
Experts published unpatched Windows zero-day BlueHammer


A researcher leaked the unpatched Windows zero-day “BlueHammer,” letting attackers gain SYSTEM rights; no patch exists yet.

A disgruntled researcher released the BlueHammer Windows zero-day, a privilege escalation flaw that allows attackers to gain SYSTEM or admin rights, Bleeping Computer reports.

The researcher privately reported the vulnerability to Microsoft but criticized the way Microsoft's Security Response Center (MSRC) handled the disclosure process. On April 3rd, the expert published the BlueHammer exploit on GitHub under the alias Nightmare-Eclipse. Microsoft hasn't released a patch, so the flaw qualifies as a zero-day and leaves Windows systems open to potential attacks.

“I’m just really wondering what was the math behind their decision, like you knew this was going to happen and you still did whatever you did? Are they serious?” reads the description published in the GitHub repository hosting the BlueHammer vulnerability.

Nightmare-Eclipse noted that he deliberately inserted a few bugs into the PoC exploit code, so it may not work as published without modification.

Popular cybersecurity expert Will Dormann confirmed that the BlueHammer exploit works. The bug is a local privilege escalation (LPE) flaw that chains a time-of-check-to-time-of-use (TOCTOU) race with path confusion. Exploitation is not trivial, but a successful run lets a local attacker read the Security Account Manager (SAM) database, which holds the password hashes of local accounts. With those hashes, the attacker can escalate to SYSTEM, fully compromising the machine and spawning SYSTEM-level shells to control it.
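What "TOCTOU plus path confusion" means in practice, as an added illustration that is not code from this article, from Nightmare-Eclipse's PoC, or from Microsoft: a reader that checks a path and then opens it by name, beside a hardened version that opens first and validates the handle it actually obtained. The directory names, file contents and the race_hook callback that stands in for the attacker's timing are constructed for the example; it uses POSIX file semantics (the Windows analogue is validating the opened handle rather than the name), and it does not reproduce BlueHammer's real mechanism, which the report does not describe.

```python
import errno
import os
import stat
import tempfile

# Constructed illustration of a check-then-use race on a file path (POSIX
# semantics). Not BlueHammer's code and not its mechanism; it only shows the
# bug class the report names: a check on a *name* that the attacker re-points
# before the name is used.


def vulnerable_read(allowed_dir: str, name: str, race_hook=lambda: None) -> bytes:
    """Serve a file only if it lives inside allowed_dir. Vulnerable: the check
    and the open both resolve the name, so a swap in between goes unnoticed."""
    path = os.path.join(allowed_dir, name)
    # CHECK: resolve symlinks and confirm the target is inside allowed_dir
    real = os.path.realpath(path)
    if not real.startswith(os.path.realpath(allowed_dir) + os.sep):
        raise PermissionError("outside allowed directory")
    race_hook()  # the attacker's window: the name is re-pointed before the use
    # USE: the name is resolved a second time; whatever it points to now is read
    with open(path, "rb") as f:
        return f.read()


def hardened_read(allowed_dir: str, name: str) -> bytes:
    """Open first, then validate the object actually opened (no second lookup)."""
    if not name or os.sep in name or name in (".", ".."):
        raise PermissionError("bad file name")
    dir_fd = os.open(allowed_dir, os.O_RDONLY | os.O_DIRECTORY)
    try:
        # Open relative to the directory handle; refuse a symlink at the leaf.
        fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
    except OSError as e:
        if e.errno == errno.ELOOP:
            raise PermissionError("symlink refused") from e
        raise
    finally:
        os.close(dir_fd)
    try:
        st = os.fstat(fd)  # inspects the opened object, not a path that may change
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        chunks = []
        while True:
            buf = os.read(fd, 65536)
            if not buf:
                break
            chunks.append(buf)
        return b"".join(chunks)
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed scenario: a 'secret' outside the served directory and a
    harmless file inside it that the attacker swaps for a symlink mid-request."""
    tmp = tempfile.mkdtemp()
    allowed = os.path.join(tmp, "public")
    os.mkdir(allowed)
    secret = os.path.join(tmp, "secret.txt")
    with open(secret, "wb") as f:
        f.write(b"local-account-hashes")  # stand-in for protected data
    target = os.path.join(allowed, "notes.txt")
    with open(target, "wb") as f:
        f.write(b"harmless")

    before_swap = hardened_read(allowed, "notes.txt")  # legitimate request works

    def swap():  # runs inside the race window
        os.remove(target)
        os.symlink(secret, target)

    leaked = vulnerable_read(allowed, "notes.txt", race_hook=swap)
    try:
        hardened_read(allowed, "notes.txt")
        blocked = False
    except PermissionError:
        blocked = True
    return {"before_swap": before_swap, "leaked": leaked, "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

The vulnerable reader passes its check because, at check time, the name really does resolve inside the served directory; the attacker then replaces the file with a symlink, and the open follows it to the protected data. The hardened reader never trusts the name twice: it opens relative to a directory handle, refuses a symlink at the leaf, and runs its type check on the descriptor it holds, so the object it validated is the object it reads.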

“There’s a new Windows 0day LPE that has been disclosed called BlueHammer [github.com]. The reporter suggests [deadeclipse666.blogspot.com] that it’s being disclosed due to how MSRC operates these days.” Dormann wrote on Mastodon. “MSRC used to be quite excellent to work with.
But to save money Microsoft fired the skilled people, leaving flowchart followers.
I wouldn’t be surprised if Microsoft closed the case after the reporter refused to submit a video of the exploit, since that’s apparently an MSRC requirement now.”

Even though BlueHammer needs local access, it poses a serious risk: attackers can gain that initial foothold through social engineering, stolen credentials, or by exploiting other vulnerabilities, and then use BlueHammer to escalate to SYSTEM.


Pierluigi Paganini

(SecurityAffairs – hacking, BlueHammer)