Microsoft Patches Zero-Day Vulnerability Exploited to Deliver QakBot and Other Malware
Microsoft has released a patch to fix a zero-day Windows vulnerability – CVE-2024-30051 – exploited in attacks delivering QakBot malware. Healthcare organizations should prioritize this patch as QakBot has been used in many attacks on the healthcare sector.
QakBot, aka QBot, was first identified in 2008 and was initially a banking trojan that was used to steal banking information and credentials. The malware has evolved over the years into a malware delivery service, with the operators acting as an initial access broker, selling access to infected companies to other threat actors, including ransomware groups. A law enforcement operation last summer successfully dismantled the QakBot botnet and took down its infrastructure; however, it was rebuilt and remains in operation.
Several threat groups are known to work with the QakBot operators, including the Black Basta ransomware group. A joint cybersecurity alert was recently issued by CISA and partners warning critical infrastructure entities about Black Basta ransomware attacks. Black Basta has been linked with the recent ransomware attack on Ascension, and the group has increased its attacks on the healthcare sector in recent months.
The heap-based buffer overflow vulnerability has been assigned a CVSS severity score of 7.8 (rated important by Microsoft) and is an elevation of privilege vulnerability in the core library of Windows DWM (Desktop Window Manager). Successful exploitation of the vulnerability allows an attacker to gain SYSTEM privileges.
The vulnerability was identified by researchers at Kaspersky during an investigation of a different elevation of privilege vulnerability in DWM, CVE-2023-36033, for which Microsoft released a patch in December 2023. Microsoft was notified, and Kaspersky began searching for evidence of exploitation, identifying an exploit for the vulnerability in April 2024. Kaspersky believes the vulnerability has been exploited by multiple threat actors to deliver QakBot and other malware.
CVE-2024-30051 is one of two actively exploited zero-day vulnerabilities patched by Microsoft on the May 2024 Patch Tuesday, the other being CVE-2024-30040, a security feature bypass vulnerability in the Windows MSHTML platform. That vulnerability can be exploited by convincing a user to load a malicious file on an unpatched system. The file could be sent via email or an instant messaging application, for instance, and the user would need to be convinced to manipulate, but not necessarily click or open, the malicious file. The attack could lead to remote code execution.