11 points

When your zero-day becomes a 180-day and still works.

4 points

Very cool, very normal.

16 points

The exploit needed admin privileges to work, so it seems like Microsoft viewed it as low priority.

11 points

If malware has admin privileges, isn’t the whole system already considered compromised? Seeing as admins can basically modify whatever they want without restriction.

4 points

This is the best summary I could come up with:


Hackers backed by the North Korean government gained a major win when Microsoft left a Windows zero-day unpatched for six months after learning it was under active exploitation.

The vulnerability provided an easy and stealthy means for malware that had already gained administrative system rights to interact with the Windows kernel.

The Microsoft policy proved to be a boon to Lazarus in installing “FudModule,” a custom rootkit that Avast said was exceptionally stealthy and advanced.

In years past, Lazarus and other threat groups have reached this last threshold mainly by exploiting third-party system drivers, which by definition already have kernel access.

To work with supported versions of Windows, third-party drivers must first be digitally signed by Microsoft to certify that they are trustworthy and meet security requirements.

This technique—known as BYOVD (bring your own vulnerable driver)—comes at a cost, however, because it provides ample opportunity for defenders to detect an attack in progress.


The original article contains 531 words, the summary contains 153 words. Saved 71%. I’m a bot and I’m open source!

1 point

Good bot

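The bot summary above makes the defender-relevant point: BYOVD only works because the attacker brings a Microsoft-signed third-party driver onto the box, and that driver has to be written to disk and loaded, which is something a defender can look for. As an added example, not from the article or from any commenter in this thread, here is a PowerShell audit of the kernel drivers currently running on a host. It resolves each driver's on-disk path, checks its Authenticode signature (catalog signatures included), records a SHA-256 hash, and flags anything that is unsigned, has a hash mismatch, or is signed by a subject outside an allow-list. The allow-list of signer subjects and the flagging rule are illustrative assumptions to adapt per environment; the cmdlets and the Win32_SystemDriver properties are standard.

```powershell
# Added example, not code from the article or the thread.
# Assumes: run in an elevated PowerShell session on a supported Windows build.
# The signer allow-list below is an illustrative assumption, not an authoritative list.
$trustedSigners = @(
    'CN=Microsoft Windows',                                   # inbox drivers
    'CN=Microsoft Windows Hardware Compatibility Publisher'   # WHQL-signed third-party drivers
)

# Win32_SystemDriver covers kernel and file-system drivers; only look at ones that are loaded.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    # PathName may be a plain path, a \??\C:\... NT path, or \SystemRoot\...; normalise it.
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not (Test-Path -LiteralPath $path)) {
        # A running driver with no file on disk is itself worth a look; report it unsigned.
        [pscustomobject]@{ Name = $d.Name; Path = $d.PathName; Status = 'FileMissing';
                           Signer = ''; Sha256 = ''; Flagged = $true }
        continue
    }

    # Get-AuthenticodeSignature also resolves catalog-signed files, which most inbox drivers are.
    $sig    = Get-AuthenticodeSignature -LiteralPath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    $isTrusted = $false
    foreach ($t in $trustedSigners) {
        if ($signer -like "$t*") { $isTrusted = $true }
    }

    [pscustomobject]@{
        Name    = $d.Name
        Path    = $path
        Status  = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer  = $signer
        Sha256  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        # Illustrative rule: anything not validly signed by an allow-listed subject gets flagged.
        Flagged = ($sig.Status -ne 'Valid') -or (-not $isTrusted)
    }
}

# Everything for the record, flagged entries first for triage.
$report | Sort-Object -Property @{Expression = 'Flagged'; Descending = $true}, Name |
    Format-Table Name, Status, Flagged, Signer, Path -AutoSize

# The hashes are what you compare against a known-vulnerable-driver list.
$report | Where-Object Flagged | Select-Object Name, Sha256, Path
```

Two caveats a practitioner should keep in mind. First, this is a point-in-time check from inside the OS: a rootkit that is already in the kernel can hide its driver from exactly these queries, so the durable signal is the driver-load event captured at load time (for example Sysmon Event ID 6, or the kernel's own driver-load telemetry forwarded off-host), not a later inventory. Second, a `Valid` signature from a trusted subject says nothing about whether the driver is exploitable; that is the whole premise of BYOVD. The SHA-256 values are there so they can be checked against a known-vulnerable-driver reference such as the loldrivers.io list or Microsoft's recommended driver block rules, and a host running HVCI with the Microsoft vulnerable driver blocklist enabled refuses to load those drivers in the first place.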

Cybersecurity News

!cybersecurity@lemmy.capebreton.social
