Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Privilege Escalation. Show all posts
Windows Zero Day
BlueHammer Vulnerability Cyber Security Endpoint security Exploit Code Release Microsoft Security Flaw NTLM Hash Theft Privilege Escalation Vulnerability management Windows Zero Day

Over 1 Billion Users Potentially Impacted by Microsoft Zero Day Exposure


 

Informally known as BlueHammer, a newly discovered Windows zero-day vulnerability has drawn attention to the cybersecurity community because of its ability to quietly hand over control to attackers. As privilege escalation flaws are not uncommon, this particular vulnerability is noteworthy because of its ability to bridge the gap between restricted access and total system control so efficiently. 

A malicious adversary who has already gained access to a device may leverage this flaw to elevate privileges to NT AUTHORITY/SYSTEM, effectively bypassing the core safeguards designed to keep damage at bay. Additionally, an exploit code that was fully functional and disclosed by a security researcher on April 3, which had not been made available for official remediation or defensive guidance, further aggravated the situation. 

The lack of a CVE, no patch, and the minimal acknowledgement from Microsoft so far indicate that BlueHammer has created a volatile window of exposure which leaves defenders without clear direction. On the other hand, threat actors face considerably lowered barriers to exploitation. 

In addition to the previous analysis, BlueHammer was found to operate as a sophisticated local privilege escalation chain integrated within the Windows Defender signature update process, rather than exploiting traditional memory safety flaws by abusing trusted system components. To trigger a race condition between the time of check and the time of use, a coordinated interaction between the Volume Shadow Copy Service, Cloud Files API, and opportunistic locking mechanisms is orchestrated. 

Using file state transition manipulations during signature updates, the exploit can access protected resources without requiring kernel-level vulnerabilities or elevated privileges. After execution, the exploit extracts the Security Account Manager database using a Volume Shadow Copy snapshot, revealing the password hashes of local accounts corresponding to the NTLM protocol. 

By utilizing these credentials, an administrator can assume administrative control, which leads to the launch of a shell in SYSTEM context. It is noteworthy that the exploit incorporates a cleaning routine that reverts back to the original password hash after execution, which minimizes the likelihood of immediate detection and complicates forensic analysis. Independent validations have confirmed the threat's credibility. The exploit chain, despite minor reliability issues in the initial proof-of-concept, is functionally sound once corrected, according to Will Dormann, Tharros' principal vulnerability analyst. 

Other researchers have demonstrated successful end-to-end compromises in subsequent tests, demonstrating that operational barriers are lowering quickly. This risk profile is heightened by the fact that there is no available patch, which leaves organizations without a direct method of remediation, and by the fact that exploit code has been published to the public, which historically accelerates the adoption of ransomware and advanced persistent threat attacks. 

In addition to standard user-level access, slightly outdated Defender signatures are required for the attack to occur, lowering the entry threshold. Further, the exploit is constructed from a series of independent primitives that can be used again after targeted fixes have been introduced, indicating a longer-term impact beyond a single vulnerability cycle. Additionally, the circumstances surrounding the disclosure have attracted public attention. 

The exploit was released publicly by a researcher operating under the alias Chaotic Eclipse, who expressed dissatisfaction with Microsoft's handling of the problem. It is evident from the accompanying statements that both frustration and intent were evident, as the researcher declined to provide detailed technical explanations but implied that experienced practitioners would be able to grasp the underlying mechanics quickly. 

Although the original codebase contained bugs affecting stability, these limitations have been addressed within the research community already. Due to these developments, what began as a partially functional demonstration has quickly evolved into a reproducible attack path, reinforcing concerns that BlueHammer may be able to go from a proof-of-concept to an active exploitation scenario for real environments. 

According to emerging details surrounding the disclosure, Microsoft had already been informed of the BlueHammer vulnerability, however, unresolved concerns in the handling process appeared to have led the researcher to release the exploit publicly without having it assigned a formal CVE. It is clear that although the published proof-of-concept initially encountered minor implementation problems, it has since proven viable for practical use. 

During independent validation by Will Dormann, the exploit was confirmed to be reliable across a variety of environments, including Windows Server deployments, where it achieved administrative control even when full SYSTEM privileges were not consistently acquired.

Using technical refinements from Cyderes' Howler Cell team, the exploit chain was executed completely after addressing the PoC inconsistencies, emphasizing the rapid decline of operational barriers associated with the exploit. It is designed to manipulate Microsoft Defender to generate a Volume Shadow Copy, and then strategically interrupt that process at a specific execution point so that sensitive registry data can be accessed before cleanup routines are activated.

Through this controlled interruption, NTLM password hashes associated with local accounts may be extracted and decrypted, followed by unauthorized alteration of administrative credentials. By using token duplication techniques, the attacker inherits administrative security tokens, elevates them to SYSTEM integrity levels, and utilizes the Windows service creation mechanism to launch a secondary payload as a result of this compromise. 

As a result of this, an active user session is initiated by launching a command shell operating under the NT AUTHORITY/SYSTEM authority. As a means of obscuring evidence, the exploit then restores the original password hash, ensuring that user credentials remain unchanged while erasing immediate indicators of compromise. 

According to security practitioners, BlueHammer represents a broader class of exploitation in which unintended combinations of legitimate system features are combined with discrete software defects to create an exploit. 

Cyderes leadership has noted that the technique weaponizes Windows functionality in such a manner that it evades conventional detection logic, and current Defender signatures appear to identify only the binary originally published. It is possible to bypass these detections by simply modifying the codebase, retaining the underlying methodology in its original form. 

Due to the absence of vendor-provided patches, defensive efforts have shifted toward behavioral monitoring, such as abnormal interactions with Volume Shadow Copy mechanisms, irregular Cloud File API activity, and unexpected creations of Windows services originating from low-privileged contexts. 

A number of additional indicators indicate potential exploitation attempts, including transient changes to local administrator passwords followed by rapid restoration. There are no confirmed reports of active in-the-wild abuse at this point, however the public availability of the exploit dramatically reduces the timeline for potential weaponization.

In the past, ransomware groups and advanced threat actors have demonstrated the capability to operationalize these disclosures within days, often integrating them into more comprehensive intrusion frameworks. 

While the requirement for local access to the network at first is a constraint, it does not pose a significant barrier to determined adversaries, who routinely gain access through credential theft, phishing campaigns, or lateral movement within compromised networks. Thus, BlueHammer should be considered a proactive exposure window, not an isolated vulnerability, highlighting the risks inherent in complex system interactions as well as the challenges associated with defending against exploitation paths that do not rely on a single, easily remediable flaw to exploit.

In the absence of immediate remediation, a containment strategy and a reduction of exposure are necessary response strategies for BlueHammer. It is recommended that security teams prioritize environments where untrusted or potentially compromised code is already running, since vulnerabilities of this nature are most effective when they have established a solid foothold. It is possible to significantly reduce the available attack surface in the short term by enforcing least-privilege enforcement, eliminating unnecessary local administrative rights, and closely inspecting anomalous privilege escalation patterns. 

Detecting subtle indicators of post-compromise activity is also critical, including irregular access to sensitive account data, unexpected privilege transitions, and processes that deviate from baselines, which indicate that a compromise has occurred. Managing risk from a broader perspective requires a clear understanding of emerging vulnerabilities and exposed assets. 

As a result of context-driven approaches that correlate newly disclosed vulnerabilities with organizational infrastructure, remediation efforts can be prioritized where they have the greatest impact rather than applying uniform responses across all systems. There is a particular need for this in scenarios where there is no immediate vendor guidance available, requiring defenders to rely on situational awareness and adaptive monitoring strategies. 

Finally, BlueHammer illustrates how a vulnerability can quickly shift from controlled disclosure to operational risk if exploit code is available in the public domain before it is properly fixed. Response timelines are compressed by these conditions, and defenders are disadvantaged, even in the absence of widespread exploitation that has been confirmed. 

Furthermore, this underscores the persistent reality of Windows security: attackers are often not required to use sophisticated remote exploits to achieve meaningful compromise in Windows. If a limited foothold is combined with a reliable escalation path, it is sufficient to take full control of the system. 

However, when that pathway becomes public without mitigations, the risk profile increases dramatically, and affected organisms must maintain a disciplined defensive posture and maintain sustained attention. It emphasizes the importance of resilience when faced with incomplete information and delayed remediation as a result of BlueHammer. 

Organizations that prioritize proactive threat hunting, adhere to strict access controls, and continuously verify system behavior against expected norms are better prepared to mitigate emerging threats in such scenarios. For limiting the impact of evolving exploitation techniques, a multilayered defensive strategy incorporating visibility, control, and rapid response is necessary rather than only relying on vendor-driven fixes.
Read more »
Windows Utility Exploit
Cyber Threats Gigabyte Control Center Vulnerability Patch Management Privilege Escalation Remote Code Execution Windows Utility Exploit

Arbitrary File Write Bug in Gigabyte Control Center Sparks Security Alerts


 

It is becoming increasingly apparent that trusted system utilities are embedded with persistent security risks, as GIGABYTE Control Center, a widely deployed Windows-based management tool that is packaged with select devices, has been put under scrutiny following the disclosure of a critical security flaw. 

Inadvertently, the software designed to give users centralized control over essential hardware functions exposed a potential pathway for threat actors to alter system behavior on a fundamental level. Despite the fact that the vulnerability has been addressed, it is potential to exploit it in order to execute unauthorized code, write arbitrary files, and potentially disrupt system availability through denial-of-service. 

Since the utility is deeply entwined with device operations and is installed on GIGABYTE motherboards, the vulnerability has significant implications for users as well as enterprises, making it increasingly important to deploy patches and harden systems in a timely manner. Software vulnerable to this vulnerability is GIGABYTE Control Center, which is pre-installed on all laptops and supported motherboards, serving as a central point of configuration and oversight for the entire system.

Integrated with Windows, it provides a comprehensive set of operational controls for monitoring and managing hardware, adjusting thermal and fan curves, optimizing performance, customizing RGB lighting, and installing driver and firmware updates. 

The broad access to underlying system functions, which is intended to enhance user convenience, amplifies the potential impact of any vulnerabilities in the system. There is a particular concern regarding an integrated "pairing" feature designed to facilitate communication between host systems and external devices or services over a network. 

When enabled in versions of Control Center up to and including 25.07.21.01, this function significantly expands the application's interaction surface. Thus, it introduces a vulnerability that can be exploited under specific circumstances, increasing the attack surface of affected systems by creating a network-exposed vector. It is this feature that makes it an important focal point when assessing the overall risk profile associated with the vulnerability because it is linked to elevated system privileges and network-enabled communication. 

According to additional technical analysis, the issue may be related to the vulnerability CVE-2026-4415, which has a rating of 9.2 under CVSS 4.0 framework, and has been identified within the pairing mechanism within GIGABYTE Control Center versions 25.07.21.01 and earlier. As a result of insufficient safeguards regarding how the application handles network-initiated interactions, David Sprüngli is credited with discovering the vulnerability. 

The pairing feature provides an opportunity for unauthenticated remote actors to write arbitrary files across the system's file structure when it is active. With the utility's elevated privileges and close integration with system processes, such access is potentially useful for the execution of remote code, escalation of privileges, or disruption of system availability. 

A particularly concerning aspect of the vulnerability is its ability to bypass conventional trust boundaries, effectively creating a potential attack vector from a legitimate management feature. A new version of GIGABYTE's Control Center has been released, titled 25.12.10.01, which introduces a series of corrections across multiple functional layers, including download handling routines, message validation processes, and command-level encryption, as well as corrective measures for multiple functional layers. In combination, these enhancements mitigate the risks associated with the exposed pairing interface. 

According to the company's advisory, users should update immediately and obtain the patched version only through official software distribution channels, thereby reducing the possibility of compromised or tampered installers occurring. Such incidents reinforce the importance of treating vendor-supplied utilities the same way we'd treat any externally sourced software, especially when they're elevated privileges and have network access. 

The company and individual users should both adopt a proactive patch management strategy, audit pre-installed applications on a regular basis, and disable features not specifically required for use, such as remote pairing. The implementation of multiple security controls, including endpoint monitoring, network segmentation, and strict access policies, can significantly reduce exposure to similar threats. 

The integration of hardware ecosystems and software-driven management layers becomes increasingly complex, so maintaining vigilance over these trusted components is crucial to maintaining the integrity of the overall system.
Read more »
Vulnerabilities and Exploits
Android Security Update Cybersecurity Threats Mobile Security Patch Privilege Escalation Qualcomm Zero Day Remote Code Execution Vulnerabilities and Exploits

Qualcomm Zero Day Among 129 Issues Fixed in Android Security Push

 


With its latest security bulletin, Google has taken steps to address a broad range of Android vulnerabilities, releasing patches for 129 vulnerabilities spanning core platform components and third party modules. 

These vulnerabilities include ten that are rated critical, and one that is believed to have been exploited outside of controlled environments. Thus, the persistent pressure on mobile infrastructure is evident. CVE-2026-21385, a buffer over-read vulnerability related to an open-source Qualcomm module, was central to the update. 

The vulnerability has a severity score of 7.8 and is tracked as CVE-2026-21385. Input from a user is improperly handled without the possibility of verifying buffer space, which may result in memory corruption under certain circumstances. This advisory describes a vulnerability identified as CVE-2026-21385, which has a CVSS score of 7.8 and has been categorized as a buffer overread within the Graphics component. 

Qualcomm describes the vulnerability as an integer overflow that may result in memory corruption if user supplied data is appended without adequately validating the buffer space available. As stated by the chipmaker, the flaw was originally reported to Google's Android Security team on December 18, 2025, and downstream customers were notified on February 2, 2026 as a result. 

Even though Google has not disclosed technical information about actual real-world exploitation, it has acknowledged evidence of limited and targeted abuses, suggesting that this vulnerability may have been exploited in controlled attack scenarios rather than indiscriminate attacks. 

It is noteworthy that the March 2026 Android security update includes a comprehensive remediation effort that addresses 129 vulnerabilities across the entire system layer in addition to Qualcomm's defect. Furthermore, it contains a critical remote code execution vulnerability in the System component, identified as CVE-2026-0006, that can be exploited without requiring additional user interaction or additional privileges—a significantly increased risk profile.

Further, the update resolves the CVE-2026-0047 privilege escalation issue in the Framework component, the CVE-2025-48631 denial-of-service condition in the System module, and seven individual privilege escalation vulnerabilities in Kernel components. 

The vulnerabilities are identified as CVE-2024-43859, CVE-2026-0037, CVE-2026-0038, CVE-2026-0027, CVE-2026-0028, CVE-2026-0030, and CVE-2026-0031 identifiers. Due to the fragmented device ecosystem, Google retains its dual patch-level structure - 2026-03-01 and 2026-03-05 - so that original equipment manufacturers and silicon partners can deploy patches according to their deployment cycle. 

In addition to updating Android kernel components, this patch level also includes updates for third-party silicon and GPU vendors, such as Arm, Imagination Technologies, MediaTek, Qualcomm, and Unisoc, emphasizing the complexity of modern security governance mechanisms. 

Even though Google has not disclosed operational details regarding the observed activity, vulnerabilities of this nature have traditionally been of interest to commercial surveillance vendors as well as other actors capable of exploiting memory-handling vulnerabilities to gain covert access to data. A mitigation for CVE-2026-21385 has been included in the second tranche of this month's rollout, distributed under the level of security patch 2026-03-05. 

With this cumulative update, more than 60 new vulnerabilities have been addressed across the Kernel components and silicon partner ecosystems, including integrations with Arm, Imagination Technologies, MediaTek, Unisoc, and Qualcomm, reflecting the multiple dependencies that are embedded within Android deployments. 

The earlier patch level, meanwhile, focuses primarily on Framework and System components, resolving over 50 security vulnerabilities. One of these vulnerabilities enables remote code execution without any level of elevated privileges or interaction with the user - a risk profile that places it among the most serious Android vulnerabilities.

According to Google, devices updated to 2026-03-05 security level or later are protected from the full set of disclosed vulnerabilities. Additionally, the company has announced patches for two vulnerabilities within Wear OS' Framework and System layers that affect Wear OS. It also incorporates all of the Android security patches outlined in the March 2026 security bulletin, ensuring alignment across Google's broader product lines. 

There have been no platform-specific security patches released for Android Automotive OS or Android XR this cycle, which indicates that those distributions have remained relatively stable during this time period of updates. This advisory reinforces the necessity of timely patch adoption across enterprise as well as consumer deployments from a defensive standpoint.

It is recommended that security teams verify whether devices are compliant with the March 2026 security patch levels, prioritize assets which are exposed to untrusted input vectors, and watch for unusual behavior that may be indicative of an exploitation attempt. 

Since memory corruption and privilege escalation issues are recurring patterns of targeted abuse, maintaining strict update governance, enforcing mobile device management controls, and restricting unnecessary application privileges remain critical measures for risk mitigation. 

As Android will continue to be dependent on a complex supply chain of silicon and software contributors, coordinated vulnerability disclosure and rapid patch integration will remain crucial to ensuring the platform's resilience over time.
Read more »
Web Shell
ASP C2 Infrastructure Cybersecurity IIS server LazarLoader Lazarus Group malware Privilege Escalation Web Shell

Lazarus Group Intensifies Attacks on South Korean Web Servers

 

Researchers have uncovered a series of highly sophisticated cyberattacks by the notorious Lazarus group, targeting web servers in South Korea.

The attackers have been infiltrating IIS servers to deploy ASP-based web shells, which serve as the first-stage Command and Control (C2) servers. These initial C2 servers act as intermediaries, relaying communications to secondary C2 infrastructure, allowing deeper penetration into compromised systems.

First identified in January 2025, these latest attacks showcase an advancement of similar methods observed in May 2024, highlighting the persistent and evolving strategies employed by this state-sponsored group. The Lazarus group has consistently exploited legitimate web servers to establish attack infrastructures, refining their approach over time.

According to the AhnLab Security Intelligence Centre (ASEC), the latest campaign involved the installation of multiple ASP-based web shells on vulnerable IIS servers. One notable addition is the modified version of the "RedHat Hacker" web shell, stored under the filename "function2.asp." Unlike previous versions that used "1234qwer" as the authentication password, the latest variant now requires "2345rdx," reflecting an enhancement in security measures.

Other deployed web shells, such as "file_uploader_ok.asp" and "find_pwd.asp," grant the attackers extensive control over compromised servers. These tools enable file manipulation, process execution, and even SQL query operations.

To evade detection, these web shells employ advanced obfuscation techniques, remaining encoded in VBE format even after initial decoding. This complexity makes security analysis and detection significantly more challenging.

The structure of the malicious code further demonstrates the sophistication of these attacks. Initialization packets are verified by checking whether the second and third bytes contain the string "OK," while the first byte serves as an encryption key.

C2 Script Enhancements

The C2 script utilized in the January 2025 campaign acts as an intermediary between compromised servers and the attackers' infrastructure. Unlike previous versions, the updated script supports both form data and cookie-based communication, demonstrating ongoing refinements in Lazarus’ toolset.

Depending on the "code" field in the form data, the script executes different commands, including:
  • "MidRequest" – Data redirection
  • "ProxyCheck" – Mid Info storage
  • "ReadFile" and "WriteFile" – File manipulation
  • "ClientHello" – Response handling with Mid Info

These commands enable attackers to exert comprehensive control over infiltrated systems.

Beyond web shells, the attackers deployed the LazarLoader malware to download additional payloads. This advanced loader decrypts and executes payloads directly in memory, utilizing a 16-byte key identified as "Node.Js_NpmStart."

The attack sequence typically begins with web shell installation, followed by LazarLoader deployment via the w3wp.exe IIS web server process. To escalate privileges, the attackers use a malware component named "sup.etl," which functions as a packer for bypassing User Account Control (UAC).

Security experts strongly advise administrators to inspect web servers for vulnerabilities that could permit unauthorized file uploads, particularly targeting ASP-based web shells.

To minimize risks, organizations should implement:
  • Strict access controls to prevent lateral movement post-compromise.
  • Regular password rotation for enhanced security.
  • Continuous monitoring for unusual process activity, especially instances where w3wp.exe spawns unexpected processes.
  • Timely security updates to detect and mitigate known 
As Lazarus continues to refine its attack methodologies, proactive security measures are essential in defending against this persistent and highly sophisticated threat actor targeting critical infrastructure worldwide.
Read more »
Vulnerabilities and Exploits
Iran hackers Microsoft Server OilRig Privilege Escalation Vulnerabilities and Exploits

Iranian Attackers Exploit Windows Bug to Elevate Privileges

 

The Iranian state-sponsored hacking outfit APT34, dubbed OilRig, has recently escalated its activity by launching new campaigns against government and vital infrastructure entities in the United Arab Emirates and the Gulf area. 

OilRig employed a new backdoor to target Microsoft Exchange servers and steal passwords, as well as exploiting the Windows CVE-2024-30088 vulnerabilities to escalate their privileges on affected devices, according to Trend Micro researchers. In addition to the activity, FOX Kitten, another Iran-based APT outfit involved in ransomware attacks, and OilRig have been linked by Trend Micro. 

The attacks observed by Trend Micro start with the exploitation of an unprotected web server to upload a web shell, enabling the hackers to execute remote code and PowerShell commands. Once the web shell is activated, OilRig uses it to launch additional tools, including a component that exploits the Windows CVE-2024-30088 bug. 

CVE-2024-30088 is a high-severity privilege escalation vulnerability that Microsoft patched in June 2024, allowing attackers to elevate their privileges to the SYSTEM level and gain significant control over the compromised devices. 

Microsoft has identified a proof-of-concept exploit for CVE-2024-30088, although it hasn't yet disclosed on its security portal that the vulnerability is being actively exploited. Furthermore, CISA has not listed it as having been previously exploited in its catalogue of known exploited vulnerabilities.

Following a password change event, OilRig downloads and installs 'ngrok,' a remote monitoring and management application that enables covert communications via secure tunnels. This allows the tool to intercept plaintext credentials. 

The use of on-premise Microsoft Exchange servers by threat actors as a means of credential theft and sensitive data exfiltration through fake, difficult-to-identify email traffic is another novel strategy. 

The exfiltration is accomplished using a new backdoor known as 'StealHook,' and Trend Micro claims that government infrastructure is frequently employed as a pivot point to make the operation appear authentic. 

"The key objective of this stage is to capture the stolen passwords and transmit them to the attackers as email attachments," notes Trend Micro in the report. "Additionally, we observed that the threat actors leverage legitimate accounts with stolen passwords to route these emails through government Exchange Servers.”
Read more »
Windows 11
Cyber Security DLL Search Order Hijacking Exploitation Malicious Code Privilege Escalation Security Bypass Security Joes Threat actors Windows 10 Windows 11

New DLL Search Order Hijacking Variant Evades Windows 10 and 11 Protections

 

Security researchers have outlined a fresh variant of a dynamic link library (DLL) search order hijacking technique, potentially enabling threat actors to circumvent security measures and execute malicious code on computers running Microsoft Windows 10 and Windows 11.

The new method, disclosed in a report by cybersecurity firm Security Joes and exclusively shared with The Hacker News, exploits executables commonly present in the trusted WinSxS folder, utilizing the classic DLL search order hijacking technique. By doing so, adversaries can avoid the need for elevated privileges when attempting to run malicious code on a compromised system, introducing potentially vulnerable binaries into the attack chain.

DLL search order hijacking involves manipulating the search order used to load DLLs, allowing the execution of malicious payloads for purposes such as defense evasion, persistence, and privilege escalation. This technique targets applications that do not specify the full path to required libraries, relying on a predefined search order to locate DLLs on disk.

Threat actors exploit this behavior by relocating legitimate system binaries into non-standard directories that contain malicious DLLs, named after legitimate ones. This tricks the system into loading the attack code-containing library instead of the authentic one.

The unique aspect introduced by Security Joes focuses on files within the trusted "C:\Windows\WinSxS" folder. WinSxS, short for Windows side-by-side, is a crucial Windows component used for OS customization and updates to ensure compatibility and integrity.

According to Ido Naor, co-founder and CEO of Security Joes, the discovery diverges from traditional cyber attack methods, providing a more subtle and stealthy exploitation technique. The strategy involves identifying vulnerable binaries in the WinSxS folder and combining them with DLL search order hijacking methods. This entails strategically placing a custom DLL with the same name as a legitimate DLL into an actor-controlled directory, triggering code execution when executing a vulnerable file in the WinSxS folder.

Security Joes emphasized the potential for additional binaries in the WinSxS folder susceptible to this DLL search order hijacking, urging organizations to take precautions. They recommended examining parent-child relationships between processes, particularly focusing on trusted binaries, and closely monitoring activities performed by binaries in the WinSxS folder, including network communications and file operations.
Read more »
Subscribe to: Posts (Atom)