
Microsoft addresses zero-day vulnerability exploited by QakBot – Source: www.databreachtoday.com

Kaspersky has reported that in April it observed operators of the QakBot botnet exploiting a previously unknown Windows vulnerability, a zero-day at the time of the attacks. Microsoft released a fix for the flaw in its Patch Tuesday update on Tuesday.

The QakBot botnet, also known as Qbot, was dismantled in August by U.S. authorities and international partners in a law enforcement action named Operation Duck Hunt. Despite the takedown, malware analysts observed the botnet resurfacing in the following months, as has happened with other major Trojans after their infrastructure was seized.

According to Kaspersky researchers, QakBot operators were observed exploiting the Windows zero-day, tracked as CVE-2024-30051, in mid-April. Microsoft rates the elevation-of-privilege vulnerability as "important" on its severity scale, and Kaspersky's telemetry indicates it was exploited by multiple threat actors, not only QakBot. Researchers from DBAPPSecurity, Google, and Google subsidiary Mandiant also reported the vulnerability to Microsoft.

The zero-day lies in the Desktop Window Manager (DWM), the compositing window manager that has been part of Windows since Vista. DWM renders each window into an off-screen buffer and composes those buffers into the on-screen desktop, applying visual effects along the way; because it runs with higher privileges than a user's application, a flaw in it is a natural target for privilege escalation. Dustin Childs of the Zero Day Initiative noted that bugs of this kind are typically chained with a code execution vulnerability to take full control of a target system, a pattern often seen with ransomware operators.

Kaspersky's researchers found the bug while investigating an earlier, already patched flaw in the Desktop Window Manager. On April 1, their attention was drawn to a suspicious document uploaded to VirusTotal that described how to exploit a then-unknown DWM vulnerability to obtain system privileges; that document was the starting point for the discovery of the zero-day.

QakBot began as a banking Trojan in 2008, but its operators have since shifted to serving as initial access brokers, selling access to compromised networks to other criminal groups, including Russian-speaking ransomware operations. Microsoft's latest Patch Tuesday release fixed two actively exploited zero-days: the DWM flaw used by QakBot and CVE-2024-30040. CVE-2024-30040 is also rated "important" on Microsoft's severity scale and resides in MSHTML, the legacy browser engine that remains in Windows for compatibility purposes despite the deprecation of Internet Explorer.

The episode shows how quickly a privilege-escalation primitive circulates once it is written up: a document on VirusTotal in early April, exploitation by multiple actors within weeks, and a vendor patch in May. For defenders, the practical takeaways are to apply the May Patch Tuesday updates promptly, to treat elevation-of-privilege bugs as seriously as remote code execution bugs since they are routinely chained together, and to recognize that the reporting by Kaspersky, DBAPPSecurity, Google, and Mandiant is what got the flaw fixed before it spread further.
