Security News > 2024 > February > Lazarus hackers exploited Windows zero-day to gain Kernel privileges

North Korean threat actors known as the Lazarus Group exploited a flaw in the Windows AppLocker driver as a zero-day to gain kernel-level access and turn off security tools, allowing them to bypass noisy BYOVD techniques.

Avast reports that Lazarus exploited CVE-2024-21338 to create a read/write kernel primitive in an updated version of its FudModule rootkit, which ESET first documented in late 2022.

Sys driver to call an arbitrary pointer, tricking the kernel into executing unsafe code, thus bypassing security checks.

The FudModule rootkit, built within the same module as the exploit, executes direct kernel object manipulation operations to turn off security products, hide malicious activities, and maintain persistence on the breached system.

The targeted security products are AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon, and the HitmanPro anti-malware solution.

The only effective security measure is to apply the February 2024 Patch Tuesday updates as soon as possible, as Lazarus' exploitation of a Windows built-in driver makes the attack particularly challenging to detect and stop.

News URL

https://www.bleepingcomputer.com/news/security/lazarus-hackers-exploited-windows-zero-day-to-gain-kernel-privileges/