In the News: Lazarus Group observed exploiting an admin-to-kernel Windows zero-day
Published originally on March 1, 2024 on SC Magazine.
The notorious North Korea-based Lazarus Group was observed abusing an admin-to-kernel zero-day Windows exploit that, once achieved, can let the threat actor carry out any number of malicious activities, including disrupting software, concealing infection indicators, and disabling kernel-mode telemetry.

In a Feb. 29 blog post, researchers at Avast said Microsoft addressed this vulnerability — CVE-2024-21338 — during February’s Patch Tuesday. The researchers said the goal of the exploitation was to establish a kernel read/write primitive, a building block that can be used to construct more complex programs or interfaces.

***

It’s important to note that Microsoft doesn’t always mention if a vulnerability is being actively exploited in its Patch Tuesday bulletins, explained Ashley Leonard, chief executive officer at Syxsense. Leonard said that’s because they want Patch Tuesday bulletins to focus on delivering the fix, and the focus might not be on elaborating on how the vulnerabilities are being exploited.

***

There were 72 fixes in Microsoft’s February Patch Tuesday drop, and Microsoft noted that five were critical, with two being weaponized — none of which were CVE-2024-21338. In fact, there were 29 vulnerabilities with severity ratings above CVE-2024-21338, noted Leonard.

“This underscores what we believe and continue to believe: that most vulnerabilities being exploited are not the headline-grabbing zero-days but vulnerabilities that are more middling in their severity scores,” said Leonard. “These vulnerabilities often get relegated to the backburner on the to-do list, because they aren’t grabbing headlines or attention. Without Avast’s public disclosure of their findings, CVE-2024-21338 would likely never have risen to the top of the headlines.”

Read the full story on SC Magazine.