A high-severity elevation-of-privilege vulnerability in the Windows Kernel (CVE-2024-21338) has been exploited in the wild, allowing attackers who already have code execution on a host to gain SYSTEM-level access. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog, which obliges U.S. federal civilian agencies to remediate it by a fixed deadline and signals to everyone else that immediate patching is warranted.
Vulnerability Details:
- CVE-ID: CVE-2024-21338
- Severity: High (CVSS v3.1 base score 7.8)
- Affected Systems: Windows 10, Windows 11, Windows Server 2019, and Windows Server 2022
- Vulnerability Type: Local privilege escalation (elevation of privilege); the attacker must first be able to log on and run code on the target, so this is a post-compromise step rather than a remote entry point.
- Impact: Allows attackers to escalate privileges to SYSTEM, read and write kernel memory, disable or blind security software such as EDR and antivirus, and deploy additional malware with kernel-level persistence.
Threat Actor:
- Group: Lazarus (state-sponsored, linked to North Korea)
- Tactics: The group exploited this vulnerability as a zero-day, in a campaign observed since at least August 2023 and well before the fix shipped, showing significant upgrades in tradecraft: an updated version of the FudModule rootkit, which uses the kernel access gained from the exploit to tamper with security tooling, and a previously undocumented, stealthy remote access trojan (RAT).
Mitigation:
- Microsoft released patches for this vulnerability in the February 2024 Patch Tuesday updates (13 February 2024). No workaround is offered; installing the February 2024 or a later cumulative update is the only remediation, and organizations should apply it immediately on every affected system.
Recommendations:
- Patch Management: Confirm, rather than assume, that every affected system is running the February 2024 (or later) cumulative update; a host that has downloaded the update but not yet rebooted is still vulnerable.
- Monitoring: Because exploitation is local, focus on endpoint telemetry rather than network traffic alone: unexpected stops or crashes of EDR and antivirus services, loss of endpoint telemetry from a host that is otherwise online, and unexplained kernel driver loads are consistent with the rootkit behaviour described above and warrant investigation.
- Security Awareness: Educate employees about the risk and encourage them to report unusual system behaviour or security alerts, since the initial foothold this exploit builds on typically arrives through user-facing channels.
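The patch-verification step above, written out as an added PowerShell example (this is not code from the original advisory or from Microsoft). It compares the running build's UBR (update build revision) with the minimum revision shipped by the February 2024 cumulative update. The build-to-UBR table is an assumption transcribed from Microsoft's February 2024 release notes and should be confirmed against the MSRC advisory for CVE-2024-21338 before use; builds not listed are reported as unknown rather than guessed.

```powershell
function Get-Cve202421338PatchState {
    <#
    .SYNOPSIS
    Reports whether the local Windows build is at or above the February 2024
    cumulative update level that fixes CVE-2024-21338.
    #>
    [CmdletBinding()]
    param()

    # CurrentBuildNumber plus UBR gives the full build, e.g. 19045.4046.
    # UBR only changes once the update is installed AND the host has rebooted,
    # so a pending-reboot host is correctly reported as still vulnerable.
    $cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR

    # Minimum UBR per build after the 13 February 2024 cumulative update.
    # ASSUMPTION: transcribed from Microsoft's release notes; verify against the
    # MSRC advisory for CVE-2024-21338 before relying on these values.
    $minimumUbr = @{
        19045 = 4046   # Windows 10 22H2
        22621 = 3155   # Windows 11 22H2
        22631 = 3155   # Windows 11 23H2
        17763 = 5458   # Windows Server 2019
        20348 = 2322   # Windows Server 2022
    }

    $required = $minimumUbr[$build]
    $state = if ($null -eq $required) {
        'Unknown build: not in table, check manually'
    } elseif ($ubr -ge $required) {
        'Patched'
    } else {
        'VULNERABLE: install the February 2024 or later cumulative update'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Build        = "$build.$ubr"
        RequiredUbr  = $required
        State        = $state
    }
}

# Local check:
Get-Cve202421338PatchState

# Fleet check over WinRM (assumes PowerShell remoting is enabled and the caller
# is an administrator on the targets; hosts.txt is one hostname per line):
# $targets = Get-Content .\hosts.txt
# Invoke-Command -ComputerName $targets -ScriptBlock ${function:Get-Cve202421338PatchState} |
#     Where-Object State -ne 'Patched' | Format-Table ComputerName, Build, RequiredUbr, State
```

Checking the running build revision is more reliable than searching Get-HotFix for a KB number, because the same fix is delivered under different KB numbers per Windows version and later cumulative updates supersede the February one. Any host that reports an unknown build (for example Windows 10 21H2 or Windows 11 21H2, which are deliberately left out of the table) should be checked by hand against the advisory rather than assumed safe.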
Conclusion:
The active exploitation of CVE-2024-21338 poses a significant risk to organizations running vulnerable Windows systems: an attacker who gains any foothold can convert it into kernel-level control and disable the defences that would otherwise detect them. Prompt patching, verified on every affected host, together with endpoint-focused monitoring for tampering with security tooling, is essential to mitigate both the vulnerability itself and the tradecraft the Lazarus group has built on it.