North Korean Lazarus Group Exploited Windows Kernel Bug as Zero-Day for Six Months

March 2, 2024

Last month, Microsoft remedied a high-risk Windows Kernel privilege escalation vulnerability, CVE-2024-21338, half a year after being notified that it was being actively exploited. The flaw was discovered in the appid.sys Windows AppLocker driver by Jan Vojtěšek, a Senior Malware Researcher at Avast, and reported to Microsoft in August 2023 as a zero-day. The vulnerability has implications for systems running various iterations of Windows 10 and Windows 11, including the most recent releases, as well as Windows Server 2019 and 2022.

Successful exploitation of the vulnerability allows local attackers to gain SYSTEM privileges in low-complexity attacks that do not necessitate user interaction. As Microsoft explained, 'To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.'

On February 13, Microsoft patched the vulnerability and later confirmed on February 28 that CVE-2024-21338 had been exploited in the wild. However, the company did not provide any specifics about the attacks. Avast, on the other hand, informed that the North Korean Lazarus state hackers had been exploiting the flaw since at least August 2023 to gain kernel-level access and disable security tools.

According to Avast, 'From the attacker's perspective, crossing from admin to kernel opens a whole new realm of possibilities. With kernel-level access, an attacker might disrupt security software, conceal indicators of infection (including files, network activity, processes, etc.), disable kernel-mode telemetry, turn off mitigations, and more.' The Lazarus Group used the flaw to establish a kernel read/write primitive, thereby enabling an updated FudModule rootkit version to perform direct kernel object manipulation.

Avast also discovered a previously unknown remote access trojan (RAT) malware used by Lazarus during their analysis of the attacks. This will be the subject of a presentation at BlackHat Asia in April. Avast commented, 'With their admin-to-kernel zero-day now burned, Lazarus is confronted with a significant challenge. They can either discover a new zero-day exploit or revert to their old BYOVD techniques.' Windows users are urged to install the February 2024 Patch Tuesday updates as soon as possible to prevent Lazarus' CVE-2024-21338 attacks.

Related News

• Lazarus Group Exploits Windows Zero-Day for Kernel-Level Access

Latest News

• U.S. Judge Orders NSO Group to Disclose Pegasus Spyware Source Code to Meta
• CISA Issues Alert on Microsoft Streaming Bug Exploited in Malware Attacks
• Five Eyes Intelligence Alliance Issues Warning on Ivanti Gateway Vulnerabilities
• CISA Warns of Persistent Threats on Hacked Ivanti VPN Appliances Even After Factory Resets
• Cisco Fixes Serious Bugs in Data Center Operating Systems