North Korean Hackers Exploit Unpatched Windows Zero-Day for Six Months, Microsoft Silent
In a major win for hackers backed by the North Korean government, Microsoft left a Windows zero-day vulnerability unpatched for six months after being told it was being actively exploited. The vulnerability, tracked as CVE-2024-21338, allowed the threat group Lazarus to install a stealthy rootkit called “FudModule” on vulnerable computers. Security firm Avast, which uncovered the exploitation, described the rootkit as exceptionally advanced and stealthy, making it difficult to detect.
The vulnerability was particularly significant because it sat in appid.sys, the kernel driver behind the Windows AppLocker service. An attacker who already held administrator rights on a machine could use it to obtain kernel-level read and write access (the “admin-to-kernel” transition discussed below). From the kernel, the malware could disrupt security software, conceal indicators of infection, disable kernel-mode telemetry, and more. The ability to tamper with protected processes, or to grant protection to an arbitrary process of the attackers’ choosing, further extended their capabilities.
Avast researchers first alerted Microsoft to the zero-day vulnerability in August 2023, providing proof-of-concept code to demonstrate its exploitation. Microsoft did not release a patch until February 2024. Surprisingly, Microsoft’s advisory did not disclose that the vulnerability was being actively exploited, nor did it provide details about the Lazarus rootkit; that information came from Avast 15 days later. It remains unclear why the patch was delayed or why Microsoft initially failed to disclose the exploitation.
The delay gave Lazarus an extended window in which to exploit the bug and install FudModule. The rootkit allowed Lazarus to bypass Windows defenses including endpoint detection and response (EDR) products and Protected Process Light (PPL), the mechanism that prevents unprotected processes from reading the memory of, or injecting code into, protected ones. Because FudModule ran in the kernel and could switch off the telemetry defenders rely on, the intrusion was difficult to detect.
While some researchers criticized Microsoft’s handling of the vulnerability, others acknowledged that delays in patching vulnerabilities are common. Will Dormann, a senior vulnerability analyst at security firm Analygence, suggested that Microsoft may have had legitimate reasons for the delay, such as prioritizing other security fixes or not treating admin-to-kernel as a security boundary. However, Dormann also noted that waits of six months to fix vulnerabilities may not be acceptable.
With the vulnerability and the Lazarus rootkit now public, the risk that other attackers will pick up the technique has increased. Windows users and administrators should prioritize installing the February 2024 security update, or any later cumulative update, which closes the admin-to-kernel route. Patching does not evict a rootkit that is already installed, however: a machine that was compromised before the update needs incident response, not just the patch. The exact reasons behind Microsoft’s handling of the vulnerability remain unknown, leaving room for speculation. Nevertheless, the episode underlines how much depends on vendors addressing actively exploited vulnerabilities promptly and on defenders keeping their systems current.
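The following PowerShell check turns the patching advice above into something an administrator can run on a fleet. It is an added example written by the editor, not code from the article, Avast, or Microsoft. It compares the host’s OS build revision against the build that the February 2024 cumulative update raised each listed Windows version to, and prints the installed appid.sys version for manual comparison. The build table is this script’s own assumption: confirm the numbers against Microsoft’s advisory for CVE-2024-21338 before relying on it, and add any Windows edition the table does not list (those hosts are reported as UNKNOWN rather than guessed).

```powershell
# Editor's added example, not from the original article or the vendors it describes.
# Reports whether this host's OS build is at or beyond the February 2024 cumulative
# update for CVE-2024-21338 and shows the installed appid.sys version.
#
# ASSUMPTION: the minimum-build table below is the editor's; verify it against the
# MSRC advisory for CVE-2024-21338 and extend it for editions it does not cover.
$MinimumPatchedBuild = @{
    22631 = 3155   # Windows 11 23H2  (KB5034765)
    22621 = 3155   # Windows 11 22H2  (KB5034765)
    19045 = 4046   # Windows 10 22H2  (KB5034763)
    19044 = 4046   # Windows 10 21H2  (KB5034763)
    20348 = 2322   # Windows Server 2022 (KB5034770)
}

function Get-OsBuildParts {
    # Major build (e.g. 22631) and update build revision (e.g. 3155) from the registry.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Build    = [int]$cv.CurrentBuildNumber
        Revision = [int]$cv.UBR
        Name     = $cv.ProductName
        Release  = $cv.DisplayVersion   # null on very old Windows 10 releases
    }
}

function Test-Cve202421338Patched {
    $os = Get-OsBuildParts

    # The vulnerable driver itself; the version string is shown so an operator can
    # compare it with the fixed version listed in the advisory.
    $driverPath = Join-Path $env:SystemRoot 'System32\drivers\appid.sys'
    $driverVersion = if (Test-Path $driverPath) {
        (Get-Item $driverPath).VersionInfo.FileVersion
    } else {
        'not present'
    }

    $result = [pscustomobject]@{
        Product         = ("{0} {1}" -f $os.Name, $os.Release).Trim()
        OsBuild         = "{0}.{1}" -f $os.Build, $os.Revision
        AppIdSysVersion = $driverVersion
        Status          = 'UNKNOWN (build not in table; check the advisory manually)'
    }

    # Cumulative updates only ever raise the revision, so "at or above the February
    # 2024 revision" means the fix is present even if a later update was installed.
    if ($MinimumPatchedBuild.ContainsKey($os.Build)) {
        $result.Status = if ($os.Revision -ge $MinimumPatchedBuild[$os.Build]) {
            'PATCHED'
        } else {
            'VULNERABLE'
        }
    }
    return $result
}

Test-Cve202421338Patched | Format-List
```

Run it from an elevated or non-elevated prompt; reading the registry and the driver’s version resource needs no special rights. A PATCHED result means only that this route from administrator to kernel is closed. It says nothing about whether the host was already compromised before the update, which is a question for your EDR and incident-response process, not for a build-number check.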