Kaspersky discovers attacks against a new vulnerability in Windows

Kaspersky has identified a new zero-day vulnerability in Windows, tracked as CVE-2024-30051. The discovery emerged in early April 2024 while researchers were analyzing the Windows DWM Core Library elevation of privilege vulnerability (CVE-2023-36033). The new vulnerability was exploited by the QakBot banking Trojan and other threat actors.

An unexpected find

On April 1, 2024, a document uploaded to VirusTotal caught the attention of researchers at Kaspersky. The document suggested a possible vulnerability in Windows. Although it was poorly worded and lacked details on how to trigger the vulnerability, it described an exploitation process similar to the zero-day exploit detected in 2023. At first, researchers suspected that the vulnerability could be fictitious. However, after a quick check, they confirmed that it was a true zero-day vulnerability that allowed privilege escalation on the attacked system.

Collaboration with Microsoft

Kaspersky researchers Boris Larin and Mert Degirmenci quickly reported their findings to Microsoft, which verified the vulnerability and assigned it CVE-2024-30051. After the report, Kaspersky began monitoring for exploits and attacks using this previously unknown vulnerability. In mid-April, they detected that the vulnerability had been exploited alongside the QakBot banking Trojan and other malware, indicating that multiple threat actors had access to the vulnerability.


The importance of cybersecurity surveillance

Boris Larin commented: ‘We found the VirusTotal document interesting due to its descriptive nature and decided to investigate further, which led us to discover this critical zero-day vulnerability. The speed with which threat actors are integrating this exploit into their arsenal underscores the importance of timely updates and cybersecurity vigilance.’

Kaspersky will release more technical details of CVE-2024-30051 once enough time has passed for most users to update their Windows systems. The company thanked Microsoft for its quick review and patch release.

Updates and protection

Kaspersky products have been updated to detect exploits and attacks that use CVE-2024-30051 with the following verdicts:

  • PDM:Exploit.Win32.Generic
  • PDM:Trojan.Win32.Generic
  • UDS:DangerousObject.Multi.Generic
  • Trojan.Win32.Agent.gen
  • Trojan.Win32.CobaltStrike.gen

QakBot: a persistent threat

As for QakBot, Kaspersky has been tracking this sophisticated banking Trojan since its discovery in 2007. Originally designed for the theft of banking credentials, QakBot has evolved significantly, gaining new functionality such as email theft, keylogging, and the ability to spread and install ransomware. The malware is known for its frequent updates and improvements, making it a persistent threat in the cybersecurity landscape. In recent years, QakBot has been observed leveraging other botnets such as Emotet for distribution.

Recommendations for users and companies

Given the risk that this new vulnerability represents, Kaspersky recommends that users and companies update their Windows systems as soon as possible. In addition, it is crucial to keep security software updated and to pay attention to alerts about possible threats. Early detection and rapid response are essential to protect sensitive systems and information from cyberattacks.

Kaspersky continues its commitment to researching and identifying new threats, providing effective security solutions to protect its users. The detection of the CVE-2024-30051 vulnerability and the collaboration with Microsoft demonstrate the importance of cooperation in the fight against cybercrime and the protection of global digital infrastructure.

 