CISA Lists Windows Kernel Bug Exploited by Lazarus Group in its Known Exploited Vulnerabilities Catalog
March 5, 2024
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-21338, a Microsoft Windows Kernel elevation-of-privilege vulnerability, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, which can be exploited to gain SYSTEM privileges, was discovered by Avast researcher Jan Vojtěšek.
To exploit it, an attacker must first log in to the system and then run a specially crafted application, which is enough to take control of the machine. The North Korea-linked Lazarus APT group has been observed using this exploit to gain kernel-level access and disable security software. In earlier attacks the group reached the same goal with the BYOVD (Bring Your Own Vulnerable Driver) technique; exploiting a driver that ships with Windows removes the need to load a third-party vulnerable driver, which is the step that BYOVD-focused detections and driver blocklists key on.
Lazarus exploited CVE-2024-21338 to manipulate kernel objects directly in an updated version of its FudModule rootkit. The flaw resides in the IOCTL (Input and Output Control) dispatcher of the driver appid.sys, a core component of the AppLocker feature that controls which applications and files users are allowed to run. By sending crafted IOCTL requests to that driver, the group could execute arbitrary code in the kernel and bypass security controls.
Under Binding Operational Directive (BOD) 22-01, federal civilian agencies must remediate vulnerabilities listed in the catalog by their assigned due date to protect their networks against attacks exploiting them. Private organizations are also advised to review the catalog and address the listed vulnerabilities in their own infrastructure. CISA has set a deadline of March 25, 2024, for federal agencies to fix this vulnerability.
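The article names the affected driver (appid.sys) and the remediation deadline but not how to confirm that a host is actually fixed. The following PowerShell script is an added example written for this page, not code from the article, CISA, Avast or Microsoft. It reports the installed appid.sys file version, compares it against a fixed version you supply, and checks whether a given update KB is present. The KB ID and the fixed file version are not stated in the article, so the script takes both as mandatory parameters that you fill in from the Microsoft advisory for CVE-2024-21338 for your OS build; the driver path and the AppID service name are standard Windows locations assumed here.

```powershell
<#
  Check-AppIdPatch.ps1 (added example, not from the article or any vendor)
  Reports whether the local appid.sys is at or above a fixed file version and
  whether a given cumulative update KB is installed. Both reference values are
  assumptions supplied by the caller from the vendor advisory, not facts from the page.
#>
param(
    # KB ID of the cumulative update that fixes CVE-2024-21338 for this OS build (from the advisory)
    [Parameter(Mandatory)] [string]  $FixKb,
    # appid.sys file version shipped in that update (from the advisory / update file manifest)
    [Parameter(Mandatory)] [version] $FixedVersion
)

# Assumed standard location of the AppLocker driver on a Windows install.
$driverPath = Join-Path $env:SystemRoot 'System32\drivers\appid.sys'
if (-not (Test-Path -LiteralPath $driverPath)) {
    Write-Warning "appid.sys not found at $driverPath"
    exit 2
}

# Build the version from the numeric parts; the FileVersion string can carry a
# trailing build tag that [version] will not parse.
$vi = (Get-Item -LiteralPath $driverPath).VersionInfo
$installedVersion = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

# KB lookup is informational only: a later cumulative update supersedes the
# original KB, so a missing KB does not by itself mean the host is vulnerable.
$hotfix = Get-HotFix -Id $FixKb -ErrorAction SilentlyContinue

# Whether the AppID driver service is currently running (assumed service name "AppID").
$svc = Get-Service -Name 'AppID' -ErrorAction SilentlyContinue

$patched = $installedVersion -ge $FixedVersion

[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    AppIdSysVersion   = $installedVersion.ToString()
    FixedVersion      = $FixedVersion.ToString()
    DriverAtOrAboveFix = $patched
    HotfixInstalled   = [bool] $hotfix
    HotfixInstalledOn = if ($hotfix) { $hotfix.InstalledOn } else { $null }
    AppIdServiceState = if ($svc) { $svc.Status.ToString() } else { 'not present' }
    Verdict           = if ($patched) { 'patched' } else { 'NOT at fixed version - apply the update' }
}
```

The file-version comparison is the authoritative signal; the KB check is there only to explain a result, because cumulative-update supersedence makes "KB not installed" a poor indicator of exposure on its own. To run it across a fleet, invoke it remotely, for example `Invoke-Command -ComputerName (Get-Content .\hosts.txt) -FilePath .\Check-AppIdPatch.ps1 -ArgumentList 'KB<from advisory>', '<fixed version>'`, and filter on `Verdict`.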