// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of July 22, 2024
Signal Brief · Archived

Week of July 22, 2024

2024-07-22 — 2024-07-28 · 5 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of July 22, 2024, ColdRecon logged 5 public endpoint-security events from open-source reporting — 2 incidents, 2 research pocs, 1 vuln disclosure. Vendors in the record this week: CrowdStrike, KnowBe4, Sophos.

The Week's Public Record

Events

2024-07-25
vuln disclosure
CrowdStrike Dismisses Exploitability of Falcon Sensor Bug That Caused BSODCrowdStrike Falcon Sensor Channel File 291 OOB Read
CrowdStrike disputes claims by Qihoo 360 that the Falcon sensor bug causing a global Windows BSOD incident is exploitable for privilege escalation or remote code execution. The bug is an out-of-bounds read due to a mismatch in expected inputs, and CrowdStrike states it does not allow arbitrary memory writes or control of program execution. The company cites multiple sensor protections that prevent tampering with channel files.
2024-07-25
incident
KnowBe4 Hires North Korean Hacker Who Attempts Malware DeploymentNorth Korean Insider Threat via Fake IT Worker
KnowBe4, a security awareness training vendor, hired a North Korean national using a stolen US identity and AI-enhanced photo. The employee attempted to load malware onto a company-issued Mac immediately upon receipt, but was detected and contained by KnowBe4's SOC before any data loss or compromise occurred.
2024-07-24
research poc
SyscallTempering: EDR Evasion via Hardware Breakpoint Syscall Argument SpoofingSyscallTempering
A proof-of-concept tool named SyscallTempering demonstrates a technique to evade EDR detection by tampering with system call arguments. It uses hardware breakpoints and a vectored exception handler to replace spoofed arguments with real ones on unhooked syscalls, successfully launching a payload under Sophos EDR. The method improves upon prior syscall tampering research by randomly selecting benign, unhooked syscalls and spoofing up to 11 arguments.
2024-07-24
research poc
Public Release of Kernel-Mode CR3-Based Memory Read/Write Bypass for Easy Anti-Cheat and BattlEyeEAC-CR3Bypass
A developer publicly released source code for a kernel-mode driver technique that reads and writes virtual memory using CR3 manipulation to bypass Easy Anti-Cheat (EAC) and BattlEye (BE). The code demonstrates a method to access game memory undetected, originally part of a private cheat. This release provides a ready-made bypass for cheat developers.
Easy Anti-Cheat · BattlEye ↗ github.com (2024-07-24)
2024-07-22
incident
BlackSuit Ransomware Evades Detection by Masquerading as Qihoo 360 Antivirus ComponentBlackSuit Ransomware Masquerading as Qihoo 360 Antivirus
The BlackSuit ransomware group has evolved its tactics to evade endpoint security by disguising its payload as a legitimate Qihoo 360 antivirus file. This technique significantly lowers detection rates, as observed in VirusTotal scans. The ransomware also employs encoded strings, imported DLLs, and a mandatory ID argument to thwart analysis.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →