Microsoft Fixes Zero-Day Exploited By QakBot Malware

Microsoft recently addressed a critical zero-day vulnerability that cyber attackers were exploiting to distribute malware, including QakBot, on vulnerable Windows systems. The vulnerability, identified as CVE-2024-30051, is a privilege escalation flaw in the Desktop Window Manager (DWM) core library. This flaw allows attackers to gain “SYSTEM privileges,” according to Microsoft.

The Desktop Window Manager (dwm.exe) is a window manager introduced in Windows Vista that handles GUI effects like transparent windows and live taskbar thumbnails. It works by combining window images into a composite view before displaying them on the monitor, allowing for various visual effects in Windows.

Kaspersky researchers discovered this vulnerability while investigating a similar bug in the Windows DWM Core Library. They found a file uploaded to VirusTotal containing information about a privilege escalation vulnerability in the DWM core library. Further analysis confirmed that the zero-day vulnerability was genuine, leading to its designation as CVE-2024-30051 and subsequent patching by Microsoft.

After reporting the zero-day to Microsoft, Kaspersky observed exploits involving QakBot and other malware that took advantage of this vulnerability. Security researchers from several other organizations also reported the zero-day to Microsoft, indicating potentially widespread exploitation in malware attacks.

The U.S. Cybersecurity and Infrastructure Security Agency included CVE-2024-30051 in its Known Exploited Vulnerabilities catalog and urged all federal agencies to apply the patch by June 4. Kaspersky plans to disclose technical details of the vulnerability once users have had sufficient time to update their systems.

QakBot, initially a banking trojan, has evolved into an initial access broker, facilitating ransomware attacks and espionage by providing access to compromised networks. Despite previous law enforcement efforts to dismantle its infrastructure, QakBot re-emerged in phishing campaigns targeting the hospitality industry.

In addition to CVE-2024-30051, Microsoft also patched another zero-day flaw in its May 2024 Patch Tuesday release. This flaw, tracked as CVE-2024-30040, is a security feature bypass vulnerability in the Windows MSHTML platform. It allows an attacker to execute arbitrary code by bypassing OLE mitigations in Microsoft 365 and Office applications.

Overall, the recent Microsoft patches address critical vulnerabilities exploited by cyber attackers to distribute malware and escalate privileges. It is crucial for users and organizations to apply these patches promptly to safeguard their systems against potential threats.
