// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of February 26, 2024
Signal Brief · Archived

Week of February 26, 2024

2024-02-26 — 2024-03-03 · 8 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of February 26, 2024, ColdRecon logged 8 public endpoint-security events from open-source reporting — 4 research pocs, 2 incidents, 2 vuln disclosures. Vendors in the record this week: Microsoft, ConnectWise, Apple.

The Week's Public Record

Events

2024-03-01
incident
CVE-2024-1709 Exploited in Play Ransomware and LockBit Supply Chain AttacksCVE-2024-1709
Attackers exploited a critical authentication bypass vulnerability (CVE-2024-1709) in ConnectWise ScreenConnect to deploy Play ransomware and attempt a LockBit supply chain attack via an MSP. The vulnerability allows unauthenticated creation of administrative users, granting full system control. Multiple ransomware strains were observed in the wild within days of disclosure.
2024-03-01
research poc
Aladdin Tool Bypasses WDAC and AppLocker via .NET Remoting DeserializationAladdin
A new tool named Aladdin was released that bypasses Windows Defender Application Control (WDAC) and AppLocker by exploiting a .NET remoting deserialization issue in addinprocess.exe. It combines a known bypass for a 2019 Microsoft patch with a technique to execute arbitrary code, allowing red teamers to run payloads on systems with application control enabled.
2024-02-29
research poc
Public PoC Script Bypasses macOS MDM Enrollment During SetupBypass-MDM
A public proof-of-concept script automates bypassing Mobile Device Management (MDM) enrollment during macOS setup by creating a local admin account and blocking MDM domains from Recovery Mode. The script works up to macOS Tahoe 26.3 and could allow users to evade enterprise device management controls.
2024-02-29
vuln disclosure
Elastic Agent Tamper Protection Bypass via Force Flag EnrollmentElastic-Agent-Tamper-Protection-Bypass-Force-Flag
A weakness in Elastic Agent allows a local administrator to enroll a new agent over an existing installation using the force flag, bypassing Agent Tamper Protection that requires an uninstall token for removal. This could let an attacker replace a protected agent with one under their control, undermining endpoint security.
2024-02-29
research poc
Rust-based DLL unhooking tool published to bypass EDR/AV hooksdll_unhook
A new open-source tool named dll_unhook, written in Rust, has been released on GitHub. It uses in-memory disassembly to detect and revert DLL modifications made by EDR/AV software, allowing execution of original code. The project is a proof-of-concept for bypassing endpoint security hooks.
2024-02-28
incident
CACTUS Ransomware Group Executes Coordinated Attack on Two Companies via Ivanti MobileIron Sentry VulnerabilityCACTUS Ransomware Coordinated Attack
The CACTUS ransomware group exploited CVE-2023-38035 in Ivanti MobileIron Sentry within 24 hours of its disclosure to compromise two separate companies simultaneously. The attack involved data exfiltration, encryption of workstations, and subsequent encryption of virtual machines including domain controllers on both ESXi and Hyper-V hosts. Some machines protected by Bitdefender remained unharmed, while the primary security software from an undisclosed vendor was bypassed.
Ivanti · Undisclosed security vendor ↗ businessinsights.bitdefender.com (2024-02-28)
2024-02-27
research poc
CSx4Ldr: Cobalt Strike Plugin for Antivirus EvasionCSx4Ldr
CSx4Ldr is a Cobalt Strike plugin that generates beacons designed to evade antivirus detection, specifically bypassing Windows Defender. It is a proof-of-concept tool intended for red team operations and security research.
2024-02-27
vuln disclosure
CVE-2023-7016: Thales SafeNet Authentication Client Local Privilege EscalationCVE-2023-7016
A local privilege escalation vulnerability (CVE-2023-7016) exists in Thales SafeNet Authentication Client prior to version 10.8 R10 on Windows. The flaw allows a low-privileged local attacker to execute arbitrary code with SYSTEM privileges, potentially leading to full system compromise. The vulnerability is due to improper privilege management (CWE-269) in the client's Windows components.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →