{"id":8563,"date":"2024-02-29T15:36:54","date_gmt":"2024-02-29T06:36:54","guid":{"rendered":"https:\/\/cyberenso.jp\/?p=8563"},"modified":"2024-11-19T15:39:08","modified_gmt":"2024-11-19T06:39:08","slug":"a-north-korean-linked-apt-group-exploited-a-zero-day-vulnerability-in-the-windows-applocker-driver-appid-sys-to-gain-kernel-level-access-to-a-target-system","status":"publish","type":"post","link":"https:\/\/cyberenso.jp\/en\/a-north-korean-linked-apt-group-exploited-a-zero-day-vulnerability-in-the-windows-applocker-driver-appid-sys-to-gain-kernel-level-access-to-a-target-system\/","title":{"rendered":"A North Korean-linked APT group exploited a zero-day vulnerability in the Windows AppLocker driver (appid.sys) to gain kernel-level access to a target system"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"8563\" class=\"elementor elementor-8563\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-0265fc0 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"0265fc0\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-935e05a\" data-id=\"935e05a\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t\t\t<div class=\"elementor-element elementor-element-0f154f9 elementor-widget elementor-widget-text-editor\" data-id=\"0f154f9\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>An APT group linked to North Korea is exploiting a zero-day vulnerability in the appid.sys AppLocker driver using an admin-to-kernel exploit. A zero-day exploit, identified as CVE-2024-21338, was addressed by Microsoft in February.<br \/><br \/>The flaw CVE-2024-21338 resides within the IOCTL (Input and Output Control) dispatcher of the driver appid.sys. In the AppLocker application, this driver controls which apps and files users can run. Lazarus exploited the zero-day in the appid.sys driver by manipulating the Input and Output Control (IOCTL) dispatcher. As a result of this manipulation, they can execute arbitrary code on the target system, bypassing security mechanisms.<br \/><br \/>Japanese organizations must follow the instructions provided by Microsoft Security Response Center and also install drivers and apply patches to old applications and software.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>An APT group linked to North Korea is exploiting a zero-day vulnerability in the appid.sys AppLocker driver using an admin-to-kernel exploit. A zero-day exploit, identified as CVE-2024-21338, was addressed by Microsoft in February. The flaw CVE-2024-21338 resides within the IOCTL (Input and Output Control) dispatcher of the driver appid.sys. In the AppLocker application, this driver controls which apps and files<span class=\"excerpt-hellip\"> [\u2026]<\/span><\/p>\n","protected":false},"author":1,"featured_media":8568,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[225,6,10,12,2,7,1],"tags":[],"class_list":["post-8563","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-heavy-industry","category-latest_news","category-latest_vulnerabilities","category-read_article","category-ce_news","category-by_country","category-uncategorized"],"acf":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/cyberenso.jp\/wp-content\/uploads\/2024\/11\/Picture2.jpg?fit=602%2C344&ssl=1","_links":{"self":[{"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/posts\/8563"}],"collection":[{"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/comments?post=8563"}],"version-history":[{"count":5,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/posts\/8563\/revisions"}],"predecessor-version":[{"id":8570,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/posts\/8563\/revisions\/8570"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/media\/8568"}],"wp:attachment":[{"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/media?parent=8563"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/categories?post=8563"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/tags?post=8563"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}