Security News > 2024 > February > Lazarus hackers exploited Windows zero-day to gain Kernel privileges
North Korean threat actors known as the Lazarus Group exploited a flaw in the Windows AppLocker driver as a zero-day to gain kernel-level access and turn off security tools, allowing them to bypass noisy BYOVD techniques.
Avast reports that Lazarus exploited CVE-2024-21338 to create a read/write kernel primitive in an updated version of its FudModule rootkit, which ESET first documented in late 2022.
Sys driver to call an arbitrary pointer, tricking the kernel into executing unsafe code, thus bypassing security checks.
The FudModule rootkit, built within the same module as the exploit, executes direct kernel object manipulation operations to turn off security products, hide malicious activities, and maintain persistence on the breached system.
The targeted security products are AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon, and the HitmanPro anti-malware solution.
The only effective security measure is to apply the February 2024 Patch Tuesday updates as soon as possible, as Lazarus' exploitation of a Windows built-in driver makes the attack particularly challenging to detect and stop.
News URL
Related news
- New Windows Server 2012 zero-day gets free, unofficial patches (source)
- New Windows zero-day exposes NTLM credentials, gets unofficial patch (source)
- U.S. Charges Chinese Hacker for Exploiting Zero-Day in 81,000 Sophos Firewalls (source)
- Windows kernel bug now exploited in attacks to gain SYSTEM privileges (source)
- Microsoft: macOS bug lets hackers install malicious kernel drivers (source)
- Microsoft fixes actively exploited Windows Hyper-V zero-day flaws (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-02-13 | CVE-2024-21338 | Unspecified vulnerability in Microsoft products Windows Kernel Elevation of Privilege Vulnerability | 0.0 |