North Korean Hackers Exploit Windows Zero-Day for Six Months

In a major win for North Korean hackers, Microsoft left a Windows zero-day unpatched for six months while it was actively exploited by the threat group Lazarus. The vulnerability allowed for the installation of a stealthy rootkit on vulnerable computers, providing an easy and covert means for malware with administrative system rights to interact with the Windows kernel.

North Korean Hackers Exploit Windows Zero-Day for Six Months


In a major win for North Korean hackers, Microsoft left a Windows zero-day unpatched for six months while it was actively exploited by the threat group Lazarus. The vulnerability allowed for the installation of a stealthy rootkit on vulnerable computers, providing an easy and covert means for malware with administrative system rights to interact with the Windows kernel.

Admin-to-Kernel Vulnerabilities: A Security Boundary Blurred


Security firm Avast researcher Jan Vojtěšek highlighted the thin line between admin and kernel in Windows security. Microsoft's long-standing assertion that "administrator-to-kernel is not a security boundary" allowed for the delay in patching the vulnerability. This policy gave Lazarus the opportunity to deploy "FudModule," a sophisticated rootkit that excelled in stealth and advanced capabilities.

The Reader's Guide

BYOVD Technique vs. CVE-2024-21338


Historically, threat groups like Lazarus have exploited third-party system drivers to reach the Windows kernel. However, the vulnerability CVE-2024-21338, exploited by Lazarus, targeted appid.sys, a driver integral to the Windows AppLocker service. This approach provided a level of stealth that surpassed the BYOVD technique, making it a coveted "holy grail" for threat actors.

Delayed Patching and Active Exploitation Disclosure


Despite Avast researchers notifying Microsoft of the zero-day in August, the vulnerability remained unpatched until last month. The disclosure of active exploitation and details of the Lazarus rootkit came from Avast, not Microsoft. Only after Avast's revelation did Microsoft update its patch bulletin to acknowledge the exploitation.

In the ever-evolving landscape of cybersecurity threats, the delayed response to critical vulnerabilities poses significant risks to users worldwide. The incident underscores the importance of timely and transparent communication between security researchers and software vendors to mitigate the impact of malicious actors. Microsoft's handling of the zero-day raises questions about the effectiveness of its security servicing criteria and the need for a more proactive approach to addressing emerging threats. As cyber threats continue to evolve, collaboration and swift action are crucial to safeguarding digital environments against sophisticated adversaries like Lazarus.

Related News

Saadat Qureshi

Hey, I'm Saadat Qureshi, your guide through the exciting worlds of education and technology. Originally from Karachi and a proud alum of the University of Birmingham, I'm now back in Karachi, Pakistan, exploring the intersection of learning and tech. Stick around for my fresh takes on the digital revolution! Connect With Me