Microsoft Fixes Windows Kernel Bug Exploited as Zero-Day Since August


Microsoft has recently patched a critical privilege escalation vulnerability in the Windows Kernel that was actively exploited as a zero-day for six months. Tracked as CVE-2024-21338, the flaw was discovered by Jan Vojtěšek, a Senior Malware Researcher at Avast, in the appid.sys Windows AppLocker driver. Avast reported the vulnerability to Microsoft in August 2023, confirming ongoing exploitation.

The vulnerability affects various versions of Windows, including Windows 10, Windows 11 (including the latest releases), as well as Windows Server 2019 and 2022. Successful exploitation of the flaw allows local attackers to gain SYSTEM privileges through low-complexity attacks that do not require user interaction.

Microsoft stated that an attacker would first need to log into the system and then run a specially crafted application to exploit the vulnerability and take control of the affected system. The company released a patch for the vulnerability on February 13, and on February 28 it updated the advisory to confirm that CVE-2024-21338 had been exploited in the wild. However, Microsoft did not provide specific details about the attacks.

Avast revealed that the North Korean Lazarus state hackers have been actively exploiting the vulnerability as a zero-day since at least August 2023. They utilized the flaw to gain kernel-level access, disabling security tools and evading detection. This allowed them to manipulate kernel objects and employ an updated version of the FudModule rootkit, which includes enhanced stealth and functionality to bypass security protections from AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon, and HitmanPro.

As part of their analysis, Avast also discovered a previously unknown remote access trojan (RAT) malware used by the Lazarus group, which will be presented at BlackHat Asia in April.

With the zero-day exploit now patched, Lazarus faces a significant challenge and must either discover a new zero-day or revert to their old BYOVD (Bring Your Own Vulnerable Driver) techniques, according to Avast.

To protect against Lazarus’ CVE-2024-21338 attacks, Windows users are strongly advised to install the February 2024 Patch Tuesday updates without delay.
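For administrators who need to confirm that hosts have actually received the update, the following PowerShell script is an added example (it is not from the article, Microsoft or Avast). It reports the OS build, the file version and last-write time of the AppLocker driver, and which of a list of required KB identifiers are missing. The KB identifiers are placeholders: replace them with the KB numbers Microsoft lists for your Windows build in the CVE-2024-21338 advisory. The driver path under `System32\drivers` is the standard location for `appid.sys` and is assumed here.

```powershell
# Added example, not part of the original article.
# Checks whether this host shows signs of having the February 2024 update for
# CVE-2024-21338 installed. Replace the placeholder KB ids with the ones from
# Microsoft's advisory for your specific Windows version/build.

$requiredKbs = @('KB<PLACEHOLDER-FOR-YOUR-BUILD>')          # placeholder, fill from the advisory
$driverPath  = Join-Path $env:SystemRoot 'System32\drivers\appid.sys'   # assumed standard location

# 1. Installed updates as recorded in Win32_QuickFixEngineering.
$installedKbs = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missingKbs   = @($requiredKbs | Where-Object { $_ -notin $installedKbs })

# 2. OS build, to cross-check against the builds listed in the advisory.
$os = Get-CimInstance -ClassName Win32_OperatingSystem

# 3. AppLocker driver file details; a driver untouched since before the
#    February 2024 update is a strong hint that the patch is not applied.
$driver = Get-Item -Path $driverPath -ErrorAction SilentlyContinue
if ($driver) {
    $driverVersion   = $driver.VersionInfo.FileVersion
    $driverLastWrite = $driver.LastWriteTime
} else {
    $driverVersion   = 'not found'
    $driverLastWrite = $null
}

if ($missingKbs.Count -gt 0) {
    $status = 'UPDATE REQUIRED (missing: ' + ($missingKbs -join ', ') + ')'
} else {
    $status = 'required KBs present'
}

[PSCustomObject]@{
    ComputerName     = $env:COMPUTERNAME
    OSVersion        = $os.Version
    BuildNumber      = $os.BuildNumber
    AppIdDriverPath  = $driverPath
    AppIdFileVersion = $driverVersion
    AppIdLastWrite   = $driverLastWrite
    Status           = $status
}
```

Run it in an elevated PowerShell session on each host (or through your remote-management tooling) and collect the objects centrally. `Get-HotFix` reads `Win32_QuickFixEngineering`, which can lag behind or omit updates delivered through some channels, so treat the build number and driver file details as the authoritative cross-check against Microsoft's advisory rather than relying on the KB list alone.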