BETA
This is a BETA experience. You may opt-out by clicking here

More From Forbes

Small Business Growth In The Digital Age
Elon Musk Fact-Checked On X After Surprise Messaging Warning
The Evolving Landscape Of Security Operations Centers
Streamlining Cash Flow Management With AI
New FBI Warning As Hackers Strike: Email Senders Must Do This 1 Thing
3 Million Hacked Hotel Keycards – What Could Go Wrong?
Edit Story
ForbesInnovationCybersecurity

Dangerous Windows 10, 11 And Server Rootkit Exploited By Hackers

Davey Winder
Senior Contributor
Opinions expressed by Forbes Contributors are their own.
Veteran cybersecurity and tech analyst, journalist, hacker, author
Following

The notorious and highly prolific North Korean Lazarus criminal hacking group has been exploiting an admin-to-kernel privilege escalation Windows security flaw using an updated version of its FudModule rootkit.

What Is CVE-2024-21338 And Why Is It So Dangerous?

In a detailed analysis of the exploit, Lazarus and the FudModule Rootkit, Jan Vojtěšek from the Avast Threat Labs explains how researchers found the exploit for this previously unknown zero-day vulnerability in the Windows appid.sys AppLocker driver.

Although the vulnerability itself, which is monitored as CVE-2024-21338, was reported to Microsoft by Avast in August 2023 along with a proof-of-concept exploit, it wasn’t patched until the February 13 Patch Tuesday updates were made available. However, when the updates were distributed, CVE-2024-21338 wasn’t listed as a zero-day with exploits in the wild.

“From the attacker’s perspective, crossing from admin to kernel opens a whole new realm of possibilities,” Vojtěšek says. “With kernel-level access, an attacker might disrupt security software, conceal indicators of infection (including files, network activity, processes,) disable kernel-mode telemetry, turn off mitigations, and more.”

As for the FudModule rootkit, Vojtěšek says this represents “one of the most complex tools Lazarus holds in their arsenal.”

MORE FROMFORBES ADVISOR

Best High-Yield Savings Accounts Of 2024

By
Kevin Payne
Contributor

Best 5% Interest Savings Accounts of 2024

By
Cassidy Horton
Contributor

Microsoft Issued Fix As Part Of February Patch Tuesday

Microsoft has now published an updated security advisory recognizes this as a zero-day vulnerability.

Impacting various versions of Windows 10, Windows 11 and Windows Server, users are advised to check the updated security advisory and apply the patch if they have not already done so.

That Microsoft has now issued a patch for this vulnerability means, the Avast analysis says, that Lazarus’ offensive operations will undoubtedly be disrupted.

“While discovering an admin-to-kernel zero-day may not be as challenging as discovering a zero-day in a more attractive attack surface (such as standard user-to-kernel, or even sandbox-to-kernel),” Vojtěšek concludes, “we believe that finding one would still require Lazarus to invest significant resources, potentially diverting their focus from attacking some other unfortunate targets.”

ForbesRussia Targets Ukraine With Hybrid CyberattackBy Davey Winder
Follow me on Twitter or LinkedInCheck out my website or some of my other work here
Davey Winder
Davey Winder
Following

Join The Conversation

Comments 

One Community. Many Voices. Create a free account to share your thoughts. 

Read our community guidelines .

Forbes Community Guidelines

Our community is about connecting people through open and thoughtful conversations. We want our readers to share their views and exchange ideas and facts in a safe space.

In order to do so, please follow the posting rules in our site's Terms of Service.  We've summarized some of those key rules below. Simply put, keep it civil.

Your post will be rejected if we notice that it seems to contain:

  • False or intentionally out-of-context or misleading information
  • Spam
  • Insults, profanity, incoherent, obscene or inflammatory language or threats of any kind
  • Attacks on the identity of other commenters or the article's author
  • Content that otherwise violates our site's terms.

User accounts will be blocked if we notice or believe that users are engaged in:

  • Continuous attempts to re-post comments that have been previously moderated/rejected
  • Racist, sexist, homophobic or other discriminatory comments
  • Attempts or tactics that put the site security at risk
  • Actions that otherwise violate our site's terms.

So, how can you be a power user?

  • Stay on topic and share your insights
  • Feel free to be clear and thoughtful to get your point across
  • ‘Like’ or ‘Dislike’ to show your point of view.
  • Protect your community.
  • Use the report tool to alert us when someone breaks the rules.

Thanks for reading our community guidelines. Please read the full list of posting rules found in our site's Terms of Service.