OVERVIEW

Microsoft has recently patched a Windows Kernel privilege escalation flaw, tracked as CVE-2024-21338 (CVSS 7.8). This vulnerability, impacting various Windows operating systems, is being actively exploited by the notorious North Korean threat actor, Lazarus.  

The vulnerability affects the ‘appid.sys’ driver associated with Microsoft’s AppLocker security feature. Exploitation of CVE-2024-21338 allows for a fileless kernel attack: because the vulnerable driver is already present and signed by Microsoft, the attacker does not need to load a driver of their own. Threat actors are then able to evade detection mechanisms and escalate privileges. Lazarus utilized this exploit to establish kernel-level access and manipulate kernel objects with an updated version of the FudModule rootkit.  

According to Avast researchers, exploiting a zero-day vulnerability in a built-in driver provides attackers with unmatched stealth, eliminating the need for custom drivers and allowing fileless kernel attacks. This evasion of detection mechanisms extends to systems with driver allowlisting, despite the irony of CVE-2024-21338 affecting an AppLocker driver. 

Microsoft addressed the issue in their February 2024 Patch Tuesday updates, urging immediate system updates to prevent potential exploits. Lazarus has been exploiting CVE-2024-21338 since August 2023. Avertium recommends that users install the latest security updates from Microsoft as soon as possible.  

AVERTIUM'S RECOMMENDATIONS

  • CVE-2024-21338 impacts various versions of Windows 10, Windows 11 and Windows Server.  
  • Avertium recommends that all users update their systems as soon as possible. You may find guidance in Microsoft’s advisory.   
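The following PowerShell triage script is an added example and is not code from Avertium, Avast or Microsoft. It collects what a defender needs in order to compare a host against Microsoft’s advisory: the OS build, the appid.sys driver’s file version, Authenticode signature and load state, and whether a given KB is installed. The KB identifier and the minimum patched file version are not given in this notice, so they appear as labelled placeholders to be filled in from the Security Update Guide entry listed under Supporting Documentation.

```powershell
# Added example (not from the Avertium notice, Avast or Microsoft).
# Reports the facts needed to compare a host against Microsoft's advisory
# for CVE-2024-21338. Run in an elevated PowerShell session on Windows.

# --- Placeholders: take the real values from Microsoft's Security Update Guide ---
$PatchKb           = 'KB0000000'          # placeholder: the February 2024 KB for this OS build
$MinPatchedVersion = [version]'0.0.0.0'   # placeholder: the fixed appid.sys file version

function Get-AppIdDriverTriage {
    param(
        [string]  $Kb                 = $PatchKb,
        [version] $MinimumFileVersion = $MinPatchedVersion
    )

    $driverPath = Join-Path $env:SystemRoot 'System32\drivers\appid.sys'

    # 1. File version of the driver on disk (built from the numeric parts so the
    #    trailing build string in FileVersion does not get in the way)
    $fileInfo = Get-Item -LiteralPath $driverPath -ErrorAction Stop
    $vi = $fileInfo.VersionInfo
    $fileVersion = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                  $vi.FileBuildPart, $vi.FilePrivatePart)

    # 2. Authenticode signature: appid.sys is a Microsoft-signed in-box driver,
    #    so anything other than a valid Microsoft signature warrants a closer look
    $signature = Get-AuthenticodeSignature -FilePath $driverPath

    # 3. Is the AppID driver currently loaded? (the vulnerable code only matters
    #    when the driver is running)
    $driverSvc = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='appid'"

    # 4. OS build and whether the (placeholder) KB shows up as installed
    $os     = Get-CimInstance -ClassName Win32_OperatingSystem
    $hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        OSCaption         = $os.Caption
        OSBuild           = $os.BuildNumber
        DriverPath        = $driverPath
        DriverFileVersion = $fileVersion
        DriverSigned      = ($signature.Status -eq 'Valid')
        DriverSigner      = $signature.SignerCertificate.Subject
        DriverLoaded      = ($driverSvc.State -eq 'Running')
        PatchKbInstalled  = [bool]$hotfix
        # Only meaningful once $MinPatchedVersion has been replaced with the
        # real fixed version; with the 0.0.0.0 placeholder it is always $true.
        VersionAtOrAbove  = ($fileVersion -ge $MinimumFileVersion)
    }
}

Get-AppIdDriverTriage | Format-List
```

The KB check and the version comparison are the two signals that tell you whether the February 2024 fix is present; the signature and load-state fields are there so that an unexpected signer or a driver that is not running is visible at the same time. Across a fleet, run the function through Invoke-Command and keep the objects rather than the formatted text so the results can be filtered on PatchKbInstalled and VersionAtOrAbove.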

INDICATORS OF COMPROMISE (IoCs)

A YARA rule and the targeted ETW provider GUIDs can be found in Avast’s ioc/FudModule GitHub repository, listed under Supporting Documentation below. 

HOW AVERTIUM IS PROTECTING OUR CUSTOMERS

  • Fusion MXDR for Microsoft combines Avertium's Fusion MXDR approach with Microsoft Security Solutions, creating the first MDR offering that integrates all aspects of security operations into an active and threat-informed XDR solution. Leveraging Microsoft's comprehensive and cost-effective technology, Fusion MXDR for Microsoft delivers a release of cyber energy, encompassing implementation, optimization, ongoing management, and tuning. 
  • Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills. See every threat in your attack surface, every device, every entry point, and every vulnerability. Our Attack Surface Management services include:  
    • Risk Assessments 
    • Pen Testing and Social Engineering  
    • Infrastructure Architecture and Integration  
    • Zero Trust Network Architecture 
    • Vulnerability Management 

  • We highly value your feedback. Kindly spare a moment to complete our feedback form, allowing us to enhance our services for our valued customers. 

SUPPORTING DOCUMENTATION

Windows Zero-Day Exploited by North Korean Hackers in Rootkit Attack - SecurityWeek 

Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day - Avast Threat Labs 

ioc/FudModule at master · avast/ioc · GitHub 

CVE-2024-21338 - Security Update Guide - Microsoft - Windows Kernel Elevation of Privilege Vulnerability 
