Dangerous Windows 10, 11, Server Zero-Day Exploited By Lazarus Hackers
North Korean hacking group has exploited Windows zero-day security flaw
The notorious and highly prolific North Korean Lazarus criminal hacking group has been exploiting an admin-to-kernel privilege escalation Windows security flaw using an updated version of its FudModule rootkit.
What Is CVE-2024-21338 And Why Is It So Dangerous?
In a detailed analysis of the exploit, Lazarus and the FudModule Rootkit, Jan Vojtěšek from the Avast Threat Labs explains how researchers found the exploit for this previously unknown zero-day vulnerability in the Windows appid.sys AppLocker driver.
Although the vulnerability itself, which is monitored as CVE-2024-21338, was reported to Microsoft by Avast in August 2023 along with a proof-of-concept exploit, it wasn’t patched until the February 13 Patch Tuesday updates were made available. However, when the updates were distributed, CVE-2024-21338 wasn’t listed as a zero-day with exploits in the wild.
“From the attacker’s perspective, crossing from admin to kernel opens a whole new realm of possibilities,” Vojtěšek says. “With kernel-level access, an attacker might disrupt security software, conceal indicators of infection (including files, network activity, processes,) disable kernel-mode telemetry, turn off mitigations, and more.”
As for the FudModule rootkit, Vojtěšek says this represents “one of the most complex tools Lazarus holds in their arsenal.”
Microsoft Issued Fix As Part Of February Patch Tuesday
Microsoft has now published an updated security advisory recognizes this as a zero-day vulnerability.
Impacting various versions of Windows 10, Windows 11 and Windows Server, users are advised to check the updated security advisory and apply the patch if they have not already done so.
That Microsoft has now issued a patch for this vulnerability means, the Avast analysis says, that Lazarus’ offensive operations will undoubtedly be disrupted.
“While discovering an admin-to-kernel zero-day may not be as challenging as discovering a zero-day in a more attractive attack surface (such as standard user-to-kernel, or even sandbox-to-kernel),” Vojtěšek concludes, “we believe that finding…
