Hackers Exploiting Dell Driver Vulnerability to Deploy Rootkit on Targeted Computers


The Hacker News

The North Korea-backed Lazarus Group has been observed deploying a Windows rootkit by taking advantage of an exploit in a Dell firmware driver, highlighting new tactics adopted by the state-sponsored adversary.

The Bring Your Own Vulnerable Driver (BYOVD) attack, which took place in the autumn of 2021, is another variant of the threat actor’s espionage-oriented activity called Operation In(ter)ception that’s directed against aerospace and defense industries.

“The campaign started with spear-phishing emails containing malicious Amazon-themed documents and targeted an employee of an aerospace company in the Netherlands, and a political journalist in Belgium,” ESET researcher Peter Kálnai said.

Attack chains unfolded upon the opening of the lure documents, leading to the distribution of malicious droppers that were trojanized versions of open source projects, corroborating recent reports from Google’s Mandiant and Microsoft.

ESET said it uncovered evidence of Lazarus dropping weaponized versions of FingerText and sslSniffer, a component of the wolfSSL library, in addition to HTTPS-based downloaders and uploaders.

The intrusions also paved the way for the group’s backdoor of choice dubbed BLINDINGCAN – also known as AIRDRY and ZetaNile – which an operator can use to control and explore compromised systems.

But what’s notable about the 2021 attacks is a rootkit module that exploited a Dell driver flaw to gain the ability to read and write kernel memory. The issue, tracked as CVE-2021-21551, relates to a set of critical privilege escalation vulnerabilities in dbutil_2_3.sys.

“[This] represents the first recorded abuse of the CVE-2021-21551 vulnerability,” Kálnai noted. “This tool, in combination with the vulnerability, disables the monitoring of all security solutions on compromised machines.”

Named FudModule, the previously undocumented malware achieves its goals via multiple methods “either not known before or familiar only to specialized security researchers and (anti-)cheat developers,” according to ESET.

“The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing, etc., basically blinding security solutions in a very generic and robust way,” Kálnai said. “Undoubtedly this required deep research, development, and testing skills.”

This is not the first time the threat actor has resorted to using a vulnerable driver to mount its rootkit attacks. Just last month, AhnLab’s ASEC detailed the exploitation of a legitimate driver known as “ene.sys” to disarm security software installed on the machines.
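Both the dbutil_2_3.sys case above and the ene.sys case share the defining BYOVD trait: the driver is legitimately signed, so signature checks alone do not catch it. The following is an added detection example (not code from ESET, AhnLab or The Hacker News) that scans Sysmon driver-load records (Event ID 6, whose real fields include UtcTime, ImageLoaded, Signed and Signature) for two cheap signals: a driver file name named in this article, and a driver loaded from outside the standard drivers directory. The one-line key=value log format, the signer strings and the timestamps are constructed for the example; in a real deployment you would parse Sysmon’s XML and pair file-name matching with hash- or signer-based blocking, since an attacker can rename the file.

```python
"""Flag driver loads that look like Bring Your Own Vulnerable Driver (BYOVD)
activity, using Sysmon-style DriverLoad (Event ID 6) records.

Added example: the log lines below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass

# Driver file names named in the article. File-name matching is a first
# signal only: the file can be renamed, so production rules should also
# match on hash or signer (e.g. via a vulnerable-driver blocklist).
WATCHED_DRIVERS = {"dbutil_2_3.sys", "ene.sys"}

# Directory from which Windows normally loads kernel drivers.
TRUSTED_DIR = "c:/windows/system32/drivers/"

# Constructed sample log: one benign load, two suspicious loads, one
# unrelated process-creation event (EventID=1) that must be ignored.
SAMPLE_LOG = [
    'EventID=6 UtcTime=2021-10-05T09:12:44.101 '
    'ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Signed=true '
    'Signature="Microsoft Windows"',
    'EventID=6 UtcTime=2021-10-05T09:13:02.558 '
    'ImageLoaded=C:\\Users\\Public\\dbutil_2_3.sys Signed=true '
    'Signature="Dell Inc."',
    'EventID=6 UtcTime=2021-10-05T09:13:07.003 '
    'ImageLoaded=C:\\Windows\\Temp\\ene.sys Signed=true '
    'Signature="ENE TECHNOLOGY INC."',
    'EventID=1 UtcTime=2021-10-05T09:13:10.000 '
    'Image=C:\\Windows\\System32\\cmd.exe',
]

# Only DriverLoad (EventID=6) lines match; the path may contain spaces, so
# it is captured lazily up to the " Signed=" field.
LINE_RE = re.compile(
    r'EventID=6 UtcTime=(?P<time>\S+) ImageLoaded=(?P<image>.+?) '
    r'Signed=(?P<signed>\S+) Signature="(?P<sig>[^"]*)"'
)


@dataclass
class DriverLoad:
    time: str
    image: str
    signed: str
    signature: str


def parse_driver_load(line):
    """Return a DriverLoad for an EventID=6 line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return DriverLoad(m["time"], m["image"], m["signed"], m["sig"])


def assess(rec):
    """Return the list of reasons a driver load is suspicious (empty if none).

    Note that rec.signed is deliberately not used as an exoneration: BYOVD
    drivers carry a valid vendor signature, which is exactly why they load.
    """
    reasons = []
    path = rec.image.replace("\\", "/").lower()
    name = path.rsplit("/", 1)[-1]
    if name in WATCHED_DRIVERS:
        reasons.append(f"known BYOVD driver {name}")
    if not path.startswith(TRUSTED_DIR):
        reasons.append(f"driver loaded from non-standard path {rec.image}")
    return reasons


def find_byovd_loads(lines):
    """Scan log lines and return (record, reasons) pairs for suspicious loads."""
    findings = []
    for line in lines:
        rec = parse_driver_load(line)
        if rec is None:
            continue
        reasons = assess(rec)
        if reasons:
            findings.append((rec, reasons))
    return findings


if __name__ == "__main__":
    for rec, reasons in find_byovd_loads(SAMPLE_LOG):
        print(f"{rec.time} {rec.image} (signer: {rec.signature})")
        for r in reasons:
            print(f"    - {r}")
```

Run on the constructed sample, the tcpip.sys load passes silently and the two driver loads from user-writable directories are reported with both reasons each. The path check matters because it keeps firing even after the file is renamed, which the name check alone would miss.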

The findings are a demonstration of the Lazarus Group’s tenacity and ability to innovate and shift its tactics as required over the years despite intense scrutiny of the collective’s activities from both law enforcement and the broader research community.

“The diversity, number, and eccentricity in implementation of Lazarus campaigns define this group, as well as that it performs all three pillars of cybercriminal activities: cyber espionage, cyber sabotage, and pursuit of financial gain,” the company said.



CVE-2021-21551: DSA-2021-088: Dell Client Platform Security Update for an Insufficient Access Control Vulnerability in the Dell dbutil Driver

Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is required.