Security researchers are warning that threat actors are actively exploiting three recently disclosed security flaws in Microsoft Defender to gain elevated privileges on compromised Windows systems. The ongoing campaign, which leverages vulnerabilities released as zero-day proofs-of-concept, highlights a critical window of risk for users worldwide as two of the three flaws currently lack official patches from Microsoft.
Details of the Exploited Vulnerabilities
The activity involves the exploitation of three specific vulnerabilities codenamed BlueHammer, RedSun, and UnDefend. These security flaws were publicly disclosed as zero-day proof-of-concept exploits by a security researcher known as Chaotic Eclipse. According to reports from the cybersecurity firm Huntress, malicious actors have now incorporated these exploits into their attacks to bypass security controls and achieve higher levels of system access.
Microsoft Defender, the built-in antivirus and anti-malware solution for Windows, is designed as a core layer of protection. Exploiting vulnerabilities within it can allow attackers to disable security features, execute malicious code with elevated privileges, and establish a stronger foothold within a network. The fact that these exploits target the security software itself makes the threat particularly severe.
Current Patch Status and Mitigations
As of the latest reports, only one of the three vulnerabilities has received an official patch from Microsoft. The company addressed the flaw tracked as CVE-2024-2131, related to the “UnDefend” issue, in its February 2024 Patch Tuesday security updates. However, the two other vulnerabilities, BlueHammer and RedSun, remain unpatched, leaving systems potentially exposed to attacks that use these specific methods.
In the absence of comprehensive patches, security experts emphasize applying standard mitigation strategies. These include restricting local administrator privileges, implementing robust network segmentation, and closely monitoring endpoint detection and response (EDR) systems for suspicious activity related to Microsoft Defender processes. Organizations are advised to review the specific guidance from Microsoft regarding these vulnerabilities.
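The monitoring advice above can be turned into a concrete endpoint check. The following PowerShell script is an added example, not code from the article, from Huntress, or from Microsoft: it reads the local Defender status, confirms that the core protections and tamper protection are still on, and lists recent Defender operational-log events that record protection being disabled or reconfigured. It assumes the Defender PowerShell module (Get-MpComputerStatus) is present and that the event IDs used carry their documented meanings.

```powershell
# Added defensive health check for Microsoft Defender (example code, not from the
# article, Huntress, or Microsoft). Run in an elevated PowerShell session on the endpoint.
# Assumptions: the Defender module (Get-MpComputerStatus) is available, and the
# operational-log event IDs below have their documented meanings:
#   5001 real-time protection disabled      5004 real-time protection config changed
#   5007 configuration changed              5010 / 5012 scanning disabled
#   5013 tamper protection blocked a change

function Get-DefenderProtectionState {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        AntimalwareService    = $s.AMServiceEnabled
        Antivirus             = $s.AntivirusEnabled
        RealTimeProtection    = $s.RealTimeProtectionEnabled
        BehaviorMonitoring    = $s.BehaviorMonitorEnabled
        TamperProtected       = $s.IsTamperProtected
        EngineVersion         = $s.AMEngineVersion
        PlatformVersion       = $s.AMProductVersion
        SignaturesLastUpdated = $s.AntivirusSignatureLastUpdated
    }
}

function Get-DefenderTamperEvents {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5004, 5007, 5010, 5012, 5013
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Test-DefenderHealth {
    param([int]$Days = 7)
    $state  = Get-DefenderProtectionState
    $events = @(Get-DefenderTamperEvents -Days $Days)
    $findings = @()

    # Any core protection that is switched off is a finding.
    foreach ($p in 'AntimalwareService', 'Antivirus', 'RealTimeProtection',
                   'BehaviorMonitoring', 'TamperProtected') {
        if (-not $state.$p) { $findings += "$p is OFF" }
    }

    # Stale signatures suggest updates are blocked or the service is not running.
    if (((Get-Date) - $state.SignaturesLastUpdated) -gt [timespan]::FromDays(3)) {
        $findings += "Signatures last updated $($state.SignaturesLastUpdated)"
    }

    # Protection-change events in the window need human triage.
    if ($events.Count -gt 0) {
        $findings += "$($events.Count) protection-change event(s) in the last $Days day(s)"
    }

    [pscustomobject]@{
        Healthy  = ($findings.Count -eq 0)
        Findings = $findings
        State    = $state
        Events   = $events
    }
}

$result = Test-DefenderHealth -Days 7
$result.State  | Format-List
$result.Events | Format-Table -AutoSize
if ($result.Healthy) {
    'Defender protections intact; no recent protection-change events.'
} else {
    $result.Findings | ForEach-Object { "FINDING: $_" }
}
```

Two caveats apply when using this. Event 5007 also fires on legitimate administrative changes, so the event list is a triage queue rather than an alert by itself. More importantly, the script asks the endpoint's own Defender instance about its state; a host on which Defender has been successfully tampered with may report itself as healthy, so the local result should be cross-checked against centrally collected EDR telemetry rather than trusted on its own.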
Broader Implications for Enterprise Security
This incident underscores a persistent challenge in cybersecurity: the weaponization of publicly released proof-of-concept code. When researchers disclose vulnerabilities, particularly with working exploit code, the disclosure is a double-edged sword. While it alerts vendors and the public to risks, it also equips malicious actors with a blueprint for attack before a fix is widely deployed.
The targeting of Microsoft Defender is significant due to its ubiquitous presence on hundreds of millions of Windows devices globally. A successful compromise of this trusted security component can undermine an entire organization’s defense posture, facilitating further malware deployment, data theft, or ransomware attacks.
Looking Ahead: Expected Response and Updates
The cybersecurity community anticipates that Microsoft will issue patches for the remaining two zero-day vulnerabilities, BlueHammer and RedSun, in an upcoming security update, potentially out-of-cycle if the threat is deemed severe enough. Until then, the active exploitation is expected to continue. Users and system administrators are advised to monitor official communications from Microsoft’s Security Response Center (MSRC) for the latest advisories and patch announcements. The situation remains fluid, and applying all available security updates promptly remains the most critical defensive action.
Source: Huntress, Microsoft Security Advisory