Hackers are exploiting unpatched vulnerabilities in Windows security to infiltrate organizations.

Over the past two weeks, hackers have infiltrated at least one organization by exploiting Windows vulnerabilities disclosed on the internet by a disgruntled security expert, as reported by a cybersecurity firm.

On Friday, Huntress, a cybersecurity firm, indicated in a series of posts on X that its analysts have observed hackers capitalizing on three Windows security vulnerabilities known as BlueHammer, UnDefend, and RedSun. 

It remains uncertain who the attack’s target is, as well as the identity of the hackers.

Out of the three vulnerabilities being exploited, BlueHammer is the sole issue that has been patched by Microsoft thus far. A remedy for BlueHammer was implemented earlier this week. 

The attackers seem to be taking advantage of the flaws by utilizing exploit code that the security researcher made public online. 

Earlier this month, a researcher named Chaotic Eclipse shared what they claimed was code to exploit an unpatched Windows vulnerability on their blog. The researcher hinted at a conflict with Microsoft as the reason behind releasing the code. 

“I wasn’t bluffing Microsoft and I’m doing it again,” they stated. “A big thanks to MSRC leadership for making this happen,” they added, referring to Microsoft’s Security Response Center, the division responsible for investigating cyberattacks and managing vulnerability reports.

Days later, Chaotic Eclipse released UnDefend, followed by RedSun earlier this week. The researcher posted exploit code for all three vulnerabilities on their GitHub page. 

These three vulnerabilities impact the Microsoft-developed antivirus, Windows Defender, enabling a hacker to obtain elevated or administrator access to a compromised Windows computer.

TechCrunch was unable to contact Chaotic Eclipse for a response.

In reply to a series of specific inquiries, Ben Hope, Microsoft’s communications director, stated that the company endorses “coordinated vulnerability disclosure, a widely recognized industry practice that ensures issues are thoroughly investigated and resolved before public announcement, benefiting both customer safety and the security research community.”

This situation exemplifies what the cybersecurity sector terms “full disclosure.” Researchers who uncover a flaw can notify the software creator to assist in rectifying the issue. Typically, the company acknowledges the report, and if the vulnerability is confirmed, they work on a patch. Often, a timeline is established between the company and researchers regarding when the researcher can publicly disclose their findings. 

At times, for various reasons, this communication breaks down, and researchers publicly reveal details about the vulnerability. In some instances, to demonstrate the existence or seriousness of a flaw, researchers go further and release “proof-of-concept” code capable of exploiting that vulnerability.

When this occurs, cybercriminals, state-sponsored hackers, and others can obtain the code and leverage it for their attacks, which forces cybersecurity defenders to rapidly address the repercussions. 

“With these being so readily accessible now, and already weaponized for simple use, for better or worse, I believe that ultimately puts us in another tug-of-war between defenders and cybercriminals,” stated John Hammond, one of the researchers at Huntress who has been monitoring the situation, to TechCrunch. 

“Circumstances like these compel us to race against our adversaries; defenders urgently attempt to safeguard against malicious actors who swiftly exploit these vulnerabilities… especially now as it is simply ready-made attacker tools,” Hammond remarked.