Lawrence Person's BattleSwarm Blog

“Patch Tuesday” is when Microsoft (and other software companies) regularly release patches for their software on the second Tuesday of a month. A “zero day exploit” is a serious, previously undisclosed security flaw in a shipping piece of software. Not every Patch Tuesday includes a zero day fix, and sometimes the release only fixes one or two.

The latest Microsoft Patch Tuesday fix, released last Tuesday, fixes ten zero day vulnerabilities, six of which were already being exploited in the wild.

Attackers are actively exploiting as many as six of the 90 vulnerabilities that Microsoft disclosed in its security update for August, making them a top priority for administrators this Patch Tuesday.

Another four CVEs in Microsoft’s update were publicly known before the Aug. 13 disclosure, which also make them zero-days of a sort, even though attackers have not yet begun exploiting them. Among them, an elevation of privilege (EoP) bug in Windows Update Stack, tracked as CVE-2024-38202, is particularly troubling because Microsoft does not yet have a patch for it.

The unpatched flaw allows an attacker with “basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security (VBS),” according to Microsoft. The company has assessed the bug as being only of moderate severity because an attacker would need to trick an administrator or user with delegated permissions into performing a system restore.

However, Scott Caveza, staff research engineer at Tenable, says that if an attacker were to chain CVE-2024-38202 with CVE-2024-21302 (an EoP flaw in the current update that affects Windows Secure Kernel), they would be able to roll back software updates without the need for any interaction with a privileged user. “CVE-2024-38202 does require ‘additional interaction by a privileged user,’ according to Microsoft,” he says. “However, the chaining of CVE-2024-21302 allows an attacker to downgrade or roll back software versions without the need for interaction from a victim with elevated privileges.”

Caveza says each vulnerability can be exploited separately, but when combined, they could potentially have a more significant impact.

In all, seven of the bugs that Microsoft disclosed this week are rated as critical. The company rated 79 CVEs — including the zero-days that attackers are actively exploiting — as “Important,” or of medium severity, because they involve some level of user interaction or other requirement for an attacker to exploit. “While this isn’t the biggest release, it is unusual to see so many bugs listed as public or under active attack in a single release,” said Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative (ZDI), in a blog post.

This is, to use a technical term, “bad.”

I’m not an expert in Windows security, but ten zero day exploits sounds like a new record.

And just who is exploiting this vulnerability in the wild? Well, in one case, North Korea.

A Windows zero-day vulnerability recently patched by Microsoft was exploited by hackers working on behalf of the North Korean government so they could install custom malware that’s exceptionally stealthy and advanced, researchers reported Monday.

Getting pwned by North Korea is like getting arrested for knocking over a liquor store because you posted a picture of yourself in front of the store holding up the stolen cash on Facebook.

The vulnerability, tracked as CVE-2024-38193, was one of six zero-days—meaning vulnerabilities known or actively exploited before the vendor has a patch—fixed in Microsoft’s monthly update release last Tuesday. Microsoft said the vulnerability—in a class known as a “use after free”—was located in AFD.sys, the binary file for what’s known as the ancillary function driver and the kernel entry point for the Winsock API. Microsoft warned that the zero-day could be exploited to give attackers system privileges, the maximum system rights available in Windows and a required status for executing untrusted code.

Microsoft warned at the time that the vulnerability was being actively exploited but provided no details about who was behind the attacks or what their ultimate objective was. On Monday, researchers with Gen—the security firm that discovered the attacks and reported them privately to Microsoft—said the threat actors were part of Lazarus, the name researchers use to track a hacking outfit backed by the North Korean government.

“The vulnerability allowed attackers to bypass normal security restrictions and access sensitive system areas that most users and administrators can’t reach,” Gen researchers reported. “This type of attack is both sophisticated and resourceful, potentially costing several hundred thousand dollars on the black market. This is concerning because it targets individuals in sensitive fields, such as those working in cryptocurrency engineering or aerospace to get access to their employer’s networks and steal cryptocurrencies to fund attackers’ operations.”

Monday’s blog post said that Lazarus was using the exploit to install FudModule, a sophisticated piece of malware discovered and analyzed in 2022 by researchers from two separate security firms: AhnLab and ESET. Named after the FudModule.dll file that once was present in its export table, FudModule is a type of malware known as a rootkit. It stood out for its ability to operate robustly in the deep in the innermost recess of Windows, a realm that wasn’t widely understood then or now. That capability allowed FudModule to disable monitoring by both internal and external security defenses.

Rootkits are pieces of malware that have the ability to hide their files, processes, and other inner workings from the operating system itself and, at the same time, control the deepest levels of the operating system. To work, rootkits must first gain system privileges and go on to directly interact with the kernel, the area of an operating system reserved for the most sensitive functions. The FudModule variants discovered by AhnLabs and ESET were installed using a technique called “bring your own vulnerable driver,” which involves installing a legitimate driver with known vulnerabilities to gain access to the kernel.

Earlier this year, researchers from security firm Avast spotted a newer FudModule variant that bypassed key Windows defenses such as Endpoint Detection and Response, and Protected Process Light. Microsoft took six months after Avast privately reported the vulnerability to fix it, a delay that allowed Lazarus to continue exploiting it.

Whereas Lazarus used “bring your own vulnerable driver” to install earlier versions of FudModule, group members installed the variant discovered by Avast by exploiting a bug in appid.sys, a driver enabling the Windows AppLocker service, which comes preinstalled in Windows. Avast researchers said at the time the Windows vulnerability exploited in those attacks represented a holy grail for hackers because it was baked directly into the OS rather than having to be installed from third-party sources.

As I’ve noted before, Internet security is hard. Neither Mac nor Linux are entirely free of such exploits, but they seem to be a lot less frequent. Log4J wasn’t a Linux kernel exploit, but everyone (rightly) freaked out over it because Log4j was used everywhere and it let attackers install malicious code on your server.

Microsoft patching ten zero day exploits suggests that there’s a big problem up in Redmond. You would think the zero day vulnerability numbers would be going down, not up. I wonder if we might be seeing that start of widespread AI use to find vulnerabilities in software.