Windows 10 and Server Flaw Exploited by Hackers Using Dangerous Rootkit

The infamous and highly prolific North Korean hacking group Lazarus exploited a Windows security flaw that elevates privileges from administrator to kernel in an updated version of its FudModule rootkit.

In a detailed analysis of the Lazarus exploit and the FudModule rootkit, Jan Vojtěšek of Avast Threat Labs explains how the researchers discovered the exploit for this previously unknown zero-day vulnerability in the Windows appid.sys AppLocker driver.

Although the vulnerability itself, which is monitored as CVE-2024-21338, was reported to Microsoft by Avast in August 2023 along with a proof-of-concept exploit, it wasn’t patched until the February 13 Patch Tuesday updates were made available. However, when the updates were distributed, CVE-2024-21338 wasn’t listed as a zero-day with exploits in the wild.

“From an attacker’s point of view, going from administrator to kernel opens up a whole new set of possibilities,” Vojtěšek says. “With kernel-level access, an attacker can disrupt security software, hide signs of infection (including files, network activity, processes), disable kernel-mode telemetry, disable mitigations, and much more.”

As for the FudModule rootkit, Vojtěšek says it represents “one of the most complex tools that Lazarus has in its arsenal.”

Microsoft has published an updated security advisory that identifies it as a zero-day vulnerability.

As it also affects versions of Windows 10, Windows 11, and Windows Server, users are asked to check the updated security advisory and apply the patch if they have not already done so.

That Microsoft has now issued a patch for this vulnerability means, the Avast analysis says, that Lazarus’ offensive operations will undoubtedly be disrupted.

“Although finding a zero-day from administrator to kernel is not as difficult as finding a zero-day on a more vulnerable attack surface (such as from a standard user to the kernel, or even from a sandbox to the kernel),” Vojtěšek concludes, “to find one, Lazarus would still have to invest significant resources, which could divert its attention from attacking other unfortunate targets.”
