Bugs in a vulnerable Dell driver allow attackers to read and write kernel memory and North Korean hack group Lazarus was the first to exploit it.
Let me remind you that we also wrote that the North Korean hacker army is growing in strength, and also that Two dangerous vulnerabilities found in Dell Wyse Thin Client.It all started with an investigation by experts from ESET, who investigated one of the Lazarus malware campaigns, during which the attackers used fake job offers at Amazon. It was an absolutely classic scheme, when a fake document is opened, the victim’s device is infected with droppers, backdoors, and other malware.
However, researchers were interested in a new tool that the attackers decided to use – a rootkit called FudModule, which uses the BYOVD (Bring Your Own Vulnerable Driver) method, which allows hackers to exploit the CVE-2021-21551 vulnerability in a Dell device driver.
This vulnerability gives cybercriminals a free hand by allowing full access to kernel memory. Experts noted that this is the first time that CVE-2021-21551 has been used in the wild.
By gaining write access to kernel memory, attackers disable the mechanisms by which you can monitor the actions in Windows, thereby simply blinding any defense systems.
ESET experts clarified that in the attack they are investigating, Lazarus used CVE-2021-21551 in a Dell hardware driver (“dbutil_2_3.sys”). This driver is affected by five vulnerabilities that were only patched 12 years after they were discovered.
A signed driver that was used by attackers.
It is worth noting the fact that researchers from Rapid 7 warned back in December 2021 about the possible threat posed by this driver. According to them, the reason for this was Dell’s strange patching policy and the very set of vulnerabilities that allows access to the kernel even on the latest signed versions.