Security News > 2024 > February > Lazarus hackers exploited Windows zero-day to gain Kernel privileges
North Korean threat actors known as the Lazarus Group exploited a flaw in the Windows AppLocker driver as a zero-day to gain kernel-level access and turn off security tools, allowing them to bypass noisy BYOVD techniques.
Avast reports that Lazarus exploited CVE-2024-21338 to create a read/write kernel primitive in an updated version of its FudModule rootkit, which ESET first documented in late 2022.
Sys driver to call an arbitrary pointer, tricking the kernel into executing unsafe code, thus bypassing security checks.
The FudModule rootkit, built within the same module as the exploit, executes direct kernel object manipulation operations to turn off security products, hide malicious activities, and maintain persistence on the breached system.
The targeted security products are AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon, and the HitmanPro anti-malware solution.
The only effective security measure is to apply the February 2024 Patch Tuesday updates as soon as possible, as Lazarus' exploitation of a Windows built-in driver makes the attack particularly challenging to detect and stop.
News URL
Related news
- RomCom hackers chained Firefox and Windows zero-days to deliver backdoor (source)
- Firefox and Windows zero-days exploited by Russian RomCom hackers (source)
- Researchers Uncover OS Downgrade Vulnerability Targeting Microsoft Windows Kernel (source)
- New Windows Themes zero-day gets free, unofficial patches (source)
- Windows Themes zero-day bug exposes users to NTLM credential theft (source)
- Hackers target critical zero-day vulnerability in PTZ cameras (source)
- Microsoft patches Windows zero-day exploited in attacks on Ukraine (source)
- How a Windows zero-day was exploited in the wild for months (CVE-2024-43451) (source)
- Chinese hackers exploit Fortinet VPN zero-day to steal credentials (source)
- Microsoft plans to boot security vendors out of the Windows kernel (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-02-13 | CVE-2024-21338 | Unspecified vulnerability in Microsoft products Windows Kernel Elevation of Privilege Vulnerability | 0.0 |