A cybersecurity firm has reported that hackers have infiltrated at least one organization using Windows vulnerabilities that a disgruntled security researcher disclosed online over the past two weeks.
On Friday, the company Huntress revealed through a series of posts on X that its researchers observed hackers exploiting three Windows security flaws, named BlueHammer, UnDefend, and RedSun.
The identities of the attack’s target and of the hackers remain unknown.
Of the three vulnerabilities currently being exploited, Microsoft has patched only BlueHammer. The fix was released earlier this week.
Hackers appear to be utilizing the exploit code that the security researcher published online.
Earlier this month, a researcher known as Chaotic Eclipse shared what they claimed was exploit code for an unpatched Windows vulnerability on their blog. The researcher hinted at a conflict with Microsoft as the reason for releasing the code.
“I was not bluffing Microsoft and I’m doing it again,” they wrote, expressing gratitude to Microsoft’s Security Response Center for the circumstances leading to this disclosure.
Days later, Chaotic Eclipse released UnDefend and then RedSun earlier this week. The researcher shared code exploiting all three vulnerabilities on their GitHub page.
All three vulnerabilities affect Windows Defender, Microsoft’s own antivirus, and grant hackers high-level or administrator access to a Windows computer.
TechCrunch could not contact Chaotic Eclipse for comment.
In response to specific inquiries, Microsoft’s communications director Ben Hope stated that the company supports “coordinated vulnerability disclosure, a widely adopted industry practice that ensures issues are thoroughly investigated and addressed before public disclosure, benefiting both customer protection and the security research community.”
This situation exemplifies a “full disclosure” scenario within the cybersecurity industry. Researchers usually report a flaw to the affected software company, facilitating the development of a patch. Often, there’s a mutually agreed timeline for public disclosure of the findings.
However, these communications sometimes break down, leading researchers to publicly reveal details about the bug. Some researchers may release “proof-of-concept” code to demonstrate a flaw’s existence or severity.
In such cases, cybercriminals and government hackers might use this code in attacks, forcing cyber defenders to respond urgently.
“With these being so easily available now, and already weaponized for easy use, for better or for worse I think that ultimately puts us in another tug-of-war match between defenders and cybercriminals,” said John Hammond, a Huntress researcher tracking the matter.
“Scenarios like these cause us to race with our adversaries; defenders frantically try to protect against ill-intended actors who rapidly take advantage of these exploits… especially now as it is just ready-made attacker tooling,” Hammond added.
