North Korean Hacking Group Conducts Zero-Day Attack on Windows Vulnerability

admin, March 2, 2024 19:44:41, 17 views

The notorious Lazarus Group actors exploited a recently patched privilege escalation flaw in the Windows Kernel as a zero-day to obtain kernel-level access and disable security software on compromised hosts.

The vulnerability in question is CVE-2024-21338 (CVSS score: 7.8), which can permit an attacker to gain SYSTEM privileges. It was resolved by Microsoft earlier this month as part of Patch Tuesday updates.

"To exploit this vulnerability, an attacker would first have to log on to the system," Microsoft said. "An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system."

While there were no indications of active exploitation of CVE-2024-21338 at the time of the release of the updates, Redmond on Wednesday revised its "Exploitability assessment" for the flaw to "Exploitation Detected."

It's currently not clear when the attacks took place, but the vulnerability is said to have been introduced in Windows 10, version 1703 (RS2/15063), when the 0x22A018 IOCTL (short for input/output control) handler was first implemented.

Cybersecurity vendor Avast, which discovered an in-the-wild admin-to-kernel exploit for the bug, said the kernel read/write primitive achieved by weaponizing the flaw allowed the Lazarus Group to "perform direct kernel object manipulation in an updated version of their data-only FudModule rootkit."

The FudModule rootkit was first reported by ESET and AhnLab in October 2022 as capable of disabling the monitoring of all security solutions on infected hosts by means of what's called a Bring Your Own Vulnerable Driver (BYOVD) attack, wherein an attacker implants a driver susceptible to a known or zero-day flaw to escalate privileges.

What makes the latest attack significant is that it goes "beyond BYOVD by exploiting a zero-day in a driver that's known to be already installed on the target machine." That susceptible driver is appid.sys, which is crucial to the functioning of a Windows component called AppLocker that's responsible for application control.
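The distinction the article draws matters for defenders: a driver blocklist catches classic BYOVD (an attacker-supplied vulnerable driver), but appid.sys is an in-box, Microsoft-signed driver that no blocklist will ever match, so exposure to CVE-2024-21338 has to be judged from OS build and patch state. The triage routine below is an added example written for this page, not Avast's or Microsoft's tooling; the driver hashes, host records, build numbers and the `fix_installed` flag are constructed, and the only fact taken from the article is that the vulnerable handler first appeared in build 15063.

```python
"""Exposure triage: classic BYOVD (a blocklisted driver loaded) versus a
zero-day in an in-box driver such as appid.sys. Added example; the driver
inventory, hashes and host records are constructed, not real telemetry."""
from dataclasses import dataclass
import hashlib

# Build in which the article says the vulnerable IOCTL handler first appeared
# (Windows 10 version 1703, RS2/15063). Earlier builds lack the handler.
FIRST_AFFECTED_BUILD = 15063

# Constructed blocklist of SHA-256 hashes. In practice this would come from a
# vetted source such as Microsoft's recommended driver block rules.
BLOCKLISTED_DRIVER_HASHES = {
    hashlib.sha256(b"constructed: known-vulnerable third-party driver").hexdigest(),
}


@dataclass(frozen=True)
class LoadedDriver:
    name: str
    sha256: str


def byovd_findings(drivers):
    """Classic BYOVD signal: a driver on the blocklist is loaded."""
    return [d for d in drivers if d.sha256 in BLOCKLISTED_DRIVER_HASHES]


def exposed_to_cve_2024_21338(os_build, fix_installed):
    """The handler exists from build 15063 onward; only the fixing update
    removes the exposure, because the driver itself is supposed to be there."""
    return os_build >= FIRST_AFFECTED_BUILD and not fix_installed


def triage_host(host):
    """Return a list of findings for one constructed host inventory record."""
    findings = []
    for d in byovd_findings(host["drivers"]):
        findings.append(f"BYOVD: blocklisted driver loaded: {d.name}")
    # appid.sys is in-box and legitimately signed, so no hash blocklist will
    # ever match it; exposure is judged from build number and patch state.
    appid_loaded = any(d.name.lower() == "appid.sys" for d in host["drivers"])
    if appid_loaded and exposed_to_cve_2024_21338(host["os_build"], host["fix_installed"]):
        findings.append(f"CVE-2024-21338: appid.sys loaded on build {host['os_build']} "
                        "without the fixing update")
    return findings


def _sha(label):
    return hashlib.sha256(label.encode()).hexdigest()


APPID = LoadedDriver("appid.sys", _sha("constructed: appid.sys"))
THIRD_PARTY = LoadedDriver("vuln3rd.sys", _sha("constructed: known-vulnerable third-party driver"))

# Constructed host records (build numbers are sample values).
HOST_UNPATCHED = {"name": "WS-01", "os_build": 19045, "fix_installed": False, "drivers": [APPID]}
HOST_PATCHED = {"name": "WS-02", "os_build": 19045, "fix_installed": True, "drivers": [APPID]}
HOST_BYOVD = {"name": "WS-03", "os_build": 19045, "fix_installed": True, "drivers": [APPID, THIRD_PARTY]}
HOST_OLD = {"name": "WS-04", "os_build": 14393, "fix_installed": False, "drivers": [APPID]}

if __name__ == "__main__":
    for host in (HOST_UNPATCHED, HOST_PATCHED, HOST_BYOVD, HOST_OLD):
        print(host["name"], triage_host(host) or ["no findings"])
```

The patched host and the pre-1703 host produce no findings even though both load appid.sys, while the BYOVD host is caught only because its third-party driver is on the list; that asymmetry is the whole point of "beyond BYOVD".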

The real-world exploit devised by the Lazarus Group entails using CVE-2024-21338 in the appid.sys driver to execute arbitrary code in a manner that bypasses all security checks and runs the FudModule rootkit.

"FudModule is only loosely integrated into the rest of Lazarus' malware ecosystem and that Lazarus is very careful about using the rootkit, only deploying it on demand under the right circumstances," security researcher Jan Vojtěšek said, describing the malware as under active development.

Besides taking steps to sidestep detection by disabling system loggers, FudModule is engineered to turn off specific security software such as AhnLab V3 Endpoint Security, CrowdStrike Falcon, HitmanPro, and Microsoft Defender Antivirus (formerly Windows Defender).
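Because FudModule both disables logging and switches off named security products, a defender wants two kinds of signal: explicit tamper events (Defender real-time protection disabled, a security service entering the stopped state, the event log service shutting down) and the absence of expected telemetry, since a kernel rootkit that blinds the sensor may leave no "disabled" event at all. The detection below is an added example for this page, not Avast's or any vendor's detection content. The Windows event IDs (Defender operational 5001/5010/5012, Security 1100/1102, System 7036) and the service names WinDefend and CSFalconService are real; the AhnLab and HitmanPro service names, the heartbeat provider name, the hosts and every log record are constructed placeholders.

```python
"""Detection logic for security-tooling tampering of the kind FudModule
performs (turning off AV/EDR and system loggers). Added example; the sample
records, host names and the heartbeat provider name are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Real Windows event IDs that signal protection or logging being switched off.
TAMPER_EVENTS = {
    ("Microsoft-Windows-Windows Defender", 5001): "Defender real-time protection disabled",
    ("Microsoft-Windows-Windows Defender", 5010): "Defender malware scanning disabled",
    ("Microsoft-Windows-Windows Defender", 5012): "Defender virus scanning disabled",
    ("Microsoft-Windows-Eventlog", 1100): "event logging service shut down",
    ("Microsoft-Windows-Eventlog", 1102): "audit log cleared",
}
# Service names watched in System log event 7036 ("entered the stopped state").
# WinDefend and CSFalconService are real; the other two are assumed placeholders.
SECURITY_SERVICES = {"windefend", "csfalconservice", "ahnlab-v3-placeholder", "hitmanpro-placeholder"}
HEARTBEAT_PROVIDER = "EDR-Sensor-Heartbeat"  # constructed name for sensor check-ins


def detect_tampering(records, now, max_gap=timedelta(minutes=15)):
    """Return {host: [finding, ...]} for hosts with tamper events or a telemetry gap."""
    findings = defaultdict(list)
    last_heartbeat = {}
    for r in records:
        host = r["host"]
        ts = datetime.fromisoformat(r["time"])
        key = (r["provider"], r["event_id"])
        if key in TAMPER_EVENTS:
            findings[host].append(f"{r['time']} {TAMPER_EVENTS[key]}")
        elif r["provider"] == "Service Control Manager" and r["event_id"] == 7036:
            if r.get("service", "").lower() in SECURITY_SERVICES and r.get("state") == "stopped":
                findings[host].append(f"{r['time']} security service stopped: {r['service']}")
        elif r["provider"] == HEARTBEAT_PROVIDER:
            last_heartbeat[host] = max(ts, last_heartbeat.get(host, ts))
    # A rootkit that silences the sensor produces no "disabled" event; the only
    # trace may be that the host goes quiet, so a heartbeat gap is a finding too.
    for host, ts in last_heartbeat.items():
        if now - ts > max_gap:
            findings[host].append(f"telemetry gap: no sensor heartbeat since {ts.isoformat()}")
    return dict(findings)


def _ev(host, time, provider, event_id, **extra):
    return {"host": host, "time": time, "provider": provider, "event_id": event_id, **extra}


# Constructed sample records: WS-01 is tampered with and then goes silent,
# WS-02 only has an unrelated service stop and keeps checking in.
SAMPLE_RECORDS = [
    _ev("WS-01", "2024-02-28T09:00:00", HEARTBEAT_PROVIDER, 1),
    _ev("WS-01", "2024-02-28T09:10:00", HEARTBEAT_PROVIDER, 1),
    _ev("WS-01", "2024-02-28T09:11:00", "Microsoft-Windows-Windows Defender", 5001),
    _ev("WS-01", "2024-02-28T09:12:00", "Service Control Manager", 7036,
        service="CSFalconService", state="stopped"),
    _ev("WS-02", "2024-02-28T09:50:00", HEARTBEAT_PROVIDER, 1),
    _ev("WS-02", "2024-02-28T09:52:00", "Service Control Manager", 7036,
        service="Spooler", state="stopped"),
    _ev("WS-02", "2024-02-28T09:55:00", HEARTBEAT_PROVIDER, 1),
]
SAMPLE_NOW = datetime(2024, 2, 28, 10, 0, 0)  # constructed evaluation time


def run_sample():
    return detect_tampering(SAMPLE_RECORDS, SAMPLE_NOW)


if __name__ == "__main__":
    for host, items in run_sample().items():
        print(host)
        for item in items:
            print("  ", item)
```

Only WS-01 is reported, with three findings in order: the Defender event, the CrowdStrike service stop, and the heartbeat gap; WS-02's print spooler stop is ignored because it is not a security service. In a real pipeline the heartbeat check is the part worth keeping even if the vendor event IDs change.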

The development marks a new level of technical sophistication associated with North Korean hacking groups, with the group continuously iterating its arsenal for improved stealth and functionality. It also illustrates the elaborate techniques employed to hinder detection and make tracking much harder.

The adversarial collective's cross-platform focus is also exemplified by the fact that it has been observed using bogus calendar meeting invite links to stealthily install malware on Apple macOS systems, a campaign that was previously documented by SlowMist in December 2023.

"Lazarus Group remains among the most prolific and long-standing advanced persistent threat actors," Vojtěšek said. "The FudModule rootkit serves as the latest example, representing one of the most complex tools Lazarus holds in their arsenal."

Originally published on the WeChat public account 知机安全: North Korean Hacking Group Conducts Zero-Day Attack on Windows Vulnerability

Article link: https://cn-sec.com/archives/2538507.html