Disgruntled researcher releases two more Microsoft zero-days

The anonymous researcher known as Nightmare-Eclipse has published two new, unpatched vulnerabilities affecting Windows, timed to land just after Microsoft's latest Patch Tuesday update. The first, dubbed YellowKey, targets BitLocker and therefore matters most to organizations that rely on full-disk encryption to protect data on lost or stolen devices; the second, GreenPlasma, is a privilege escalation flaw.

Nightmare-Eclipse describes YellowKey as a "BitLocker bypass" that gives an attacker an unrestricted shell on a machine whose disk is otherwise protected. The exploit requires physical access to the device, which limits remote abuse, but physical access is precisely the scenario BitLocker exists to defend against. Rik Ferguson, VP of security intelligence at Forescout, said that if the claims about YellowKey are validated, the theft of a laptop stops being a hardware loss and becomes a breach notification event.

Gavin Knapp, cyber threat intelligence principal lead at Bridewell, echoed these concerns, calling YellowKey a "huge security problem" for organizations using BitLocker. He suggested a BitLocker pre-boot PIN and a BIOS password lock as potential mitigations. With a TPM+PIN protector the TPM will not release the volume master key at boot until the user enters the PIN, so the disk stays sealed on a powered-on or stolen device until that extra factor is supplied.
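The following PowerShell is an added example, not code from the article or from Microsoft, that carries out the first half of Knapp's suggestion: it sets the local BitLocker policy to require TPM+PIN, lists the key protectors on the OS volume, and replaces a bare TPM protector with a TPM+PIN one. It assumes the OS volume is C:, that the machine has a TPM, and that it is run from an elevated PowerShell session; the registry value names and meanings (0 = do not allow, 1 = require, 2 = allow) are the standard ones under the FVE policy key. The BIOS password half is firmware-specific and is not covered here.

```powershell
# Added example (not from the article): enforce BitLocker TPM+PIN on the OS volume.
# Assumptions: OS volume is C:, a TPM is present, session is elevated.
$OsVolume = "C:"

# 1. Local policy equivalent of "Require additional authentication at startup".
#    0 = do not allow, 1 = require, 2 = allow.
$fve = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Type DWord -Value 1
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Type DWord -Value 0
Set-ItemProperty -Path $fve -Name UseTPM            -Type DWord -Value 0   # TPM-only: not allowed
Set-ItemProperty -Path $fve -Name UseTPMPIN         -Type DWord -Value 1   # TPM+PIN: required
Set-ItemProperty -Path $fve -Name UseTPMKey         -Type DWord -Value 0   # TPM+startup key: not allowed
Set-ItemProperty -Path $fve -Name UseTPMKeyPIN      -Type DWord -Value 2   # TPM+key+PIN: allowed

# 2. Show what currently unlocks the volume.
$vol = Get-BitLockerVolume -MountPoint $OsVolume
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize

$types = $vol.KeyProtector.KeyProtectorType

# 3. Never remove the only non-recovery protector without a recovery password on file.
if ($types -notcontains "RecoveryPassword") {
    throw "No recovery password protector present; add and back one up before changing protectors."
}

# 4. Replace a bare TPM protector with TPM+PIN. BitLocker permits one TPM-based
#    protector per volume, so the TPM-only one is removed before the PIN one is added.
if ($types -contains "Tpm" -and $types -notcontains "TpmPin") {
    $pin = Read-Host -Prompt "Enter a startup PIN (6+ digits)" -AsSecureString
    $tpmOnly = $vol.KeyProtector | Where-Object KeyProtectorType -eq "Tpm"
    Remove-BitLockerKeyProtector -MountPoint $OsVolume -KeyProtectorId $tpmOnly.KeyProtectorId | Out-Null
    Add-BitLockerKeyProtector -MountPoint $OsVolume -TpmAndPinProtector -Pin $pin | Out-Null
}

# 5. Confirm the result: expect TpmPin and RecoveryPassword, no bare Tpm.
(Get-BitLockerVolume -MountPoint $OsVolume).KeyProtector.KeyProtectorType
```

In a managed estate the policy values in step 1 would come from Group Policy or an MDM profile rather than a local registry write, and the recovery password should already be escrowed in Active Directory or Entra ID before the protector swap; the check in step 3 is there so the script refuses to leave a volume with nothing but a PIN the user may forget.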

Nightmare-Eclipse has also hinted that YellowKey may be a backdoor deliberately introduced by Microsoft. Experts are skeptical, noting that nothing in the information released so far substantiates that claim.

Alongside YellowKey, the researcher released partial exploit code for GreenPlasma, the privilege escalation flaw. Ferguson pointed out that although the code is public, attackers will still need to invest time in weaponizing it: in a default Windows configuration it currently triggers a User Account Control (UAC) consent prompt, so the victim is warned before the escalation completes.
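Because the released GreenPlasma code is reported to stop at a UAC consent prompt only in a default configuration, a practitioner's first check is whether UAC on a given host has been weakened below that default. The script below is an added example, not from the article or from Microsoft; it reads the standard UAC policy values and reports anything that would make elevation silent. It assumes nothing beyond a Windows host and read access to HKLM.

```powershell
# Added example (not from the article): flag UAC settings weaker than the Windows default.
# Default values: EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1.
$sys = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
$p = Get-ItemProperty -Path $sys

$findings = @()

# EnableLUA=0 turns UAC off entirely; no prompt is ever shown.
if ($p.EnableLUA -ne 1) {
    $findings += "EnableLUA=$($p.EnableLUA): UAC is disabled"
}

# ConsentPromptBehaviorAdmin=0 is "Never notify": admins elevate silently.
# 5 (default) prompts for non-Windows binaries; 2 prompts for everything, including
# Windows binaries, which is the stricter setting to prefer on sensitive hosts.
switch ($p.ConsentPromptBehaviorAdmin) {
    0 { $findings += "ConsentPromptBehaviorAdmin=0: administrators elevate without a prompt" }
    5 { }   # default
    2 { }   # always notify
    default { $findings += "ConsentPromptBehaviorAdmin=$($p.ConsentPromptBehaviorAdmin): non-default value, review" }
}

# PromptOnSecureDesktop=0 shows the prompt on the normal desktop, where it can be spoofed.
if ($p.PromptOnSecureDesktop -ne 1) {
    $findings += "PromptOnSecureDesktop=$($p.PromptOnSecureDesktop): consent prompt not on the secure desktop"
}

if ($findings.Count -eq 0) {
    "UAC is at or above the default level on $env:COMPUTERNAME"
} else {
    "UAC weakened on $env:COMPUTERNAME:"
    $findings | ForEach-Object { "  - $_" }
}
```

Wrap the same logic in Invoke-Command or a configuration-management check to sweep an estate. This is a hygiene check, not a fix: the article states that no mitigation for GreenPlasma is known, and a motivated attacker will eventually remove the prompt from the exploit chain, so the remaining answer is the patch when Microsoft ships it.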

Knapp warned that privilege escalation bugs like GreenPlasma are typically used after an attacker already has an initial foothold. Local administrator or SYSTEM rights let the intruder harvest credentials from the compromised host, and those credentials drive lateral movement across the network, discovery of sensitive data, and ultimately data theft or ransomware deployment.

MORE CONTEXT

There is currently no known mitigation for GreenPlasma, so organizations should be ready to patch promptly once Microsoft addresses it. YellowKey and GreenPlasma bring the number of zero-days disclosed by Nightmare-Eclipse this year to five. The researcher first drew attention with BlueHammer, which Microsoft patched in April.

Nightmare-Eclipse has framed the leaks as a response to a perceived breach of trust, saying they felt compelled to release the vulnerabilities after being wronged. Two of their earlier disclosures, RedSun and UnDefend, have already been exploited in real-world attacks, which is why the security community is treating each new release as an imminent threat rather than a research curiosity.

Ferguson described the release of YellowKey and GreenPlasma as part of an escalating campaign against Microsoft and warned that more vulnerabilities may follow. The researcher has referred to a "dead man's switch," implying that further disclosures are queued and will be triggered if their demands are not met.
