Angry Researcher Drops Two Windows Zero-Day Exploits, Citing Frustration with Microsoft's MSRC
Researcher Leaks Two Windows Zero-Day Exploits, 'YellowKey' and 'GreenPlasma', Amid Dispute with Microsoft
Related Entities
Threat Actors
Organizations
Products & Tech
Other
Full Report
Executive Summary
A security researcher, using the alias Chaotic Eclipse, has publicly released proof-of-concept (PoC) code for two previously unknown, or zero-day, vulnerabilities in Microsoft Windows. The exploits, dubbed YellowKey and GreenPlasma, were dropped on social media following a public dispute with the Microsoft Security Response Center (MSRC). This act of non-coordinated disclosure places all Windows users at immediate risk, as there are no official patches available. Reports indicate that other threat actors have already begun incorporating the exploits into active attack campaigns. The incident highlights the volatile nature of vulnerability disclosure and the significant danger posed when the process breaks down.
Vulnerability Details
Details are emerging, but the disclosed vulnerabilities are described as:
- YellowKey: A Windows BitLocker encryption bypass vulnerability. This type of flaw could potentially allow an attacker with physical or privileged access to a machine to bypass BitLocker drive encryption and access the data on the disk. This poses a significant threat to data confidentiality on stolen or lost devices.
- GreenPlasma: An elevation of privilege (EoP) vulnerability in the Windows CTFMON process. The flaw is related to how Windows handles path trust and arbitrary section creation. A local attacker could exploit this to execute code with higher privileges, likely SYSTEM, allowing them to take full control of a compromised machine.
Exploitation Status
CRITICAL: These vulnerabilities are reportedly being actively exploited in the wild.
The researcher's public release of working PoC code has enabled other malicious actors to weaponize the exploits rapidly. Reports suggest that active attacks leveraging YellowKey and GreenPlasma began within 24 hours of the disclosure. This is a classic zero-day scenario where defenders have no patch and must rely on mitigations and detection.
Threat Actor Profile
The researcher, Chaotic Eclipse (also known as Nightmare Eclipse), has a history of similar disclosures, including a previous zero-day named "BlueHammer." Their stated motivation is frustration with MSRC's handling of their vulnerability submissions. While their actions may stem from a desire to force a response from Microsoft, the result is a dangerous situation for the entire Windows user base. This behavior blurs the line between security research and malicious activity.
Impact Assessment
- Immediate Risk of Compromise: With public exploits and active attacks, any unpatched Windows system is potentially vulnerable. The GreenPlasma EoP flaw is particularly dangerous as it can be chained with other, less severe vulnerabilities (like a simple remote code execution bug in a browser) to achieve full system compromise.
- Data Confidentiality at Risk: The YellowKey BitLocker bypass, if effective, undermines a cornerstone of Windows data protection. It could allow attackers to access sensitive data on encrypted drives, nullifying a critical security control for mobile workforces and high-security environments.
- Erosion of Coordinated Disclosure: This incident damages the trust-based system of coordinated vulnerability disclosure (CVD), where researchers work with vendors to fix flaws before they are made public. It may encourage other researchers to follow a similar path, leading to a more chaotic and dangerous security environment.
IOCs — Directly from Articles
No specific Indicators of Compromise (IPs, domains, hashes) were mentioned in the source articles.
Cyber Observables — Hunting Hints
Security teams should immediately begin hunting for signs of exploitation:
ctfmon.exectfmon.exe spawning unusual child processes (e.g., cmd.exe, powershell.exe) or exhibiting anomalous behavior, which could indicate exploitation of GreenPlasma.manage-bde.exe, from an unexpected user context.Detection & Response
Since no patch is available, detection and mitigation are key.
- Endpoint Detection and Response (EDR): EDR solutions with strong behavioral detection capabilities are the best defense. Configure EDR to alert on suspicious process chains originating from
ctfmon.exeand on any process attempting to tamper with BitLocker or access raw disk contents. - Threat Hunting: Proactively hunt for the observables listed above. Search for any signs of privilege escalation attempts that do not follow known patterns.
- Isolate Suspicious Systems: If a system is suspected of being compromised using these exploits, it should be immediately isolated from the network to prevent lateral movement.
Mitigation
As there are no patches, only temporary compensating controls are available:
- Application Control: Use application control solutions (like AppLocker or Windows Defender Application Control) to restrict the execution of unauthorized code. This can prevent an attacker from running their payload even if they successfully exploit the GreenPlasma EoP.
- Limit Local Admin Rights: Enforce the principle of least privilege. The GreenPlasma exploit requires an attacker to first have local access. By limiting user privileges, you reduce the number of accounts that could potentially trigger the exploit.
- Physical Security: For the YellowKey BitLocker bypass, reinforcing physical security for laptops and other devices is crucial. An attacker needs access to the device to exploit this flaw.
- Monitor Vendor Communications: Closely monitor all communications from Microsoft for an out-of-band patch or official mitigation guidance.
Timeline of Events
MITRE ATT&CK Mitigations
Behavior Prevention on Endpoint
Use an EDR with strong behavioral analysis to detect anomalies like ctfmon.exe spawning a shell, which could indicate exploitation of GreenPlasma.
Execution Prevention
Implement application control policies to prevent unauthorized executables from running, which can block the attacker's payload post-privilege-escalation.
Privileged Account Management
Restrict local administrator rights. The GreenPlasma exploit requires an attacker to already have local code execution, so limiting user privileges reduces the attack surface.
D3FEND Defensive Countermeasures
Given that GreenPlasma is an Elevation of Privilege (EoP) flaw in the ctfmon.exe process, the most critical defensive measure is behavioral process analysis via an Endpoint Detection and Response (EDR) solution. Security teams must immediately create and deploy high-priority detection rules that monitor for any anomalous behavior originating from ctfmon.exe. A legitimate ctfmon.exe process should not be spawning child processes like cmd.exe, powershell.exe, or any other executable. A rule to detect ParentProcess: ctfmon.exe -> ChildProcess: * would be a high-fidelity indicator of compromise for this specific zero-day. This moves the defense from a signature-based approach (which doesn't exist yet) to a behavioral one, which is essential for combating unknown threats.
To mitigate the impact of the GreenPlasma EoP, organizations should deploy application control or executable allowlisting using tools like Windows Defender Application Control (WDAC) or AppLocker. An EoP vulnerability is only useful to an attacker if they can run a subsequent payload with the elevated privileges. By creating a policy that only allows known, trusted, and signed executables to run on a system, you can prevent the attacker's malicious payload from executing, even if they successfully exploit the vulnerability to gain SYSTEM-level context. This effectively breaks the attack chain and contains the threat, rendering the privilege escalation useless.
For the YellowKey BitLocker bypass, defenders must focus on detecting tampering with the BitLocker configuration and state. This can be achieved through advanced system file and configuration analysis. Configure File Integrity Monitoring (FIM) and EDR tools to place a high-priority alert on any modifications to BitLocker-related registry keys under HKLM\SOFTWARE\Policies\Microsoft\FVE and HKLM\SYSTEM\CurrentControlSet\Control\BitLocker. Furthermore, use auditpol to enable detailed logging of authentication and policy change events, and monitor the BitLocker-API and BitLocker-DrivePreparationTool event logs for any unexpected suspension, decryption, or recovery key access events. An attacker exploiting YellowKey would have to interact with these components, and robust logging provides the best chance of detecting that interaction.
Sources & References
Article Author
Jason Gomes
• Cybersecurity PractitionerCybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Tags
📢 Share This Article
Help others stay informed about cybersecurity threats
🎯 MITRE ATT&CK Mapped
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
🧠 Enriched & Analyzed
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
🛡️ Actionable Guidance
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
🔗 STIX Visualizer
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
⚡ Sigma Generator
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.