Lazarus used 0-day on Windows to gain kernel level privileges

Avast researchers said that the North Korean group Lazarus exploited a privilege escalation vulnerability in Windows as a 0-day. This bug was fixed in February 2024, only six months after Microsoft reported that the vulnerability had already been exploited by hackers.

The CVE-2024-21338 vulnerability was discovered by Avast in the appid.sys Windows AppLocker driver, which they reported to Microsoft last August, warning that the vulnerability was already being actively exploited by attackers.< /p>

The problem affects systems running Windows 10 and Windows 11 (including the latest versions), as well as Windows Server 2019 and 2022. According to Microsoft, successful exploitation of this bug allows attackers with local access to gain SYSTEM level privileges. Moreover, the attack does not require user interaction.

“To exploit this vulnerability, an attacker must first log in to the system. Then he can launch a specially prepared application that exploits the vulnerability and gains control of the system,” the company reported.

Microsoft engineers fixed this issue on February 13, 2024, but it was only last week that Microsoft updated its security bulletin and confirmed that CVE-2024-21338 was being used by hackers.

According to Avast, the Lazarus group has been using this vulnerability as a 0-day since at least August 2023. The bug was used to gain kernel-level privileges and disable security tools, which made it possible to avoid more “noticeable” attacks such as BYOVD (Bring Your Own Vulnerable Driver). As a result, the updated version of the FudModule rootkit was able to perform direct manipulations with kernel objects.

“From an attacker’s point of view, moving from administrator to kernel opens up completely new possibilities. Having access at the kernel level, an attacker can disrupt the operation of security software, hide signs of infection (including files, network activity, processes, and so on), disable kernel-mode telemetry, protection tools, and much more, Avast says . “Additionally, since PPL (Protected Process Light) security relies on admin-to-kernel boundaries, it is also possible for a hypothetical attacker to interfere with protected processes or add protection to an arbitrary process. This can be especially effective if lsass is protected by RunAsPPL, since bypassing the PPL will allow you to obtain otherwise inaccessible credentials.”

As the researchers note, the new version of FudModule has good stealth and has received functional improvements, including new and updated methods for evading detection and disabling AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon and HitmanPro.

In addition, while analyzing these attacks, Avast discovered a previously unknown remote access trojan (RAT) used by Lazarus. The researchers promise to talk about this at the BlackHat Asia conference in April of this year.

0 / 5

Your page rank:

Subscribe: YouTube page opens in new windowLinkedin page opens in new windowTelegram page opens in new window

Leave a Reply

Your email address will not be published. Required fields are marked *

Post comment