AI DevwWrld CyberDSA Chatbot Summit Cyber Revolution Summit CYSEC Global Cyber Security & Cloud Expo World Series Digital Identity & Authentication Summit Asian Integrated Resort Expo Middle East Low Code No Code Summit TimeAI Summit

New critical exploit discovered in Windows kernel: security implications and solutions

How a zero-day exploit threatens Windows kernel security: analysis and mitigation

CVE-2024-38106 is a serious vulnerability in the Windows kernel, discovered by Sergei Kornienko. It allows attackers to gain SYSTEM privileges. Microsoft has released a patch to fix it. It has been actively exploited by the North Korean hacker group Citrine Sleet.

This pill is also available in Italian language

On September 2, PixiePoint security researcher Sergei Kornienko published an in-depth analysis and demonstration of an exploit that takes advantage of a critical zero-day vulnerability in the Windows kernel, identified as CVE-2024-38106. This security flaw, with a CVSS score of 7.0, is located in the Windows kernel and affects the process “ntoskrnl.exe,” which is essential for communication between hardware and software. The vulnerability is related to a Race Condition, a situation where the outcome of an operation depends on the timeline of events. If successfully exploited, this flaw could allow an attacker to gain SYSTEM-level privileges, essentially gaining full control over the vulnerable device. Kornienko responsibly disclosed the vulnerability to Microsoft, which has released an update to mitigate the issue.

Security updates and changes

The update released by Microsoft to address CVE-2024-38106 includes significant changes to two key functions: VslGetSetSecureContext() and NtSetInformationWorkerFactory(). These changes were necessary to eliminate the Race Condition and strengthen the security of the operating system. In particular, new blocking mechanisms have been introduced for operations related to the kernel's Virtualization Based Security (VBS) mode; furthermore, a flag check has been implemented in the NtShutdownWorkerFactory() process, reducing the likelihood of exploitation of the vulnerability.

Active exploitation of the vulnerability

Sergei Kornienko also published a Proof of Concept (PoC) exploit that demonstrates how attackers can leverage CVE-2024-38106 to achieve privilege escalation. The publication of the PoC exploit highlights the serious security risks for home and enterprise users if the vulnerability is not addressed promptly. According to PixiePoint, the vulnerability was actively exploited by a North Korean hacking group known as Citrine Sleet. The attacks began via redirects to a malicious website called “voyagorclub[.]space,” with social engineering methods used to trick victims into falling for the scam.

Consequences and recommendations

Once victims were redirected to the malicious site, the attackers exploited the CVE-2024-7971 vulnerability to gain access to the target system. They then downloaded and executed code to exploit CVE-2024-38106, thereby bypassing the sandbox and achieving elevation of privilege. This allowed the introduction of malware known as the FudModule rootkit, which uses the Direct Kernel Object Manipulation (DKOM) technique to modify the security mechanisms of the Windows kernel. This makes the malware extremely difficult to detect and remove. Microsoft quickly released a patch for the vulnerability as part of the August 2024 Update. This case highlights the importance of timely patching and maintaining constant cybersecurity vigilance to prevent abuse and minimize risks.

Follow us on WhatsApp for more pills like this

09/06/2024 09:44

Marco Verro

Last pills

Hacker attack in Lebanon: Hezbollah under fireTechnological shock and injuries: cyber warfare hits Hezbollah in Lebanon

Data breach: Fortinet faces new hack, 440GB of stolen informationFortinet under attack: hackers breach security and make information public. discover the details and the consequences for the privacy of involved users

Shocking cyber espionage discoveries: nation-state threatsHow state-of-state cyberwarfare is changing the game in the tech industry: Details and analysis of recent attacks

A new era for Flipper Zero with firmware 1.0Discover the revolutionary features of Flipper Zero firmware 1.0: performance improvements, JavaScript, and enhanced connectivity