

Major Security Flaw Exploited by North Korean Hackers
Hackers backed by the North Korean government scored a significant victory because Microsoft delayed patching a critical Windows zero-day vulnerability that had been actively exploited for six months.
Unveiling the Security Breach
Although Microsoft eventually released a patch for the vulnerability, the company did not disclose that the North Korean threat group Lazarus had been using the flaw since August to deploy a sophisticated rootkit on compromised systems. The flaw let malware that already held admin rights interact with the Windows kernel covertly. Microsoft’s position that such admin-to-kernel elevations do not cross a security boundary may explain why the fix took so long.
The Thin Line Between Admin and Kernel
According to Jan Vojtěšek from Avast, the distinction between administrator and kernel access in Windows security is minimal. Microsoft’s security guidelines have stated that “Administrator-to-kernel is not a security boundary,” giving the company the liberty to handle such vulnerabilities at its own discretion. Therefore, Windows security mechanisms do not guarantee protection against admin-level threats accessing the kernel directly.
The Rootkit Revelation
Lazarus took advantage of Microsoft’s policy by installing “FudModule,” a sophisticated rootkit that Avast described as highly stealthy and advanced. Rootkits conceal their presence from the operating system while controlling its deepest levels. This requires the malware first to obtain administrative privileges and then to gain direct access to the kernel, something any modern operating system is designed to make difficult.
Innovative Exploitation Techniques
Previously, threat actors like Lazarus exploited vulnerabilities in third-party system drivers to reach the kernel. However, because Windows only loads drivers that are digitally signed by Microsoft, a third-party driver loaded for this purpose is a recognizable artifact that defenders can watch for. The zero-day exploit by Lazarus (CVE-2024-21338) instead targeted appid.sys, a built-in driver essential to the Windows AppLocker service, offering a much stealthier approach than traditional driver exploits.
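To make the detection gap concrete, here is an added example (not from the article or Avast) of the kind of driver-load triage a defender might run over Sysmon Event ID 6 records. The event records, hashes and vendor names are constructed sample data, and the signer string “Microsoft Windows” is assumed to match how Sysmon reports Windows components.

```python
"""Triage of driver-load events: catches classic third-party-driver abuse,
but shows why exploitation of a built-in driver such as appid.sys leaves
no load-time artifact to alert on. Sample data is constructed, not real."""
from dataclasses import dataclass


@dataclass
class DriverLoad:
    image: str       # path of the loaded driver image
    signed: bool     # whether the image carried a valid signature
    signature: str   # signer subject as the sensor reports it (assumed format)
    hashes: str      # hash field; placeholders here, not real indicators


# Constructed events resembling Sysmon Event ID 6 (DriverLoad) fields.
EVENTS = [
    DriverLoad(r"C:\Windows\System32\drivers\appid.sys", True,
               "Microsoft Windows", "SHA256=PLACEHOLDER_A"),
    DriverLoad(r"C:\Users\Public\vendorutil.sys", True,
               "Example Vendor Corp", "SHA256=PLACEHOLDER_B"),
    DriverLoad(r"C:\Windows\Temp\helper.sys", False, "",
               "SHA256=PLACEHOLDER_C"),
]

SYSTEM_DRIVER_DIR = r"c:\windows\system32\drivers"


def classify(ev: DriverLoad) -> str:
    """Return a triage verdict for one driver-load event.

    A vendor-signed or unsigned driver loaded from outside the system driver
    directory is the recognizable artifact of third-party driver abuse.
    A Windows-signed driver in its normal location is classified 'baseline'
    even if it is being exploited: that is the stealth advantage of
    targeting appid.sys that the article describes."""
    in_system_dir = ev.image.lower().startswith(SYSTEM_DRIVER_DIR)
    if not ev.signed:
        return "alert: unsigned driver loaded"
    if ev.signature == "Microsoft Windows" and in_system_dir:
        return "baseline"
    if not in_system_dir:
        return "alert: third-party driver loaded from non-standard path"
    return "review: third-party driver in system directory"


def triage(events):
    """Map each driver image to its verdict."""
    return {ev.image: classify(ev) for ev in events}


if __name__ == "__main__":
    for image, verdict in triage(EVENTS).items():
        print(f"{verdict:60} {image}")
```

The point of the example is the first record: load-time heuristics cannot distinguish a legitimately loaded appid.sys from one being exploited, so detection has to move to post-load behaviour and to confirming the patch is applied.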
Advancing Stealth in Cyber Attacks
Exploiting a built-in driver vulnerability like the one in appid.sys marks a significant advance in threat actor tactics, because it offers a level of stealth that traditional third-party driver exploits lack. Although Avast notified Microsoft about the zero-day exploit in August, the delay in patching the vulnerability allowed Lazarus to maintain its covert operations.
Read more on Ars Technica
