Lazarus Hack Dell Devices Through Vulnerable Driver

Vulnerable Dell Driver
Written by Emma Davis

Bugs in a vulnerable Dell driver allow attackers to read and write kernel memory and North Korean hack group Lazarus was the first to exploit it.

Let me remind you that we also wrote that the North Korean hacker army is growing in strength, and also that Two dangerous vulnerabilities found in Dell Wyse Thin Client.

It all started with an investigation by experts from ESET, who investigated one of the Lazarus malware campaigns, during which the attackers used fake job offers at Amazon. It was an absolutely classic scheme, when a fake document is opened, the victim’s device is infected with droppers, backdoors, and other malware.

However, researchers were interested in a new tool that the attackers decided to use – a rootkit called FudModule, which uses the BYOVD (Bring Your Own Vulnerable Driver) method, which allows hackers to exploit the CVE-2021-21551 vulnerability in a Dell device driver.

The most notable tool delivered by the attackers was a user-mode module that gained the ability to read and write kernel memory due to the CVE-2021-21551 vulnerability in a legitimate Dell driver. This is the first ever recorded abuse of this vulnerability in the wild. The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing etc., basically blinding security solutions in a very generic and robust way.ESET experts reported.

This vulnerability gives cybercriminals a free hand by allowing full access to kernel memory. Experts noted that this is the first time that CVE-2021-21551 has been used in the wild.

By gaining write access to kernel memory, attackers disable the mechanisms by which you can monitor the actions in Windows, thereby simply blinding any defense systems.

ESET experts clarified that in the attack they are investigating, Lazarus used CVE-2021-21551 in a Dell hardware driver (“dbutil_2_3.sys”). This driver is affected by five vulnerabilities that were only patched 12 years after they were discovered.

Vulnerable Dell Driver
A signed driver that was used by attackers.

It is worth noting the fact that researchers from Rapid 7 warned back in December 2021 about the possible threat posed by this driver. According to them, the reason for this was Dell’s strange patching policy and the very set of vulnerabilities that allows access to the kernel even on the latest signed versions.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply


This site uses Akismet to reduce spam. Learn how your comment data is processed.