API security

Lazarus Group exploits Dell driver to bypass Windows security

Share
Microsoft fixes six critical bugs on Patch Tuesday

BleepingComputer reports that North Korean threat actor organization the Lazarus Group used a zero-day vulnerability in the Windows AppLocker driver (appid.sys) to obtain kernel-level access and disable security mechanisms.

The vulnerability, currently known as CVE-2024-21338, was fixed as part of the Microsoft February 2024 Patch Tuesday after Avast experts saw this activity and quickly reported it. According to Avast, Lazarus modified its FudModule rootkit, which ESET initially reported in late 2022, and used CVE-2024-21338 to construct a read/write kernel primitive. The rootkit was previously used to exploit a Dell driver for BYOVD attacks. The security tools that are being targeted are the HitmanPro anti-malware program, AhnLab V3 Endpoint Security, Windows Defender, and CrowdStrike Falcon. Avast also reported its discovery of additional capabilities and new stealth features in the latest rootkit version. These included enhanced tampering with Driver Signature Enforcement and Secure Boot. Microsoft, however, has not identified the vulnerability as a zero-day attack.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.