Angry hacker drops more Windows 0-Days in ongoing campaign.
The day following the rollout of Microsoft’s Patch Tuesday security updates is known in cybersecurity circles as Exploit Wednesday. This month, there is more reason than ever to take that very seriously indeed. While Microsoft didn’t patch any “in the wild” vulnerabilities this time, an angry hacker known by the monikers Chaotic Eclipse and Nightmare Eclipse chose to synchronize the public disclosure of no fewer than two zero-day exploits with the official release. Here’s what you need to know, and do, about the YellowKey and GreenPlasma exploits.
What You Need To Know About The YellowKey And GreenPlasma Microsoft Windows Zero-Day Exploits
Hell hath no fury like a security researcher scorned. Well, that appears to be so in the case of a bug bounty hacker known as Chaotic Eclipse, who has a history of posting Windows zero-days after being unhappy with communications from the Microsoft Security Response Center. In April, they publicly released exploit code for a zero-day that went by the name of BlueHammer and turned Microsoft Defender’s own update workflow into a credential theft mechanism. Now they are at it again.
“Microsoft has chosen to make this worse instead of resolving the situation like adults,” Chaotic Eclipse said, “they pulled every childish game possible. My patience is running out, you’re making everyone else pay for it.” The security researcher on a mission went on to address Microsoft security directly, saying, “I’m not sure what type of reaction you expected from me when you threw more gas on the fire after BlueHammer,” warning that the “fire will go as long as you want, unless you extinguish it or until there is nothing left to burn.”
The latest fuel comes in the form of two new zero-day exploits called YellowKey and GreenPlasma. The first is a Windows BitLocker encryption bypass; the second is a Windows CTFMON arbitrary section creation elevation of privilege vulnerability. Within 24 hours of the proof-of-concept exploit code being published, both have already been used in active attack campaigns.
“Both of the released exploit POCs suggest significant, potentially systemic flaws in how modern Windows operating system features handle path trust (GreenPlasma) and recovery (YellowKey),” Gavin Knapp, cyber threat intelligence principal lead at Bridewell, said. Microsoft is not the only vendor suffering from such issues, as is evident in my exclusive report on architectural failings in security mechanisms designed to protect Google Drive and Gmail users. Historical system vulnerabilities are being found rapidly, Knapp warned, “which is likely due to skilled researchers leveraging AI to expedite and scale vulnerability research and exploit development.”
Organizations should treat this as an active threat, Neena Sharma, a cybersecurity specialist at Filigree, told me, advising them to “assess their exposure immediately, particularly for devices in high-risk physical access scenarios such as field devices, and shared workstations.” Because no patch is available at the time of writing, Sharma suggested implementing “compensating controls like restricting USB boot access.”
Meanwhile, Chaotic Eclipse has issued the following warning to the Microsoft Security Response Center: “Your recent actions made me take the difficult decision to drag other companies into this, be prepared to answer questions. Next Patch Tuesday will have a big surprise for you, Microsoft. And remember, I never failed to deliver a promise.”
