The Cyber Security News
Hackers Exploiting Dell Driver Vulnerability to Deploy Rootkit on Targeted Computers

October 3, 2022

The North Korea-backed Lazarus Group has been observed deploying a Windows rootkit by taking advantage of an exploit in a Dell firmware driver, highlighting new tactics adopted by the state-sponsored adversary.

The Bring Your Own Vulnerable Driver (BYOVD) attack, which took place in the autumn of 2021, is another variant of the threat actor's espionage-oriented activity called Operation In(ter)ception that is directed against the aerospace and defense industries.

"The campaign started with spear-phishing emails containing malicious Amazon-themed documents and targeted an employee of an aerospace company in the Netherlands, and a political journalist in Belgium," ESET researcher Peter Kálnai said.


Attack chains unfolded upon the opening of the lure documents, leading to the distribution of malicious droppers that were trojanized versions of open source projects, corroborating recent reports from Google's Mandiant and Microsoft.

ESET said it uncovered evidence of Lazarus dropping weaponized versions of FingerText and sslSniffer, a component of the wolfSSL library, in addition to HTTPS-based downloaders and uploaders.

The intrusions also paved the way for the group's backdoor of choice dubbed BLINDINGCAN – also known as AIRDRY and ZetaNile – which an operator can use to control and explore compromised systems.

But what is noteworthy about the 2021 attacks is a rootkit module that exploited a Dell driver flaw to gain the ability to read and write kernel memory. The issue, tracked as CVE-2021-21551, relates to a set of critical privilege escalation vulnerabilities in dbutil_2_3.sys.

"[This] represents the first recorded abuse of the CVE-2021-21551 vulnerability," Kálnai noted. "This tool, in combination with the vulnerability, disables the monitoring of all security solutions on compromised machines."

Named FudModule, the previously undocumented malware achieves its goals via multiple techniques "either not known before or familiar only to specialized security researchers and (anti-)cheat developers," according to ESET.
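Because a BYOVD attack loads a legitimately signed driver, a valid signature is not a clean bill of health; the practical detection point for defenders is the driver-load telemetry itself. The following is an added illustration of that check, not ESET's tooling or anything from the report: it runs over a few constructed records shaped like Sysmon Event ID 6 (DriverLoad) data flattened to `key=value` pairs, keys on the two driver names the article mentions (dbutil_2_3.sys and ene.sys), and uses PLACEHOLDER strings wherever a real file hash or signer name would go. The renamed-driver record for ws-03 is a constructed scenario to show why a hash list matters alongside the name list.

```python
"""Flag driver-load telemetry for drivers known to be abused in BYOVD attacks.

Added illustration, not ESET's tooling. The input lines are constructed in the
shape of Sysmon Event ID 6 (DriverLoad) records flattened to key=value pairs;
the driver names come from the article, every hash value is a PLACEHOLDER.
"""
import ntpath
from dataclasses import dataclass

# Driver file names the article reports as abused (dbutil_2_3.sys, ene.sys).
# Name matching alone is weak because the file can be renamed, so the rule also
# keys on file hashes of the vulnerable driver builds.
KNOWN_ABUSED_DRIVERS = {"dbutil_2_3.sys", "ene.sys"}
# PLACEHOLDER hashes: stand-ins for the real SHA-256 values, which are not on the page.
KNOWN_ABUSED_HASHES = {"PLACEHOLDER_SHA256_DBUTIL", "PLACEHOLDER_SHA256_ENE"}
# Drivers normally load from the system drivers directory; a load from a
# user-writable location is a separate, weaker signal.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\")


@dataclass
class DriverLoad:
    host: str
    image: str
    sha256: str
    signed: bool
    signature: str


def parse_line(line: str) -> DriverLoad:
    """Parse one 'key=value|key=value' record into a DriverLoad."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    # The Hashes field is itself 'SHA256=<hex>'; keep only the digest.
    _, _, sha256 = fields.get("Hashes", "").partition("SHA256=")
    return DriverLoad(
        host=fields["host"],
        image=fields["ImageLoaded"],
        sha256=sha256,
        signed=fields.get("Signed", "false").lower() == "true",
        signature=fields.get("Signature", "-"),
    )


def suspect_reasons(evt: DriverLoad):
    """Return the list of reasons this load is suspicious (empty if none).

    A valid signature deliberately does NOT clear the event: the whole point of
    BYOVD is that the abused driver carries a legitimate vendor signature.
    """
    reasons = []
    name = ntpath.basename(evt.image).lower()
    if name in KNOWN_ABUSED_DRIVERS:
        reasons.append("known-abused driver name")
    if evt.sha256 in KNOWN_ABUSED_HASHES:
        reasons.append("known-abused driver hash")
    if any(marker in evt.image.lower() for marker in USER_WRITABLE_MARKERS):
        reasons.append("loaded from user-writable path")
    if not evt.signed:
        reasons.append("unsigned driver")
    return reasons


def scan(lines):
    """Return (host, image, reasons) for every record that raises a reason."""
    findings = []
    for line in lines:
        evt = parse_line(line)
        reasons = suspect_reasons(evt)
        if reasons:
            findings.append((evt.host, evt.image, reasons))
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    r"host=ws-01|ImageLoaded=C:\Windows\System32\drivers\ntfs.sys|Hashes=SHA256=PLACEHOLDER_SHA256_NTFS|Signed=true|Signature=Microsoft Windows",
    r"host=ws-02|ImageLoaded=C:\Users\alice\AppData\Local\Temp\dbutil_2_3.sys|Hashes=SHA256=PLACEHOLDER_SHA256_DBUTIL|Signed=true|Signature=Dell Inc.",
    r"host=ws-03|ImageLoaded=C:\Windows\Temp\helper.sys|Hashes=SHA256=PLACEHOLDER_SHA256_ENE|Signed=true|Signature=PLACEHOLDER_SIGNER",
    r"host=ws-04|ImageLoaded=C:\Windows\System32\drivers\custom.sys|Hashes=SHA256=PLACEHOLDER_SHA256_CUSTOM|Signed=false|Signature=-",
]

if __name__ == "__main__":
    for host, image, reasons in scan(SAMPLE_EVENTS):
        print(f"{host}: {image}: {', '.join(reasons)}")
```

The ws-02 record is signed by the vendor and still produces three findings; the ws-03 record shows that a renamed copy of a vulnerable driver is only caught by its hash. In a real deployment the hash set would be populated from a maintained list of vulnerable driver builds, and the user-writable-path heuristic would be tuned to the environment's legitimate installers.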


"The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing, etc., basically blinding security solutions in a very generic and robust way," Kálnai said. "Certainly this required deep research, development, and testing skills."

This is not the first time the threat actor has resorted to using a vulnerable driver to mount its rootkit attacks. Just last month, AhnLab's ASEC detailed the exploitation of a legitimate driver known as "ene.sys" to disarm security software installed on the machine.

The findings are a demonstration of the Lazarus Group's tenacity and ability to innovate and shift its tactics as necessary over the years despite intense scrutiny of the collective's activities from both law enforcement and the broader research community.

"The diversity, number, and eccentricity in implementation of Lazarus campaigns define this group, as well as that it performs all three pillars of cybercriminal activities: cyber espionage, cyber sabotage, and pursuit of financial gain," the company said.
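When a rootkit removes the kernel mechanisms that feed registry, file-system, process-creation and event-tracing telemetry, the sensor on the host cannot report that it has been blinded; what a defender can observe from the collector side is the absence of those events from a host that is otherwise alive. The following is an added illustration of that absence-based check, not ESET's detection logic: the `host timestamp source` event format and the entire timeline are constructed, and the five-minute silence threshold is an arbitrary assumption that would have to be tuned against each host's real baseline.

```python
"""Spot a host whose kernel-level telemetry has gone silent while it is still alive.

Added illustration, not ESET's detection. The rootkit described in the article
disables the Windows mechanisms that feed registry, file-system, process-creation
and event-tracing telemetry, so the signal is an absence of events. The event
format 'host timestamp source' and all sample data here are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Event sources that correspond to the monitoring mechanisms the article lists.
MONITORED_SOURCES = ("process_create", "registry", "file_system", "etw")
# How long a live host may go without a given source before it is called blinded.
# Assumed value; tune against each host's baseline, since an idle host is quiet too.
SILENCE_THRESHOLD = timedelta(minutes=5)


def load_events(lines):
    """Parse 'host ISO-timestamp source' lines into (host, datetime, source)."""
    events = []
    for line in lines:
        host, ts, source = line.split()
        events.append((host, datetime.fromisoformat(ts), source))
    return events


def last_seen(events):
    """Map host -> source -> most recent timestamp."""
    seen = defaultdict(dict)
    for host, ts, source in events:
        if source not in seen[host] or ts > seen[host][source]:
            seen[host][source] = ts
    return seen


def blinded_hosts(events, now):
    """Return {host: [silent sources]} for hosts that still heartbeat but whose
    monitored sources have been silent (or absent) longer than SILENCE_THRESHOLD."""
    findings = {}
    for host, sources in last_seen(events).items():
        heartbeat = sources.get("heartbeat")
        if heartbeat is None or now - heartbeat > SILENCE_THRESHOLD:
            continue  # offline or unknown host: that is downtime, not blinding
        silent = [
            src for src in MONITORED_SOURCES
            if src not in sources or now - sources[src] > SILENCE_THRESHOLD
        ]
        if silent:
            findings[host] = silent
    return findings


# Constructed timeline: ws-01 is healthy, ws-02 keeps heartbeating but its
# monitored sources stop after 09:09, ws-03 goes fully offline after 09:10.
BASE = datetime(2021, 10, 1, 9, 0, 0)
NOW = BASE + timedelta(minutes=30)


def build_sample_lines():
    lines = []
    for minute in range(31):
        ts = (BASE + timedelta(minutes=minute)).isoformat()
        lines.append(f"ws-01 {ts} heartbeat")
        lines.append(f"ws-02 {ts} heartbeat")
        if minute % 3 == 0:
            for src in MONITORED_SOURCES:
                lines.append(f"ws-01 {ts} {src}")
                if minute <= 9:
                    lines.append(f"ws-02 {ts} {src}")
        if minute <= 10:
            lines.append(f"ws-03 {ts} heartbeat")
            lines.append(f"ws-03 {ts} process_create")
    return lines


SAMPLE_LINES = build_sample_lines()

if __name__ == "__main__":
    for host, silent in blinded_hosts(load_events(SAMPLE_LINES), NOW).items():
        print(f"{host}: no {', '.join(silent)} events for more than {SILENCE_THRESHOLD}")
```

Only ws-02 is reported: ws-01 is still emitting everything, and ws-03 is skipped because its heartbeat stopped as well, which a sensor-outage or offline-host process should handle rather than a blinding alert. The heartbeat must come from a channel the rootkit does not sever (for example the agent's own keep-alive to the collector), otherwise blinding and downtime are indistinguishable from the collector's side.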



Some parts of this article are sourced from:
thehackernews.com

Copyright © TheCyberSecurity.News, All Rights Reserved.