Skip to main content

Lazarus hackers exploited Windows zero-day to gain Kernel privileges

posted onFebruary 29, 2024
by l33tdawg
Bleeping Computer
Credit: Bleeping Computer

North Korean threat actors known as the Lazarus Group exploited a flaw in the Windows AppLocker driver (appid.sys) as a zero-day to gain kernel-level access and turn off security tools, allowing them to bypass noisy BYOVD (Bring Your Own Vulnerable Driver) techniques.

This activity was detected by Avast analysts, who promptly reported it to Microsoft, leading to a fix for the flaw, now tracked as CVE-2024-21338, as part of the February 2024 Patch Tuesday. However, Microsoft has not marked the flaw as being exploited as a zero-day.

Avast reports that Lazarus exploited CVE-2024-21338 to create a read/write kernel primitive in an updated version of its FudModule rootkit, which ESET first documented in late 2022. Previously, the rootkit abused a Dell driver for BYOVD attacks. The new version of FudModule features significant enhancements in stealth and functionality, including new and updated techniques for evading detection and turning off security protections like Microsoft Defender and CrowdStrike Falcon.

Source

Tags

Security

You May Also Like

Recent News

Tuesday, November 19th

Friday, November 8th

Friday, November 1st

Tuesday, July 9th

Wednesday, July 3rd

Friday, June 28th

Thursday, June 27th

Thursday, June 13th

Wednesday, June 12th

Tuesday, June 11th