Lazarus exploiting Windows Applocker Zero-day Vulnerability

The North Korean hacking group Lazarus is exploiting a now-patched zero-day vulnerability in the Microsoft Windows AppLocker driver. The details of the vulnerability and the cyber-attacks are shared below.

Salient points

  • New exploitation attempts are being tracked for CVE-2024-21338, a vulnerability affecting the Microsoft Windows AppLocker driver.
  • The vulnerability is a Windows Kernel Elevation of Privilege Vulnerability.
  • It has a CVSS rating of 7.8 and IMPORTANT severity.
  • The vulnerability was first detected last year. Subsequently, Microsoft patched the vulnerability in the February 2024 Patch Tuesday program. However, Microsoft recently updated the security advisory. It confirmed the new exploitation attempts for CVE-2024-21338.
  • Lazarus uses malware to exploit a vulnerability in Microsoft’s appid.sys driver, the Windows AppLocker component that provides application whitelisting.
  • Lazarus used the AppLocker exploit to establish a kernel read/write primitive. This primitive allowed the hackers to enhance their malicious FudModule rootkit.
  • This vulnerability was detected by Jan Vojtěšek with Avast.
  • Avast developed a custom PoC (Proof of Concept) exploit and submitted it in August 2023 as part of a vulnerability report to Microsoft. This led to a security advisory for CVE-2024-21338 in the February Patch Tuesday update program.

What versions of Windows are affected?

The AppLocker vulnerability CVE-2024-21338 affects the following versions of Windows:

CVE-2024-21338 Vulnerability

Windows Version                                              | Build Number     | Fixed in Security Update
-------------------------------------------------------------|------------------|-------------------------
Windows Server 2022, 23H2 Edition (Server Core installation) | 10.0.25398.709   | KB5034769
Windows 11 Version 23H2 for x64-based Systems                | 10.0.22631.3155  | KB5034765
Windows 11 Version 23H2 for ARM64-based Systems              | 10.0.22631.3155  | KB5034765
Windows 10 Version 22H2 for 32-bit Systems                   | 10.0.19045.4046  | KB5034763
Windows 10 Version 22H2 for ARM64-based Systems              | 10.0.19045.4046  | KB5034763
Windows 10 Version 22H2 for x64-based Systems                | 10.0.19045.4046  | KB5034763
Windows 11 Version 22H2 for x64-based Systems                | 10.0.22621.3155  | KB5034765
Windows 11 Version 22H2 for ARM64-based Systems              | 10.0.22621.3155  | KB5034765
Windows 10 Version 21H2 for x64-based Systems                | 10.0.19044.4046  | KB5034763
Windows 10 Version 21H2 for ARM64-based Systems              | 10.0.19044.4046  | KB5034763
Windows 10 Version 21H2 for 32-bit Systems                   | 10.0.19044.4046  | KB5034763
Windows 11 Version 21H2 for ARM64-based Systems              | 10.0.22000.2777  | KB5034766
Windows 11 Version 21H2 for x64-based Systems                | 10.0.22000.2777  | KB5034766
Windows Server 2022 (Server Core installation)               | 10.0.20348.2322  | KB5034770
Windows Server 2022                                          | 10.0.20348.2322  | KB5034770
Windows Server 2019 (Server Core installation)               | 10.0.17763.5458  | KB5034768
Windows Server 2019                                          | 10.0.17763.5458  | KB5034768
Windows 10 Version 1809 for ARM64-based Systems              | 10.0.17763.5458  | KB5034768
Windows 10 Version 1809 for x64-based Systems                | 10.0.17763.5458  | KB5034768
Windows 10 Version 1809 for 32-bit Systems                   | 10.0.17763.5458  | KB5034768

The vulnerability is fixed in the corresponding security updates released on 9 February 2024.

About CVE-2024-21338

We share brief details of the CVE-2024-21338 vulnerability below:

  • CVSS Score is 7.8
  • Severity is IMPORTANT
  • Impact is ‘Escalation of Privileges’

Description of the vulnerability:

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

Microsoft recommends installing the security updates that correspond to affected versions of Windows operating systems.
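A practical way to act on the table above and on Microsoft's advice is to compare the running OS build against the fixed build for that Windows branch. The PowerShell below is an added example written for this page; it is not code from the article, from Microsoft or from Avast. The build-to-update mapping is transcribed from the table above, the registry values it reads (CurrentMajorVersionNumber, CurrentMinorVersionNumber, CurrentBuild, UBR) are the standard Windows version keys, and the appid.sys path is the usual driver location; both are assumptions about the host being checked, not facts the article states.

```powershell
# Added example (not from the article, Microsoft or Avast): report whether this
# host's OS build is at or above the build that fixes CVE-2024-21338.
# Fixed builds and KB numbers are transcribed from the article's table.
$FixedBuilds = @{
    '10.0.25398' = @{ Build = [version]'10.0.25398.709';  KB = 'KB5034769' }  # Server 2022 23H2 (Core)
    '10.0.22631' = @{ Build = [version]'10.0.22631.3155'; KB = 'KB5034765' }  # Windows 11 23H2
    '10.0.22621' = @{ Build = [version]'10.0.22621.3155'; KB = 'KB5034765' }  # Windows 11 22H2
    '10.0.22000' = @{ Build = [version]'10.0.22000.2777'; KB = 'KB5034766' }  # Windows 11 21H2
    '10.0.20348' = @{ Build = [version]'10.0.20348.2322'; KB = 'KB5034770' }  # Windows Server 2022
    '10.0.19045' = @{ Build = [version]'10.0.19045.4046'; KB = 'KB5034763' }  # Windows 10 22H2
    '10.0.19044' = @{ Build = [version]'10.0.19044.4046'; KB = 'KB5034763' }  # Windows 10 21H2
    '10.0.17763' = @{ Build = [version]'10.0.17763.5458'; KB = 'KB5034768' }  # Win 10 1809 / Server 2019
}

function Get-LocalOsBuild {
    # Assumption: the full four-part build lives in the CurrentVersion key;
    # UBR carries the revision that distinguishes patched from unpatched.
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    return [version]('{0}.{1}.{2}.{3}' -f $cv.CurrentMajorVersionNumber,
                                          $cv.CurrentMinorVersionNumber,
                                          $cv.CurrentBuild,
                                          $cv.UBR)
}

function Test-Cve202421338Patched {
    param([Parameter(Mandatory)][version]$Build)

    # Key on major.minor.build; the revision decides the patch level.
    $branch = '{0}.{1}.{2}' -f $Build.Major, $Build.Minor, $Build.Build
    if (-not $FixedBuilds.ContainsKey($branch)) {
        return [pscustomobject]@{
            Build  = $Build
            Status = 'Unknown'
            Note   = 'Branch not listed in the article table; check the MSRC advisory'
        }
    }

    $fix = $FixedBuilds[$branch]
    # A later cumulative update supersedes the February one, so the KB may not
    # appear in Get-HotFix even on a patched host; the build comparison is the
    # authoritative test and the KB lookup is only a supporting signal.
    $kbPresent = [bool](Get-HotFix -Id $fix.KB -ErrorAction SilentlyContinue)

    return [pscustomobject]@{
        Build       = $Build
        FixedBuild  = $fix.Build
        Update      = $fix.KB
        KbInstalled = $kbPresent
        Status      = if ($Build -ge $fix.Build) { 'Patched' } else { 'VULNERABLE' }
    }
}

# Informational: version of the affected driver on disk (assumed standard path).
$driver = Join-Path $env:SystemRoot 'System32\drivers\appid.sys'
if (Test-Path $driver) {
    'appid.sys file version: {0}' -f (Get-Item $driver).VersionInfo.FileVersion
}

Test-Cve202421338Patched -Build (Get-LocalOsBuild) | Format-List
```

Run it in an elevated PowerShell session on each host, or wrap the call in Invoke-Command to fan it out across a fleet. A result of VULNERABLE means the host is still on a build older than the one in the table and needs the corresponding cumulative update; Unknown means the branch is not one the article lists and should be checked against the vendor advisory rather than assumed safe.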

The vulnerability resides in the IOCTL (Input and Output Control) dispatcher of the appid.sys driver.

Avast posted a blog about the CVE-2024-21338 vulnerability.

“By exploiting such a vulnerability, the attacker is in a sense living off the land with no need to bring, drop, or load any custom drivers, making it possible for a kernel attack to be truly fileless. This not only evades most detection mechanisms but also enables the attack on systems where driver allowlisting is in place,” Avast stated in the blog post.

By exploiting CVE-2024-21338, Lazarus hackers were able to elevate their privileges on the compromised system and establish a kernel read/write primitive. This enabled them to perform direct kernel object manipulation in an updated version of the FudModule rootkit, which came to light in 2022. 


Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.