{"id":846,"date":"2024-02-29T15:50:44","date_gmt":"2024-02-29T13:50:44","guid":{"rendered":"https:\/\/techlance.ddns.net\/?p=846"},"modified":"2024-02-29T15:50:56","modified_gmt":"2024-02-29T13:50:56","slug":"lazarus-hakkerit-hyodynsivat-windowsin-nollapaivahaavoittuvuutta","status":"publish","type":"post","link":"https:\/\/techlance.ddns.net\/en\/lazarus-hakkerit-hyodynsivat-windowsin-nollapaivahaavoittuvuutta\/","title":{"rendered":"Lazarus hackers exploited a Windows zero-day vulnerability"},"content":{"rendered":"<p>North Korean threat actors known as the Lazarus Group exploited a flaw in the Windows AppLocker driver (appid.sys) as a zero-day to gain kernel-level access and turn off security tools, allowing them to avoid the noisier BYOVD (Bring Your Own Vulnerable Driver) technique. 
This activity was detected by Avast analysts, who promptly reported it to Microsoft, leading to a fix for the flaw, now tracked as CVE-2024-21338, as part of the February 2024 Patch Tuesday. However, Microsoft has not marked the flaw as exploited as a zero-day.<\/p>\n\n\n\n<p>Avast reports that Lazarus exploited CVE-2024-21338 to create a read\/write kernel primitive in an updated version of its FudModule rootkit, which ESET first documented in late 2022. Previously, the rootkit abused a Dell driver for BYOVD attacks.<\/p>\n\n\n\n<p><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/lazarus-hackers-exploited-windows-zero-day-to-gain-kernel-privileges\/\">https:\/\/www.bleepingcomputer.com\/news\/security\/lazarus-hackers-exploited-windows-zero-day-to-gain-kernel-privileges\/<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>North Korean threat actors known as members of the Lazarus Group exploited a flaw in the Windows AppLocker driver (appid.sys) as a zero-day to gain kernel-level access and turn off security tools 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[9],"tags":[15],"class_list":["post-846","post","type-post","status-publish","format-standard","hentry","category-security","tag-tietoturva"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/techlance.ddns.net\/en\/wp-json\/wp\/v2\/posts\/846","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techlance.ddns.net\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techlance.ddns.net\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techlance.ddns.net\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/techlance.ddns.net\/en\/wp-json\/wp\/v2\/comments?post=846"}],"version-history":[{"count":0,"href":"https:\/\/techlance.ddns.net\/en\/wp-json\/wp\/v2\/posts\/846\/revisions"}],"wp:attachment":[{"href":"https:\/\/techlance.ddns.net\/en\/wp-json\/wp\/v2\/media?parent=846"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techlance.ddns.net\/en\/wp-json\/wp\/v2\/categories?post=846"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techlance.ddns.net\/en\/wp-json\/wp\/v2\/tags?post=846"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}