CISA confirms ransomware gangs exploiting Windows BlueHammer privilege escalation flaw

The Cybersecurity and Infrastructure Security Agency (CISA) confirmed that ransomware gangs are actively exploiting a Microsoft Defender privilege escalation vulnerability dubbed BlueHammer, which was already known to have been abused in zero-day attacks. The flaw lets an attacker who already has a foothold on a Windows system escalate privileges, which in turn enables deployment of ransomware payloads. The attack vector is Microsoft Defender itself, which is built into Windows and enabled by default on most enterprise systems. CISA's confirmation means the vulnerability has been added to the Known Exploited Vulnerabilities (KEV) catalog, which requires federal agencies to apply patches within the catalog's stated deadline.
Technical significance
The exploitation of a Microsoft Defender vulnerability by ransomware gangs is particularly concerning because Defender is the default endpoint protection on most enterprise Windows systems, so the attack surface includes virtually every enterprise Windows deployment. Security teams should prioritize patching this vulnerability and monitor for indicators of compromise. The incident also raises questions about the security of security products themselves.
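As an added example (not code from the article, CISA or Microsoft), the following PowerShell script does the two checks a defender would run first: it reads the local Defender platform and engine versions via the built-in `Get-MpComputerStatus` cmdlet and compares them against a minimum fixed version, and it searches a locally saved copy of CISA's KEV JSON feed for Microsoft Defender entries and their remediation due dates. The article gives neither a CVE number nor a patched version, so `$MinimumPlatformVersion` is a placeholder to be filled in from the vendor advisory; the KEV field names used (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`) are the published schema of the feed.

```powershell
# Added example: check local Defender versions against a minimum and look up
# KEV catalog entries for Microsoft Defender from a saved copy of the feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).

param(
    # PLACEHOLDER: replace with the fixed platform version from the vendor advisory.
    # With the placeholder left in place, NeedsUpdate is always $false.
    [version]$MinimumPlatformVersion = '0.0.0.0',
    # Path to a locally downloaded copy of the KEV JSON feed.
    [string]$KevFeedPath = '.\known_exploited_vulnerabilities.json'
)

function Get-DefenderVersionStatus {
    param([version]$Minimum)
    # Get-MpComputerStatus is part of the Defender module shipped with Windows.
    $status   = Get-MpComputerStatus
    $platform = [version]$status.AMProductVersion
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        PlatformVersion    = $platform
        EngineVersion      = $status.AMEngineVersion
        SignatureVersion   = $status.AntivirusSignatureVersion
        RealTimeProtection = $status.RealTimeProtectionEnabled
        # True when the installed platform is older than the minimum supplied.
        NeedsUpdate        = $platform -lt $Minimum
    }
}

function Find-KevEntries {
    param([string]$FeedPath, [string]$Product = 'Defender')
    $feed = Get-Content -Raw -Path $FeedPath | ConvertFrom-Json
    # Keep Microsoft entries whose product name mentions Defender, and show the
    # fields an operator needs to prioritise: CVE, name, when it was added, the
    # federal due date and whether CISA flags known ransomware use.
    $feed.vulnerabilities |
        Where-Object { $_.vendorProject -eq 'Microsoft' -and $_.product -like "*$Product*" } |
        Select-Object cveID, vulnerabilityName, dateAdded, dueDate, knownRansomwareCampaignUse
}

$local = Get-DefenderVersionStatus -Minimum $MinimumPlatformVersion
$local | Format-List

if (Test-Path $KevFeedPath) {
    Find-KevEntries -FeedPath $KevFeedPath |
        Sort-Object dateAdded -Descending |
        Format-Table -AutoSize
} else {
    Write-Warning "KEV feed not found at $KevFeedPath; download it from CISA before running the catalog check."
}
```

Run it on each endpoint (or through your management tooling) after downloading the KEV feed once; any host reporting `NeedsUpdate : True` for the advisory's fixed version, or a Defender KEV entry whose due date has passed, goes to the top of the patch queue.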