Network Security
Vulnerability Management
Privileged Access Management
Endpoint Security
Threat Hunting
Unified Endpoint Management
Email & Collaboration Security
Contents:
Microsoft took six months to patch an actively exploited Windows kernel zero-day. Successful exploitation of CVE-2024-21338 gives attackers system privileges over the infected device.
The patch for this flaw is available in the February 2024 Patch Tuesday updates. Security researchers urge Windows users to apply patches as soon as possible, to avoid privilege escalation.
Windows kernel zero-day risks
CVE-2024-21338 got a severity score of 7.8, which is high. In the FAQs section, Microsoft said:
An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
Source – Microsoft Security Response Center
Having kernel-level access means you can:
- Turn off security software
- Misconfigure security settings
- hide Indicators of Compromise (IoCs)
- disable kernel-mode telemetry
- share hardware resources, etc.
North Korean threat group Lazarus exploited CVE-2024-21338
Soon after Microsoft released the patch for CVE-2024-21338, researchers announced that Lazarus threat group successfully exploited the flaw.
Reportedly, the attackers first used the Windows kernel zero-day in August 2023. Their aim was to install an updated FudModule rootkit version. The rootkit can disable all security tools that the infected system uses.
Patch now and stay safe
The first thing you should do to stay safe from the Windows kernel flaw is patch. Apply updates available in the February Patch Tuesday to close CVE-2024-21338 and avoid Lazarus gaining kernel privileges on your system. Premium patch management softwares can help automate processes, so you can apply patches in only two clicks.
However, the best approach is to enforce a multi-layered security strategy. Hackers could only use CVE-2024-21338 on an already compromised device. So, once you patched, go to the basics:
- educate employees about the risks of phishing attacks
- use a DNS filtering tool to block malicious communication
- enforce a Zero-trust policy and apply the principle of least privilege
- use multi-factor authentication
- enforce a strong password policy
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.
