// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of October 16, 2023
Signal Brief · Archived

Week of October 16, 2023

2023-10-16 — 2023-10-22 · 6 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of October 16, 2023, ColdRecon logged 6 public endpoint-security events from open-source reporting — 3 vuln disclosures, 2 research pocs, 1 incident. Vendors in the record this week: Cobalt Strike, Datadog, Palo Alto Networks.

The Week's Public Record

Events

2023-10-21
research poc
AceLdr: Cobalt Strike UDRL for Memory Scanner EvasionAceLdr
AceLdr is a user-defined reflective loader (UDRL) for Cobalt Strike that evades multiple memory scanners by encrypting heap allocations, obfuscating code, and spoofing return addresses. It was tested against tools like Hunt-Sleeping-Beacons, BeaconHunter, BeaconEye, Patriot, Moneta, PE-sieve, and MalMemDetect, producing zero detections. The technique demonstrates a practical bypass of endpoint memory scanning defenses.
2023-10-20
vuln disclosure
Datadog Agent bundles vulnerable OpenSSL version flagged by Azure Cloud DefenderCVE-2023-4807
A user reported that Datadog Agent 7.54.1.0 on Windows includes OpenSSL 3.0.8 DLLs vulnerable to CVE-2023-4807 and other CVEs, as detected by Azure Cloud Defender. The issue persisted through multiple agent updates until Datadog confirmed all CVEs were patched in version 7.64.3.
2023-10-18
vuln disclosure
CVE-2023-3282: Local Privilege Escalation in Cortex XSOAR Engine on LinuxCVE-2023-3282
A local privilege escalation vulnerability exists in Palo Alto Networks Cortex XSOAR engine software on Linux. An attacker with shell access to the engine can execute programs with elevated privileges. The issue is fixed in updated engine installers from Cortex XSOAR 6.10 build B250144 and later.
2023-10-18
incident
MATA Malware Framework Exploits EDR in Attacks on Defense FirmsMATA EDR Exploitation
Between August 2022 and May 2023, an updated MATA backdoor framework targeted defense and oil/gas firms in Eastern Europe via spear-phishing. Attackers gained access to endpoint security admin panels and used them to surveil infrastructure and distribute malware. They bypassed EDR using a public exploit for CVE-2021-40449 (CallbackHell) and BYOVD techniques.
2023-10-17
vuln disclosure
CSIS Discloses Weakness in Microsoft Defender for Endpoint Allowing Undetected Malicious ActivityMDE Bypass Technique (CSIS)
CSIS Security Group discovered a bypass technique in Microsoft Defender for Endpoint (MDE) during an incident response engagement. The weakness allowed attackers to operate undetected on compromised servers with domain admin privileges. CSIS has reported the issue to Microsoft and will disclose full details after a fix is available.
2023-10-16
research poc
VEH2: Vectored Exception Handling Abuse to Bypass EDR and AMSIVEH2
Researchers presented a technique called VEH2 that abuses Windows Vectored Exception Handling to bypass EDR/XDR monitoring and AMSI. The method uses multiple Vectored Exception Handlers to alter control flow and execute malicious code discreetly. This poses challenges for detection and analysis by security products.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →