North Korean Lazarus Group has weaponized this exact class of Microsoft-signed kernel driver
North Korean Lazarus Group has weaponized this exact class of Microsoft-signed kernel driver.
It is sitting on MILLIONS of Windows PCs right now.
It gives any local process full control from the deepest level of Windows.
5 lines of code. Zero validation.
Your antivirus can’t stop what runs below the OS.
One driver. 47 secret commands. Zero access control on any of them.
12 for arbitrary physical memory read/write
6 for raw port I/O at any address
2 for full PCI config space read/write
Dump LSASS. Walk page tables. Patch kernel memory. Disable protected security processes. Kill your EDR. Load unsigned code.
This is what ransomware gangs pay serious money for.
Dell ships it for free. Still officially signed and trusted by Microsoft. Still pushed through Windows Update right now.
I reported this to Dell through Bugcrowd.
They triaged it P2. Told me to take my tweet down. I did.
Weeks later they replied: “duplicate. no bounty. but we’ll credit you on the advisory.”
So …
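Added example (mine, not from the post or from Dell): a PowerShell check of the two Windows controls that stop a signed-but-dangerous driver of this class from loading, plus an inventory of running drivers whose file metadata names Dell as vendor. Assumptions: the post never names the driver, so the vendor match on 'Dell' is only a starting point for review, not a detection of that specific driver; the registry value and WMI class used are Microsoft's documented ones.

```powershell
# Added example, not code from the original post.
# Reports whether the Microsoft Vulnerable Driver Blocklist and HVCI
# (memory integrity) are active, then lists running drivers by vendor.

function Get-ByovdMitigationStatus {
    # Vulnerable Driver Blocklist: how Microsoft revokes trust in drivers it
    # has signed. DWORD VulnerableDriverBlocklistEnable = 1 means enabled.
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
                           -ErrorAction SilentlyContinue
    $blocklist = [bool]($ci -and $ci.VulnerableDriverBlocklistEnable -eq 1)

    # HVCI: SecurityServicesRunning contains 2 when memory integrity is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvci = [bool]($null -ne $dg -and $dg.SecurityServicesRunning -contains 2)

    [pscustomobject]@{
        VulnerableDriverBlocklist = $blocklist
        HvciRunning               = $hvci
    }
}

function Get-RunningDriversByVendor {
    # Assumption: vendor name taken from the post; adjust for other vendors.
    param([string]$VendorPattern = 'Dell')
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may carry an NT prefix ('\??\' or '\SystemRoot\'); normalise it.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
            $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
            if (-not $file) { return }
            # Match on the file's CompanyName: a WHQL driver is signed by Microsoft,
            # so the signer subject alone would not reveal the vendor.
            if ($file.VersionInfo.CompanyName -match $VendorPattern) {
                $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Name    = $_.Name
                    Path    = $path
                    Company = $file.VersionInfo.CompanyName
                    Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                    Status  = $sig.Status
                }
            }
        }
}

Get-ByovdMitigationStatus
Get-RunningDriversByVendor | Format-Table -AutoSize
```

Run from an elevated prompt; a False in either mitigation column means a signed driver with unauthenticated IOCTLs can still be loaded by anyone who can install a service.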