
Lazarus Group observed exploiting an admin-to-kernel Windows zero-day


The notorious North Korea-based Lazarus Group was observed abusing an admin-to-kernel Windows zero-day. Once kernel access is achieved, the threat actor can carry out any number of malicious activities, including disrupting security software, concealing infection indicators, and disabling kernel-mode telemetry.

In a Feb. 29 blog post, researchers at Avast said Microsoft addressed this vulnerability — CVE-2024-21338 — during February’s Patch Tuesday. The researchers said the goal of the exploitation was to establish a kernel read/write primitive, a foundational capability on which more complex exploitation steps can be built.

The researchers said the primitive let Lazarus perform direct kernel object manipulation in an updated version of their data-only FudModule rootkit, a previous version of which was analyzed by ESET and AhnLab.

After completely reverse engineering this updated rootkit, Avast identified substantial advancements in terms of functionality and stealth.

The security firm also pointed out that the updated rootkit differed from the "much noisier" Bring Your Own Vulnerable Driver (BYOVD) techniques Lazarus used in the past. The researchers said the Lazarus Group remains among the most prolific and long-standing advanced persistent threat (APT) actors, and although the group's signature tactics and techniques are well-recognized by now, it still occasionally manages to surprise researchers with an unexpected level of technical sophistication.

“The FudModule rootkit serves as the latest example, representing one of the most complex tools Lazarus holds in its arsenal,” wrote the researchers. “Recent updates examined in this blog show Lazarus’ commitment to keep actively developing this rootkit.”

Lionel Litty, chief security architect at Menlo Security, said the research illustrated that sophisticated attackers remain eager to get kernel-level control of the endpoint and are willing to invest time and effort to get there. Once there, Litty said they have free rein on the machine and can defeat device posture checks. This undermines zero-trust approaches, where a server relies on a client-side agent to determine the trustworthiness of the endpoint. Once satisfied, Litty said the server may then entrust the endpoint with secrets and sensitive data, trusting that endpoint software will protect this data.

“The attacker here can fool the agent and make it look like the endpoint is fine — even if the agent is measuring all the software loaded in the kernel and the endpoint is locked down,” said Litty. “For example, we have seen enterprise browsers that claim to do data redaction on the endpoint or protect files via local encryption. With kernel access, the attacker can see all the data in the clear, before the enterprise browser can redact or encrypt it. This is a reminder of how brittle such an approach is, especially on Windows platforms where a rich ecosystem of drivers makes protecting the kernel very challenging.”

It's important to note that Microsoft doesn't always mention if a vulnerability is being actively exploited in its Patch Tuesday bulletins, explained Ashley Leonard, chief executive officer at Syxsense. Leonard said that’s because they want Patch Tuesday bulletins to focus on delivering the fix, and the focus might not be on elaborating on how the vulnerabilities are being exploited.

Leonard added that another important point his team thinks should be reiterated is that, while it’s being called a zero-day, Microsoft only rated CVE-2024-21338 at 7.8, which is technically high. In comparison with the other vulnerabilities highlighted in February's Patch Tuesday update, however, it definitely did not get the attention it would have if it had been noted that it’s currently being weaponized or exploited.

There were 72 fixes in Microsoft's February Patch Tuesday drop, and Microsoft noted that five were critical, with two being weaponized — none of which were CVE-2024-21338. In fact, there were 29 vulnerabilities with severity ratings above CVE-2024-21338, noted Leonard.

“This underscores what we believe and continue to believe: that most vulnerabilities being exploited are not the headline-grabbing zero-days but vulnerabilities that are more middling in their severity scores,” said Leonard. “These vulnerabilities often get relegated to the backburner on the to-do list, because they aren't grabbing headlines or attention. Without Avast's public disclosure of their findings, CVE-2024-21338 would likely never have risen to the top of the headlines.”
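To make Leonard's point concrete, here is an added example (not code from the article, Avast, or Syxsense) of exploitation-aware patch prioritization in Python. It constructs a synthetic release shaped like the numbers the article gives (72 fixes, 29 scored above 7.8, CVE-2024-21338 at 7.8, two higher-scored fixes already flagged as exploited by the vendor) and shows how far down the queue CVE-2024-21338 lands when ranked by CVSS alone, versus where it lands once third-party research flags it as exploited. All identifiers other than CVE-2024-21338 are placeholders, and the scores and flags are constructed, not real data.

```python
"""Exploitation-aware patch prioritization (added example, constructed data)."""
from __future__ import annotations

import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Fix:
    cve: str
    cvss: float
    exploited: bool  # known exploitation from any source (vendor bulletin, KEV list, research)


def build_sample_release(seed: int = 1) -> list[Fix]:
    """Construct a synthetic 72-fix release that mirrors the article's numbers.

    The vendor bulletin flags only two higher-scored fixes as exploited; the
    7.8-rated CVE-2024-21338 carries no exploitation flag at release time.
    Every identifier other than CVE-2024-21338 is a placeholder, not a real CVE.
    """
    rng = random.Random(seed)
    fixes: list[Fix] = []
    for i in range(29):  # 29 fixes rated above 7.8; the first two vendor-flagged
        fixes.append(Fix(f"CVE-PLACEHOLDER-HIGH-{i:02d}", round(rng.uniform(7.9, 9.8), 1), i < 2))
    fixes.append(Fix("CVE-2024-21338", 7.8, False))
    for i in range(42):  # the remaining 42 fixes rated at or below 7.7
        fixes.append(Fix(f"CVE-PLACEHOLDER-LOW-{i:02d}", round(rng.uniform(4.0, 7.7), 1), False))
    rng.shuffle(fixes)
    return fixes


def apply_research_flags(fixes: list[Fix], exploited_cves: set[str]) -> list[Fix]:
    """Return a copy of the release with exploitation flags from outside research applied."""
    return [replace(f, exploited=True) if f.cve in exploited_cves else f for f in fixes]


def rank_by_cvss(fixes: list[Fix]) -> list[Fix]:
    """Severity-only ordering: highest CVSS first, exploitation status ignored."""
    return sorted(fixes, key=lambda f: -f.cvss)


def rank_exploit_aware(fixes: list[Fix]) -> list[Fix]:
    """Known-exploited fixes first, then everything else by CVSS."""
    return sorted(fixes, key=lambda f: (not f.exploited, -f.cvss))


def position(ranked: list[Fix], cve: str) -> int:
    """1-based position of a CVE in a ranked queue."""
    return next(i for i, f in enumerate(ranked, start=1) if f.cve == cve)


def count_above(fixes: list[Fix], score: float) -> int:
    return sum(1 for f in fixes if f.cvss > score)


if __name__ == "__main__":
    release = build_sample_release()
    target = "CVE-2024-21338"
    print("fixes in release:", len(release), "| rated above 7.8:", count_above(release, 7.8))
    print("CVSS-only queue position:", position(rank_by_cvss(release), target))
    print("exploit-aware, vendor flags only:", position(rank_exploit_aware(release), target))
    flagged = apply_research_flags(release, {target})
    print("exploit-aware, after research flag:", position(rank_exploit_aware(flagged), target))
```

With the vendor's flags alone, the exploit-aware ordering places CVE-2024-21338 no higher than the CVSS-only ordering does (30th of 72), because nothing in the bulletin distinguishes it from the other unflagged 7.8s and below. Feeding a research-derived exploitation flag into the same ranking moves it to third, behind only the two fixes the vendor already marked as weaponized. The design point is that the ranking function should take exploitation status as a first-class input from whatever sources the team trusts, rather than relying on the bulletin's severity score as a proxy for urgency.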
