Bulletin — March 2023

March closes Q1 with two long stories and a calendar event. The first long one: CVE-2023-23397 in Outlook, patched on 14 March, had been exploited as a zero-day by APT28 since April 2022 — a full year. The second long one: on 29 March Volexity discovers the 3CX supply-chain compromise, later attributed by Mandiant to a cluster with North Korean nexus (Lazarus / UNC4736). The calendar event: OpenAI releases GPT-4 on 14 March and the first wave of jailbreaks lands within hours.

Three fronts that barely touch each other but sketch the pattern of the year: APTs with dwell time, supply-chain as preferred vector, AI security as a new category with its own tempo.

CVE-2023-23397 — Outlook NTLM zero-click

14 March. Microsoft closes an elevation of privilege in Outlook that lets an attacker exfiltrate the user’s NTLM hash by sending an email. The bug lives in the MAPI property PidLidReminderFileParameter: if it points to a remote UNC path (\\<attacker>\share\anything.wav), Outlook opens the SMB connection on receipt of the message and hands over the hash in the handshake. No need to open the email, not even to preview it.

CVSS 9.8. Mandiant confirms in-the-wild exploitation since April 2022, against government agencies and critical-infrastructure entities in European countries aligned with Ukraine. Microsoft publishes a PowerShell audit script alongside the patch to detect suspicious emails in existing mailboxes.

We’ve published the technical analysis of the bug and the PoC.

Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397 · https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/

3CX — the supply chain of the VoIP client

29 March. Volexity publishes that the 3CXDesktopApp desktop client, used by about 600,000 organisations according to the vendor itself, is distributing malware from a version signed with the legitimate 3CX certificate. The chain: legitimate MSI installer → loads a modified ffmpeg.dll → DLL sideloading on the benign 3CXDesktopApp.exe binary → loader (Mandiant names it TAXHAUL/TxRLoader) → second-stage downloader COLDCAT.

Mandiant attributes with high confidence the UNC4736 cluster to an actor with North Korean nexus — the Labyrinth Chollima subgroup within Lazarus. Technical reason for the attribution: the downloader malware shares infrastructure with earlier Lazarus campaigns (AppleJeus against cryptocurrency exchanges, 2021–2022). The strategy: compromise the corporate VoIP client through a signed updater carrying a legitimate certificate, then use the access against clients of interest (especially cryptocurrency targets).

Operational lesson: traditional defences based on signed binaries don’t catch this, because the malicious binary is signed by the real company. Effective detection runs on behaviour: outbound traffic to suspicious infrastructure, unusual child processes from 3CXDesktopApp.exe. The IoCs published by Volexity and Mandiant cover both categories.

Source: https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/ · https://cloud.google.com/blog/topics/threat-intelligence/3cx-software-supply-chain-compromise

GPT-4 — launch and first jailbreak within hours

14 March. OpenAI publishes the GPT-4 technical report. The same day, GPT-4 ships in ChatGPT Plus and starts serving via the API in preview. The figure the report highlights: GPT-4 scores near-human on bar exam, AP exams and maths olympiads. The figure the community highlights: the model blocks “traditional” jailbreaks better — Adversa AI estimates only about 10% of the DAN/STAN prompts that worked against GPT-3.5 still work on GPT-4.

The lockdown is relative, though. On 15 March several researchers and hobbyists publish variants that bypass GPT-4: the “RabbitHole attack” (Adversa), prompt splitting (breaking the harmful prompt into pieces each of which passes the classifier while the concatenated whole doesn’t), and system-prompt extraction via simulated conversation. Same pattern we saw with Sydney in February: what’s closed explicitly gets routed around through rewording.

The architectural change GPT-4 does bring is a reinforced system message: the model gives more weight to the system role than GPT-3.5 did. Improves coverage against persona social engineering (“I’m a developer doing QA…”), doesn’t close it.

Source: https://openai.com/research/gpt-4 · https://adversa.ai/blog/gpt-4-hacking-and-jailbreaking-via-rabbithole-attack-plus-prompt-injection-content-moderation-bypass-weaponizing-ai/

Rest of the month

• Western Digital breach (26 Mar) — attackers reach corporate networks, exfiltrate data, force WD to take My Cloud services offline for several days. No public attribution.
• GoAnywhere MFT continues: Cl0p adds dozens more victims to its extortion portal throughout the month.
• CrowdStrike Falcon EDR uninstall bypass — a researcher publishes a technique that uninstalls Falcon without the admin password if SYSTEM privileges are available (a familiar case on endpoints already compromised with prior persistence).
• Apple iOS 16.3.1 — emergency patch for CVE-2023-23529 (WebKit RCE) exploited in the wild.

Cross-cutting pattern

Three different adversaries operating with the same shared resource: time. APT28 has been inside the Outlook bug for a year. Lazarus has been preparing the 3CX chain for months. The jailbreak community adapts variants within hours of each model release. What each one does with their time is very different, but the defender’s lack of time — to patch, to inventory dependencies, to audit prompts — is the same across all three fronts.