Windows Kernel bug fixed last month exploited as zero-day since August

Microsoft patched a high-severity Windows Kernel privilege escalation vulnerability in February, six months after being informed that the flaw was being exploited as a zero-day.
Sys Windows AppLocker driver and reported to Microsoft last August as an actively exploited zero-day.
The vulnerability impacts systems running multiple versions of Windows 10 and Windows 11, as well as Windows Server 2019 and 2022.
Avast told BleepingComputer that the North Korean Lazarus state hackers have been exploiting the flaw in attacks as a zero-day since at least August 2023 to gain kernel-level access and turn off security tools, allowing them to avoid using easier-to-detect BYOVD techniques.
"From the attacker's perspective, crossing from admin to kernel opens a whole new realm of possibilities. With kernel-level access, an attacker might disrupt security software, conceal indicators of infection, disable kernel-mode telemetry, turn off mitigations, and more," Avast explained.
Lazarus exploited the flaw to establish a kernel read/write primitive, enabling an updated FudModule rootkit version to perform direct kernel object manipulation.