
news · 6 min read

Bulletin — January 2023

BOLDMOVE on FortiOS attributed to a China-nexus actor, ALPC zero-day in Patch Tuesday, MFA seeds stolen from GoTo, NIS2 enters into force, and the first generation of ChatGPT jailbreaks. What moved in January, ranked by real impact.

· Manuel López Pérez · news

January came with two threads. On one side, a queue of late disclosures dragging in from late 2022: LastPass / GoTo, T-Mobile, PayPal, Riot, all of them notifying users months after the incident was already over. On the other, a run of fresh zero-days and new attributions: BOLDMOVE on FortiOS, ALPC on Patch Tuesday, CWP under mass exploitation, NIS2 entering into force, and a first wave of ChatGPT jailbreaks that reaches version 3.0 before month-end.

The six items below are ordered by real impact, not raw CVSS. Criteria for moving an item up: actor with operational capability, persistence, or systemic effects. Criteria for moving one down: opportunistic, well-known, or hard to exploit at scale.

1. CVE-2022-42475 + BOLDMOVE — FortiOS SSL VPN with custom backdoor

On 19 January, Mandiant publishes its analysis of the backdoor it calls BOLDMOVE, found during investigations that tie back to a suspected China-nexus actor. The vehicle is CVE-2022-42475, a pre-auth heap overflow in sslvpnd on FortiOS that Fortinet had patched on 11 December 2022 without specific attribution. Mandiant puts dates on it: exploitation goes back at least to October 2022. Identified victims: a European government body and an MSP in Africa.

BOLDMOVE is written in C, compiled with GCC 11.2.1, with Windows and Linux variants. The Linux variant is built specifically for FortiGate: it reads proprietary firewall configuration files and lets the operator alter device behaviour. Custom code for FortiGate, not generic malware.

Why it opens the bulletin: actor with dwell time, malware specific to a network appliance, persistence preceding public CVE disclosure. If you have a FortiGate exposed and unpatched, assume forensic review.

Source: https://cloud.google.com/blog/topics/threat-intelligence/chinese-actors-exploit-fortios-flaw

2. CVE-2023-21674 — ALPC zero-day in Patch Tuesday

On 10 January, Microsoft closes CVE-2023-21674, a privilege escalation in Advanced Local Procedure Call (ALPC). CVSS 8.8, exploited as zero-day at the time of the patch. Affects Windows 8.1 / Server 2012 R2 and later. The bug allows escape from the browser sandbox to SYSTEM, which places it as a typical second link in a ransomware chain: a browser RCE drops code in the renderer, ALPC elevates it to SYSTEM, the rest of the payload runs without restrictions.

Microsoft doesn’t publish actor details. Some firms (Trend Micro, Tenable) suggest activity consistent with an infostealer or broker. The interesting note: browser ALPC exploits tend to come chained, so expect more related CVEs in upcoming Patch Tuesdays.

Source: https://www.zerodayinitiative.com/blog/2023/1/10/the-january-2023-security-update-review · https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21674

3. LastPass / GoTo — the backup contents were bigger than December’s statement said

On 23 and 24 January, GoTo (LastPass’s parent) widens the disclosure of the August–October 2022 incident. What’s new: in addition to the encrypted LastPass vault, the attackers took encrypted backups of Central, Join.me, Hamachi and RemotelyAnywhere, along with the encryption key for those backups. Among the data: usernames, salted password hashes, MFA seeds, and a portion of the K2 keys for enterprise clients.

TOTP seeds are the secret from which the six-digit code is derived. Whoever holds the secret can generate any future code on demand. That means the second factor on any account whose seed is in that dump is no longer a second factor. Immediate action for affected clients: rotate the password and re-enrol MFA. The vendor’s action would be to retire the affected seeds and force re-enrolment; there’s no record GoTo did this proactively.
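To make the point concrete, here is an added example (not from the bulletin or from GoTo) of the RFC 6238 derivation: the seed alone fixes every code the authenticator will ever show, so the only remedy is a new seed. The seed used is the public RFC 6238 test vector, not a real user secret.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(seed: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    Nothing but the seed and the clock goes in, so a stolen seed yields
    the code for any past or future instant."""
    return hotp(seed, at_time // step, digits)


def verify(seed: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock drift."""
    counter = at_time // 30
    return any(hmac.compare_digest(hotp(seed, counter + d), code)
               for d in range(-window, window + 1))


def reenrol() -> str:
    """Issue a fresh 160-bit seed, base32-encoded as it would appear in an enrolment QR.
    This is the vendor-side fix the text describes: old seeds are retired, not reused."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def seed_from_base32(b32: str) -> bytes:
    return base64.b32decode(b32.upper() + "=" * (-len(b32) % 8))


if __name__ == "__main__":
    # Public test seed from RFC 6238 appendix B (constructed demo input).
    leaked_seed = b"12345678901234567890"
    now = 1674518400  # 24 January 2023 00:00 UTC
    # Holder of the seed can print the code valid one year from now.
    print("code a year ahead:", totp(leaked_seed, now + 365 * 86400))
    fresh = seed_from_base32(reenrol())
    # Codes from the leaked seed no longer verify once the account is re-enrolled.
    print("old code still valid after re-enrol:", verify(fresh, totp(leaked_seed, now), now))
```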

Why it ranks this high: downstream impact runs into millions of accounts, and the delayed disclosure erodes the security posture of anyone who relied on those secrets.

Source: https://www.goto.com/blog/our-response-to-a-recent-security-incident

4. NIS2 — enters into force on 16 January

Directive (EU) 2022/2555 enters into force on 16 January 2023. The deadline for transposition into national law runs to 17 October 2024 — until then the work is preparation. Changes from NIS1: broader sectoral scope (public administration, waste management, food, certain digital and telecoms providers), significant administrative fines (up to 2% of global turnover), tiered incident reporting (initial alert within 24h, report within 72h, final within 1 month), and explicit management liability.

In Spain, transposition will have to mesh with RD 311/2022 (ENS) and presumably a new law in 2024. Until then, CISOs of essential or important entities can start the inventory work: who falls under the scope, what incident-reporting processes need to be in place, what management training is required.

The quietest item of the month, and the one that will most change how big organisations operate 18 months out.

Source: https://nis2directive.eu/ · https://eur-lex.europa.eu/eli/dir/2022/2555/oj

5. DAN 3.0 and OpenAI’s first crackdown on jailbreaks

On 9 January, DAN 3.0 lands in /r/ChatGPT. The technique goes back to 15 December (u/Seabout, DAN 1.0): a prompt that asks the model to play another AI with no rules. Each version patched a new trigger in ChatGPT’s internal classifier. The 3.0 release coincides with OpenAI’s first visible crackdown — the underlying model or the internally served system prompt change, and earlier variants start giving “cold” replies or breaking character.

Operationally: the role-play attack works against ChatGPT because the chat completion API treats system and user as messages in the same sequence, with no privileged hierarchy. Trigger-word defence is beatable as long as the attacker can rename. Anyone integrating an LLM in production this month should design assuming the system prompt is a suggestion, not a barrier. Our pattern analysis is here.

Worth following: Simon Willison (who coined prompt injection in September) and the 0xk1h0/ChatGPT_DAN repository are serving as the archive.

Source: https://github.com/0xk1h0/ChatGPT_DAN

6. CVE-2022-44877 — CWP RCE, the opportunist of the month

On 3 January, Numan Türle publishes a PoC for CVE-2022-44877 in Control Web Panel (formerly CentOS Web Panel). The bug: the login parameter of the /login/index.php endpoint is concatenated inside a syslogd call wrapped in double quotes, with no sanitisation of shell metacharacters. CVSS 9.8, pre-auth RCE, executed as root. Fortinet had patched in October 2022 (version 0.9.8.1147), but since hardly anyone updates admin panels, the vulnerable installed base ran into the tens of thousands according to Shadowserver.
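The pattern behind this bug, as an added illustration that is not CWP's code: a request value spliced into a shell string (double quotes do not neutralise `$`, backticks, `"` or `\` for `/bin/sh`) beside the hardened form, which validates the username and passes it to the logger as a single argv element with no shell in the path.

```python
import re
import subprocess

# Constructed policy, not CWP's: the only username shape the panel will log verbatim.
LOGIN_RE = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")


def login_is_wellformed(login: str) -> bool:
    return LOGIN_RE.fullmatch(login) is not None


def unsafe_command(login: str) -> str:
    """Anti-pattern approximating the bug described above: user input inside a
    double-quoted shell string. Never executed here; shown only for contrast."""
    return f'echo "Failed Login from: {login}" | logger -p auth.warning'


def safe_logger_argv(login: str) -> list:
    """Argv form: the login is one opaque argument, whatever it contains,
    because no shell ever parses it."""
    return ["logger", "-p", "auth.warning", f"Failed Login from: {login}"]


def log_failed_login(login: str) -> bool:
    """Validate first, then log without shell=True. Returns False only if
    the logger binary is missing on this host."""
    if not login_is_wellformed(login):
        login = "<rejected>"  # do not echo untrusted bytes into syslog
    try:
        subprocess.run(safe_logger_argv(login), shell=False, check=False, timeout=5)
        return True
    except FileNotFoundError:
        return False


if __name__ == "__main__":
    print(unsafe_command("admin"))          # the shape that was exploitable
    print(safe_logger_argv('a"$(b)'))       # metacharacters stay inside one argument
    print(log_failed_login("admin"))
```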

Shadowserver reports scanning-driven exploitation on 6 January. GreyNoise confirms multiple campaigns on 19 January. CISA adds it to KEV on 17 January. Classic opportunism pattern: public bug, trivial PoC, installed base with poor hygiene.

Why it closes the bulletin rather than opens it: high local impact if you run it, but the requirement for public exposure of the panel keeps the scope limited. No known state actor has been seen chaining it into anything else.

Source: https://www.exploit-db.com/exploits/51194

Cross-cutting pattern of the month

Three delayed disclosures (LastPass / GoTo, T-Mobile, PayPal) confirm something we already knew: the asymmetry between when an incident happens and when the user gets told remains the most persistent operational problem. Meanwhile, the network appliance edge — FortiOS this month — is being worked by actors with serious dwell time.

If you can pick a single task for this week after reading this, it’s reviewing exposure and patching of edge devices: SSL VPN, load balancers, firewalls, admin panels.
