Kaspersky researchers Boris Larin and Mert Degirmenci identified a previously unknown Windows vulnerability in early April 2024, now designated CVE-2024-30051. The discovery was made while investigating the Windows DWM Core Library Elevation of Privilege vulnerability CVE-2023-36033. A fix for the new vulnerability has been available since May 14th, in the Patch Tuesday update package Microsoft released that day.
On April 1, 2024, a document uploaded to VirusTotal caught the attention of Kaspersky researchers. Its descriptive file name suggested a potential Windows operating system vulnerability. Despite the broken English and the lack of detail on how to trigger the vulnerability, the document described an exploitation process identical to that of the zero-day exploit found in 2023 (CVE-2023-36033), although the vulnerabilities themselves were different. Suspecting that the vulnerability was fictitious or unexploitable, the team nevertheless continued the investigation. A quick check revealed that it was genuine and previously unknown (a zero-day), and that it could be used to escalate privileges on the attacked system.
Kaspersky immediately reported the findings to Microsoft, which verified the vulnerability and assigned it the identifier CVE-2024-30051.
Following the report, Kaspersky began monitoring for exploits and attacks using this previously unknown vulnerability. In mid-April, the team detected that it was being exploited in the wild: the exploit was used together with the QakBot banking trojan and other malware, indicating that several groups had access to it.
“We found the VirusTotal document intriguing due to its descriptive nature and decided to investigate further, which led us to discover this critical zero-day vulnerability,” said Boris Larin, principal security researcher at Kaspersky GReAT. “The speed at which cybercriminal groups are integrating this exploit into their arsenal highlights the importance of updates and vigilance in corporate security.”
Kaspersky will release further technical details of CVE-2024-30051 once most users have updated Windows.
Kaspersky products have been updated to detect exploits and attacks using CVE-2024-30051 with the following verdicts:
- PDM:Exploit.Win32.Generic
- PDM:Trojan.Win32.Generic
- UDS:DangerousObject.Multi.Generic
- Trojan.Win32.Agent.gen
- Trojan.Win32.CobaltStrike.gen
About QakBot: Kaspersky has been tracking this sophisticated banking trojan since its discovery in 2007. It originally stole banking credentials, but it has since evolved significantly, gaining capabilities such as email theft, keylogging, and the ability to spread laterally and install ransomware. The malware is known for its frequent updates and improvements, which make it a persistent threat. In recent years, QakBot has been observed using other botnets, such as Emotet, for distribution.
Source: https://www.hardware.com.br/noticias/2024-05/kaspersky-descobre-ataques-que-exploram-vulnerabilidade-desconhecida-no-windows.html