// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of August 19, 2024
Signal Brief · Archived

Week of August 19, 2024

2024-08-19 — 2024-08-25 · 3 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of August 19, 2024, ColdRecon logged 3 public endpoint-security events from open-source reporting — 2 incidents, 1 vuln disclosure. Vendors in the record this week: Microsoft, CrowdStrike, HitmanPro.

The Week's Public Record

Events

2024-08-19
incident
Volt Typhoon Removes Legitimate Security Software to Evade DetectionVolt Typhoon security tool removal
In February 2024, CISA reported that Volt Typhoon threat actors removed legitimate security tools and cleared logs on compromised systems to hide their presence. The group used built-in administrative commands to uninstall EDR, disable Windows Defender, and delete event logs, enabling long-term undetected access to U.S. critical infrastructure.
2024-08-19
incident
Lazarus APT exploited Windows AFD.sys zero-day CVE-2024-38193 for privilege escalationCVE-2024-38193
Microsoft patched CVE-2024-38193, a privilege escalation vulnerability in the Windows Ancillary Function Driver (AFD.sys), which was actively exploited by the North Korea-linked Lazarus APT group. The flaw allowed attackers to gain SYSTEM privileges and was used alongside the FudModule rootkit to bypass security software. This follows Lazarus's earlier exploitation of CVE-2024-21338 in the AppLocker driver for kernel-level access.
Microsoft · CrowdStrike · HitmanPro ↗ securityaffairs.com (2024-08-19)
2024-08-19
vuln disclosure
IBM Security QRadar EDR Patches Critical Remote Code Execution and Privilege Escalation VulnerabilitiesCVE-2024-37890
IBM released a security bulletin addressing multiple vulnerabilities in Security QRadar EDR. CVE-2024-37890 allows unauthenticated remote code execution via a buffer overflow, while CVE-2024-37891 enables authenticated privilege escalation. Patches are available in the August 2024 update.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →