Lazarus Group Exploits Windows Driver Zero-Day Vulnerability
- SISA Weekly Threat Watch - August 26, 2024
In the past week, critical cybersecurity threats have emerged, with significant vulnerabilities being reported across various platforms. Recent cybersecurity incidents include the discovery of multiple vulnerabilities in Kubernetes and PostgreSQL, a zero-day vulnerability in the Windows AFD.sys driver exploited by the Lazarus Group, a high-severity Chrome browser flaw (CVE-2024-7971) exposing users to remote code execution, and a widespread extortion campaign targeting cloud environments through publicly accessible `.env` files. These developments underscore the urgent need for organizations to stay vigilant and apply security updates promptly.
SISA Weekly Threat Watch, our weekly feature, brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations that help security teams take appropriate action to defend against the latest critical threats.
1. Hackers Exploit Public Environment Variables in Cloud Extortion Campaign
A widespread extortion campaign has exploited publicly accessible `.env` files, which store credentials for cloud and social media applications, targeting over 110,000 domains. The attackers embedded their infrastructure within compromised Amazon Web Services (AWS) environments, using them to scan over 230 million targets globally. They harvested over 90,000 unique variables, including credentials linked to cloud services and social media accounts, and exfiltrated data from victims’ S3 buckets, leaving ransom notes instead of encrypting the data.
The attackers exploited the exposure of `.env` files rather than vulnerabilities in cloud service providers, gaining access through unsecured web applications. Once inside, they escalated privileges using AWS Identity and Access Management (IAM) keys, created new roles, and initiated automated scans to find more exposed credentials. The attackers focused on Mailgun credentials to send phishing emails from legitimate domains. They also attempted to deploy cryptocurrency mining on newly created Elastic Compute Cloud (EC2) instances, but these attempts were unsuccessful.
The identity of the threat actors remains unclear, with connections traced to Ukraine and Morocco. Unit 42’s analysis suggests the attackers used extensive automation and demonstrated advanced cloud architecture expertise.
Key recommendations to mitigate such threats include securing `.env` files to prevent unauthorized access, enforcing the principle of least privilege for all IAM roles and credentials, and regularly rotating credentials to reduce the risk of compromised keys being exploited.
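Because this campaign starts with plain HTTP requests for `.env` files, web server access logs are the earliest place a defender can see it. The following is an added example (not part of the SISA advisory) that parses combined-format access-log lines, flags every request for a `.env`-style path, and treats a `200` response as evidence of actual exposure rather than a mere probe. The log lines are constructed for the example; the IP addresses are documentation ranges.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Aug/2024:10:01:12 +0000] "GET /.env HTTP/1.1" 200 412 "-" "python-requests/2.31"
203.0.113.7 - - [20/Aug/2024:10:01:13 +0000] "GET /api/.env HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.4 - - [20/Aug/2024:10:02:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Aug/2024:10:03:01 +0000] "GET /.env.bak HTTP/1.1" 403 199 "-" "python-requests/2.31"
198.51.100.9 - - [20/Aug/2024:10:04:15 +0000] "GET /admin/.env.production HTTP/1.1" 200 388 "-" "curl/8.4.0"
"""

# Combined log format: client ip, identd, user, [timestamp], "METHOD path PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Matches /.env and common variants (.env.bak, .env.production, ...) in any directory.
ENV_PATH_RE = re.compile(r'/\.env(\.[\w-]+)?$', re.IGNORECASE)


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_env_requests(log_text):
    """Return (ip, path, status, severity) for every request to a .env-style path."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path_only = rec["path"].split("?", 1)[0]  # ignore any query string
        if not ENV_PATH_RE.search(path_only):
            continue
        # A 200 means the server actually handed the file out; anything else is a probe.
        severity = "exposed" if rec["status"] == 200 else "probe"
        hits.append((rec["ip"], rec["path"], rec["status"], severity))
    return hits


def summarize(hits):
    """Group hits by source IP (scanner activity) and list paths that were served successfully."""
    by_ip = Counter(ip for ip, *_ in hits)
    exposed = [(ip, path) for ip, path, status, sev in hits if sev == "exposed"]
    return {"probes_by_ip": dict(by_ip), "exposed_paths": exposed}


if __name__ == "__main__":
    result = summarize(find_env_requests(SAMPLE_LOG))
    for ip, count in result["probes_by_ip"].items():
        print(f"{ip}: {count} request(s) for .env paths")
    for ip, path in result["exposed_paths"]:
        print(f"EXPOSED: {path} was served with 200 to {ip}; rotate every secret in it")
```

Any path listed under `exposed_paths` should be treated as a credential leak: the secrets in that file need rotation regardless of what else the logs show, and the web server configuration should be changed to deny dotfiles outright rather than relying on the file not being requested.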
2. Critical Design Flaw in Kubernetes Exposes Clusters to Command Injection Attacks
A newly discovered vulnerability in Kubernetes has raised significant concerns due to its potential for command injection attacks across default installations on major platforms like Amazon EKS, Azure AKS, and Google GKE. The flaw, identified by cybersecurity researchers, resides in the git-sync project—a sidecar container used to sync a pod with a Git repository. Inadequate input sanitization during synchronization opens the door for attackers to execute arbitrary commands and exfiltrate data.
Attackers can exploit this vulnerability by deploying a malicious YAML file to the Kubernetes cluster, a low-privilege action that can lead to command injection. Key parameters at risk include `GITSYNC_GIT` and `GITSYNC_PASSWORD_FILE`. The former can be manipulated to execute malicious binaries, while the latter can be used to steal sensitive information like access tokens.
The impact of this flaw is severe, enabling unauthorized command execution, data theft, and potentially compromising the entire Kubernetes cluster. Attackers could deploy crypto miners or other malicious binaries disguised as legitimate operations, bypassing security measures and executing stealthy attacks. The vulnerability is particularly dangerous for organizations with pre-authorized git-sync communication within their clusters, as attackers with minimal privileges could gain significant control.
To mitigate these risks, organizations should enhance monitoring of outgoing communications from Kubernetes pods, particularly those using git-sync, conduct regular audits of git-sync pods, and implement Open Policy Agent (OPA) rules to detect and block unauthorized changes. Additionally, restricting edit privileges can help minimize the attack surface.
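The audit of git-sync pods recommended above can be automated by inspecting pod manifests before (admission) or after (periodic review) they reach the cluster. The following is an added example, not code from the advisory or from the git-sync project: it walks the containers of a Pod manifest (in JSON form, which Kubernetes accepts alongside YAML), identifies git-sync sidecars by image name (a heuristic), and reports any manifest that sets `GITSYNC_GIT` to something other than the assumed default `git` or that sets `GITSYNC_PASSWORD_FILE` at all, so a reviewer can confirm the path is the intended secret mount. The manifest is constructed for the example.

```python
import json

# Constructed Pod manifest; not taken from any real cluster.
SAMPLE_POD = json.loads("""
{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "web", "namespace": "demo"},
  "spec": {
    "containers": [
      {"name": "app", "image": "nginx:1.27"},
      {"name": "sync", "image": "registry.k8s.io/git-sync/git-sync:v4.2.3",
       "env": [
         {"name": "GITSYNC_REPO", "value": "https://example.invalid/repo.git"},
         {"name": "GITSYNC_GIT", "value": "/tmp/not-really-git"},
         {"name": "GITSYNC_PASSWORD_FILE", "value": "/var/run/secrets/token"}
       ]}
    ]
  }
}
""")

# Heuristic: a container whose image name contains this string is treated as git-sync.
GIT_SYNC_IMAGE_MARKER = "git-sync"
# Assumed default value of GITSYNC_GIT (the git binary looked up on PATH).
DEFAULT_GIT_BINARY = "git"


def iter_containers(pod):
    """Yield every init container and regular container in the Pod spec."""
    spec = pod.get("spec", {})
    for key in ("initContainers", "containers"):
        for c in spec.get(key, []):
            yield c


def env_map(container):
    """Map env var names to literal values; valueFrom references are marked unresolved."""
    out = {}
    for e in container.get("env", []):
        out[e["name"]] = e.get("value", "<valueFrom>")
    return out


def audit_git_sync(pod):
    """Return findings as (container, variable, value, reason) for git-sync containers."""
    findings = []
    for c in iter_containers(pod):
        if GIT_SYNC_IMAGE_MARKER not in c.get("image", ""):
            continue
        env = env_map(c)
        git = env.get("GITSYNC_GIT")
        if git is not None and git != DEFAULT_GIT_BINARY:
            findings.append((c["name"], "GITSYNC_GIT", git,
                             "overrides the git binary; any executable reachable in the "
                             "container will be run in its place"))
        pw = env.get("GITSYNC_PASSWORD_FILE")
        if pw is not None:
            findings.append((c["name"], "GITSYNC_PASSWORD_FILE", pw,
                             "reads a credential file; confirm the path is the intended "
                             "secret mount and nothing else"))
    return findings


if __name__ == "__main__":
    for container, var, value, reason in audit_git_sync(SAMPLE_POD):
        print(f"[{container}] {var}={value!r}: {reason}")
```

The same two checks translate directly into an admission policy (for example an OPA rule that denies a Pod when a git-sync container sets `GITSYNC_GIT`), which is the preventive counterpart of this after-the-fact audit.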
3. Lazarus Group Exploits Windows Driver Zero-Day to Deploy Rootkit
The Lazarus hacking group exploited a zero-day vulnerability in the Windows AFD.sys driver (CVE-2024-38193) to gain kernel-level privileges and install the FUDModule rootkit, which evades detection by disabling Windows monitoring features. This vulnerability, patched in August 2024, was used in a targeted campaign, likely linked to attacks on Brazilian cryptocurrency professionals. Lazarus, known for large-scale cyber-heists like the 2014 Sony Pictures hack and the 2017 WannaCry attack, utilized this flaw in a Bring Your Own Vulnerable Driver (BYOVD) attack. The AFD.sys driver, a default component on all Windows devices, made the attack particularly dangerous as it didn’t require additional vulnerable drivers that could be easily blocked.
The attack was uncovered by cybersecurity researchers in June 2024 and involved social engineering tactics, including fake job offers, to deliver a trojanized Python application that led to malware installation. This campaign is believed to be part of a broader operation in Brazil targeting cryptocurrency professionals. The AFD.sys vulnerability was one of several zero-day flaws patched by Microsoft in August 2024. Lazarus has a history of exploiting similar vulnerabilities in previous BYOVD attacks.
To mitigate these threats, organizations should ensure all systems are updated with the latest security patches, implement advanced monitoring solutions for kernel-level activities, and maintain strict control over driver installations, allowing only trusted and verified drivers. Employing endpoint protection that blocks known vulnerable drivers, utilizing application whitelisting, segmenting networks, and conducting regular security awareness training are also crucial measures.
4. CVE-2024-7971: Google Patches Actively Exploited Chrome Vulnerability
Google has released urgent security updates to address a high-severity vulnerability in its Chrome browser, identified as CVE-2024-7971. This flaw, a type confusion bug in the V8 JavaScript and WebAssembly engine, poses a significant risk, allowing remote attackers to exploit heap corruption through specially crafted HTML pages. Discovered and reported by Microsoft’s Threat Intelligence Center and Security Response Center on August 19, 2024, the vulnerability has already been actively exploited, making it imperative for users to update their browsers immediately.
CVE-2024-7971, with a CVSSv3 score of 8.8, is the third type confusion bug in V8 patched by Google this year, following CVE-2024-4947 and CVE-2024-5274. In 2024, Google has addressed nine zero-day vulnerabilities in Chrome, three of which were demonstrated at Pwn2Own 2024. The vulnerability affects all platforms running Google Chrome and other Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi.
To mitigate the risk, users should immediately upgrade to the latest version of Chrome (128.0.6613.84/.85 for Windows and macOS, and 128.0.6613.84 for Linux). Users of Chromium-based browsers should also apply the relevant updates as soon as they become available.
5. PG_MEM Malware Exploits PostgreSQL Weaknesses for Cryptocurrency Mining
Cybersecurity experts have identified a new malware strain called PG_MEM, which specifically targets PostgreSQL database instances to mine cryptocurrency. Attackers gain access by brute-forcing database credentials, exploiting weak passwords. PostgreSQL, an open-source relational database management system, is highly robust, but instances protected by weak passwords are vulnerable to brute-force attacks in which passwords are guessed repeatedly. Once inside, attackers leverage the `COPY … FROM PROGRAM` SQL command to execute arbitrary shell commands on the host system, enabling malicious activities like data theft and malware deployment.
The attack typically targets misconfigured PostgreSQL databases. Attackers create an administrator role and use the `PROGRAM` feature to execute shell commands. This allows them to download two specific payloads—PG_MEM and PG_CORE—from a remote server at “128.199.77[.]96.” These payloads have malicious capabilities, including terminating competing processes like Kinsing, establishing persistence on the compromised host, and deploying the Monero cryptocurrency miner. The attack also involves removing superuser privileges from the “postgres” user to prevent other attackers from gaining access through the same brute-force method.
The misuse of the PostgreSQL `COPY` command, particularly its `PROGRAM` parameter, is central to this attack, allowing attackers to gain control over the server and execute shell commands. While cryptocurrency mining is the primary objective, compromised servers remain vulnerable to further exploitation. This campaign mainly targets PostgreSQL databases exposed to the internet and protected by weak passwords, often due to misconfiguration.
To mitigate these risks, it is recommended to implement strong, complex passwords for PostgreSQL accounts, regularly update all software, limit database exposure by using firewalls and VPNs, implement multi-factor authentication (MFA), secure PostgreSQL configurations, monitor and audit logs for unusual activity, and restrict privileges to apply the principle of least privilege.
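The monitoring recommended above can be made concrete against the PostgreSQL server log. The following is an added example, not part of the advisory: it reads log lines written with `log_statement` enabled and a `log_line_prefix` assumed to be `'%t [%p] %u@%d %h '` (timestamp, pid, user@database, client host), and raises three kinds of finding that match the PG_MEM chain described above: a burst of failed password authentications from one host (the brute-force stage), any `COPY ... FROM PROGRAM` or `COPY ... TO PROGRAM` statement (the shell-execution stage), and any `CREATE ROLE`/`ALTER ROLE` that grants or removes `SUPERUSER` (the administrator-role creation and the lock-out of the `postgres` user). The log lines are constructed for the example; the threshold of five failures is an arbitrary starting point.

```python
import re
from collections import defaultdict

# Constructed PostgreSQL server log lines with log_line_prefix '%t [%p] %u@%d %h '; not real logs.
SAMPLE_PG_LOG = """\
2024-08-20 10:00:01 UTC [4101] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:01 UTC [4102] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:02 UTC [4103] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:02 UTC [4104] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:03 UTC [4105] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:09 UTC [4110] postgres@postgres 203.0.113.7 LOG:  statement: CREATE ROLE svc_backup LOGIN SUPERUSER PASSWORD 'x';
2024-08-20 10:00:10 UTC [4110] postgres@postgres 203.0.113.7 LOG:  statement: COPY scratch FROM PROGRAM 'id';
2024-08-20 10:00:11 UTC [4110] postgres@postgres 203.0.113.7 LOG:  statement: ALTER ROLE postgres NOSUPERUSER;
2024-08-20 10:05:00 UTC [4200] app@shop 10.0.0.12 LOG:  statement: SELECT id FROM orders WHERE id = 42;
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) (?P<host>\S+) '
    r'(?P<level>[A-Z]+):\s+(?P<msg>.*)$'
)
# COPY ... FROM PROGRAM / TO PROGRAM runs a shell command on the database host.
PROGRAM_RE = re.compile(r'\bCOPY\b.*\b(FROM|TO)\s+PROGRAM\b', re.IGNORECASE)
# Role changes that grant or strip superuser, e.g. the NOSUPERUSER applied to "postgres".
ROLE_RE = re.compile(r'\b(CREATE|ALTER)\s+ROLE\b.*\b(NO)?SUPERUSER\b', re.IGNORECASE)
FAILED_AUTH_THRESHOLD = 5  # arbitrary; tune to the environment


def analyze(log_text):
    """Return findings as (kind, host, user, detail) tuples, in log order; brute-force last."""
    failed = defaultdict(int)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        if r["level"] == "FATAL" and "password authentication failed" in r["msg"]:
            failed[r["host"]] += 1
            continue
        # Only 'statement:' messages carry SQL; everything else is skipped.
        stmt = r["msg"].partition("statement: ")[2]
        if not stmt:
            continue
        if PROGRAM_RE.search(stmt):
            findings.append(("copy_program", r["host"], r["user"], stmt))
        elif ROLE_RE.search(stmt):
            findings.append(("superuser_change", r["host"], r["user"], stmt))
    for host, n in failed.items():
        if n >= FAILED_AUTH_THRESHOLD:
            findings.append(("bruteforce", host, None, f"{n} failed password authentications"))
    return findings


if __name__ == "__main__":
    for kind, host, user, detail in analyze(SAMPLE_PG_LOG):
        print(f"{kind:16} host={host} user={user} :: {detail}")
```

A `copy_program` finding from a login role that should never touch the file system is the strongest single signal here; on the prevention side, the same capability is gated by membership in the built-in `pg_execute_server_program` role, so limiting which roles hold it (and superuser) shrinks what a brute-forced password can do.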
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.