
BlueHammer Microsoft Defender Vulnerability Linked to Ransomware Attacks After CISA Confirms Active Exploitation

Microsoft Defender users are advised to update their software after a security flaw known as BlueHammer was found to have been used in ransomware attacks. The weakness, tracked as CVE-2026-33825, has been added to the list of flaws actively exploited by malicious actors. It is part of a growing trend of ransomware attackers using zero-day issues.

The issue came to light after a cybersecurity researcher known as Chaotic Eclipse (also Nightmare Eclipse) shared information about another vulnerability before the update was released. The same individual has repeatedly criticized Microsoft's approach to vulnerability disclosure and has published multiple posts about actively exploited problems ahead of their official fix dates.

Microsoft published the details of BlueHammer on April 2nd, whereas the security update was released on April 14th. The flaw was categorized as an elevation-of-privilege vulnerability that allows an authenticated attacker to gain higher privileges. Microsoft later updated the advisory, rating exploitation as more likely than not while refraining from officially acknowledging active exploitation.

According to independent security researchers, the vulnerability was exploited by ransomware operators before the security update was released. The evidence came from a report by the Huntress team, which observed multiple attacks using CVE-2026-33825 as a zero-day. This prompted CISA to add the weakness to its Known Exploited Vulnerabilities (KEV) list on April 22nd, with the listing later updated to note its use in ransomware attacks.

Although CISA confirmed the ransomware use, its listing does not indicate which group may be responsible. There is no public evidence linking BlueHammer to any known ransomware group or family, even though the weakness has been used in ransomware operations, and it is unclear whether other ransomware groups have used it or are using it now. The case has also prompted debate over how such incidents are handled, with critics arguing that defenders and security researchers are not notified when a KEV entry is updated to reflect ransomware use.

In practice, CISA updates the KEV list only periodically, and it does not provide threat intelligence or response support to individual organizations each time a weakness is added. Some security experts have said a better alternative would be to notify defenders directly. In the meantime, the threat intelligence company GreyNoise has announced a free service that monitors the KEV list for changes and flags when an entry is updated to include details of ransomware use.
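As an added example (not code from the article, GreyNoise or CISA), the Python script below shows the kind of check such a KEV-monitoring service performs: it compares two snapshots of the CISA KEV JSON feed and reports entries that are newly added or whose knownRansomwareCampaignUse field has changed to "Known". The field names follow the public feed; the two snapshots are constructed inline for the example, CVE-2026-33825 is the identifier from the article, and CVE-2026-00000 is a placeholder identifier, not a real CVE.

```python
"""Diff two CISA KEV feed snapshots and alert on new or ransomware-flagged entries."""
import json
from typing import Optional

# Constructed sample snapshots in the shape of the public CISA KEV JSON feed.
# Field names match the real feed; the values (dates, descriptions, the
# placeholder CVE-2026-00000) are illustrative and not taken from CISA.
PREVIOUS_SNAPSHOT = json.dumps({
    "catalogVersion": "constructed-day-1",
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-33825",
            "vendorProject": "Microsoft",
            "product": "Defender",
            "vulnerabilityName": "Microsoft Defender Elevation of Privilege Vulnerability",
            "dateAdded": "2026-04-22",
            "knownRansomwareCampaignUse": "Unknown",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2026-05-13",
        }
    ],
})

CURRENT_SNAPSHOT = json.dumps({
    "catalogVersion": "constructed-day-2",
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-33825",
            "vendorProject": "Microsoft",
            "product": "Defender",
            "vulnerabilityName": "Microsoft Defender Elevation of Privilege Vulnerability",
            "dateAdded": "2026-04-22",
            "knownRansomwareCampaignUse": "Known",  # the field that changed
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2026-05-13",
        },
        {
            "cveID": "CVE-2026-00000",  # placeholder identifier, constructed
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Example Vulnerability (constructed)",
            "dateAdded": "2026-04-23",
            "knownRansomwareCampaignUse": "Unknown",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2026-05-14",
        },
    ],
})


def index_by_cve(feed_json: str) -> dict:
    """Parse a KEV feed document and key its entries by CVE identifier."""
    return {entry["cveID"]: entry for entry in json.loads(feed_json)["vulnerabilities"]}


def diff_kev(previous_json: str, current_json: str, vendor: Optional[str] = None) -> dict:
    """Compare two KEV snapshots.

    Returns a dict with:
      added:              CVE ids present only in the current snapshot
      ransomware_flagged: CVE ids whose knownRansomwareCampaignUse became "Known"
    An optional vendor filter restricts both lists to that vendorProject value.
    """
    prev = index_by_cve(previous_json)
    cur = index_by_cve(current_json)

    def in_scope(entry: dict) -> bool:
        return vendor is None or entry.get("vendorProject") == vendor

    added = sorted(cve for cve, e in cur.items() if cve not in prev and in_scope(e))
    flagged = sorted(
        cve for cve, e in cur.items()
        if in_scope(e)
        and e.get("knownRansomwareCampaignUse") == "Known"
        and prev.get(cve, {}).get("knownRansomwareCampaignUse") != "Known"
    )
    return {"added": added, "ransomware_flagged": flagged}


def format_alerts(diff: dict, current_json: str) -> list:
    """Render one alert line per change, carrying vendor, product and KEV due date."""
    cur = index_by_cve(current_json)
    lines = []
    for cve in diff["added"]:
        e = cur[cve]
        lines.append(f"NEW {cve} {e['vendorProject']} {e['product']} due {e['dueDate']}")
    for cve in diff["ransomware_flagged"]:
        e = cur[cve]
        lines.append(f"RANSOMWARE {cve} {e['vendorProject']} {e['product']} due {e['dueDate']}")
    return lines


if __name__ == "__main__":
    for line in format_alerts(diff_kev(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT), CURRENT_SNAPSHOT):
        print(line)
```

In a real deployment the script would fetch the feed on a schedule, persist the previous snapshot, and route the alert lines to a ticketing or chat channel; the vendor filter lets a team scope alerts to the products it actually runs, and the due date gives a ready-made patching deadline.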

The discovery of BlueHammer illustrates how quickly ransomware attackers can adopt newly discovered vulnerabilities into their operations. Experts advise defenders to remain alert, apply Microsoft security updates promptly and monitor threat intelligence channels for relevant weaknesses. Ransomware operators continue to pursue such opportunities, which makes a prompt patching response crucial.

Microsoft Defender “Red Sun” Flaw Raises Questions Over Antivirus Reliability and Disclosure Practices

Microsoft Defender Antivirus, widely used as the default protection layer for Windows systems, is facing scrutiny after a newly disclosed vulnerability suggested it may fall short in certain scenarios. Despite its role as a frontline defense against malware, recent findings indicate that the tool might not always behave as expected, and critics say Microsoft has not shown urgency in addressing the concern.

A cybersecurity researcher operating under the name Chaotic Eclipse revealed the flaw, calling it “Red Sun.” The researcher shared that a proof-of-concept (PoC) demonstrates how attackers could potentially bypass Defender’s protections. They also warned that threat actors may already be experimenting with the vulnerability.

The issue appears to originate from how Defender processes suspicious files tagged with a “cloud” marker. Under certain circumstances, the antivirus may restore or rewrite these files back to their original locations. According to the PoC, this behavior could be manipulated to overwrite critical system files, potentially allowing privilege escalation.

"I think anti-malware products are supposed to remove malicious files not be sure they are there but that's just me," remarked Chaotic Eclipse.

Earlier in the month, the same researcher disclosed another zero-day vulnerability named BlueHammer. He claimed that the Microsoft Security Response Center (MSRC) did not consider it a major threat, prompting him to release the PoC publicly. In a follow-up discussion on Red Sun, Chaotic Eclipse said his interactions with the MSRC team have worsened, accusing Microsoft developers of unprofessional conduct.

"It was soo bad at some point I was wondering if I was dealing with a massive corporation or someone who is just having fun seeing me suffer but it seems to be a collective decision," he said.

The researcher further alleged that Microsoft’s security division has, at times, discouraged independent vulnerability reporting rather than supporting it. He also pointed to previous cases where other researchers voiced dissatisfaction with how MSRC handled their disclosures.

Despite the controversy, Red Sun is being treated as a valid security concern within the cybersecurity community. Analysts have also flagged possible real-world exploitation attempts targeting BlueHammer, Red Sun, and another vulnerability referred to as UnDefend.

Chaotic Eclipse identified the Red Sun flaw while reviewing fixes tied to CVE-2026-33825, which was addressed in Microsoft’s latest Patch Tuesday update. Additional patches may follow as further related issues come to light, even as discussions continue around Microsoft’s response to vulnerability reports.

Meanwhile, some experts suggest users consider third-party antivirus tools instead of relying solely on Microsoft Defender, though opinions differ. The researcher himself mentioned a preference for Bitdefender Antivirus Free, describing it as a lightweight solution built on a widely adopted malware detection engine.