Microsoft fixes three zero-day vulnerabilities, two actively exploited


Exploit discovered by chance

The DWM vulnerability was discovered by researchers from antivirus vendor Kaspersky Lab while they were searching for exploits for an older vulnerability in the same Windows component that was patched last year. That vulnerability, tracked as CVE-2023-36033, was also disclosed as a zero-day and was used in attacks.

When searching for different patterns related to that exploit to identify new samples and attacks it might have been used in, the Kaspersky researchers found a document uploaded to the Virus Total online scanning engine on April 1. That document, written in broken English, seemed to describe a new DWM vulnerability for which the exploitation steps were nearly identical to those for the older CVE-2023-36033 flaw.

“Judging by the quality of the writing and the fact that the document was missing some important details about how to actually trigger the vulnerability, there was a high chance that the described vulnerability was completely made up or was present in code that could not be accessed or controlled by attackers,” Kaspersky’s researchers wrote in a blog post. “But we still decided to investigate it, and a quick check showed that this is a real zero-day vulnerability that can be used to escalate privileges.”

After reporting their findings to Microsoft and confirming that it was a real exploit for a new vulnerability, the Kaspersky researchers started looking through their telemetry for signs that it might have been used in attacks, and it wasn’t long until they found some.

In mid-April they started seeing the exploit used in attacks that deployed QakBot, aka Qbot, a trojan program and botnet that has long been used as a malware distribution platform by many cybercriminal groups, including ransomware gangs. The FBI and CISA issued an alert last week about the Black Basta ransomware group targeting healthcare and critical infrastructure organizations; QakBot is one of the methods used by Black Basta affiliates to gain access to corporate networks.
