Windows Kernel bug fixed last month exploited as zero-day since August

Microsoft patched a high-severity Windows Kernel privilege escalation vulnerability in February, six months after being informed that the flaw was being exploited as a zero-day.

Tracked as CVE-2024-21338, the security flaw was found by Avast Senior Malware Researcher Jan Vojtěšek in the appid.sys Windows AppLocker driver and reported to Microsoft last August as an actively exploited zero-day.

The vulnerability impacts systems running multiple versions of Windows 10 and Windows 11 (including the latest releases), as well as Windows Server 2019 and 2022.

Microsoft explains that successful exploitation enables local attackers to gain SYSTEM privileges in low-complexity attacks that don't require user interaction.

"To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system," Redmond says.

The company patched the vulnerability on February 13 and updated the advisory on Wednesday, February 28, to confirm that CVE-2024-21338 had been exploited in the wild, but it didn't disclose any details regarding the attacks.

Patched six months after initial report

However, Avast told BleepingComputer that the North Korean Lazarus state hackers have been exploiting the flaw in attacks as a zero-day since at least August 2023 to gain kernel-level access and turn off security tools, allowing them to avoid using easier-to-detect BYOVD (Bring Your Own Vulnerable Driver) techniques

"From the attacker's perspective, crossing from admin to kernel opens a whole new realm of possibilities. With kernel-level access, an attacker might disrupt security software, conceal indicators of infection (including files, network activity, processes, etc.), disable kernel-mode telemetry, turn off mitigations, and more," Avast explained.

"Additionally, as the security of PPL (Protected Process Light) relies on the admin-to-kernel boundary, our hypothetical attacker also gains the ability to tamper with protected processes or add protection to an arbitrary process. This can be especially powerful if lsass is protected with RunAsPPL as bypassing PPL could enable the attacker to dump otherwise unreachable credentials."

Lazarus exploited the flaw to establish a kernel read/write primitive, enabling an updated FudModule rootkit version to perform direct kernel object manipulation.

This new FudModule version comes with significant stealth and functionality improvements, including new and updated rootkit techniques for evading detection and turning off AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon, and the HitmanPro security protections.

While analyzing the attacks, Avast also discovered a previously unknown remote access trojan (RAT) malware used by Lazarus, which will be the focus of a BlackHat Asia presentation in April.

"With their admin-to-kernel zero-day now burned, Lazarus is confronted with a significant challenge. They can either discover a new zero-day exploit or revert to their old BYOVD techniques," Avast said.

Windows users are advised to install the February 2024 Patch Tuesday updates as soon as possible to block Lazarus' CVE-2024-21338 attacks.

Source