Friend
Professional
The dangerous Zero-day was used long before the patch appeared.
On September 2, security researcher Sergey Kornienko of PixiePoint published an analysis and demonstration of the exploitation of a critical zero-day vulnerability in the Windows kernel known as CVE-2024-38106. This privilege escalation vulnerability is already being actively exploited by attackers, requiring urgent action by security professionals and users.
CVE-2024-38106 (CVSS base score: 7.0) is located in the Windows operating system kernel, more specifically in the "ntoskrnl.exe" process. This process is a key component of Windows, enabling communication between hardware and software, as well as supporting many of the system's critical services.
The vulnerability is related to a Race Condition, a situation in which the result depends on the sequence or timing of events. An attacker who successfully exploits this vulnerability can escalate their privileges to the SYSTEM level, effectively giving them full control over the infected device.
The vulnerability was responsibly reported to Microsoft, and an update fixing CVE-2024-38106 has already been released. Kornienko also analyzed the update that fixes the vulnerability and noted important changes in two key functions: VslGetSetSecureContext() and NtSetInformationWorkerFactory(). These changes were necessary to address the Race Condition and improve the security of the system.
In particular, blocking mechanisms were introduced for operations related to the Virtualization-Based Security (VBS) kernel safe mode, and flag checking was added in the NtShutdownWorkerFactory() process, which reduced the likelihood of exploitation of the vulnerability.
Kornienko also posted a PoC exploit showing how attackers can use CVE-2024-38106 to escalate privileges. The publication of the exploit highlights the potential risks for home and corporate users if the vulnerability is not patched in a timely manner.
According to PixiePoint, the vulnerability was actively exploited by a North Korean hacker group known as Citrine Sleet. The reported attacks began by redirecting victims to the malicious website "voyagorclub[.]space". It is assumed that social engineering methods were used for this.
After the victim landed on the site, the CVE-2024-7971 remote code execution vulnerability was exploited, which allowed attackers to gain access to the target system. Next, they downloaded and executed code aimed at exploiting the CVE-2024-38106 vulnerability to bypass the sandbox and escalate privileges. This made it possible to introduce malware called the FudModule rootkit.
A particular danger of the FudModule rootkit is the use of the Direct Kernel Object Manipulation (DKOM) technique, which allows attackers to modify the security mechanisms of the Windows kernel. This makes it extremely difficult to detect and remove.
Microsoft promptly released a patch for the CVE-2024-38106 vulnerability as part of the August 2024 update. However, the fact that the vulnerability had already been exploited in attacks before the update was released underscores the importance of timely patching and constant vigilance in the field of cybersecurity.
Source