Microsoft has addressed a zero-day vulnerability, tracked as CVE-2024-38193 (CVSS score: 7.8), an elevation-of-privilege flaw in the Windows Ancillary Function Driver for WinSock (AFD.sys) that has been exploited by the North Korea-linked Lazarus APT group.
Microsoft fixed the vulnerability with the Patch Tuesday security updates released in August 2024. The IT giant also warned that the flaw was being exploited in attacks in the wild.
“Gen Threat Labs recently uncovered and reported a major security flaw known as a zero-day vulnerability (CVE-2024-38193), which Microsoft has now fixed. This repair is important because it addresses a security issue that was being used by the Lazarus APT group, a North Korean hacker group known for targeting specific professionals.” reads the post published by Gen Digital.
In early June, Gen Digital researchers discovered that the North Korea-linked APT Lazarus was exploiting a zero-day in the AFD.sys driver to gain elevated privileges on the host and reach sensitive system areas. The attackers used a “special type of malware”, the FudModule rootkit, to avoid detection.
In February 2024, Avast discovered an in-the-wild exploit for a previously unknown zero-day vulnerability in the AppLocker driver (appid.sys). Microsoft quickly fixed this vulnerability, now tracked as CVE-2024-21338, in the February Patch Tuesday update. The Lazarus Group exploited the zero-day to gain kernel-level access and disable security software. In past attacks the threat actors achieved the same goal by using much noisier BYOVD (Bring Your Own Vulnerable Driver) techniques to cross the admin-to-kernel boundary.
Lazarus exploited CVE-2024-21338 to perform direct kernel object manipulation in an updated version of their FudModule rootkit.
“the holy grail of admin-to-kernel is going beyond BYOVD by exploiting a zero-day in a driver that’s known to be already installed on the target machine. To make the attack as universal as possible, the most obvious target here would be a built-in Windows driver that’s already a part of the operating system.” reads the analysis published by Avast.
The flaw CVE-2024-21338 resides within the IOCTL (Input and Output Control) dispatcher of the driver appid.sys. This driver is a core component of AppLocker, the Windows feature used to control which apps and files users can run.
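Both campaigns described above abuse a driver that ships with Windows (AFD.sys for CVE-2024-38193, appid.sys for CVE-2024-21338), so there is no third-party driver to hunt for. What a defender can check quickly is whether the host has taken updates since the fix shipped, what versions of the two drivers are on disk and loaded, and whether HVCI (memory integrity) is on, which raises the bar for the noisier BYOVD route but does nothing against a zero-day in a built-in driver. The following triage script is an added example written for this page; it is not code from SecurityAffairs, Microsoft, Avast or Gen Digital. It assumes an elevated PowerShell session on Windows 10/11, uses the August 2024 Patch Tuesday date (13 August 2024) as a rough cut-off, and deliberately does not hard-code fixed binary versions, because those differ per OS build and must be compared against the MSRC advisory for the build in question.

```powershell
# Added example (not from the article or the vendors it cites): quick host triage
# for the built-in drivers exploited by Lazarus in the admin-to-kernel attacks.
# Assumptions: run as administrator; Windows 10/11; fixed driver versions are NOT
# hard-coded, compare the reported versions with the MSRC advisory for your build.

$drivers = 'afd.sys', 'appid.sys'
$sysDir  = Join-Path $env:SystemRoot 'System32\drivers'

# 1. On-disk version and signature of each driver binary
foreach ($name in $drivers) {
    $path = Join-Path $sysDir $name
    if (Test-Path $path) {
        $item = Get-Item $path
        $sig  = Get-AuthenticodeSignature $path
        [PSCustomObject]@{
            Driver         = $name
            FileVersion    = $item.VersionInfo.FileVersion
            ProductVersion = $item.VersionInfo.ProductVersion
            LastWriteUtc   = $item.LastWriteTimeUtc
            Signature      = $sig.Status
            Signer         = $sig.SignerCertificate.Subject
        }
    } else {
        Write-Warning "$name not found at $path"
    }
}

# 2. Confirm both kernel services are actually loaded (service names AFD and AppID)
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.Name -in 'AFD', 'AppID' } |
    Select-Object Name, State, StartMode, PathName

# 3. Newest installed hotfix versus the August 2024 Patch Tuesday (2024-08-13).
#    Get-HotFix only lists QFE entries, so treat this as a coarse signal, not proof.
$patchTuesday = Get-Date '2024-08-13'
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $latest) {
    Write-Warning 'No hotfix install dates found; check Windows Update history manually'
} elseif ($latest.InstalledOn -lt $patchTuesday) {
    Write-Warning ('Newest hotfix {0} installed {1:yyyy-MM-dd}; host may predate the CVE-2024-38193 fix' -f $latest.HotFixID, $latest.InstalledOn)
} else {
    'Newest hotfix: {0} on {1:yyyy-MM-dd}' -f $latest.HotFixID, $latest.InstalledOn
}

# 4. HVCI status. SecurityServicesRunning contains 2 when memory integrity is active.
#    HVCI blunts BYOVD (unsigned or blocklisted drivers cannot load) but does not
#    protect against a zero-day in a driver that is already part of Windows.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
if ($dg.SecurityServicesRunning -contains 2) {
    'HVCI (memory integrity): running'
} else {
    Write-Warning 'HVCI (memory integrity) is not running; BYOVD-style admin-to-kernel attacks are easier on this host'
}
```

Run it in an elevated session and keep the output alongside the MSRC advisory for the host's build number; the version line for AFD.sys is the one that tells you whether CVE-2024-38193 is actually closed, while the hotfix date and HVCI status only indicate how exposed the host is to this class of attack in general.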
Pierluigi Paganini
(SecurityAffairs – OpenAI, Lazarus)