root@rebel:~$ cd /news/threats/cve-2024-21338-microsoft-defender-zero-day-exploited-by-lazarus_
[TIMESTAMP: 2026-05-21 09:15 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

CVE-2024-21338: Microsoft Defender Zero-Day Exploited by Lazarus

AI-Assisted Analysis
READ_TIME: 4 min read
// executive briefing tl;dr
  • [01] Threat actors are exploiting kernel vulnerabilities in Microsoft Defender to disable security software and elevate system privileges to the highest levels.
  • [02] Affected systems include various Windows versions where the appid.sys driver or SmartScreen services are present and unpatched.
  • [03] Administrators must apply the February 2024 security updates immediately to protect against active exploitation of these vulnerabilities.

Overview of Defender Zero-Day Exploitation

Microsoft has released security patches addressing two vulnerabilities within the Windows ecosystem that were actively exploited as zero-days in the wild. According to BleepingComputer, these flaws allowed threat actors to bypass security warnings and gain elevated privileges on targeted systems. The primary CVE under scrutiny, CVE-2024-21338, is a privilege escalation vulnerability in a Windows kernel-mode driver (specifically appid.sys), while CVE-2024-21412 involves a security feature bypass related to Internet Shortcut files.

The exploitation of these vulnerabilities highlights a sophisticated TTP used by advanced persistent threats to undermine system integrity. When successfully exploited, these flaws allow attackers to transition from a low-privilege environment to SYSTEM-level access, effectively neutralizing EDR solutions and other security monitoring tools. This report provides a technical breakdown of the vulnerabilities and the necessary steps for remediation.

Technical Analysis: CVE-2024-21338 and CVE-2024-21412

Microsoft Defender kernel driver vulnerability

The more significant of the two disclosures is CVE-2024-21338, which carries a CVSS score of 7.8. This flaw resides in the appid.sys driver, which is associated with AppLocker. The Lazarus Group, a North Korean APT, has been identified as the primary threat actor utilizing this vulnerability. By exploiting a lack of proper input validation in the driver's IOCTL handling, the attackers can perform arbitrary kernel memory read/write operations.

This exploitation resembles the “Bring Your Own Vulnerable Driver” category, but with one important difference: the vulnerability existed within a native, trusted Windows driver already present on the system, so the attacker did not need to drop a third-party driver at all. This makes the attack harder to detect by traditional SOC monitoring, as the driver is digitally signed by Microsoft and its load is expected. Once the attacker achieves kernel-level access, they can terminate security processes and hide their presence, facilitating further Lateral Movement within the network.

Lazarus Group exploitation of CVE-2024-21412

CVE-2024-21412 represents a bypass of the Mark-of-the-Web (MotW) security feature. This vulnerability is often leveraged during the initial access phase of an attack, frequently delivered via Phishing campaigns. By crafting a malicious .url file that points to another shortcut file on a remote share, attackers can trick Windows into executing the payload without displaying the standard security warnings that inform users the file originated from the internet.

Security researchers observed this bypass being used to deliver the DarkMe malware. The combination of an initial bypass (CVE-2024-21412) followed by a kernel-level privilege escalation (CVE-2024-21338) creates a highly effective infection chain. The MITRE ATT&CK framework classifies these actions under techniques such as Exploitation for Privilege Escalation (T1068) and Impair Defenses (T1562).
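As an added triage example (not from the original article), the following parser flags Internet Shortcut files whose target is another shortcut on a remote share, the pattern described above for CVE-2024-21412; the flagging rules are an assumption for illustration, not Microsoft's patched logic, and the sample files are constructed.

```python
"""Flag .url files that point at another shortcut on a UNC or file:// location.
Added example; the heuristics and sample inputs are assumptions, not the
article's or Microsoft's own logic."""

SHORTCUT_EXTS = (".url", ".lnk")


def parse_url_file(text):
    """Return the URL= value from the [InternetShortcut] section, or None."""
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "internetshortcut" and line.lower().startswith("url="):
            return line[4:].strip()
    return None


def is_suspicious_shortcut(text):
    """True when the shortcut's target is itself a shortcut file on a remote path."""
    target = parse_url_file(text)
    if target is None:
        return False
    lower = target.lower().split("?", 1)[0]  # drop any query string before the check
    remote = lower.startswith("\\\\") or lower.startswith("file:")
    points_to_shortcut = lower.endswith(SHORTCUT_EXTS)
    return remote and points_to_shortcut


# Constructed sample files (not real samples); 203.0.113.0/24 is a documentation range.
BENIGN_URL_FILE = "[InternetShortcut]\nURL=https://example.com/docs\n"
UNC_URL_FILE = "[InternetShortcut]\nURL=\\\\203.0.113.5\\share\\update.url\n"
FILE_SCHEME_URL_FILE = "[InternetShortcut]\nURL=file://203.0.113.5/share/installer.lnk\n"

if __name__ == "__main__":
    for name, content in [("benign", BENIGN_URL_FILE), ("unc", UNC_URL_FILE),
                          ("file-scheme", FILE_SCHEME_URL_FILE)]:
        print(name, "suspicious" if is_suspicious_shortcut(content) else "ok")
```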

Detection and Mitigation Strategies

To defend against these threats, organizations must move beyond simple patch management and implement multi-layered detection. Defending against kernel-level threats requires deep visibility into system calls and driver behavior.

How to detect CVE-2024-21338 exploit

Security teams can identify potential exploitation attempts by monitoring for unusual activity related to the appid.sys driver. Specifically, look for processes that are not part of the standard Windows boot sequence or AppLocker management attempting to communicate with the driver’s IOCTL (Input/Output Control) codes. Organizations should configure their SIEM to alert on unexpected privilege transitions where a user process suddenly gains SYSTEM context without a corresponding valid service start event.

Key IoC indicators include:

  • Unexpected termination of EDR or antivirus service processes.
  • Presence of modified or replaced system drivers in %SystemRoot%\System32\drivers.
  • Network traffic to known C2 infrastructure following the opening of suspicious shortcut files.
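As an added example (not the article's own detection content), the following correlation logic implements the three checks described in this section over constructed endpoint telemetry: a non-allow-listed process opening the appid.sys driver, a process gaining SYSTEM context with no recent service start, and the termination of a security process. The event schema, the allow-list of expected appid.sys callers and the protected-process names are assumptions chosen for illustration.

```python
"""Correlate constructed endpoint events against the indicators listed above.
Added example; event fields, allow-lists and sample events are assumptions."""
from collections import defaultdict

# Processes normally expected to open the AppLocker driver (assumed allow-list).
EXPECTED_APPID_CALLERS = {"services.exe", "svchost.exe", "AppIDPolicyConverter.exe"}
# Security tooling whose unexpected exit is an indicator (assumed list).
PROTECTED_PROCESSES = {"MsMpEng.exe", "edr-agent.exe"}
SERVICE_START_WINDOW = 30  # seconds between a service start and a SYSTEM transition


def detect(events):
    """Return (timestamp, rule, image) alerts from a time-ordered list of event dicts."""
    alerts = []
    service_starts = defaultdict(list)  # image -> timestamps of service start events
    for ev in events:
        kind, ts, image = ev["kind"], ev["ts"], ev["image"]
        if kind == "service_start":
            service_starts[image].append(ts)
        elif (kind == "driver_open" and ev["device"] == "appid.sys"
              and image not in EXPECTED_APPID_CALLERS):
            alerts.append((ts, "appid_ioctl_caller", image))
        elif (kind == "token_change" and ev["new_user"] == "NT AUTHORITY\\SYSTEM"
              and ev["old_user"] != "NT AUTHORITY\\SYSTEM"):
            # A SYSTEM transition is expected only shortly after a service start.
            recent = [s for s in service_starts[image] if 0 <= ts - s <= SERVICE_START_WINDOW]
            if not recent:
                alerts.append((ts, "system_without_service_start", image))
        elif kind == "process_exit" and image in PROTECTED_PROCESSES:
            alerts.append((ts, "security_process_terminated", image))
    return alerts


# Constructed sample telemetry (not real logs): a benign service start and driver
# open, then a user-mode binary opening appid.sys, jumping to SYSTEM and killing the AV engine.
SAMPLE_EVENTS = [
    {"kind": "service_start", "ts": 100, "image": "svchost.exe"},
    {"kind": "token_change", "ts": 101, "image": "svchost.exe",
     "old_user": "CORP\\svc", "new_user": "NT AUTHORITY\\SYSTEM"},
    {"kind": "driver_open", "ts": 205, "image": "svchost.exe", "device": "appid.sys"},
    {"kind": "driver_open", "ts": 300, "image": "loader.exe", "device": "appid.sys"},
    {"kind": "token_change", "ts": 301, "image": "loader.exe",
     "old_user": "CORP\\alice", "new_user": "NT AUTHORITY\\SYSTEM"},
    {"kind": "process_exit", "ts": 302, "image": "MsMpEng.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```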

Remediation and Patching

The most effective mitigation is the immediate application of the Microsoft February 2024 cumulative updates. These updates contain the necessary logic to prevent the unauthorized IOCTL calls in the kernel driver and fix the shortcut file processing logic. Furthermore, organizations should adopt a Zero Trust architecture, ensuring that even if an attacker gains initial access, their ability to move through the network and escalate privileges is severely limited by strict access controls and micro-segmentation.
