this post was submitted on 05 Mar 2024
80 points (98.8% liked)

Cybersecurity News

1328 readers
1 users here now

Welcome to Cybersecurity News!

A community that collect news and other tidbits related to cybersecurity in all its domains.

There are no hard and fast rules regarding what to post here-- we are fine with both pop news articles and more technical pieces regarding cybersecurity.

We use a bot called flynnbot to repost some rss feed content but the majority of posts are human-curated.

New to Cybersecurity?

Here are some resources to get you started:

Related Communities

!security_cpe@infosec.pub
!cybersecurity@zerobytes.monster
!packetstorm@zerobytes.monster
!security@programming.dev
!secops@lemmy.world
!cybersecurity@sh.itjust.works
!netsec@zerobytes.monster
!securitynews@infosec.pub
!cloudsecurity@infosec.pub
!netsec@links.hackliberty.org
!cybersecurity@infosec.pub
!cybersecuritymemes@lemmy.world

founded 1 year ago
MODERATORS
top 7 comments
sorted by: hot top controversial new old
[–] stankmut@lemmy.world 16 points 8 months ago (2 children)

The exploit needed admin privileges to work, so it seems like Microsoft viewed it as low priority.

[–] LostXOR@fedia.io 11 points 8 months ago* (last edited 8 months ago)

If malware has admin privileges isn't the whole system already considered compromised? Seeing as admins can basically modify whatever they want without restriction.

[–] grue@lemmy.world 11 points 8 months ago

When your zero-day becomes a 180-day and still works.

[–] autotldr@lemmings.world 4 points 8 months ago (1 children)

This is the best summary I could come up with:


Hackers backed by the North Korean government gained a major win when Microsoft left a Windows zero-day unpatched for six months after learning it was under active exploitation.

The vulnerability provided an easy and stealthy means for malware that had already gained administrative system rights to interact with the Windows kernel.

The Microsoft policy proved to be a boon to Lazarus in installing “FudModule,” a custom rootkit that Avast said was exceptionally stealthy and advanced.

In years past, Lazarus and other threat groups have reached this last threshold mainly by exploiting third-party system drivers, which by definition already have kernel access.

To work with supported versions of Windows, third-party drivers must first be digitally signed by Microsoft to certify that they are trustworthy and meet security requirements.

This technique—known as BYOVD (bring your own vulnerable driver)—comes at a cost, however, because it provides ample opportunity for defenders to detect an attack in progress.


The original article contains 531 words, the summary contains 153 words. Saved 71%. I'm a bot and I'm open source!

[–] The_wild_card@lemmy.today 1 points 8 months ago
[–] Anticorp@lemmy.world 4 points 8 months ago

Very cool, very normal.