Microsoft has patched a zero-day vulnerability in the Windows AppLocker driver (appid.sys) that the Lazarus Group was exploiting to gain kernel-level access; the fix shipped in the February 2024 security updates.

Description

The vulnerability, tracked as CVE-2024-21338 [3] [4], is an admin-to-kernel privilege escalation in appid.sys, the kernel driver behind AppLocker [1]. It was exploited by the Lazarus Group [1] [2] [3] [4], a North Korean state-backed actor [6], to obtain a kernel read/write primitive from an already-elevated process and to load an updated version of their FudModule rootkit [1]. Avast researchers discovered the exploit in the wild and reported it to Microsoft [2] [5], which fixed it in the February 2024 security updates [2].

The notable point is the change in tradecraft. Earlier FudModule variants relied on bring your own vulnerable driver (BYOVD): loading a legitimately signed but vulnerable third-party driver to get code into the kernel. Exploiting a zero-day in a Microsoft driver that is already present and loaded on Windows hosts removes that step, so no new driver has to be dropped or loaded [1] [2] [5]. Note that the bug is admin-to-kernel: the attacker must already hold administrator privileges on the host, so the exploit is about defeating kernel-level protections, not about initial access [1].

With the kernel primitive in hand, the updated rootkit adds stealthier techniques for evading detection and disabling security protections [2] [5]. Avast describes new capabilities [6] including handle table entry manipulation, which lets it target PPL-protected (Protected Process Light) processes [1], and the ability to suspend protected processes belonging to security products [1]. Avast also identified a previously unknown remote access trojan (RAT) used by Lazarus in the infection chain that leads to deployment of the rootkit [2] [5], and said it would share further details at Black Hat Asia in April 2024 [2] [5].
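The practical question for a defender is whether a given host has the fix. The PowerShell triage helper below is an added example written for this page, not code from the article, from Avast, or from Microsoft. It assumes that the fix is part of the Windows cumulative update of Patch Tuesday, 13 February 2024 (so any update installed on or after that date is treated as covering it), and that you supply the fixed appid.sys file version from a known-patched reference host, since the article does not give that version; the service name AppID for the driver and the date cutoff are assumptions made here, not facts from the page.

```powershell
<#
Added triage helper (not code from the original article, Avast, or Microsoft).
Reports whether a Windows host looks patched against CVE-2024-21338 in appid.sys.

Assumptions that are not stated on the page:
  - The fix shipped in the Windows cumulative update of Patch Tuesday, 13 February 2024,
    so a cumulative or security update installed on or after that date is treated as
    covering it.
  - $MinVersion is a placeholder: the article does not give the fixed driver version,
    so take it from the file version of appid.sys on a known-patched reference host.
Run elevated so Get-HotFix and the driver state query return complete data.
#>
param(
    [version]  $MinVersion   = $null,
    [datetime] $PatchTuesday = '2024-02-13'
)

$driverPath = Join-Path $env:SystemRoot 'System32\drivers\appid.sys'
if (-not (Test-Path $driverPath)) {
    Write-Warning 'appid.sys not found; the AppLocker driver is not present on this host.'
    return
}

# File version of the driver, built from the numeric parts so no string parsing is needed.
$vi = (Get-Item $driverPath).VersionInfo
$driverVersion = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

# The kernel driver is registered as the service 'AppID' (assumption). If it is running,
# the vulnerable code is reachable by any local administrator on an unpatched host.
$appId = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='AppID'" -ErrorAction SilentlyContinue
$driverRunning = ($null -ne $appId) -and ($appId.State -eq 'Running')

# Updates installed on or after Patch Tuesday. InstalledOn can be empty for some entries,
# so those are excluded rather than treated as recent.
$recentUpdates = @(Get-HotFix | Where-Object {
    $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday -and $_.Description -match 'Update'
})

# A reference version is authoritative; the update date is only a fallback heuristic.
$verdict = if ($MinVersion -and $driverVersion -ge $MinVersion) { 'Patched (driver version at or above reference)' }
           elseif ($MinVersion)                                  { 'UNPATCHED (driver version below reference)' }
           elseif ($recentUpdates.Count -gt 0)                   { 'Probably patched (update installed since 2024-02-13; confirm driver version)' }
           else                                                  { 'UNPATCHED (no update installed since 2024-02-13)' }

[pscustomobject]@{
    ComputerName  = $env:COMPUTERNAME
    DriverVersion = $driverVersion
    DriverRunning = $driverRunning
    UpdatesSince  = ($recentUpdates | ForEach-Object HotFixID) -join ', '
    Verdict       = $verdict
}
```

Run it from an elevated prompt, passing `-MinVersion` with the appid.sys file version read from a host you know received the February 2024 update; without that value the script falls back to the installed-update date, which is a weaker signal and should be confirmed before a host is marked as patched. Because the bug is admin-to-kernel, a patched host is protected only against the kernel escalation step, not against the administrative compromise that precedes it.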

Conclusion

The exploitation of this vulnerability highlights the importance of applying security updates promptly; in this case the February 2024 Windows updates close the kernel escalation path that the FudModule rootkit depends on. Because the bug is admin-to-kernel, patching does not address the administrative compromise that must precede it, so organizations should remain vigilant against advanced threat actors like the Lazarus Group and continue to monitor for new threats and vulnerabilities. Collaboration between security researchers and software vendors, as between Avast and Microsoft here, is crucial in identifying and mitigating such risks. The shift from BYOVD to a zero-day in a built-in Microsoft driver underscores the need for proactive security measures against sophisticated threats.

References

[1] https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyond-byovd-with-an-admin-to-kernel-zero-day/
[2] https://ciso2ciso.com/lazarus-hackers-exploited-windows-zero-day-to-gain-kernel-privileges-source-www-bleepingcomputer-com/
[3] https://securityaffairs.com/159728/apt/lazarus-exploited-zero-day-windows-applocker-driver.html
[4] https://www.bankinfosecurity.com/lazarus-group-exploits-windows-applocker-driver-zero-day-a-24482
[5] https://luckyeso.wordpress.com/2024/02/29/lazarus-hackers-exploited-windows-zero-day-to-gain-kernel-privileges/
[6] https://www.darkreading.com/vulnerabilities-threats/microsoft-zero-day-used-by-lazarus-in-rootkit-attack