Along with QakBot, the Kaspersky researchers have seen other payloads deployed with the exploit for the newly disclosed CVE-2024-30051 vulnerability, including the Cobalt Strike beacon. From this, Kaspersky has concluded that the exploit is already known to, and being used by, multiple groups.
It is worth noting that CVE-2024-30051 cannot be used to gain initial access. It is a privilege escalation flaw that lets attackers obtain full control of the machine (SYSTEM privileges) once they are already able to execute code on it, for example via a malware dropper delivered by other means.
OLE security bypass
The second vulnerability exploited in the wild affects the Windows MSHTML platform and enables attackers to bypass Microsoft Object Linking & Embedding (OLE) defenses in Microsoft 365 and Microsoft Office.
OLE allows Office documents to embed links to external objects and documents that can in turn invoke other programs. Attackers have long been known to abuse this feature with techniques such as OLE template injection, where a document references a remote template or object that carries the malicious code, to execute attacker-controlled content from custom-crafted files. For this reason, Microsoft Office now opens files downloaded from the internet (those carrying the Mark of the Web) in Protected View.
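The OLE and template links described above live in the package's `.rels` parts rather than in the visible document body, which is where a triage script should look. The following scanner is an added example written for this article, not code from Kaspersky, Microsoft or the original page: it walks every relationship part in an OOXML file and flags `oleObject` and `attachedTemplate` relationships whose `TargetMode` is `External`, the layout used by remote-template and external-OLE documents. The sample documents it inspects are constructed in memory (`build_sample_docx` is a hypothetical helper; the targets it writes are placeholders, not real indicators), so the script runs offline.

```python
"""Flag external OLE / template links inside an OOXML (.docx/.xlsx/.pptx) package.

Added example for this article; not affiliated with any vendor's tooling.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
OLE_OBJECT = OFFICE_REL + "oleObject"
ATTACHED_TEMPLATE = OFFICE_REL + "attachedTemplate"
# Relationship types that let a document pull an object or template from outside the file.
RISKY_REL_TYPES = {OLE_OBJECT, ATTACHED_TEMPLATE}


def find_external_links(ooxml_bytes):
    """Return (rels_part, rel_id, rel_kind, target) for every risky relationship
    that resolves outside the package (TargetMode="External")."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                rtype = rel.get("Type", "")
                if rtype in RISKY_REL_TYPES and rel.get("TargetMode") == "External":
                    findings.append((name, rel.get("Id"), rtype.rsplit("/", 1)[-1], rel.get("Target")))
    return findings


def _rels_xml(rels):
    return (f'<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{REL_NS}">{"".join(rels)}</Relationships>')


def build_sample_docx(ole_target=None, template_target=None):
    """Constructed minimal .docx (hypothetical helper, not a real malware sample).
    External relationships are written only when a target is given, mirroring
    how remote-template and external-OLE documents are laid out."""
    doc_rels = [f'<Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>']
    if ole_target:
        doc_rels.append(f'<Relationship Id="rId9" Type="{OLE_OBJECT}" '
                        f'Target="{ole_target}" TargetMode="External"/>')
    settings_rels = []
    if template_target:
        settings_rels.append(f'<Relationship Id="rId2" Type="{ATTACHED_TEMPLATE}" '
                             f'Target="{template_target}" TargetMode="External"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
                    '<Default Extension="xml" ContentType="application/xml"/></Types>')
        zf.writestr("_rels/.rels", _rels_xml(
            [f'<Relationship Id="rId1" Type="{OFFICE_REL}officeDocument" Target="word/document.xml"/>']))
        zf.writestr("word/document.xml", '<?xml version="1.0" encoding="UTF-8"?><w:document '
                    'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>')
        zf.writestr("word/_rels/document.xml.rels", _rels_xml(doc_rels))
        zf.writestr("word/settings.xml", '<?xml version="1.0" encoding="UTF-8"?><w:settings '
                    'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/settings.xml.rels", _rels_xml(settings_rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder targets; they are not indicators from any real campaign.
    suspicious = build_sample_docx(ole_target="file:///C:/Users/Public/placeholder.exe",
                                   template_target="http://example.invalid/template.dotm")
    for part, rel_id, kind, target in find_external_links(suspicious):
        print(f"{part}: {rel_id} {kind} -> {target}")
```

A clean document with only package-internal relationships (styles, the main document part) produces no findings; the example flags the `oleObject` link in `word/_rels/document.xml.rels` and the `attachedTemplate` link in `word/_rels/settings.xml.rels`. In practice this check complements, rather than replaces, Protected View and Mark-of-the-Web handling, since it only tells you that a document reaches outside itself, not whether the target is benign.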
“An attacker would have to convince the user to load a malicious file onto a vulnerable system, typically by way of an enticement in an Email or Instant Messenger message, and then convince the user to manipulate the specially crafted file, but not necessarily click or open the malicious file,” Microsoft wrote in its advisory for CVE-2024-30040.
The vulnerability is flagged as “exploited” by Microsoft and has also been added to the Known Exploited Vulnerabilities catalog maintained by the US Cybersecurity and Infrastructure Security Agency (CISA).