Lazarus - Rootkit - Dell - CVE-2021-21551

The Lazarus group deploys a rootkit thanks to a Dell vulnerability

In 2021, cybercriminal group Lazarus used an attack tactic that leveraged a vulnerability in Dell firmware to deploy a rootkit on Windows. As a reminder, this is a group sponsored by North Korea.

ESET security researchers discovered and analyzed malicious tools used by the Lazarus hacker group during the fall of 2021. Based on Amazon-branded emails, this Lazarus group campaign targeted an employee of a Dutch aerospace company and a Belgian political journalist. This campaign is associated with the name “Bring Your Own Vulnerable Driver“.

In this report published by ESETwe learn that one of these tools uses the CVE-2021-21551 vulnerability which affects the DBUtil driver, directly linked to the BIOS (firmware) of Dell machines. This security flaw has been fixed by Dell in May 2021 (see this article: Dell – 5 vulnerabilities discovered in the DBUtil driver, used since 2009).

By exploiting this security flaw with their FudModule toolcybercriminals from the Lazarus group are able to disable all protection features of the compromised Windows machine. ESET researchers elaborate: “It uses techniques against Windows kernel mechanisms that have never been seen in malware before.– A particularly dreadful rootkit, although the exploitation of vulnerabilities in drivers and firmware is nothing new in itself.

As part of this campaign, the Lazarus group used other malicious tools, including their “HTTPS” backdoor dubbed “BLINDINGCAN” (also known as AIRDRY and ZetaNile). Thanks to it, the hacker can control a previously compromised system, because it serves as a connection point.

The various tools and techniques used by the Lazarus group show once again that they are well organized, and that they act in three areas of cybersecurity: the pursuit of financial gain, cyber espionage and cyber sabotage.



#Lazarus #group #deploys #rootkit #Dell #vulnerability

Leave a Comment

Your email address will not be published. Required fields are marked *