North Korean hacking group has exploited Windows zero-day security flaw
The notorious and highly prolific North Korean Lazarus criminal hacking group has been exploiting an admin-to-kernel privilege escalation Windows security flaw using an updated version of its FudModule rootkit.
In a detailed analysis of the exploit, Lazarus and the FudModule Rootkit, Jan Vojtěšek from the Avast Threat Labs explains how researchers found the exploit for this previously unknown zero-day vulnerability in the Windows appid.sys AppLocker driver.
Although the vulnerability itself, which is monitored as CVE-2024-21338, was reported to Microsoft by Avast in August 2023 along with a proof-of-concept exploit, it wasn’t patched until the February 13 Patch Tuesday updates were made available. However, when the updates were distributed, CVE-2024-21338 wasn’t listed as a zero-day with exploits in the wild.
“From the attacker’s perspective, crossing from admin to kernel opens a whole new realm of possibilities,” Vojtěšek says. “With kernel-level access, an attacker might disrupt security software, conceal indicators of infection (including files, network activity, processes), disable kernel-mode telemetry, turn off mitigations, and more.”
As for the FudModule rootkit, Vojtěšek says this represents “one of the most complex tools Lazarus holds in their arsenal.”
Microsoft has now published an updated security advisory that recognizes this as a zero-day vulnerability.
The vulnerability affects various versions of Windows 10, Windows 11 and Windows Server; users are advised to check the updated security advisory and apply the patch if they have not already done so.
According to Avast’s analysis, the patch that Microsoft has recently released for this vulnerability will undoubtedly cause disruption to Lazarus’ offensive operations.
Vojtěšek suggests that although discovering an admin-to-kernel zero-day may not be as challenging as finding a zero-day in a more attractive attack surface such as standard user-to-kernel, or even sandbox-to-kernel, it would still require Lazarus to invest significant resources. This could potentially divert their focus from attacking other targets.