Microsoft failed for months to patch a zero-day vulnerability affecting Windows AppLocker that allowed attackers to bypass the admin-to-kernel boundary, despite being notified the flaw was under active exploitation, research shows.
A report from security specialists Avast outlined the details of the vulnerability, CVE-2024-21338, as well as the exploitation activities of the Lazarus Group.
The timeline of events shows Microsoft left the flaw unpatched for six months, giving the group time to develop a particularly stealthy and effective Proof of Concept (PoC) to inject FudModule malware onto target systems.
CVE-2024-21338, listed as high severity with a CVSS score of 7.8 in the National Vulnerability Database, is a Windows kernel elevation of privilege flaw that could be exploited to launch rootkit attacks, according to Avast.
In a security update released in February outlining the details of the flaw, Microsoft warned that if successfully exploited, the vulnerability could allow an attacker to gain system privileges.
Avast stated that in August 2023 it developed and submitted a custom PoC exploit to Microsoft, revealing the significant access the flaw could offer potential threat actors if exploited in the right way.
The disclosure included information showing the flaw was being actively exploited by threat actors in the wild, according to Avast, leading to questions around what took Microsoft so long to remediate the threat.
A patch for the vulnerability was released in the February 2024 security update, but the update failed to include any information about the flaw being actively exploited by threat actors.
It took Avast publishing the details of the Lazarus exploit two weeks later for the hyperscaler to update its security release with relevant details on the attack technique.
Going beyond BYOVD to reach the “holy grail” of admin-to-kernel attacks
This particular flaw allows hackers to establish a kernel read/write primitive, which was used by the Lazarus Group to perform direct kernel object manipulation in a new iteration of their data-only FudModule rootkit.
Avast said after its teams had completely reverse engineered the updated rootkit variant, it observed a number of improvements on previous versions with better functionality and stealth properties, and four totally new rootkit techniques.
One advancement in the new version is its use of a new handle table entry manipulation technique to suspend Protected Process Light (PPL) processes linked to popular antivirus software like Microsoft Defender, CrowdStrike Falcon, and HitmanPro.
Whereas the Lazarus Group were previously known for their use of bring your own vulnerable driver (BYOVD) techniques to gain kernel-level privilege escalation, in this instance they exploited a zero-day vulnerability already present on the target machine and could therefore forgo the ‘much noisier’ approach.
Jan Vojtěšek, author of the Avast report, said the Lazarus Group continues to be one of the most successful and experienced hacking collectives in operation, noting the group is still able to surprise security researchers despite their tactics being well publicized.
“The Lazarus Group remains among the most prolific and long-standing advanced persistent threat actors. Though their signature tactics and techniques are well-recognized by now, they still occasionally manage to surprise us with an unexpected level of technical sophistication”, he said.
“The FudModule rootkit serves as the latest example, representing one of the most complex tools Lazarus holds in their arsenal.”
Vojtěšek said with the patch now neutralizing this specific opportunity, the group can choose to go back to their previous BYOVD attack methods, or continue looking for zero-days ready to be exploited.
“With their admin-to-kernel zero-day now burned, Lazarus is confronted with a significant challenge. They can either discover a new zero-day exploit or revert to their old BYOVD techniques.”