The Lazarus hacker group, linked to North Korea, has been exploiting a Windows security vulnerability for six months that Microsoft knew about but did not fix, Ars Technica reports.

Even after Microsoft patched the vulnerability last month, the company failed to mention that Lazarus had been exploiting it since at least August to install a hidden rootkit on vulnerable computers.

The zero-day vulnerability gave malware that had already gained administrator privileges an easy and undetectable way to interact with the Windows kernel, and Lazarus used it to do exactly that.

However, Microsoft has long maintained that escalating from administrator privileges to the kernel does not cross a security boundary, which may explain why the company took so long to patch the vulnerability.

“When it comes to Windows security, there is a thin line between admin and kernel,” said Jan Vojtěšek, a researcher with security firm Avast.

According to Microsoft’s security maintenance criteria, the transition from administrator to kernel is not a security boundary, which means that Microsoft reserves the right to patch vulnerabilities between administrator and kernel at its discretion. As a result, the Windows security model does not guarantee that it will prevent an attacker with administrator privileges from gaining direct access to the kernel.

Microsoft’s policy proved to be a boon for Lazarus when it installed FudModule, a special rootkit that Avast said was extremely stealthy and advanced. Rootkits are pieces of malware that have the ability to hide their files, processes, and other internal workings from the operating system itself, while still controlling the deepest levels of the operating system.

To work, they must first gain administrative privileges – a major achievement for any malware. Then they have to overcome another hurdle: interacting directly with the kernel, the most protected part of the OS, reserved for its most sensitive functions.

In years past, Lazarus and other hacker groups have achieved this last threshold by generally using third-party system drivers that, by definition, already have access to the kernel. In order to work with supported versions of Windows, third-party drivers must be digitally signed by Microsoft, which confirms that they are trustworthy and meet security requirements.

If Lazarus or another attacker has already breached the administrative barrier and discovered a vulnerability in an approved driver, they can install it and exploit that vulnerability to gain access to the Windows kernel. This method, known as BYOVD (bring your own vulnerable driver), comes at a price, as it gives defenders a wide range of options for detecting the attack.
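To illustrate the defender-side options the article alludes to, here is an added example (not code from the article, Avast or Microsoft) that inventories the kernel drivers currently running, classifies each by its signer, and reports whether the Microsoft vulnerable-driver blocklist and HVCI are active. It assumes an elevated PowerShell prompt on a supported Windows build; the signer-subject matching is a heuristic of my own, not an authoritative classification.

```powershell
# Added example: BYOVD triage from the defender's side.
# Assumptions: run elevated; Win32_SystemDriver, Win32_DeviceGuard and the
# CI\Config registry value are the documented names; signer matching is heuristic.

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver reports paths in several forms; normalise the common ones.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-RunningKernelDrivers {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            $subject = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # Heuristic: inbox drivers are signed as "Microsoft Windows"; vendor drivers
            # that went through Microsoft signing typically carry the HCP signer subject.
            $class = 'Unsigned/Unknown'
            if ($subject -like '*Hardware Compatibility Publisher*') { $class = 'ThirdParty' }
            elseif ($subject -like 'CN=Microsoft Windows,*') { $class = 'Inbox' }
            elseif ($subject) { $class = 'Other' }
            [pscustomobject]@{
                Name = $_.Name; Path = $path; Class = $class; Signer = $subject
                SignatureStatus = if ($sig) { $sig.Status } else { 'Unknown' }
            }
        }
}

function Get-DriverProtectionState {
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # An absent value means the platform default applies (enabled by default on newer builds).
        VulnerableDriverBlocklist = if ($null -eq $ci.VulnerableDriverBlocklistEnable) { 'NotSet (default)' } else { $ci.VulnerableDriverBlocklistEnable }
        # SecurityServicesRunning contains 2 when HVCI (memory integrity) is running.
        HvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)
    }
}

# Triage view: non-inbox drivers first, since those are the BYOVD candidates to review.
Get-DriverProtectionState | Format-List
Get-RunningKernelDrivers | Where-Object { $_.Class -ne 'Inbox' } | Sort-Object Class, Name | Format-Table -AutoSize
```

Any driver in the ThirdParty or Unsigned/Unknown rows is worth cross-checking against the vendor's current version and the Microsoft driver blocklist before deciding it is benign.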

In August, Avast researchers sent Microsoft a description of the zero-day vulnerability along with code that demonstrated what happens when it is exploited. Microsoft fixed the vulnerability only last month. But even then, the active exploitation of CVE-2024-21338 and the details of the Lazarus rootkit were disclosed not by Microsoft in February, but by Avast 15 days later. A day later, Microsoft updated its patch bulletin to point out the exploit.

Since Microsoft has not explained how it handled CVE-2024-21338, the world will likely never know why it took so long. One thing is clear: now that the vulnerability is public, the risk of exploitation has increased, and Windows users who have not installed security updates for some time should do so as a matter of priority.