// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of September 11, 2023
Signal Brief · Archived

Week of September 11, 2023

2023-09-11 — 2023-09-17 · 5 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of September 11, 2023, ColdRecon logged 5 public endpoint-security events from open-source reporting — 3 vuln disclosures, 1 incident, 1 research poc. Vendors in the record this week: Microsoft, STRANGETRINITY, Palo Alto.

The Week's Public Record

Events

2023-09-15
incident
Akira Ransomware Bypasses EDR by Launching Unmonitored VMs on Hyper-V HostsAkira ransomware VM-based EDR bypass
The Akira ransomware group has been observed deploying ransomware from newly created, unmonitored virtual machines on Windows Hyper-V hosts to evade endpoint detection and response (EDR) tools. This technique allows attackers to encrypt virtual disk files while bypassing security controls that are not installed on the attacker-created VMs. The group also attempted to use the open-source Terminator BYOVD tool to disable EDR, but it was detected and blocked.
2023-09-13
research poc
Research Demonstrates Tampering with STRANGETRINITY EDR Agent-Cloud Communication via COM InterfaceSTRANGETRINITY EDR Agent Communication Tampering
Researchers analyzed the STRANGETRINITY EDR agent's communication channel and discovered a COM interface method that, despite ACL restrictions, could be invoked to extract configuration details. This allowed them to intercept and tamper with agent-tenant communications, potentially enabling command execution or EDR disabling. The work highlights risks when an attacker has administrative access to the endpoint.
2023-09-13
vuln disclosure
ALPC Port Blocking Vulnerability Affects Multiple Windows EDR AgentsCVE-2023-3280
A denial-of-service vulnerability in multiple Windows EDR products allows a low-privileged user to permanently disable the agent after a reboot by preemptively registering an ALPC port name used by the EDR. The affected EDRs fail to handle the case where the port is already in use, causing user-mode components to crash or become non-functional. Kernel components remain running but lose detection/blocking capabilities in most cases.
Palo Alto · Microsoft · Check Point · Kaspersky · Trend Micro · Malwarebytes · SentinelOne · CrowdStrike ↗ labs.infoguard.ch (2025-02-24) ↗ github.com (2025-01-28) ↗ security.paloaltonetworks.com (2023-09-13)
2023-09-12
vuln disclosure
CVE-2023-38163: Windows Defender ASR Authentication Bypass VulnerabilityCVE-2023-38163
CVE-2023-38163 is a security feature bypass vulnerability in Microsoft Windows Defender Attack Surface Reduction (ASR) rules. It allows an attacker with local access and user interaction to circumvent ASR protections, potentially enabling malicious code execution. The flaw undermines a key endpoint defense layer used to block common attack techniques.
2023-09-11
vuln disclosure
CVE-2023-27470: N-able Take Control Agent TOCTOU Race Condition Allows Arbitrary File DeletionCVE-2023-27470
A TOCTOU race condition in N-able Take Control Agent's BASupSrvcUpdater.exe allows a local low-privileged attacker to delete arbitrary files via pseudo-symlink exploitation. The vulnerability affects versions through 7.0.41.1141 and can lead to denial of service, privilege escalation, or system compromise. Mitigation involves updating to version 7.0.43 or later.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →