Key Alert:
CVE-2024-35250, a Windows kernel vulnerability, is now being actively exploited to gain SYSTEM privileges. Initially identified by the DEVCORE Research Team, this flaw affects the Microsoft Kernel Streaming Service (MSKSSRV.SYS) and has been weaponized in attacks against Windows systems. Because of the significant risk this vulnerability poses, CISA has directed federal agencies to secure their systems before January 6, 2025. Given the significance of this threat, Blackwell recognizes that healthcare is likely to be impacted and has expanded this bulletin to include healthcare impacts.
Threat Overview:
CVE-2024-35250 is a high-severity local privilege escalation vulnerability in Windows systems caused by an untrusted pointer dereference weakness. Exploiting this flaw allows attackers to escalate privileges and execute arbitrary commands with SYSTEM-level access.
Key aspects of CVE-2024-35250 include:
- Targeted Component: Vulnerability resides in MSKSSRV.SYS, the Microsoft Kernel Streaming Service.
- Proof-of-Concept (PoC): Exploitation demonstrated by DEVCORE researchers during Pwn2Own Vancouver 2024.
- Exploitation in the Wild: Initially patched in June 2024, active exploitation has been reported following the release of PoC exploit code in October 2024.
Healthcare Impacts:
The exploitation of CVE-2024-35250 presents significant risks to healthcare organizations, where Windows systems are integral to critical services. Key impacts include:
- Loss of Access to Clinical Applications: SYSTEM-level access could allow attackers to disable critical healthcare software, including Electronic Health Records (EHR) systems, delaying patient care workflows and impacting treatment outcomes.
- Targeted Data Theft: Privileged access may be used to exfiltrate sensitive Protected Health Information (PHI), exposing patients to identity theft and organizations to HIPAA violations with significant financial penalties.
- Operational Disruption: Administrative tools, scheduling systems, and medical device interfaces reliant on Windows infrastructure could be compromised, delaying surgeries, lab diagnostics, and supply chain operations.
- Ransomware Deployment: SYSTEM-level privileges allow attackers to deploy ransomware payloads, encrypting critical systems and demanding ransom payments to restore access. Downtime can lead to life-threatening consequences for patients requiring urgent care.
- Compromised Endpoint Security: SYSTEM access may allow attackers to disable antivirus solutions and endpoint detection systems, increasing vulnerability to subsequent attacks.
Exploitation Method:
Attackers leverage CVE-2024-35250 to escalate privileges by exploiting the MSKSSRV kernel streaming component. No user interaction is required, and the attack complexity remains low, making it an attractive vector for malicious actors.
Affected Products and Versions:
- Microsoft Kernel Streaming Service (MSKSSRV.SYS) in Windows: All supported versions, including Windows 10, Windows 11, and Windows Server.
- Microsoft Security Advisory: CVE-2024-35250
Indicators of Compromise (IoCs):
- Unusual Login Activity: Increased logins from unexpected locations or IP addresses.
- Suspicious System File Access: Unexpected access or modifications to system-critical files.
- Unusual Network Traffic: Anomalies suggesting lateral movement or exploitation attempts.
(No public IOCs have been widely shared; security teams should monitor emerging threat intelligence feeds closely.)
Tactics, Techniques, and Procedures (TTPs):
Tactics | Techniques |
---|---|
Initial Access | Exploitation of Windows Kernel Driver Vulnerabilities (T1190) |
Privilege Escalation | Exploitation of Privileged Access (T1068) |
Defense Evasion | Exploit Protection Bypass (T1211) |
Execution | System Execution (T1070) |
Recommendations for Healthcare Organizations:
Immediate Actions:
- Patch Systems: Apply Microsoft-provided patches to all vulnerable systems as specified in their security advisory.
- Enhanced Monitoring: Implement EDR solutions to detect suspicious behavior, such as unusual login attempts or system access patterns.
- Network Segmentation: Isolate affected systems from broader networks to reduce the risk of lateral movement.
Long-Term Defense:
- Access Controls: Minimize administrative privileges and review access permissions to limit exposure.
- Staff Training: Educate IT and security personnel on kernel vulnerabilities and the importance of timely patching.
- Incident Response Plans: Ensure robust incident response strategies are in place to rapidly contain and mitigate exploitation attempts.
Leadership Guidance:
Healthcare executives and security leaders should prioritize addressing high-severity vulnerabilities like CVE-2024-35250 by integrating them into overarching risk management strategies. Focus resources on proactive patch management, enhanced monitoring solutions, and network segmentation to mitigate exploitation risks. Collaborate closely with software vendors and cybersecurity providers to maintain up-to-date threat intelligence and system patches. Strengthen incident response capabilities through routine testing, rapid containment strategies, and continuous refinement of security controls to safeguard sensitive healthcare data and operations.
Blackwell Security MHXDR Customers:
Blackwell Security continues to deliver proactive monitoring and real-time threat detection to identify and mitigate potential exploitation of CVE-2024-35250. For those customers that send full endpoint logs, Blackwell is looking inside your system logs for Event ID 41 and Event ID 1001, and evaluating new processes created by Event ID 4688. If you are experiencing memory dumps or BSOD events, or have identified kernel stack traces referencing MSKSSRV.SYS, please contact the Blackwell IR team.
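For teams that are not MHXDR customers and want to apply the same event-log checks locally, the following PowerShell script is an added example, not Blackwell's detection content. It pulls the three event IDs named above and applies two constructed heuristics: flagging crash events whose text mentions MSKSSRV, and flagging 4688 process-creation events where a non-SYSTEM account created a child that runs as LocalSystem. It assumes "Audit Process Creation" is enabled (and command-line auditing, for the CmdLine field) and a Windows 10 / Server 2016 or later endpoint, where 4688 carries ParentProcessName.

```powershell
# Added example (not Blackwell's tooling): review the event IDs from the bulletin
# over the last N hours. Run from an elevated PowerShell session on the endpoint.
param([int]$Hours = 24)
$since = (Get-Date).AddHours(-$Hours)

# 1. Crash indicators: Kernel-Power 41 (unexpected reboot) and BugCheck 1001 in the System log.
$crashes = Get-WinEvent -FilterHashtable @{LogName='System'; Id=41,1001; StartTime=$since} `
           -ErrorAction SilentlyContinue
foreach ($e in $crashes) {
    # Constructed heuristic: the 1001 message normally names only the dump file and bugcheck
    # code, not the faulting driver, so a MSKSSRV mention here is a bonus, not the norm.
    $hit = if ($e.Message -match 'MSKSSRV') { ' <-- message references MSKSSRV.SYS' } else { '' }
    '{0} Id={1} {2}{3}' -f $e.TimeCreated, $e.Id, (($e.Message -split "`n")[0]), $hit
}
# Any dump files listed by 1001 events still need offline analysis to confirm the module on the stack.

# 2. Process creation (Security 4688). When the new process runs under a different account than
#    the creator, TargetUserSid is populated; otherwise it is the null SID S-1-0-0.
#    Constructed heuristic: creator is not SYSTEM but the child runs as LocalSystem (S-1-5-18).
$procs = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$since} `
         -ErrorAction SilentlyContinue
foreach ($e in $procs) {
    # Parse the EventData by field name instead of relying on positional Properties indices.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.TargetUserSid -eq 'S-1-5-18' -and $d.SubjectUserSid -ne 'S-1-5-18') {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Creator = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Parent  = $d.ParentProcessName
            Child   = $d.NewProcessName
            CmdLine = $d.CommandLine   # empty unless command-line auditing is enabled
        }
    }
}
```

Expect legitimate hits from service control and scheduled-task hosts; triage by comparing the Parent and Child paths against your known-good baseline rather than treating every match as exploitation.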
References:
- Microsoft Security Update Guide – Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
- Windows kernel bug now exploited in attacks to gain SYSTEM privileges
- Streaming vulnerabilities from Windows Kernel – Proxying to Kernel – Part I
- Windows Kernel-Mode Driver Elevation of Privilege Vulnerability – CVE