How North Korean Hackers Exploited a Windows Zero-Day Flaw That Microsoft Ignored for Months

North Korean hackers exploited a Windows zero-day for 6 months, exposing gaps in Microsoft's patching and disclosure process.

How North Korean Hackers Exploited a Windows Zero-Day Flaw That Microsoft Ignored for Months

Zero-Day to Six Months

North Korean hackers, supported by their government, achieved a significant breach by exploiting a zero-day vulnerability in Windows, which Microsoft neglected for six months after being alerted to its active use. This oversight allowed the hackers to deploy a discreet rootkit on the compromised systems, a detail Microsoft failed to disclose even after eventually patching the flaw. The North Korean group, known as Lazarus, had been utilizing this vulnerability since at least August, enabling them to stealthily interact with the Windows kernel, given their already established administrative system privileges.

The vulnerability in question facilitated an undemanding and covert pathway for the already installed malware to engage with the Windows kernel, a tactic employed by Lazarus. Despite this, Microsoft's historical viewpoint has been that elevations from administrator to kernel do not constitute a breach of a security boundary, which perhaps sheds light on their delayed response in rectifying the vulnerability. Research indicates that zero-day exploits can be actively leveraged by attackers for an average of 312 days before being discovered and patched, highlighting the potential window of opportunity for malicious actors.

The incident unearthed a rootkit, dubbed “FudModule” by the security firm Avast, which was characterized as both stealthy and advanced. Rootkits are a type of malware capable of hiding their existence from the operating system while controlling its core functions. To activate, they first require administrative rights, followed by a method to directly interact with the kernel, the central component of an operating system responsible for managing critical tasks. Studies show a 42% increase in targeted attacks like those conducted by Lazarus, emphasizing the growing sophistication and persistence of threat actors.

Previously, groups like Lazarus achieved this kernel access predominantly through the exploitation of third-party system drivers, which inherently have kernel access. To operate within supported Windows environments, these third-party drivers must be digitally signed by Microsoft, affirming their trustworthiness and adherence to security standards. In instances where a threat actor, like Lazarus, bypasses the administrative barriers and identifies a vulnerability in an approved driver, they can then install it and exploit the flaw to access the Windows kernel. This method, known as BYOVD (bring your own vulnerable driver), though effective, offers significant detection opportunities for cybersecurity defenses.

The exploited vulnerability, cataloged as CVE-2024-21338, provided a far more surreptitious approach than BYOVD by targeting appid.sys, a driver associated with the Windows AppLocker service that comes pre-installed in the OS. According to Avast, vulnerabilities like these are considered the “holy grail” for hackers due to their stealth compared to BYOVD.

In August, Avast researchers alerted Microsoft to the zero-day vulnerability, supplying proof-of-concept code that demonstrated its exploitation. Despite this early warning, Microsoft delayed patching the flaw until the following month. The disclosure of the active exploitation of CVE-2024-21338, along with details of the Lazarus rootkit, was initially not made by Microsoft but was revealed by Avast 15 days post-patch. Subsequently, Microsoft updated its patch bulletin to acknowledge the exploitation.

The reasons for Microsoft's delayed response and initial non-disclosure remain uncertain, as Microsoft did not promptly respond to inquiries regarding these actions. Regardless, the protracted period before addressing the vulnerability provided Lazarus an enhanced and more inconspicuous means to deploy FudModule. CodeLock could help by providing proactive vulnerability scanning and threat intelligence to detect such exploits before they cause significant damage. Once installed, the rootkit could circumvent significant Windows defenses, including Endpoint Detection and Response and Protected Process Light, which safeguards against tampering with endpoint protection processes, and prevents unprotected processes from reading memory and injecting code.

From the attackers' perspective, transitioning from administrative to kernel level access opens vast possibilities, enabling them to disrupt security software, conceal infection indicators, disable kernel-mode telemetry, and bypass other security measures. Particularly, overcoming the protections of Protected Process Light (PPL) could allow attackers to access otherwise unobtainable credentials, significantly enhancing their capabilities within the compromised system.

The exploitation of a built-in driver through a zero-day vulnerability, without the need for external custom drivers, represents a highly stealthy form of attack, allowing the kernel attack to remain virtually undetectable. This technique's inherent stealth, coupled with the absence of custom driver requirements, facilitates a fileless attack that evades most detection mechanisms and is viable even on systems with strict driver allowlisting protocols.

While the exact motives behind Lazarus’s preference for this exploitation method over BYOVD remain speculative, it is believed that the primary driver was the desire for increased stealth to avoid detection and extend the lifespan of their exploitation capabilities. The necessity for continuous adaptation and the potential for extended undetected operational periods likely influenced their strategic choice of vulnerability exploitation.

This incident underscores the complex nature of cybersecurity risk management and the critical need for timely vulnerability addressing. The average cost of a cybersecurity breach, including those stemming from zero-day exploits, has risen to over $3.86 million per incident, underscoring the financial impact and importance of timely threat mitigation. The delayed response and the intricacies surrounding the management and disclosure of such significant vulnerabilities spotlight the challenges faced by organizations in ensuring robust cybersecurity defenses.