Microsoft has recently patched a critical vulnerability in Windows, CVE-2024-21338, that permitted a user to acquire elevated privileges. Notably, North Korean hackers from the Lazarus group were reported to have exploited this flaw for several months. The issue surfaced around six months ago, according to security firm Avast.
The vulnerability was identified by Avast experts in appid.sys, the driver of the AppLocker utility. The bug allowed hackers with access to the targeted system to elevate their privileges to SYSTEM level without any interaction from the victim. Devices running Windows 11, Windows 10, Windows Server 2022, and Windows Server 2019 were affected.
According to Avast, exploiting CVE-2024-21338 requires the hacker to be logged into the system and then launch a specially crafted application that uses the vulnerability to seize control of the device. Although the patch fixing the vulnerability was released in the middle of last month, Microsoft only updated its support page a few days ago to confirm that CVE-2024-21338 was in fact being exploited by hackers.
Avast has reported that the Lazarus group exploited this bug since at least August of last year. The hackers used it to gain kernel-level privileges and disable protective mechanisms on the targeted systems. They ultimately managed to covertly install the FudModule rootkit on those systems in order to manipulate kernel objects.