// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of May 6, 2024
Signal Brief · Archived

Week of May 6, 2024

2024-05-06 — 2024-05-12 · 6 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of May 6, 2024, ColdRecon logged 6 public endpoint-security events from open-source reporting — 3 research pocs, 3 incidents. Vendors in the record this week: Zscaler, Apple, Kaseya.

The Week's Public Record

Events

2024-05-11
research poc
Floro: macOS SIP Bypass via InstallAssistant.pkg Symlink AttackFloro
A proof-of-concept exploit named Floro demonstrates a method to bypass System Integrity Protection (SIP) on macOS 14.0 and earlier by leveraging a symlink race condition during installation of Apple's InstallAssistant.pkg. The technique allows removal of the 'restricted' flag on SIP-protected directories, enabling an attacker to replace the TCC database and gain Full Disk Access. The vulnerability has no CVE and was tested on macOS 14.0; it does not work on macOS 14.4.
2024-05-10
incident
REvil Ransomware Gang Exploits Kaseya VSA Zero-Days in Supply-Chain AttackKaseya VSA Supply-Chain Ransomware Attack (REvil)
In July 2021, the REvil ransomware gang exploited zero-day vulnerabilities in Kaseya VSA remote monitoring and management software to deploy ransomware to approximately 1,500 downstream businesses via managed service providers. The attackers leveraged the trusted Kaseya agent to distribute malicious updates, bypassing endpoint security controls. This supply-chain attack encrypted systems and demanded a $70 million ransom.
2024-05-09
research poc
Self-Modifying Code Sections with WriteProcessMemory for EDR EvasionSelf-Modifying Code Sections with WriteProcessMemory
A technique is presented that enables self-modification of a process's .text section using WriteProcessMemory to bypass EDR userland hooks. It builds on the Process Mockingjay approach by avoiding RWX memory allocations and instead modifying existing executable code sections to execute malicious code without triggering typical API hook detections.
2024-05-09
incident
Zscaler Investigates Claims of Unauthorized Access Sale by IntelBrokerZscaler-IntelBroker-2024
Zscaler is investigating claims that threat actor IntelBroker is selling access to its network, including logs with credentials. The company stated there is no impact to customer, production, or corporate environments, and an isolated test environment was taken offline for analysis.
2024-05-08
incident
Zscaler takes isolated test environment offline after breach rumorsZscaler test environment breach
Zscaler confirmed an isolated test environment on a single server was exposed to the internet and taken offline for forensic analysis. No customer, production, or corporate environments were impacted. The incident follows threat actor IntelBroker's claims of selling access to a cybersecurity company with $1.8B revenue, later identified as Zscaler.
2024-05-08
research poc
Dirty Vanity EDR Bypass Technique Published as Proof-of-ConceptDirty Vanity
A proof-of-concept repository named DV_NEW combines multiple evasion techniques under the name Dirty Vanity to bypass endpoint detection and response (EDR) systems. It uses direct syscalls, dynamic syscall number resolution, and an egg-hunting technique to patch syscall instructions at runtime, evading user-mode hooks and static analysis. The author claims successful bypass of Bitdefender and Microsoft Defender for Endpoint.
Bitdefender · Microsoft ↗ github.com (2024-05-08)
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →