NIX Solutions: Windows Kernel Bug Exploited by Lazarus Group

Last month, Microsoft patched CVE-2024-21338, an elevation-of-privilege vulnerability in Windows. Notably, awareness of this issue surfaced approximately six months ago, and Avast has reported that North Korean hackers affiliated with the Lazarus group have been actively exploiting it in recent months.

NIX Solutions

Identification and Scope

Avast specialists pinpointed the vulnerability in appid.sys, the kernel driver behind the AppLocker application-control feature. An attacker who already has access to a compromised system can exploit the bug to elevate privileges to the SYSTEM level. Affected platforms include Windows 11, Windows 10, Windows Server 2022, and Windows Server 2019.

Exploitation Method and Mitigation

To exploit CVE-2024-21338, an attacker must first log in to the system and then run a specially crafted application; that application triggers the vulnerability and gives the attacker control of the device. Although the patch was released in the middle of the previous month, Microsoft confirmed that CVE-2024-21338 was being exploited in the wild only a few days ago, by updating its support page, NIX Solutions notes.

Lazarus Group’s Persistent Exploitation

Avast’s statement revealed that the Lazarus group had been exploiting the vulnerability since at least August of the preceding year. The attackers used it to obtain kernel-level privileges and disable security mechanisms on the targeted systems. They then discreetly loaded the FudModule rootkit, which let them manipulate kernel objects directly.

In conclusion, the recent Microsoft update signifies a critical response to the active exploitation of CVE-2024-21338. Understanding the identification, scope, and methods of exploitation is crucial for users to safeguard their Windows systems from potential security threats. Stay informed and ensure prompt implementation of security patches to fortify system defenses.