The North Korean hacking group Lazarus is exploiting a zero-day vulnerability in the Microsoft Windows AppLocker driver. Details of the vulnerability and the attacks are shared below.
Salient points
- New exploitation attempts are being tracked for the vulnerability CVE-2024-21338 affecting the Microsoft Windows Applocker driver.
- The vulnerability is a Windows Kernel Elevation of Privilege Vulnerability.
- It has a CVSS rating of 7.8 and IMPORTANT severity.
- The vulnerability was first detected last year and patched by Microsoft in the February 2024 Patch Tuesday release. Microsoft has since updated the security advisory to confirm new exploitation attempts for CVE-2024-21338.
- Lazarus uses malware to exploit a vulnerability in Microsoft’s ‘appid.sys’ driver. This driver is the Windows AppLocker component that provides application whitelisting.
- Lazarus Group used the AppLocker exploit to establish a kernel read/write primitive. This primitive allowed the hackers to enhance their malicious FudModule rootkit.
- This vulnerability was detected by Jan Vojtěšek with Avast.
- Avast developed a custom PoC (Proof of Concept) exploit and submitted it in August 2023 as part of a vulnerability report to Microsoft. This led to a security advisory for CVE-2024-21338 in the February Patch Tuesday update program.
What versions of Windows are affected?
The Applocker vulnerability CVE-2024-21338 affects the following versions of Windows:
CVE-2024-21338 Vulnerability
Windows Version | Build Number | Fixed in Security Update |
---|---|---|
Windows Server 2022, 23H2 Edition (Server Core installation) | 10.0.25398.709 | KB5034769 |
Windows 11 Version 23H2 for x64-based Systems | 10.0.22631.3155 | KB5034765 |
Windows 11 Version 23H2 for ARM64-based Systems | 10.0.22631.3155 | KB5034765 |
Windows 10 Version 22H2 for 32-bit Systems | 10.0.19045.4046 | KB5034763 |
Windows 10 Version 22H2 for ARM64-based Systems | 10.0.19045.4046 | KB5034763 |
Windows 10 Version 22H2 for x64-based Systems | 10.0.19045.4046 | KB5034763 |
Windows 11 Version 22H2 for x64-based Systems | 10.0.22621.3155 | KB5034765 |
Windows 11 Version 22H2 for ARM64-based Systems | 10.0.22621.3155 | KB5034765 |
Windows 10 Version 21H2 for x64-based Systems | 10.0.19044.4046 | KB5034763 |
Windows 10 Version 21H2 for ARM64-based Systems | 10.0.19044.4046 | KB5034763 |
Windows 10 Version 21H2 for 32-bit Systems | 10.0.19044.4046 | KB5034763 |
Windows 11 version 21H2 for ARM64-based Systems | 10.0.22000.2777 | KB5034766 |
Windows 11 version 21H2 for x64-based Systems | 10.0.22000.2777 | KB5034766 |
Windows Server 2022 (Server Core installation) | 10.0.20348.2322 | KB5034770 |
Windows Server 2022 | 10.0.20348.2322 | KB5034770 |
Windows Server 2019 (Server Core installation) | 10.0.17763.5458 | KB5034768 |
Windows Server 2019 | 10.0.17763.5458 | KB5034768 |
Windows 10 Version 1809 for ARM64-based Systems | 10.0.17763.5458 | KB5034768 |
Windows 10 Version 1809 for x64-based Systems | 10.0.17763.5458 | KB5034768 |
Windows 10 Version 1809 for 32-bit Systems | 10.0.17763.5458 | KB5034768 |
The vulnerability is fixed in the corresponding security updates released on 9 February 2024.
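The table above gives a fixed build number per Windows release, so a patch-status check only needs to compare the fourth component of the installed build (the update build revision, UBR) against the fixed value for that release. The following Python script is an added example, not code from the article or from Microsoft: the `FIXED_BUILDS` table is transcribed from the article's table, the `check_cve_2024_21338` and `current_build` function names are this example's own, and on Windows the installed build is assumed to be readable from the `CurrentMajorVersionNumber`, `CurrentMinorVersionNumber`, `CurrentBuildNumber` and `UBR` values under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion`.

```python
"""Check whether a Windows build is at or above the build that fixes CVE-2024-21338.

Added example, not part of the original article. The fixed-build table is
transcribed from the article's list of affected versions; any release not in
that table is reported as "unknown" rather than assumed patched.
"""
from typing import Dict, Optional, Tuple

# Build number (third component) -> (minimum fixed UBR, security update KB),
# transcribed from the article's affected-versions table.
FIXED_BUILDS: Dict[int, Tuple[int, str]] = {
    25398: (709, "KB5034769"),   # Windows Server 2022, 23H2 Edition
    22631: (3155, "KB5034765"),  # Windows 11 23H2
    22621: (3155, "KB5034765"),  # Windows 11 22H2
    22000: (2777, "KB5034766"),  # Windows 11 21H2
    20348: (2322, "KB5034770"),  # Windows Server 2022
    19045: (4046, "KB5034763"),  # Windows 10 22H2
    19044: (4046, "KB5034763"),  # Windows 10 21H2
    17763: (5458, "KB5034768"),  # Windows 10 1809 / Windows Server 2019
}


def parse_build(build: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.build.ubr' (e.g. '10.0.19045.4046') into integers."""
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected build string: {build!r}")
    major, minor, build_no, ubr = (int(p) for p in parts)
    return major, minor, build_no, ubr


def check_cve_2024_21338(build: str) -> Dict[str, object]:
    """Classify a build as 'patched', 'vulnerable' or 'unknown' for CVE-2024-21338."""
    major, minor, build_no, ubr = parse_build(build)
    if (major, minor) != (10, 0):
        return {"status": "unknown", "reason": "not a 10.0.x (Windows 10/11/Server) build"}
    entry = FIXED_BUILDS.get(build_no)
    if entry is None:
        # A release missing from the table (e.g. a newer feature update) is not
        # assumed safe; it simply is not covered by the article's table.
        return {"status": "unknown", "reason": f"build {build_no} not in the affected-versions table"}
    fixed_ubr, kb = entry
    if ubr >= fixed_ubr:
        return {"status": "patched", "kb": kb}
    return {"status": "vulnerable", "kb": kb, "needed_ubr": fixed_ubr}


def current_build() -> Optional[str]:
    """Read the installed build from the registry on Windows; None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        major = winreg.QueryValueEx(key, "CurrentMajorVersionNumber")[0]
        minor = winreg.QueryValueEx(key, "CurrentMinorVersionNumber")[0]
        build_no = winreg.QueryValueEx(key, "CurrentBuildNumber")[0]
        ubr = winreg.QueryValueEx(key, "UBR")[0]
    return f"{major}.{minor}.{build_no}.{ubr}"


if __name__ == "__main__":
    installed = current_build()
    if installed is None:
        # Constructed sample builds for running the check off-Windows.
        for sample in ("10.0.19045.4046", "10.0.19045.4045", "10.0.26100.1"):
            print(sample, check_cve_2024_21338(sample))
    else:
        print(installed, check_cve_2024_21338(installed))
```

The build number (third component) identifies the release, which matters here because Windows 10 21H2 and 22H2 share the same update (KB5034763) but differ in that component; the UBR alone would not tell them apart. Treating unlisted builds as "unknown" avoids the common mistake of reporting a release the table never covered as patched.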
About CVE-2024-21338
We share brief details of the CVE-2024-21338 vulnerability below:
- CVSS Score is 7.8
- Severity is IMPORTANT
- Impact is ‘Escalation of Privileges’
Description of the vulnerability:
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
Microsoft recommends installing the security updates that correspond to affected versions of Windows operating systems.
The vulnerability resides in the IOCTL (Input/Output Control) dispatcher of the appid.sys driver.
Avast published a blog post about the CVE-2024-21338 vulnerability.
“By exploiting such a vulnerability, the attacker is in a sense living off the land with no need to bring, drop, or load any custom drivers, making it possible for a kernel attack to be truly fileless. This not only evades most detection mechanisms but also enables the attack on systems where driver allowlisting is in place,” Avast stated in the blog post.
By exploiting CVE-2024-21338, Lazarus hackers were able to elevate their privileges on the compromised system and establish a kernel read/write primitive. This enabled them to perform direct kernel object manipulation in an updated version of the FudModule rootkit, which came to light in 2022.
Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.