Microsoft fixes three zero-day vulnerabilities, two actively exploited

In addition to QakBot, the Kaspersky researchers have seen other payloads deployed with the exploit for the new CVE-2024-30051 vulnerability, including the Cobalt Strike beacon. As a result, Kaspersky has concluded that the exploit is currently known and being used by multiple groups.

It’s worth noting that CVE-2024-30051 cannot be used to gain initial access. It is a privilege escalation flaw that enables attackers to gain full system control (SYSTEM privileges) once they’re already able to execute malware on a computer.

OLE security bypass

The second vulnerability exploited in the wild affects the Windows MSHTML platform, enabling attackers to bypass Microsoft Object Linking & Embedding (OLE) defenses in Microsoft 365 and Microsoft Office.

OLE allows Office documents to embed links to external objects and documents that could call other programs. Attackers have long been known to exploit this feature with techniques such as OLE template injection to execute malicious code from custom-crafted files. For this reason, Microsoft Office now has Protected View mode for files downloaded from the internet.

“An attacker would have to convince the user to load a malicious file onto a vulnerable system, typically by way of an enticement in an Email or Instant Messenger message, and then convince the user to manipulate the specially crafted file, but not necessarily click or open the malicious file,” Microsoft wrote in its advisory for CVE-2024-30040.

The vulnerability is flagged as “exploited” by Microsoft and is also included in the Known Exploited Vulnerabilities catalog maintained by the US Cybersecurity and Infrastructure Security Agency (CISA).
