics adopted by the state-sponsored adversary.
The Bring Your Own Vulnerable Driver (BYOVD) attack, which took place in the autumn of 2021, is another variant of the threat actor's espionage-oriented activity called Operation In(ter)ception that's directed against aerospace and defense industries.
"The campaign started with spear-phishing emails containing malicious Amazon-themed documents and targeted an employee of an aerospace company in the Netherlands, and a political journalist in Belgium," ESET researcher Peter Kálnai said.
Attack chains unfolded upon the opening of the lure documents, leading to the distribution of malicious droppers that were trojanized versions of open source projects, corroborating recent reports from Google's Mandiant and Microsoft.
ESET said it uncovered evidence of Lazarus dropping weaponized versions of FingerText and sslSniffer, a component of the wolfSSL library, in addition to HTTPS-based downloaders and uploaders.
The intrusions also paved the way for the group's backdoor of choice dubbed BLINDINGCAN – also known as AIRDRY and ZetaNile – which an operator can use to control and explore compromised systems.
But what's notable about the 2021 attacks was a rootkit module that exploited a Dell driver flaw to gain the ability to read and write kernel memory. The issue, tracked as CVE-2021-21551, relates to a set of critical privilege escalation vulnerabilities in dbutil_2_3.sys.
Hackers Exploiting Dell Driver Vulnerability to Deploy Rootkit on Targeted Computers
North Korean Lazarus hackers have been observed deploying a Windows rootkit on targeted computers by exploiting a vulnerability in a Dell driver.
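The defensive lesson of a BYOVD case like this one is that the abused driver carries a valid vendor signature, so signature checks alone do not catch it; the load of a known-vulnerable driver name, or a driver loading from an unusual path, is what telemetry has to flag. The following detection logic is an added example, not code from ESET or the article; it assumes simplified, constructed Sysmon Event ID 6 (DriverLoad) records and an assumed allowlist of normal driver directories.

```python
import ntpath
import re

# The only vulnerable driver taken from the page (CVE-2021-21551). In a real
# deployment this set would be extended from a maintained vulnerable-driver list.
BYOVD_DRIVERS = {"dbutil_2_3.sys"}

# Directories from which drivers normally load (assumption; tune per environment).
# A valid signature on a driver loaded from elsewhere is still worth a look.
EXPECTED_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")

# Constructed, simplified Sysmon Event ID 6 records, not real telemetry.
SAMPLE_EVENTS = [
    "UtcTime=2021-10-04 09:12:01.113 ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys Signed=true Signature=Microsoft Windows SignatureStatus=Valid",
    "UtcTime=2021-10-04 09:15:44.902 ImageLoaded=C:\\Users\\Public\\DBUtil_2_3.sys Signed=true Signature=Dell Inc. SignatureStatus=Valid",
    "UtcTime=2021-10-04 09:16:10.550 ImageLoaded=C:\\Windows\\Temp\\helper.sys Signed=false Signature=- SignatureStatus=Unavailable",
]

# key=value pairs; values may contain spaces, so stop before the next " key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Turn one flattened Sysmon record into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def classify(event):
    """Return the reasons (possibly none) this driver load deserves attention."""
    image = event.get("ImageLoaded", "")
    name = ntpath.basename(image).lower()
    reasons = []
    if name in BYOVD_DRIVERS:
        reasons.append("known vulnerable driver (BYOVD) loaded")
    if not image.lower().startswith(EXPECTED_DIRS):
        reasons.append("driver loaded from unexpected directory")
    if event.get("SignatureStatus") != "Valid":
        reasons.append("driver signature not valid")
    return reasons


def scan(lines):
    """Return (image path, reasons) for every record that triggers a rule."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            findings.append((event.get("ImageLoaded", ""), reasons))
    return findings
```

Note that the Dell-signed driver in the sample is flagged by name and by path while its signature status stays "Valid", which is exactly why a signature-only rule would miss it.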

#0Day #Firmware #Campaign #IoCs
