InfoSecBulletin Cybersecurity for mankind
Threat actors are exploiting 3 new Windows security flaws in their attacks to get SYSTEM or higher administrator access. Since the beginning of the month, a security expert called “Chaotic Eclipse” or “Nightmare-Eclipse” has shared proof-of-concept exploit code for all three security problems.
Two of the flaws, called BlueHammer and RedSun, are in Microsoft Defender that let a user gain more privileges. The third one, named UnDefend, lets a regular user stop updates for Microsoft Defender.
OpenAI unveils its first custom chip, Named Jalapeño
Bajaj Auto System Hit by a Ransomware Attack
Cisco Unified CM flaw CVE-2026-20230 exploited in attacks
LastPass says hackers stole customer data via Klue, supply chain breach
New Apple Exploit Bypasses Boot Defenses, Possibly Affects Millions of iPhones Worldwide
India’s Tata Electronics hit by cyber breach: Hacker target 630 GB record
Anthropic’s Mythos reportedly broke NSA classified systems in hours
OpenAI New Method “Deployment Simulation” Predicts AI Risks Before Deployment
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
At the time of the leak, the security flaws these exploits targeted were considered zero-days by Microsoft’s definition, since they had no official patches or updates to address them.
Huntress Labs security researchers saw all three zero-day exploits being used in real life on Thursday. The BlueHammer flaw has been used since April 10.
They also spotted UnDefend and RedSun exploits on a Windows device that was breached using a compromised SSLVPN user, in attacks showing evidence of “hands-on-keyboard threat actor activity.”
“The Huntress SOC is observing the use of Nightmare-Eclipse’s BlueHammer, RedSun, and UnDefend exploitation techniques,” the researchers said.
Patch Status and Mitigations:
Attackers can use the RedSun exploit to get SYSTEM privileges on Windows 10, Windows 11, and Windows Server 2019 and newer. This can happen when Windows Defender is on, even after the April Patch Tuesday updates.
“When Windows Defender realizes that a malicious file has a cloud tag, for whatever stupid and hilarious reason, the antivirus that’s supposed to protect decides that it is a good idea to just rewrite the file it found again to it’s original location,” the researcher explained. “The PoC abuses this behaviour to overwrite system files and gain administrative privileges.”
“Microsoft has a customer commitment to investigate reported security issues and update impacted devices to protect customers as soon as possible,” a Microsoft spokesperson told Bleeping Computer earlier this week when contacted for more information on the disclosure issues reported by the anonymous researcher.
“We also support coordinated vulnerability disclosure, a widely adopted industry practice that helps ensure issues are carefully investigated and addressed before public disclosure, supporting both customer protection and the security research community.”
