Microsoft failed for months to patch a zero-day vulnerability in Windows AppLocker that allowed attackers to cross the admin-to-kernel boundary, despite being notified that the flaw was under active exploitation, an investigation shows.
In a report, Avast security specialists described the details of the vulnerability, CVE-2024-21338, as well as the Lazarus Group's exploitation activities.
The timeline of events shows that Microsoft left the flaw unpatched for six months, giving the group time to develop a particularly stealthy and effective proof of concept (PoC) for injecting the FudModule malware into target systems.
CVE-2024-21338, listed as high severity with a CVSS of 7.8 in the National Vulnerability Database, is a Windows kernel elevation of privilege flaw that could be exploited to launch rootkit attacks, according to Avast.
In a security update published in February describing the details of the flaw, Microsoft warned that, if successfully exploited, the vulnerability could allow an attacker to gain system privileges.
Avast stated that in August 2023 it developed and submitted to Microsoft a custom PoC exploit that revealed the significant access the flaw could offer threat actors if exploited correctly.
The disclosure included information showing that the flaw was being actively exploited by threat actors in the wild, according to Avast, raising questions about why it took Microsoft so long to remediate the threat.
A patch for the vulnerability was released in the February 2024 security update, but it did not include any information about the flaw being actively exploited by threat actors.
It took Avast publishing the details of the Lazarus exploit two weeks later for the hyperscaler to update its security advisory with relevant details about the attack technique.
Beyond BYOVD to reach the “holy grail” of admin-to-kernel attacks
This particular flaw allows hackers to establish a kernel read/write primitive, which was used by the Lazarus group to perform direct manipulation of kernel objects in a new iteration of their data-only FudModule rootkit.
Avast said that after its teams fully reverse engineered the updated rootkit variant, it observed a number of improvements over previous versions with better functionality and stealth properties, and four entirely new rootkit techniques.
One advance in the new version is a new handle table entry manipulation technique used to suspend Protected Process Light (PPL) processes belonging to popular antivirus software such as Microsoft Defender, CrowdStrike Falcon, and HitmanPro.
While the Lazarus Group was previously known for using bring your own vulnerable driver (BYOVD) techniques to obtain privilege escalation at the kernel level, in this case it exploited a zero-day in Windows AppLocker, a component already present on the target machine, and was therefore able to give up the much noisier approach.
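The observable effect of the PPL-suspension technique described above is that a security product's process is still present but none of its threads run. The following PowerShell script is an added defender-side check, not code from the Avast report or from any of the vendors named; it flags watched processes whose threads are all in the Suspended wait state. The process image names in the list are assumptions for illustration and should be replaced with the products actually deployed.

```powershell
# Added example: detect security-product processes whose threads are all suspended.
# Assumes it runs elevated on the Windows host being checked. Image names below are
# illustrative assumptions, not taken from the report; adjust them to your estate.
$watched = @('MsMpEng', 'CSFalconService', 'HitmanPro')

function Get-SuspendedSecurityProcesses {
    param([string[]]$Names = $watched)
    $findings = @()
    foreach ($name in $Names) {
        $procs = Get-Process -Name $name -ErrorAction SilentlyContinue
        if (-not $procs) { continue }   # not installed or not running: a separate health check
        foreach ($p in $procs) {
            $threads = @($p.Threads)
            if ($threads.Count -eq 0) { continue }
            # WaitReason is only meaningful while ThreadState is Wait; 'Suspended' means the
            # thread was explicitly suspended rather than blocked on I/O or a synchronization object.
            $suspended = @($threads | Where-Object {
                $_.ThreadState -eq 'Wait' -and $_.WaitReason -eq 'Suspended'
            })
            if ($suspended.Count -eq $threads.Count) {
                $findings += [pscustomobject]@{
                    Name      = $p.ProcessName
                    PID       = $p.Id
                    Threads   = $threads.Count
                    Suspended = $suspended.Count
                }
            }
        }
    }
    return $findings
}

# Sample twice a few seconds apart so a momentary pause is not reported as a finding.
$first  = Get-SuspendedSecurityProcesses
Start-Sleep -Seconds 5
$second = Get-SuspendedSecurityProcesses
$persistent = $first | Where-Object { $pid1 = $_.PID; $second | Where-Object { $_.PID -eq $pid1 } }

if ($persistent) {
    $persistent | Format-Table -AutoSize
    Write-Warning "Security process(es) fully suspended across two samples; investigate the host."
} else {
    'No fully suspended security processes found.'
}
```

The check reads thread state from the system process list, so it does not need a handle to the PPL process itself. A single suspended snapshot is not conclusive on its own, which is why the script requires the condition to hold across two samples before reporting it; a persistent hit should be correlated with the product's own tamper-protection telemetry.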
Jan Vojtěšek, author of the Avast report, said the Lazarus Group remains one of the most successful and experienced hacker collectives in operation, noting that the group is still able to surprise security researchers even though its tactics are well documented.
“The Lazarus Group remains one of the most prolific and long-standing advanced persistent threat actors. Although their signature tactics and techniques are already well recognized, they still occasionally manage to surprise us with an unexpected level of technical sophistication,” he said.
“The FudModule rootkit is the latest example and represents one of the most complex tools Lazarus has in its arsenal.”
Vojtěšek said that now that the patch neutralizes this specific opportunity, the group may choose to return to its previous BYOVD attack methods or continue searching for zero-days ready to be exploited.
“With its admin-to-kernel zero-day now burned, Lazarus faces a significant challenge. They may discover a new zero-day exploit or revert to their old BYOVD techniques.”