North Korean Lazarus Group Exploited Windows Kernel Bug as Zero-Day for Six Months

March 2, 2024

Last month, Microsoft patched a high-severity Windows Kernel privilege escalation vulnerability, CVE-2024-21338, roughly six months after being notified that it was being actively exploited. The flaw sits in appid.sys, the Windows AppLocker driver, and was discovered by Jan Vojtěšek, a Senior Malware Researcher at Avast, who reported it to Microsoft in August 2023 as a zero-day. The vulnerability affects multiple versions of Windows 10 and Windows 11, including the most recent releases, as well as Windows Server 2019 and 2022.

Successful exploitation allows a local attacker to gain SYSTEM privileges in a low-complexity attack that requires no user interaction, but it does require an existing foothold on the machine. As Microsoft explained, 'To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.'

Microsoft patched the vulnerability on February 13 and later, on February 28, updated its advisory to confirm that CVE-2024-21338 had been exploited in the wild, without providing any specifics about the attacks. Avast, on the other hand, reported that the North Korean Lazarus state-sponsored group had been exploiting the flaw since at least August 2023 to gain kernel-level access and disable security tools.

According to Avast, 'From the attacker's perspective, crossing from admin to kernel opens a whole new realm of possibilities. With kernel-level access, an attacker might disrupt security software, conceal indicators of infection (including files, network activity, processes, etc.), disable kernel-mode telemetry, turn off mitigations, and more.' The Lazarus Group used the flaw to establish a kernel read/write primitive, thereby enabling an updated FudModule rootkit version to perform direct kernel object manipulation.

During its analysis of the attacks, Avast also discovered a previously unknown remote access trojan (RAT) used by Lazarus; it will be the subject of a presentation at Black Hat Asia in April. Avast commented, 'With their admin-to-kernel zero-day now burned, Lazarus is confronted with a significant challenge. They can either discover a new zero-day exploit or revert to their old BYOVD techniques.' Windows users are urged to install the February 2024 Patch Tuesday updates as soon as possible to close off CVE-2024-21338.
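As a practical follow-up to that advice, the PowerShell script below is an added example (not code from the article, from Avast, or from Microsoft) that an administrator can run locally to gather the evidence needed to judge whether the February 2024 fix is present: the version and timestamp of the vulnerable driver, the current OS build, and any updates installed on or after the February 13, 2024 Patch Tuesday. It deliberately hard-codes no KB numbers or driver build numbers, since those differ per Windows release; the assumption it makes, labelled in the comments, is that a system which received a cumulative update on or after that date is likely fixed, which should be cross-checked against the Microsoft advisory for the exact appid.sys version expected on that release.

```powershell
# Added example (not from the article): collect evidence for whether the
# CVE-2024-21338 fix (February 2024 Patch Tuesday) is present on this host.
# Assumption: a cumulative update installed on or after 2024-02-13 carries the
# fixed appid.sys. Confirm the exact expected driver version against the
# Microsoft advisory for your Windows release; this script is a heuristic only.

$PatchTuesday = Get-Date '2024-02-13'

function Get-AppIdDriverInfo {
    # Report the AppLocker driver that contains the vulnerable code.
    $path = Join-Path $env:SystemRoot 'System32\drivers\appid.sys'
    if (-not (Test-Path $path)) { return $null }
    $item = Get-Item $path
    [pscustomobject]@{
        Path           = $path
        FileVersion    = $item.VersionInfo.FileVersion
        ProductVersion = $item.VersionInfo.ProductVersion
        LastWriteTime  = $item.LastWriteTime
    }
}

function Get-OsBuildString {
    # CurrentBuild.UBR is the precise servicing level, e.g. 22631.xxxx.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    return "$($cv.CurrentBuild).$($cv.UBR)"
}

function Get-UpdatesSince {
    param([datetime]$Since)
    # Get-HotFix reads the Win32_QuickFixEngineering list; it can miss updates
    # that were not registered there, so a negative result is a prompt to check
    # Windows Update history rather than proof of a missing patch.
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Sort-Object InstalledOn -Descending
}

$driver  = Get-AppIdDriverInfo
$updates = @(Get-UpdatesSince -Since $PatchTuesday)

"OS build: $(Get-OsBuildString)"
if ($null -eq $driver) {
    Write-Warning 'appid.sys not found under System32\drivers; AppLocker driver absent on this SKU?'
} else {
    $driver | Format-List
}

if ($updates.Count -gt 0) {
    $updates | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    Write-Warning "No updates recorded as installed on or after $($PatchTuesday.ToShortDateString())."
}

# Heuristic verdict: presence of a post-2024-02-13 update on a host that still
# ships appid.sys. Treat 'possibly unpatched' as a trigger to verify, not a finding.
$verdict = if ($driver -and $updates.Count -gt 0) { 'likely patched' } else { 'POSSIBLY UNPATCHED - verify via Windows Update history' }
"Heuristic verdict for CVE-2024-21338: $verdict"
```

Run it from an elevated PowerShell prompt so the registry and driver metadata are readable, and treat the driver's FileVersion as the authoritative field: if it still matches the pre-February 2024 build listed for your release, the update either failed or was rolled back regardless of what Get-HotFix reports.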
