Six months after being informed that the flaw was being exploited as a zero-day, Microsoft patched a high-severity Windows Kernel privilege escalation vulnerability in February.
Jan Vojtěšek, a senior malware researcher at Avast, discovered the security flaw, tracked as CVE-2024-21338, in the appid.sys Windows AppLocker driver and reported it to Microsoft in August as a zero-day that was being actively exploited.
The vulnerability affects multiple versions of Windows 10 and Windows 11 (including the most recent releases), as well as Windows Server 2019 and 2022.
According to Microsoft, successful exploitation enables local attackers to gain SYSTEM privileges in low-complexity attacks that don't require user interaction.
An attacker would first need to log on to the system to exploit this vulnerability. According to Redmond, the attacker could then run a specially crafted application that exploits the vulnerability and takes control of the system.
The company fixed the vulnerability on February 13 and updated the advisory on Wednesday, February 28 to note that CVE-2024-21338 had been exploited in the wild, but it didn't provide any specifics about the attacks.
Patched six months after the initial report
Avast told BleepingComputer that since at least August 2023, North Korean Lazarus state hackers have exploited the flaw to gain kernel-level access and disable security tools, rather than relying on easier-to-detect BYOVD (Bring Your Own Vulnerable Driver) techniques.
"From the attacker's perspective, crossing from admin to kernel opens a whole new world of possibilities. With kernel-level access, an attacker could compromise security software and conceal infection indicators (such as files, network activity, processes, etc.), turn off mitigations, turn off kernel-mode telemetry, and more," Avast explained.
Our hypothetical attacker also has the ability to tamper with protected processes or add protection to an arbitrary process because the security of PPL (Protected Process Light) relies on the admin-to-kernel boundary. If RunAsPPL is used to protect lsass, this can be especially powerful because it makes it possible for an attacker to dump otherwise unreachable credentials.
Lazarus used the flaw to build a kernel read/write primitive that lets a new version of the FudModule rootkit perform direct kernel object manipulation.
This updated FudModule version includes significant stealth and functionality improvements, as well as new and updated rootkit techniques for evading detection and disabling Windows Defender, CrowdStrike Falcon, and HitmanPro security protections.
Avast also discovered a previously unknown remote access trojan (RAT) used by Lazarus, which will be the subject of an April BlackHat Asia presentation.
"Lazarus is confronted with a significant challenge because their admin-to-kernel zero-day is now burned." According to Avast, they can either discover a new zero-day exploit or switch back to their traditional BYOVD methods.
Windows users are advised to install the February 2024 Patch Tuesday updates as soon as possible in order to stop Lazarus' CVE-2024-21338 attacks.
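The two defensive conditions the article touches on, whether lsass is protected by RunAsPPL and whether the February 2024 updates are on the host, can be checked from the defender's side. The read-only PowerShell script below is an added example, not code from the article or from Avast; it assumes an elevated session on the Windows host being assessed, and the key paths and cmdlets it uses are standard Windows ones.

```powershell
# Added example, not code from the article or from Avast. Read-only checks for the two
# defensive conditions the article names: is lsass protected by RunAsPPL, and have
# updates released on or after the February 13, 2024 fix been installed?
# Assumes an elevated PowerShell session on the Windows host being assessed.

# 1. RunAsPPL: a nonzero value means lsass runs as a Protected Process Light.
#    PPL only holds across the admin-to-kernel boundary, which is exactly what an
#    admin-to-kernel bug such as CVE-2024-21338 crosses, so this is necessary, not sufficient.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsa = Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue
if ($null -eq $lsa -or $null -eq $lsa.RunAsPPL) {
    Write-Output 'RunAsPPL: not configured (lsass is not PPL-protected)'
} elseif ($lsa.RunAsPPL -eq 0) {
    Write-Output 'RunAsPPL: 0 (explicitly disabled)'
} else {
    Write-Output "RunAsPPL: $($lsa.RunAsPPL) (enabled)"
}

# 2. Record the installed appid.sys (the AppLocker driver named in the article) so its
#    file version and timestamp can be compared against the vendor's fixed build.
$driver = Join-Path $env:SystemRoot 'System32\drivers\appid.sys'
if (Test-Path $driver) {
    $item = Get-Item $driver
    Write-Output ("appid.sys: version {0}, last written {1}" -f $item.VersionInfo.FileVersion, $item.LastWriteTime)
} else {
    Write-Output 'appid.sys: not present'
}

# 3. Updates installed on or after the fix date. Get-HotFix reads Win32_QuickFixEngineering,
#    which does not record every update type, so an empty result is a prompt to verify
#    against Windows Update history, not proof that the patch is missing.
$cutoff = [datetime]'2024-02-13'
$recent = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $cutoff } | Sort-Object InstalledOn
if ($recent) {
    foreach ($fix in $recent) {
        Write-Output ("Installed {0:yyyy-MM-dd}: {1} ({2})" -f $fix.InstalledOn, $fix.HotFixID, $fix.Description)
    }
} else {
    Write-Output 'No updates recorded since 2024-02-13; verify the February 2024 Patch Tuesday update is installed'
}
```

Run it from an elevated prompt on each host in scope; a "not configured" RunAsPPL result or an empty update list is the finding to follow up on.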