Tag: CISA

  • CISA Sets June 3 Deadline for Windows Defender Patch

    Key Takeaways

    – Federal agencies must patch RedSun (CVE-2026-41091) and UnDefend (CVE-2026-45498) by June 3 to comply with CISA’s Binding Operational Directive 22-01.
    – RedSun grants SYSTEM privileges via the Defender tiering engine; UnDefend blinds Defender entirely, enabling ransomware or lateral movement.
    – Verify Malware Protection Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7 in Windows Security before the deadline.
    – Three unpatched zero-days remain: YellowKey (BitLocker bypass), GreenPlasma (CTFMON privilege escalation), and MiniPlasma (cldflt.sys exploit, works on fully patched Windows 11/Server 2022/2025).
    – Mitigate YellowKey immediately by disabling WinRE’s autofstx.exe and switching BitLocker from TPM-only to TPM+PIN.


    Federal Agencies Face Urgent Microsoft Defender Patches Deadline

    Federal agencies have until June 3 to apply fixes for two actively exploited Microsoft Defender vulnerabilities tied to the Nightmare Eclipse disclosure campaign. With that deadline 48 hours away, three additional Windows zero-days from the same researcher remain unpatched, and June 9 is the next opportunity Microsoft has to address them. The current situation demands immediate action from IT departments managing government systems.

    Background on the Nightmare Eclipse Campaign and CISA Involvement

    The saga began in early April when Nightmare Eclipse dropped BlueHammer (CVE-2026-33825), patched in the April 14 Patch Tuesday with its CISA deadline passing in early May. The current countdown is anchored by a separate CISA action on May 20, adding RedSun (CVE-2026-41091) and UnDefend (CVE-2026-45498) to the Known Exploited Vulnerabilities catalog after Huntress confirmed active exploitation in real-world attacks. CISA mandated remediation under Binding Operational Directive 22-01 with a 14-day window. These vulnerabilities are being actively used in attacks right now according to security researchers.

    Technical Details of RedSun and UnDefend Vulnerabilities

    RedSun targets the Defender tiering engine to escalate privileges to SYSTEM. UnDefend triggers a denial-of-service condition in the Antimalware Platform, blinding Defender entirely and creating a window for ransomware deployment or lateral movement without triggering alerts. Both vulnerabilities allow attackers to bypass critical security features in Windows Defender. The impact is severe for enterprise environments where Defender is a primary line of defense.

    Required Version Numbers for Patching

    Both are fixed in Malware Protection Engine 1.1.26040.8 and Antimalware Platform 4.18.26040.7. Verify those version numbers in Windows Security settings before June 3. Administrators should check these version numbers manually to ensure updates have been applied correctly. Failure to meet this deadline could result in compliance violations for federal agencies.

    Additional Unpatched Zero-Days From Nightmare Eclipse

    YellowKey (CVE-2026-45585) bypasses BitLocker on TPM-only systems via the Windows Recovery Environment, allowing physical access to unlock encrypted drives without a recovery key. GreenPlasma is a CTFMON privilege escalation flaw with no CVE and no patch. MiniPlasma re-exploits CVE-2020-17103 in cldflt.sys, a 2020 flaw whose patch was either incomplete or silently regressed. These vulnerabilities present serious risks for organisations that rely on BitLocker for data protection.

    Confirmed Exploitation on Modern Windows Systems

    ThreatLocker and Will Dormann confirmed that MiniPlasma still produces a SYSTEM shell on fully patched Windows 11 and Windows Server 2022 and 2025. Windows 10 is unaffected, which matters for teams managing mixed fleets. This discrepancy means administrators cannot assume all systems are equally vulnerable; testing should be conducted on the relevant operating system versions to understand exposure.

    Mitigation Steps for YellowKey BitLocker Bypass

    For YellowKey, run reagentc /disable, mount the offline WinRE registry hive, remove autofstx.exe from the BootExecute value under ControlSet001\Control\Session Manager, then run reagentc /enable to commit the change. Transition BitLocker from TPM-only to TPM+PIN wherever possible. This manual process is required until Microsoft releases an official patch. Organisations should prioritise this mitigation for high-security systems.
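    A host audit for the two checks described in this article, the patched Defender engine and platform versions from the version section and the TPM-only BitLocker configuration that YellowKey targets, as an added example that is not part of the original article. It assumes an elevated PowerShell session on a host with the Defender and BitLocker modules available; the required version constants are the ones the article gives.

```powershell
# Added example (not from the article): audit one Windows host against the
# Defender patch level and the BitLocker protector type discussed above.
# Assumes: elevated PowerShell, Defender and BitLocker modules present.

$RequiredEngine   = [version]'1.1.26040.8'   # Malware Protection Engine (from the article)
$RequiredPlatform = [version]'4.18.26040.7'  # Antimalware Platform (from the article)

function Test-DefenderPatchLevel {
    # Get-MpComputerStatus reports the running engine and platform versions
    $status   = Get-MpComputerStatus
    $engine   = [version]$status.AMEngineVersion
    $platform = [version]$status.AMProductVersion
    [pscustomobject]@{
        EngineVersion   = $engine
        EngineOk        = ($engine -ge $RequiredEngine)
        PlatformVersion = $platform
        PlatformOk      = ($platform -ge $RequiredPlatform)
    }
}

function Test-BitLockerTpmOnly {
    param([string]$MountPoint = $env:SystemDrive)
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    # A bare 'Tpm' protector with no TpmPin/TpmPinStartupKey protector is the
    # TPM-only configuration the article says YellowKey bypasses.
    $hasPin = @($types | Where-Object { $_ -like 'TpmPin*' }).Count -gt 0
    [pscustomobject]@{
        MountPoint       = $MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        ProtectorTypes   = ($types -join ',')
        TpmOnly          = ($types -contains 'Tpm') -and -not $hasPin
    }
}

$defender  = Test-DefenderPatchLevel
$bitlocker = Test-BitLockerTpmOnly
$defender  | Format-List
$bitlocker | Format-List

if (-not ($defender.EngineOk -and $defender.PlatformOk)) {
    Write-Warning 'Defender engine/platform below the versions that fix RedSun and UnDefend.'
}
if ($bitlocker.TpmOnly) {
    Write-Warning "BitLocker on $($bitlocker.MountPoint) is TPM-only; add a TPM+PIN protector."
}
```

    Run it per host (for example through a remoting job) and collect the two objects to track fleet-wide status against the June 3 deadline.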

    Future Timeline for Remaining Vulnerabilities

    Nightmare Eclipse has signalled a July 14 release targeting that month’s Patch Tuesday. This provides a timeline for planning additional security updates.

    Sources: cisa.gov; Microsoft advisories for CVE-2026-41091 and CVE-2026-45498.

  • Cyberattack on Poland’s Wind and Solar Farms Sparks Global Alarm

    Key Takeaways

    1. CISA issued a security alert following a cyberattack on Poland’s renewable energy systems, emphasizing risks from weak internet-connected devices in operational technology (OT).
    2. The attack affected around 30 wind and solar power sites, with tools linked to a Russian-associated threat group.
    3. Attackers accessed systems through unpatched edge devices and used wiper malware to damage critical operational technology components.
    4. CISA is urging U.S. federal agencies to eliminate unsupported edge devices and strengthen cybersecurity measures in industrial control systems (ICS).
    5. Security experts highlight this attack as a significant escalation, specifically targeting distributed energy resources that often have weaker cybersecurity.


    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a security alert after a major cyberattack on Poland’s renewable energy systems. This incident highlights the dangers of weak internet-connected edge devices in operational technology settings.

    Details of the Attack

    This warning comes after a report from Poland’s Computer Emergency Response Team (CERT-Polska) on January 30, which revealed that a cyber incident in December affected around 30 wind and solar power sites. The Polish agency indicated that the tools used in the attack were linked to a Russian-associated threat group known by various names, including Static Tundra, Berserk Bear, Ghost Blizzard, and Dragonfly.

    Implications for Industrial Systems

    CISA pointed out that this incident illustrates the increasing dangers to industrial control systems (ICS) and operational technology (OT), which are commonly used in energy production, utilities, and manufacturing industries. The agency explained that the attackers first accessed the systems through unpatched or outdated internet-facing edge devices like routers and firewalls.

    According to CISA, the attackers used wiper malware that harmed remote terminal units (RTUs), wiped data from human-machine interfaces (HMIs), and compromised the firmware of operational technology devices. While the generation of energy continued, operators temporarily lost the ability to monitor and control the affected installations.

    Steps to Mitigate Risks

    Recently, CISA has heightened its efforts to mitigate risks related to vulnerable networking devices. Just last week, the agency issued a binding directive mandating U.S. federal agencies to eliminate unsupported edge devices from their networks.

    Security experts at Dragos described the attack as a major escalation, noting that it is one of the first known cyber operations that specifically targeted distributed energy resources, including smaller wind, solar, and combined heat-and-power setups. Unlike traditional power plants, these distributed systems depend heavily on remote connections and typically receive less funding for cybersecurity.

    Officials from the United Kingdom’s National Cyber Security Centre have also called on operators of critical infrastructure to enhance their protective measures in response to the incident.

    CISA recommends that infrastructure operators examine CERT-Polska’s technical findings and adhere to federal advice aimed at reducing vulnerabilities in OT and ICS environments.

  • US Cybersecurity Chief Leaks Confidential Documents to ChatGPT

    Key Takeaways

    1. The Acting Director of CISA, Madhu Gottumukkala, uploaded sensitive government documents to a public version of ChatGPT, triggering security alerts.
    2. Gottumukkala received a special exemption to use the AI tool, despite the documents being labeled “For Official Use Only.”
    3. The incident raises concerns about data exposure, as public AI tools like ChatGPT send inputs to OpenAI, unlike secure internal tools.
    4. CISA is investigating the incident, with conflicting statements about the timeline of Gottumukkala’s use of the tool.
    5. This incident adds to ongoing controversies surrounding Gottumukkala, including previous issues with a polygraph test related to counterintelligence.


    The Acting Director of the Cybersecurity and Infrastructure Security Agency (CISA), which is the main US agency for cybersecurity, was involved in a security incident last year. Madhu Gottumukkala uploaded sensitive government documents to a public version of ChatGPT. Information from four officials at the Department of Homeland Security (DHS) obtained by Politico revealed that this action set off several automated security alerts. These alerts are designed to stop the theft or accidental release of government materials from federal networks. Reports indicate that alarms were triggered multiple times during the first week of August alone.

    Accessing the AI Tool

    Gottumukkala obtained a special exemption to use the AI chatbot, which he requested from CISA’s Chief Information Officer soon after he started his role in May. At that point, the application was only available to regular employees of the Department of Homeland Security. Although the files he uploaded were not classified, they were labeled “For Official Use Only,” indicating that they contained sensitive information not meant for the public.

    Controversy Over the Incident

    This incident has raised eyebrows, especially because of the technical nature of the tool involved. When using the public version of ChatGPT, inputs are sent to the developer OpenAI, and there is a possibility that this data could be used to enhance the model or answer questions for other users. In contrast, the AI tools approved for use within the Department of Homeland Security, like the internal “DHSChat,” are set up to ensure that no data or search queries can leave the secured federal networks. OpenAI claims that its service currently has over 700 million active users, which emphasizes the risk of information exposure.

    CISA’s Response

    In response to the situation, CISA is attempting to clarify matters. Spokeswoman Marci McCarthy stated that the use of the chatbot was approved, short-term, limited, and conducted under security measures. She also disputed the timeline, claiming that the director last used the tool in mid-July. This contradicts previous statements from officials who said security alerts were still detecting uploads in early August. An internal investigation is now underway to find out whether the incident resulted in any real harm. This case is one of several controversies involving Gottumukkala, who reportedly failed a polygraph test related to counterintelligence earlier.

    IOL, Politico.
