Microsoft has finally addressed a high severity vulnerability that it reportedly knew was being exploited for at least half a year.
The flaw, identified as CVE-2024-21338, was first discovered by cybersecurity researchers at Avast about six months ago.
Described as a Windows kernel privilege escalation vulnerability, the flaw was discovered in the Windows AppLocker appid.sys driver. It affected several versions of the Windows 10 and Windows 11 operating systems. It was also found in Windows Server 2019 and 2022.
Patch Tuesday to the rescue
Last year, Avast researchers notified Microsoft about the flaw, saying it was being used as a zero-day vulnerability. Since then, some of the world's largest and most dangerous threat actors have been actively using the flaw, including the North Koreans.
We recently reported on Lazarus Group, a threat actor known to have ties to the North Korean government, abusing this same flaw to gain kernel-level access to vulnerable devices and disable antivirus programs.
To exploit the zero-day, Lazarus used a new version of FudModule, its proprietary rootkit that was first detected in late 2022. In previous attacks, the rootkit abused a Dell driver, in what is known as the Bring Your attack. Own Vulnerable Driver (BYOVD). . Now, FudModule is stealthier and more functional, offering more ways to avoid detection and disable endpoint protection solutions.
The group apparently used it to disable products such as AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon, and the HitmanPro anti-malware solution.
Now, in mid-February 2024, a patch for the flaw is available. Microsoft also updated its advisory about the vulnerability last week, confirming that the flaw is being abused in the wild. However, no details about the attackers were shared. “To exploit this vulnerability, an attacker would first need to log in to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system,” Microsoft explained.
Users should install the February patch cumulative update, Microsoft recommended.
Through beepcomputer
