Farah Amod
May 21, 2024
Microsoft took decisive action to address a zero-day vulnerability within the Windows Desktop Window Manager (DWM) core library, which had been actively exploited by the notorious QakBot malware.
While investigating another Windows DWM Core Library privilege escalation bug (CVE-2023-36033), researchers at Kaspersky came across an intriguing file uploaded to VirusTotal. The file, written in broken English, described a previously unknown Windows DWM vulnerability that could be exploited to escalate privileges to SYSTEM.
Kaspersky promptly shared their findings with Microsoft, leading to the assignment of the CVE-2024-30051 identifier and the subsequent patching of the vulnerability during the May 2024 Patch Tuesday.
The May 2024 update fixes the privilege escalation flaw in the Windows DWM core library, removing the attack vector that QakBot and other malware had been using.
The vulnerability, tracked as CVE-2024-30051, is a privilege escalation bug caused by a heap-based buffer overflow in the Windows DWM core library. If successfully exploited, it allows an attacker who already has a foothold on the machine to gain SYSTEM-level privileges. The DWM, introduced in Windows Vista, is the component responsible for hardware-accelerated rendering of graphical user interface elements.
The discovery of CVE-2024-30051 was not limited to Kaspersky alone. Security researchers from Google Threat Analysis Group, DBAPPSecurity WeBin Lab, and Google Mandiant also reported the zero-day vulnerability to Microsoft, indicating its widespread exploitation in various malware attacks.
QakBot has served as an initial infection vector for various ransomware gangs and their affiliates, including the more recent Black Basta. According to conservative estimates, the attacks linked to QakBot have caused hundreds of millions of dollars in damage worldwide, targeting companies, healthcare providers, and government agencies.
Despite a multinational law enforcement operation (Operation 'Duck Hunt') in 2023 that temporarily dismantled its infrastructure, QakBot has resurfaced in recent phishing campaigns targeting the hospitality industry.