Rewterz Threat Update – North Korean Lazarus Group Abused Zero-Day Windows Kernel Vulnerability in Recent Attacks

Severity

High

Analysis Summary

The infamous Lazarus Group exploited a privilege escalation vulnerability present in the Windows Kernel as a zero-day to gain kernel-level access and turn off security software on infected systems. Microsoft recently patched this flaw earlier this month as part of Patch Tuesday updates.

The security flaw is tracked as CVE-2024-21338 with a CVSS score of 7.8, which can allow a threat actor to gain SYSTEM privileges. To exploit this vulnerability, the attacker would first need to log into the system. The malicious user then can run a specially crafted application that could abuse the security flaw and take full control of a compromised machine. There were no indications at the time of the patch release that CVE-2024-21338 was being actively exploited. It’s unclear right now when these attacks occurred, but the flaw is believed to have been introduced in Windows 10 version 1703 (RS2/15063) after the first implementation of the 0x22A018 IOCTL (input/output control) handler.

Security researchers reported, “The exploitation activity was orchestrated by the notorious Lazarus Group, with the end goal of establishing a kernel read/write primitive. This primitive enabled Lazarus to perform direct kernel object manipulation in an updated version of their data-only FudModule rootkit.”

The FudModule rootkit was first uncovered in October 2022, showing the ability to shut down the monitoring of all security solutions on compromised systems using a Bring Your Own Vulnerable Driver (BYOVD) attack, in which a threat actor implants a driver that is vulnerable to a zero-day or known flaw for privilege escalation.

The recent attack, however, goes further than just BYOVD by exploiting a zero-day in a driver that is known to have already been installed on the targeted system. The vulnerable driver in question is appid.sys, an important driver that helps in the functioning of AppLocker, a Windows component responsible for controlling applications.

Lazarus Group devised a real-world exploit that leverages CVE-2024-21338 in the appid.sys driver to run arbitrary code in a way to bypass all security software checks to run the FudModule rootkit. The rootkit is not used much by Lazarus and only deploys on demand under certain circumstances as it is only loosely integrated into the rest of the malware ecosystem of Lazarus Group. FudModule is designed to turn off specific security software like CrowdStrike Falcon, AhnLab V3 Endpoint Security, and Microsoft Defender Antivirus, besides taking additional steps to evade detection by disabling system loggers.

This incident shows a new level of technical sophistication in the North Korean advanced persistent threat (APT) groups and how they are constantly improving their arsenal for better functionality and stealth. It also highlights the advanced techniques employed to make detection and tracking difficult for cybersecurity defenders. Lazarus Group continues to be one of the most prolific and long-standing APT actors, and the FudModule rootkit can be seen as the latest example that represents one of the most complicated tools that Lazarus has in their arsenal.

Impact

• Privilege Escalation
• Code Execution
• Exposure to Sensitive Data

Indicators of Compromise

CVE

• CVE-2024-21338

Remediation

• Use Microsoft Automatic Update to apply the appropriate patch for your system, or the Microsoft Security Update Guide to search for available patches.
• Always be suspicious about emails sent by unknown senders.
• Never click on links/attachments sent by unknown senders.
• Ensure that general security policies are employed including implementing strong passwords, correct configurations, and proper administration security policies
• Use multi-factor authentication: Implement multi-factor authentication for all accounts to make it more difficult for attackers to gain access to sensitive systems and data.
• Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets
• Ensure that all software is kept up-to-date with the latest security patches to minimize the risk of vulnerabilities being exploited.
• Monitor network traffic for unusual or suspicious activity, which may indicate an attack is underway.
• Provide regular security training to all employees to ensure they are aware of the latest threats and how to protect against them.
• Conduct regular security assessments to identify vulnerabilities and weaknesses that could be exploited by attackers.