// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of July 15, 2024
Signal Brief · Archived

Week of July 15, 2024

2024-07-15 — 2024-07-21 · 5 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of July 15, 2024, ColdRecon logged 5 public endpoint-security events from open-source reporting — 2 research pocs, 2 incidents, 1 vuln disclosure. Vendors in the record this week: Microsoft, SentinelOne, Symantec.

The Week's Public Record

Events

2024-07-21
vuln disclosure
Symantec Endpoint Protection Client UI Password Bypass (CVE-2022-37017)CVE-2022-37017
A vulnerability in Symantec Endpoint Protection (SEP) 14.3.5351 allows an attacker with code execution to bypass the client UI password protection by patching a single instruction in memory or the binary. This enables unauthorized policy import/export, configuration changes, and potential full client compromise even with Tamper Protection enabled. The issue was fixed in SEP 14.3 RU6.
Broadcom (Symantec) ↗ github.com (2024-07-21)
2024-07-17
research poc
PwnedBoot: Bypass Secure Boot via Windows Bootloader DLL SideloadingPwnedBoot
Security researcher Samuel Tulach released a proof-of-concept called PwnedBoot that leverages the Windows bootloader to bypass Secure Boot. By replacing the mcupdate_.dll file and booting with Driver Signature Enforcement disabled, arbitrary code executes early in the boot process. This technique could allow attackers to load malicious payloads before the operating system initializes, undermining Secure Boot protections.
2024-07-17
research poc
GhostEmperor's Updated Demodex Rootkit Infection Chain AnalyzedDemodex Rootkit (GhostEmperor)
Sygnia's incident response investigation uncovered a new variant of the Demodex rootkit, attributed to the China-nexus GhostEmperor group, targeting telecommunication and government entities. The updated infection chain includes an EDR evasion technique and a reflective loader for the core implant, with compilation dating to July 2021. The malware uses LOLBins, registry persistence, and a malicious service masquerading as a legitimate Windows service.
2024-07-17
incident
Fin7's AvNeutralizer Tool Enables EDR Tampering for Ransomware GangsAvNeutralizer
SentinelOne reports that the Fin7 threat group has developed and sold a custom tool called AvNeutralizer (aka AuKill) that tampers with endpoint detection and response (EDR) solutions. The tool has been used by multiple ransomware gangs, including AvosLocker, MedusaLocker, BlackCat, and LockBit, since early 2023. AvNeutralizer leverages a previously unseen technique using the Windows TTD monitor driver ProcLaunchMon.sys and a hardened process explorer driver to cause a denial-of-service condition on affected security products.
SentinelOne · Microsoft · Symantec · Sophos · Panda Security · Elastic · McAfee · Kaspersky ↗ www.techtarget.com (2024-07-18) ↗ cybernoz.com (2024-07-18) ↗ securityaffairs.com (2024-07-18) ↗ www.sentinelone.com (2024-07-17)
2024-07-16
incident
Killer Ultra Malware Disables EDR/AV in Ransomware AttacksKiller Ultra
Killer Ultra malware, used in Qilin ransomware attacks, terminates endpoint security tools by exploiting a vulnerable Zemana AntiLogger driver (CVE-2024-1853). It also clears Windows Event Logs and contains inactive post-exploitation capabilities. The malware targets Symantec, Microsoft Defender, and SentinelOne.
Symantec · Microsoft · SentinelOne ↗ trustedsec.com (2024-07-16)
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →