Skip to content Skip to footer

Lazarus Group Exploits Windows Kernel Zero-Day CVE-2024-21338

Recently, the notorious Lazarus Group actors were found to have exploited a zero-day privilege escalation flaw in the Windows Kernel. The in question is CVE-2024-21338, which has a CVSS score 7.8. This flaw can allow an attacker to gain SYSTEM privileges and has been resolved by Microsoft as part of their Patch Tuesday updates. However, before the patch was released, the attackers could use this to obtain kernel-level access and turn off security software on compromised hosts.

An attacker must first log on to the system to exploit the . They could then run a specially crafted application to exploit the and take control of an affected system. While there were no indications of active exploitation of CVE-2024-21338 at the time of the release of the updates, Microsoft has since revised its “Exploitability assessment” for the flaw to “Exploitation Detected.”

It is currently unclear when the attacks occurred, but it is known that the was introduced in Windows 10, version 1703 (RS2/15063), when the 0x22A018 IOCTL handler was first implemented.

Cybersecurity vendor Avast discovered an in-the-wild admin-to-kernel exploit for the bug. The kernel read/write primitive achieved by weaponizing the flaw allowed the Lazarus Group to “perform direct kernel object manipulation in an updated version of their data-only FudModule rootkit.” ESET and AhnLab first reported the FudModule rootkit in October 2022 as capable of turning off the monitoring of all security solutions on infected hosts using a Bring Your Own Vulnerable Driver (BYOVD) attack.

This attack is particularly significant because it goes beyond BYOVD by exploiting a zero-day in a driver known to be already installed on the target machine. That susceptible driver is appid.sys, crucial to functioning a Windows component called AppLocker, responsible for application control. This real-world exploit devised by the Lazarus Group entails using CVE-2024-21338 in the appid.sys driver to execute arbitrary code that bypasses all security checks and runs the FudModule rootkit.

FudModule is only loosely integrated into the rest of Lazarus' ecosystem, and the group is conscientious about its use, only deploying it on demand under the right circumstances. It is engineered to turn off specific security software such as AhnLab V3 Endpoint Security, CrowdStrike Falcon, HitmanPro, and Microsoft Defender Antivirus (formerly Windows Defender).

The development marks a new level of technical sophistication associated with North Korean groups, who continuously iterate their arsenal for improved stealth and functionality. The adversarial collective's cross-platform focus is also exemplified by the fact that it has been observed using bogus calendar meeting invite links to stealthily install on Apple systems, a campaign that SlowMist previously documented in December 2023.

Security researcher Jan Vojtěšek said, “Lazarus Group remains among the most prolific and long-standing advanced persistent threat actors. The FudModule rootkit is the latest example, representing one of the most complex tools Lazarus holds in their arsenal.” The 's elaborate techniques are designed to hinder detection and make tracking much harder.

Leave a comment

Newsletter Signup
Address

The Grid —
The Matrix Has Me
Big Bear Lake, CA 92315

01010011 01111001 01110011 01110100 01100101 01101101 00100000
01000110 01100001 01101001 01101100 01110101 01110010 01100101

You're in trouble, program. Why don't you make it easy on yourself. Who's your user?Master Control Program

Deitasoft © 2024. All Rights Reserved.