Along with QakBot, the Kaspersky researchers have seen other payloads deployed with the exploit for the new CVE-2024-30051 vulnerability, including the Cobalt Strike beacon. As a result, Kaspersky has concluded that the exploit is currently known to, and used by, multiple groups.
It's worth noting that CVE-2024-30051 cannot be used to gain initial access. It is a privilege escalation flaw that allows attackers to obtain full control of the system (SYSTEM privileges) once they are already able to execute malware on a computer.
OLE security bypass
The second vulnerability exploited in the wild affects the Windows MSHTML platform, enabling attackers to bypass Microsoft Object Linking & Embedding (OLE) defenses in Microsoft 365 and Microsoft Office.
OLE allows Office documents to embed links to external objects and documents that can invoke other programs. Attackers have long been known to abuse this feature with techniques such as OLE template injection to execute malicious code from custom-crafted files. This is why Microsoft Office now opens files downloaded from the internet in Protected View mode.
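As a practitioner's check on the Protected View mitigation described above, here is an added PowerShell example; it is not code from the article, from Kaspersky or from Microsoft. It reports whether Protected View for internet files, Outlook attachments and unsafe locations has been switched off by policy or by user preference for Word, Excel and PowerPoint, and whether a given file carries the Mark-of-the-Web (Zone.Identifier stream) that triggers Protected View in the first place. The `16.0` registry version (Office 2016 and later, including Microsoft 365), the sample file path and the assumption that a missing value means the default (Protected View enabled) applies are assumptions of this example; the value names are the ones used by the Office Protected View policy settings.

```powershell
# Added example, not from the article, Kaspersky or Microsoft.
# Assumptions: Office 2016+/Microsoft 365 (registry version "16.0"); a missing
# value means the default (Protected View enabled) applies; $Path is hypothetical.
param([string]$Path = "$env:USERPROFILE\Downloads\invoice.docx")

$apps   = 'Word', 'Excel', 'PowerPoint'
$values = 'DisableInternetFilesInPV', 'DisableAttachmentsInPV', 'DisableUnsafeLocationsInPV'

foreach ($app in $apps) {
    # The Policies hive (Group Policy) takes precedence over the user preference hive.
    $keys = @(
        "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security\ProtectedView",
        "HKCU:\Software\Microsoft\Office\16.0\$app\Security\ProtectedView"
    )
    foreach ($v in $values) {
        $state = 'enabled (default)'
        foreach ($k in $keys) {
            $item = Get-ItemProperty -Path $k -Name $v -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                # A value of 1 disables that Protected View trigger.
                $state = if ($item.$v -eq 1) { 'DISABLED' } else { 'enabled' }
                break
            }
        }
        '{0,-10} {1,-28} {2}' -f $app, $v, $state
    }
}

# Mark-of-the-Web: a Zone.Identifier stream with ZoneId=3 (Internet) or 4
# (Restricted) is what makes Office open the file in Protected View. A file
# extracted by a tool that does not propagate the stream will show none and
# opens without Protected View regardless of the settings above.
if (Test-Path -LiteralPath $Path) {
    $motw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($motw) { "Mark-of-the-Web on ${Path}:"; $motw } else { "No Mark-of-the-Web on $Path" }
} else {
    "File not found: $Path"
}
```

Run it as the user whose Office settings you want to audit, since both hives are per-user; any line reporting `DISABLED`, or a downloaded document with no Mark-of-the-Web, means the Protected View layer that the MSHTML bypass has to defeat is already absent.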
“An attacker would have to convince the user to load a malicious file onto a vulnerable system, typically by way of an enticement in an Email or Instant Messenger message, and then convince the user to manipulate the specially crafted file, but not necessarily click or open the malicious file,” Microsoft wrote in its advisory for CVE-2024-30040.
The vulnerability is flagged as “exploited” by Microsoft and is also included in the Known Exploited Vulnerabilities catalog maintained by the US Cybersecurity and Infrastructure Security Agency (CISA).