Microsoft patched a high-severity Windows Kernel privilege escalation vulnerability in February, six months after being informed that the flaw was being exploited as a zero-day.
Tracked as CVE-2024-21338, the security flaw was discovered by Avast Senior Malware Researcher Jan Vojtěšek in the appid.sys Windows AppLocker driver and reported to Microsoft last August as an actively exploited zero-day.
The vulnerability affects systems running multiple versions of Windows 10 and Windows 11 (including the latest releases), as well as Windows Server 2019 and 2022.
Microsoft explains that successful exploitation allows local attackers to gain SYSTEM privileges in low-complexity attacks that do not require user interaction.
“To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system,” Redmond says.
The company patched the vulnerability on February 13 and updated the advisory on Wednesday, February 28, to confirm that CVE-2024-21338 had been exploited in the wild, but it did not disclose any details regarding the attacks.
Patched six months after initial report
However, Avast told BleepingComputer that the North Korean Lazarus state hackers have been exploiting the flaw in attacks as a zero-day since at least August 2023 to gain kernel-level access and turn off security tools, allowing them to avoid using easier-to-detect BYOVD (Bring Your Own Vulnerable Driver) techniques.
“From the attacker’s perspective, crossing from admin to kernel opens a whole new realm of possibilities. With kernel-level access, an attacker might disrupt security software, conceal indicators of infection (including files, network activity, processes, etc.), disable kernel-mode telemetry, turn off mitigations, and more,” Avast explained.
“Furthermore, as the security of PPL (Protected Process Light) relies on the admin-to-kernel boundary, our hypothetical attacker also gains the ability to tamper with protected processes or add protection to an arbitrary process. This can be especially powerful if lsass is protected with RunAsPPL, as bypassing PPL might enable the attacker to dump otherwise unreachable credentials.”
Lazarus exploited the flaw to establish a kernel read/write primitive, enabling an updated FudModule rootkit version to perform direct kernel object manipulation.
This new FudModule version comes with significant stealth and functionality improvements, including new and updated rootkit techniques for evading detection and turning off AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon, and the HitmanPro security protections.
While analyzing the attacks, Avast also discovered a previously unknown remote access trojan (RAT) malware used by Lazarus, which will be the focus of a BlackHat Asia presentation in April.
“With their admin-to-kernel zero-day now burned, Lazarus is faced with a significant challenge. They can either discover a new zero-day exploit or revert to their old BYOVD techniques,” Avast said.
Windows users are advised to install the February 2024 Patch Tuesday updates as soon as possible to block Lazarus’ CVE-2024-21338 attacks.
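The following PowerShell script is an added example, not code from the article, from Avast or from Microsoft. It is a read-only posture check an administrator can run on a Windows host to see whether the conditions described above apply: the file version of the appid.sys AppLocker driver named in the advisory, whether LSASS is running as a protected process (the RunAsPPL setting Avast mentions), and which updates Get-HotFix reports as installed on or after the February 13, 2024 patch release. The article does not state the patched driver version, so $PatchedAppIdVersion is a placeholder to be filled in from Microsoft's advisory. Note that RunAsPPL is not a mitigation for this flaw (the whole point of the admin-to-kernel primitive is that it sits below PPL); the check only tells you whether the credential-dumping scenario Avast describes is relevant to the host.

```powershell
# Added example: posture check for the CVE-2024-21338 / appid.sys scenario.
# Read-only: it changes nothing on the host.

# Placeholder: the article does not give the fixed appid.sys version; take it from
# the Microsoft advisory for CVE-2024-21338 before relying on this comparison.
$PatchedAppIdVersion = '<patched appid.sys version from the Microsoft advisory>'
$PatchReleaseDate    = Get-Date '2024-02-13'   # February 2024 Patch Tuesday

function Get-AppIdDriverInfo {
    # appid.sys lives in the standard driver directory; report its file version.
    $path = Join-Path $env:SystemRoot 'System32\drivers\appid.sys'
    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{ Path = $path; Present = $false; FileVersion = $null }
    }
    $vi = (Get-Item -LiteralPath $path).VersionInfo
    [pscustomobject]@{
        Path        = $path
        Present     = $true
        FileVersion = $vi.FileVersion
    }
}

function Get-LsaProtectionStatus {
    # RunAsPPL under HKLM\SYSTEM\CurrentControlSet\Control\Lsa: a value of 1 or 2
    # means LSASS runs as a Protected Process Light; missing or 0 means it does not.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $value = 0
    if ($null -ne $lsa -and $null -ne $lsa.RunAsPPL) { $value = [int]$lsa.RunAsPPL }
    [pscustomobject]@{
        RunAsPPL  = $value
        Protected = ($value -ge 1)
    }
}

function Get-UpdatesSince {
    # Heuristic: Get-HotFix only lists some update packages and InstalledOn can be
    # empty, so an empty result means "check Windows Update history", not "unpatched".
    param([datetime]$Since)
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Select-Object HotFixID, Description, InstalledOn |
        Sort-Object InstalledOn
}

$driver  = Get-AppIdDriverInfo
$lsa     = Get-LsaProtectionStatus
$updates = Get-UpdatesSince -Since $PatchReleaseDate

Write-Host ("appid.sys present: {0}  version: {1}  (compare against {2})" -f `
    $driver.Present, $driver.FileVersion, $PatchedAppIdVersion)
Write-Host ("LSA RunAsPPL value: {0}  LSASS protected: {1}" -f $lsa.RunAsPPL, $lsa.Protected)

if (-not $updates) {
    Write-Warning ("No updates reported as installed on or after {0:yyyy-MM-dd}; " +
                   "verify that the February 2024 Patch Tuesday updates are present.") -f $PatchReleaseDate
} else {
    $updates | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the registry and driver paths are readable. The driver version comparison is the authoritative signal once the placeholder is filled in; the hotfix listing is only a cross-check, since Get-HotFix does not enumerate every cumulative update and servicing-stack package.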