// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of June 19, 2023
Signal Brief · Archived

Week of June 19, 2023

2023-06-19 — 2023-06-25 · 3 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of June 19, 2023, ColdRecon logged 3 public endpoint-security events from open-source reporting — 1 vuln disclosure, 1 incident, 1 research poc. Vendors in the record this week: Proofpoint.

The Week's Public Record

Events

2023-06-23
vuln disclosure
Proofpoint ITM Windows Agent Insecure Filesystem Permissions VulnerabilityCVE-2023-2818
Proofpoint disclosed CVE-2023-2818, an insecure filesystem permission vulnerability in the Insider Threat Management (ITM) Agent for Windows. Local unprivileged users can disrupt event reporting. The vulnerability affects versions prior to 7.14.3 and has been patched.
2023-06-21
incident
MULTI#STORM Campaign Uses Python Loader Masquerading as OneDrive to Drop Multiple RATsMULTI#STORM
Securonix Threat Labs identified the MULTI#STORM attack campaign delivering Warzone RAT and Quasar RAT via phishing emails. The attack begins with a password-protected ZIP containing an obfuscated JavaScript file that downloads and executes a Python-based loader from OneDrive. The loader establishes persistence and drops multiple RAT payloads, targeting victims in the US and India.
2023-06-21
research poc
Freeze: EDR Bypass Toolkit Using Suspended Processes and Direct SyscallsFreeze
Freeze is a payload toolkit that bypasses EDR detection by spawning a suspended process to obtain an unhooked copy of ntdll.dll's .text section, then overwrites the hooked .text section in its own process before executing shellcode via direct syscalls. It also patches ETW syscalls to suppress telemetry. The technique leverages the fact that ntdll.dll is loaded before EDR DLLs and that DLL base addresses are constant per boot due to ASLR behavior.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →