Bulletin — July 2023
GCG suffix from Zou et al. automates jailbreaking. Storm-0558 stole a Microsoft signing key and read US government email. EU AI Act published in OJEU. Citrix NetScaler CVE-2023-3519 exploited in the wild.
· Manuel López Pérez · news

July closes H1 with four long stories that don’t touch each other: the GCG paper shows jailbreaks can be generated by gradient descent, Microsoft admits a stolen cloud email signing key has been giving access to US government mailboxes for a year, the EU AI Act gets formally published in OJEU, and Citrix opens the year’s second big chapter of appliance compromise.
GCG suffix — Zou et al. publish the paper
27 July. Andy Zou, Zifan Wang, Nicholas Carlini and co-authors publish Universal and Transferable Adversarial Attacks on Aligned Language Models (arXiv:2307.15043). They demonstrate that the GCG (Greedy Coordinate Gradient) algorithm can automatically generate adversarial suffixes that bypass safety alignment and transfer across Llama-2-Chat, Vicuna, ChatGPT, GPT-4, Bard and Claude.
It’s the first paper to show that prompt injection / jailbreak is an optimisation problem, not just a creative one, and therefore something that can be solved automatically.
We’ve analysed it in detail with our own PoC. Short read: the attack was universal against the main commercial models in July 2023. Vendors have trained against the published suffixes (patch by example), but the technique still holds — just generate new suffixes.
Storm-0558 — stolen signing key and US government email
11 July. Microsoft publishes a blog explaining that an actor tracked as Storm-0558 (suspected China-nexus) accessed Outlook.com and Exchange Online mailboxes of about 25 organisations, including the US State Department and other US Cabinet officials. The vector: a stolen Microsoft Account (MSA) consumer signing service private key, used to mint valid tokens for OWA / Outlook.com / Azure AD Apps.
Microsoft initially explains that the key belonged to a consumer system, but it also worked against the enterprise system because broken key-issuer validation didn’t distinguish the two. CISA issues an urgent advisory. The Cyber Safety Review Board (CSRB) opens an investigation.
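A toy model of that issuer-scoping flaw, added here as an illustration and not Microsoft's code: one validator looks the key id up in a merged key set, the other only accepts keys published by the issuer it trusts. Issuer names, key ids and keys are constructed, and HMAC-SHA256 stands in for the asymmetric signatures real tokens use.

```python
import base64, hashlib, hmac, json

# Constructed key sets (assumption): each issuer publishes its own keys, kid -> key.
KEYS_BY_ISSUER = {
    "consumer-idp.example": {"c1": b"consumer-signing-key"},
    "enterprise-idp.example": {"e1": b"enterprise-signing-key"},
}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(kid, key, claims):
    """Build a JWT-shaped header.payload.signature token (HMAC as stand-in)."""
    head = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def _check(token, pick_key):
    """Parse the token, let pick_key choose the verification key, verify."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_unb64(head)), json.loads(_unb64(body))
        key = pick_key(header, claims)
        if key is None:
            return False
        good = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        return hmac.compare_digest(_unb64(sig), good)
    except (ValueError, AttributeError):  # malformed token
        return False

def validate_merged(token):
    """Flawed: any issuer's key is accepted for any issuer's token."""
    merged = {kid: k for keys in KEYS_BY_ISSUER.values() for kid, k in keys.items()}
    return _check(token, lambda h, c: merged.get(h.get("kid")))

def validate_scoped(token, expected_issuer):
    """Hardened: iss must match, and the key must belong to that issuer."""
    def pick(h, c):
        if c.get("iss") != expected_issuer:
            return None
        return KEYS_BY_ISSUER.get(expected_issuer, {}).get(h.get("kid"))
    return _check(token, pick)
```

A token signed with the consumer key but claiming the enterprise issuer passes `validate_merged` and fails `validate_scoped`, which is the distinction the broken validation did not make.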
The technical implications uncovered in the following weeks:
- The stolen key was active from April 2021 to June 2023 — over two years of validity.
- Microsoft didn’t detect the key theft (it admits the key copy ended up in a crash dump the attacker exfiltrated from a compromised engineer’s endpoint).
- Microsoft doesn’t log certain Outlook.com / Exchange Online accesses on E3 tiers — detailed logs are only available on E5. Victim-side detection was impossible without an upper-tier licence.
Microsoft changes its policy and starts publishing detailed audit logs across all tiers in September. It’s one of the most relevant operational changes of the year at the cloud level.
Source: https://www.microsoft.com/en-us/security/blog/2023/07/11/analysis-of-storm-0558-techniques-for-unauthorized-email-access/ · https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a
CVE-2023-3519 — Citrix NetScaler ADC RCE
18 July. Citrix publishes an advisory for CVE-2023-3519 — pre-auth RCE in NetScaler ADC/Gateway. CVSS 9.8. Citrix tags it as zero-day, with no public attribution. Mandiant publishes the next day that it has investigated intrusions at several critical-infrastructure entities since June using this vector.
Shadowserver measures around 50,000 NetScaler instances running the vulnerable version exposed to the internet at advisory date. The number drops as organisations patch through August.
The pattern is clear: NetScaler / Citrix is one of the most coveted perimeter appliances among offensive actors, and the second one this year (after Barracuda ESG) requiring serious manual intervention — Citrix recommends removing the web shells any prior compromise may have dropped, not just patching.
Source: https://support.citrix.com/article/CTX561482 · https://cloud.google.com/blog/topics/threat-intelligence/citrix-zero-day-espionage
EU AI Act — published in OJEU (actually…)

July 2023 marks the calendar point for European AI regulation: the AI Act’s political text was approved by Parliament in May and the Council in June, but it’s not actually published in OJEU in July 2023 — that happens in July 2024. What exists in July 2023 is the consolidated version for trilogues between Council, Parliament and Commission, which begin in earnest during the month.
Any press headline announcing “EU AI Act published in July” is talking about that political version, not the binding text. General application will be 24 months after OJEU publication — 2026 at the earliest for most obligations.
For defenders in 2023, the implication is strategic, not operational: map whether the organisation will be a high-risk deployer or GPAI provider, and start inventorying internal AI uses. The compliance checkbox comes later.
Rest of the month
- MOVEit continues: Cl0p posts new victims every day. End of July: 700+ organisations acknowledged.
- VMware Tools authentication bypass — CVE-2023-20867 (published in June, lingering on unpatched systems all through July).
- Ivanti EPMM (MobileIron Core) — CVE-2023-35078, pre-auth RCE, Norwegian government confirmed as a victim.
- Apple iOS 16.5.1 — emergency patch for CVE-2023-32434/32435/32439 (known use by Operation Triangulation).
Cross-cutting pattern
H1 closes with two dominant vectors: poorly protected keys or credentials giving prolonged access (Storm-0558, undetectable MOVEit web shells, BoldMove on FortiGate) and perimeter appliances with textbook bugs and no telemetry (Barracuda ESG, Citrix NetScaler, Ivanti EPMM, FortiOS).
Defence that pays off in 2023 isn’t “more tools”. It’s reducing public exposure, rotating keys and getting the telemetry the vendor doesn’t give you by default (Microsoft’s detailed logs post-Storm-0558 are the clear example of the cost of not having telemetry until after the fact). If your H2 improvement plan doesn’t include at least two of those three, it’s mis-prioritised.


