Microsoft has fixed a zero-day vulnerability exploited in attacks to deliver QakBot and other malware payloads on vulnerable Windows systems.
Tracked as CVE-2024-30051, this privilege escalation bug is caused by a heap-based buffer overflow in the DWM core library.
Following successful exploitation, attackers can gain SYSTEM privileges.
Desktop Window Manager is a Windows service introduced in Windows Vista that allows the OS to use hardware acceleration when rendering graphical user interface elements such as glass window frames and 3D transition animations.
Kaspersky security researchers discovered the vulnerability while investigating another Windows DWM Core Library privilege escalation bug tracked as CVE-2023-36033 and also exploited as a zero-day in attacks.
While combing through data related to recent exploits and associated attacks, they stumbled upon an intriguing file uploaded to VirusTotal on April 1, 2024.
The file's names hinted that it contained details on a Windows vulnerability.
As they discovered, the file provided information regarding a Windows Desktop Window Manager vulnerability that could be exploited to escalate privileges to SYSTEM, with the outlined exploitation processing perfectly mirroring the one used in CVE-2023-36033 attacks, even though it described a distinct vulnerability.
Despite the document's subpar quality and some omissions on how the vulnerability could be exploited, Kaspersky confirmed the existence of a new zero-day privilege escalation vulnerability in the Windows DWM Core Library.
Microsoft assigned the CVE-2024-30051 CVE ID and patched the vulnerability during this month's Patch Tuesday.
Security researchers at Google Threat Analysis Group, DBAPPSecurity WeBin Lab, and Google Mandiant also reported the zero-day to Microsoft, pointing to likely widespread exploitation in malware attacks.
QakBot started as a banking trojan in 2008 and was used to steal banking credentials, website cookies, and credit cards to commit financial fraud.
Over time, QakBot evolved into a malware delivery service, partnering with other threat groups to provide initial access to enterprise and home networks for ransomware attacks, espionage, or data theft.
While its infrastructure was dismantled in August 2023 following a multinational law enforcement operation spearheaded by the FBI and known as Operation 'Duck Hunt,' the malware resurfaced in phishing campaigns targeting the hospitality industry in December.
Law enforcement linked QakBot to at least 40 ransomware attacks targeting companies, healthcare providers, and government agencies worldwide, which, according to conservative estimates, caused hundreds of millions of dollars in damage.
Throughout the years, Qakbot served as an initial infection vector for various ransomware gangs and their affiliates, including Conti, ProLock, Egregor, REvil, RansomExx, MegaCortex, and, most recently, Black Basta.
Microsoft fixes two Windows zero-days exploited in malware attacks.
Apple backports fix for zero-day exploited in attacks to older iPhones.
Google Chrome emergency update fixes 6th zero-day exploited in 2024.
Google fixes fifth Chrome zero-day exploited in attacks this year.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 14 May 2024 18:20:48 +0000