Microsoft took decisive action to address a zero-day vulnerability within the Windows Desktop Window Manager (DWM) core library, which had been actively exploited by the notorious QakBot malware.
While investigating another Windows DWM Core Library privilege escalation bug (CVE-2023-36033), researchers at Kaspersky stumbled upon an intriguing file uploaded to VirusTotal. This file, written in broken English, provided information about a previously unknown Windows DWM vulnerability that could be exploited to escalate privileges to the SYSTEM level.
Kaspersky promptly shared their findings with Microsoft, leading to the assignment of the CVE-2024-30051 identifier and the subsequent patching of the vulnerability during the May 2024 Patch Tuesday.
In response to the discovery of CVE-2024-30051, Microsoft promptly released a security update. This update addressed the privilege escalation vulnerability in the Windows DWM core library, effectively closing the door on this attack vector exploited by QakBot and other malware.
The vulnerability, tracked as CVE-2024-30051, is a privilege escalation bug caused by a heap-based buffer overflow in the Windows DWM core library. This flaw, if successfully exploited, would allow attackers to gain SYSTEM-level privileges on the affected system. The DWM, introduced in Windows Vista, is a component responsible for hardware acceleration and rendering of graphical user interface elements.
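To illustrate the bug class named above (a heap-based buffer overflow caused by trusting a caller-supplied length) here is an added example that is not code from the page, from Microsoft, or from the DWM library; the `record_t` layout, `RECORD_CAPACITY`, and the two fill functions are hypothetical and exist only to show the unchecked copy beside its bounds-checked replacement:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical length-prefixed record stored in a heap block.
   This is a constructed illustration, not DWM's real data layout. */
#define RECORD_CAPACITY 64

typedef struct {
    uint32_t len;                    /* bytes actually stored */
    uint8_t  data[RECORD_CAPACITY];  /* fixed-size buffer inside the heap block */
} record_t;

/* Vulnerable pattern: `len` arrives from an untrusted source and is used
   directly, so any value above RECORD_CAPACITY writes past the end of the
   heap allocation. Shown only for contrast; never call it with len > 64. */
int record_fill_unchecked(record_t *r, const uint8_t *src, uint32_t len) {
    memcpy(r->data, src, len);       /* no bounds check against the buffer */
    r->len = len;
    return 0;
}

/* Hardened pattern: validate the length against the real capacity before
   the copy and reject oversized input instead of corrupting the heap. */
int record_fill_checked(record_t *r, const uint8_t *src, uint32_t len) {
    if (r == NULL || src == NULL || len > RECORD_CAPACITY)
        return -1;                   /* refuse rather than overflow */
    memcpy(r->data, src, len);
    r->len = len;
    return 0;
}

/* Allocate a zeroed record on the heap. */
record_t *record_new(void) {
    return calloc(1, sizeof(record_t));
}

int main(void) {
    uint8_t sample[128];             /* constructed input larger than the buffer */
    memset(sample, 'A', sizeof sample);

    record_t *r = record_new();
    if (r == NULL)
        return 1;

    printf("checked, 32 bytes : %d\n", record_fill_checked(r, sample, 32));
    printf("checked, 128 bytes: %d\n", record_fill_checked(r, sample, 128));
    free(r);
    return 0;
}
```

The defensive change is a single comparison, but it is the one that turns an attacker-controlled length into a rejected request rather than an out-of-bounds heap write; reviewers looking for this class of defect check that every length or count read from an untrusted message is compared against the size of the destination allocation before any copy.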
The discovery of CVE-2024-30051 was not limited to Kaspersky alone. Security researchers from Google Threat Analysis Group, DBAPPSecurity WeBin Lab, and Google Mandiant also reported the zero-day vulnerability to Microsoft, indicating its widespread exploitation in various malware attacks.
QakBot has served as an initial infection vector for various ransomware gangs and their affiliates, including the more recent Black Basta. According to conservative estimates, the attacks linked to QakBot have caused hundreds of millions of dollars in damage worldwide, targeting companies, healthcare providers, and government agencies.
Despite a multinational law enforcement operation (Operation 'Duck Hunt') in 2023 that temporarily dismantled its infrastructure, QakBot has resurfaced in recent phishing campaigns targeting the hospitality industry.