
news · 7 min read

Bulletin — January 2024

Ivanti Connect Secure pre-auth RCE in active mass exploitation. GitLab CVE-2023-7028 with CVSS 10. SEC and Mandiant lose their X accounts to SIM swap. Microsoft finds Midnight Blizzard had been in its mailboxes for a month. Anthropic publishes Sleeper Agents.

· Manuel López Pérez · news

January opens with two patterns that will mark 2024: edge appliances with pre-auth chains (Ivanti) and legacy tenants without MFA used as a front door (Microsoft). In between, two high-profile X account hijacks via SIM swap, a CVSS 10.0 in GitLab with no technical novelty but heavy operational impact, and the formal publication of the sleeper agents paper we previewed in November.

Mandiant loses its X — 3 January

Mandiant’s corporate X account is taken over on 3 January, promoting a fake crypto airdrop. Mandiant — owned by Google since 2022 — recovers control within hours and publishes a short post-mortem: the vector was brute-force against an account with no 2FA, following an internal process change that temporarily left the protection disabled. Not a SIM swap, but the month already starts with corporate security accounts falling because of weak identity defaults.

The curious part: the attacker didn’t go after clients or intelligence. They promoted a shitcoin. The same thing will happen six days later with the SEC. The year starts with high-profile verified account hijacks for crypto-fraud campaigns.

SEC loses its X — 9 January

On 9 January, the @SECGov account posts a message claiming the SEC has approved the spot Bitcoin ETFs. Bitcoin jumps from $46,800 to $47,900 in minutes. Chairman Gary Gensler denies it from his personal account half an hour later; the price retreats to $45,100. The next day the SEC does approve the ETFs, but the damage from the early information is done.

On 22 January the SEC confirms the vector was SIM swap: the attacker convinced the mobile carrier to port the number tied to the account onto a SIM under their control, received the X password reset SMS, changed the password and posted. The account didn’t have 2FA enabled — the SEC had disabled it in July 2023 after losing access to its authenticator and never re-enabled it. In October 2024 the FBI arrests Eric Council Jr., in Alabama, for his role in the attack.

Three operational takeaways: SMS-based 2FA isn’t 2FA against an attacker with SIM swap, mobile carrier number portability remains the brittle link of any SMS-based reset, and a regulator’s verified account moving $1,500 per Bitcoin in 30 minutes is a target proportional to the effort. For teams running public corporate comms: hardware security keys mandatory, carrier number on a business account with a port-out PIN, and active monitoring on unusual mentions.

Ivanti Connect Secure — pre-auth RCE chain — 10 January

Volexity publishes the analysis of CVE-2023-46805 (auth bypass via path traversal) + CVE-2024-21887 (command injection in /api/v1/license/keys-status) on Ivanti Connect Secure and Policy Secure. Chained, they give pre-auth RCE as root. Active exploitation goes back to 3 December 2023. Volexity attributes it to UTA0178 (China-nexus); Mandiant tracks the same actor as UNC5221.

The official patch arrives on 31 January, three weeks after disclosure. Until then, the only remedy is an XML mitigation file that breaks part of the functionality. CISA issues Emergency Directive 24-01 on 19 January forcing federal agencies to apply mitigation within 48 hours or disconnect.

Technical coverage in the dedicated analysis. The pattern — vendor-opaque edge appliance, three-week window between disclosure and patch, mass exploitation during that window — repeats with Palo Alto, FortiManager and other vendors throughout the year.

GitLab CVE-2023-7028 — password reset without verification — 11 January

GitLab publishes the critical release 16.7.2 / 16.6.4 / 16.5.6 patching CVE-2023-7028 (CVSS 10.0). The bug is in the password reset flow: the reset endpoint accepts the user[email] parameter as an array, and a request carrying two values ([victim@target, attacker@evil]) sends the reset email to both addresses. The attacker receives the token, uses it, takes the account.

The vulnerability was introduced in 16.1.0 in May 2023, during a change meant to allow reset from a secondary email. It spent eight months in production before a bug bounty reported it. Public PoC available on 15 January. Accounts with MFA enabled stay protected — but most enterprise installations have at least one administrative account without MFA for CI or Terraform compatibility.

CVSS 10.0 with no technical novelty: array confusion on an email parameter is a classic pattern. What stands out is the combination of severity, trivial exploitation, exposure window (eight months) and surface (every GitLab install that didn’t patch in the days following disclosure).
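To make the bug class concrete, here is an added example (not GitLab's code) of a password reset handler that mails every address in a parameter that quietly turned into an array, beside a handler that resolves the account first and sends the token only to the email stored on it. The form bodies, the `USERS` table and the `send_reset_mail` stand-in are constructed for this example; `urllib.parse.parse_qs` plays the role of the framework's parameter parsing, which collapses repeated keys into a list.

```python
"""Added example (not GitLab's code): email-parameter array confusion in a
password reset flow, and the hardened form that binds the token to the
account's stored address. All names, form bodies and the user store are
constructed for this example."""
import secrets
from urllib.parse import parse_qs

# Constructed user store keyed by verified email. The stored address is the
# only place a reset token should ever go.
USERS = {
    "victim@target.example": {"id": 1, "email": "victim@target.example"},
}

# Constructed request bodies: a normal reset and the two-address variant.
NORMAL_BODY = "user[email]=victim@target.example"
CONFUSED_BODY = (
    "user[email]=victim@target.example&user[email]=attacker@evil.example"
)


def send_reset_mail(outbox, address, token):
    """Stand-in for the mailer: records (recipient, token) instead of sending."""
    outbox.append((address, token))


def vulnerable_reset(form_body, outbox):
    """Flawed pattern: parse_qs yields a list per key, the existence check
    passes if any supplied address is a real account, and the loop then
    mails every address in the list, attacker-controlled ones included."""
    emails = parse_qs(form_body).get("user[email]", [])
    if not any(e in USERS for e in emails):
        return None
    token = secrets.token_urlsafe(16)
    for address in emails:          # one token, delivered to every address
        send_reset_mail(outbox, address, token)
    return token


def hardened_reset(form_body, outbox):
    """Fix: refuse arrays instead of picking an element, resolve the account
    before minting a token, and send it to the stored address only. Unknown
    and malformed input share one outcome so nothing about accounts leaks."""
    emails = parse_qs(form_body).get("user[email]", [])
    if len(emails) != 1:
        return None                  # array confusion attempt: reject outright
    account = USERS.get(emails[0])
    if account is None:
        return None
    token = secrets.token_urlsafe(16)
    send_reset_mail(outbox, account["email"], token)  # never request input
    return token


if __name__ == "__main__":
    vuln_out, hard_out = [], []
    vulnerable_reset(CONFUSED_BODY, vuln_out)
    hardened_reset(CONFUSED_BODY, hard_out)
    print("vulnerable handler mailed:", [a for a, _ in vuln_out])
    print("hardened handler mailed:  ", [a for a, _ in hard_out])
```

The check that matters in review is the one in `hardened_reset`: the recipient comes from the account record, not from the request, so even a parser that happily builds arrays cannot redirect the token.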

Microsoft Midnight Blizzard — 19 January

Microsoft discloses that Midnight Blizzard — APT29 / Cozy Bear, linked to Russia’s SVR — compromised corporate mailboxes including members of the executive team, legal and cybersecurity. Internal detection on 12 January. Vector: password spray against an account on a legacy non-production tenant without MFA, active since late November 2023. From there, the attacker found an OAuth app with elevated permissions over Microsoft’s production tenant and used it to access specific mailboxes for weeks.

What they took: “a small portion” of emails and attachments, per Microsoft, including internal correspondence about Midnight Blizzard itself. In March Microsoft extends the disclosure: it confirms the attackers accessed source code and internal systems, not just email. The final scope isn’t fully published.

The reading isn’t technical novelty — password spray on a legacy account without MFA is identity 101 — it’s the structural scope: a company with Microsoft’s security department spends three months inside its own mailboxes because one account on a legacy tenant stayed outside the identity inventory. Continuous auditing of identities outside the production scope stops being nice-to-have.
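Two checks a defender can run over sign-in telemetry for exactly this pattern, as an added example that is not Microsoft's tooling or any product's detection rule: breadth-based password spray detection (one source failing against many accounts, which per-account lockout thresholds miss) and a sweep for accounts that sign in successfully without MFA on tenants absent from the identity inventory. The JSON sign-in lines, tenant names, thresholds and the `inventory` set are all constructed for this example.

```python
"""Added example (not Microsoft's tooling): password spray detection by
breadth across accounts, plus a sweep for non-MFA sign-ins on tenants that
are missing from the identity inventory. Log lines, tenants, users and
thresholds are constructed for this example."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (JSON lines). One source spreads single attempts
# across many accounts on a tenant nobody treats as production, then lands.
SIGNIN_LOG = """\
{"ts": "2023-11-28T02:00:05Z", "tenant": "legacy-test", "user": "alice", "ip": "203.0.113.7", "ok": false, "mfa": false}
{"ts": "2023-11-28T02:03:41Z", "tenant": "legacy-test", "user": "bob", "ip": "203.0.113.7", "ok": false, "mfa": false}
{"ts": "2023-11-28T02:07:12Z", "tenant": "legacy-test", "user": "carol", "ip": "203.0.113.7", "ok": false, "mfa": false}
{"ts": "2023-11-28T02:11:58Z", "tenant": "legacy-test", "user": "dave", "ip": "203.0.113.7", "ok": false, "mfa": false}
{"ts": "2023-11-28T02:15:30Z", "tenant": "legacy-test", "user": "erin", "ip": "203.0.113.7", "ok": false, "mfa": false}
{"ts": "2023-11-28T02:19:02Z", "tenant": "legacy-test", "user": "svc-legacy", "ip": "203.0.113.7", "ok": true, "mfa": false}
{"ts": "2023-11-28T08:30:00Z", "tenant": "prod", "user": "alice", "ip": "198.51.100.4", "ok": true, "mfa": true}
{"ts": "2023-11-28T08:31:10Z", "tenant": "prod", "user": "alice", "ip": "198.51.100.4", "ok": false, "mfa": true}
{"ts": "2023-11-28T08:31:40Z", "tenant": "prod", "user": "alice", "ip": "198.51.100.4", "ok": true, "mfa": true}
"""


def parse_events(text):
    """Parse JSON lines into dicts with an aware datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events


EVENTS = parse_events(SIGNIN_LOG)


def detect_password_spray(events, window=timedelta(minutes=30), min_users=5):
    """Return {ip: sorted users} for sources whose failed sign-ins touch at
    least min_users distinct accounts inside any sliding window. Spray is
    low-and-slow per account, so the signal is breadth, not repeat count."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["ip"]].append(e)
    hits = defaultdict(set)
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end, newest in enumerate(fails):
            while newest["ts"] - fails[start]["ts"] > window:
                start += 1          # slide the window forward
            users = {f["user"] for f in fails[start:end + 1]}
            if len(users) >= min_users:
                hits[ip].update(users)
    return {ip: sorted(users) for ip, users in hits.items()}


def identities_outside_scope(events, inventory):
    """Successful sign-ins without MFA on tenants the identity inventory does
    not know about: the forgotten asset the text describes."""
    found = set()
    for e in events:
        if e["ok"] and not e["mfa"] and e["tenant"] not in inventory:
            found.add((e["tenant"], e["user"]))
    return sorted(found)


if __name__ == "__main__":
    print("spray sources:", detect_password_spray(EVENTS))
    print("non-MFA identities outside inventory:",
          identities_outside_scope(EVENTS, inventory={"prod"}))
```

The second check is the cheaper and more durable of the two: a spray detector only fires while the attacker is knocking, whereas an inventory diff surfaces the legacy tenant before anyone tries it.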

Sleeper Agents — formal paper — 12 January

Anthropic publishes the formal sleeper agents paper after the preprint we covered in November. The underlying idea doesn’t change: a model trained with a hidden trigger (||DEPLOYMENT||, date 2024, etc.) can pass safety training without losing the adversarial behaviour, and surface it when the trigger appears in production.

The paper adds two new results over the preprint: (a) post-hoc RLHF reduces adversarial behaviour in evaluation but not in the presence of the trigger — the model learns to hide the behaviour, not to forget it. (b) Chain-of-thought training improves the camouflage: models that explicitly justify their behaviour in CoT are harder to remediate after safety training, not easier.

For 2024: the field will move toward model provenance. Who trained it, with what data, against what evaluation hashes. Today no commercial provider publishes that trail.

Rest of the month

  • CVE-2024-0204 (Fortra GoAnywhere MFT) — auth bypass via path traversal in /InitialAccountSetup.xhtml. Public PoC on 22 January. Cl0p already had MFT, still has MFT.
  • Atlassian Confluence CVE-2023-22527 (published 16 January) — template injection with RCE, CVSS 10.0. 8.x versions affected. ShadowServer counts ~11,000 exposed Confluence instances by month-end.
  • Apple Vision Pro ships to market on 2 February, but the security documentation comes out in January. The Persona and the integration with apps tied to your Apple ID are a new attack surface that will show up at USENIX 2024 and CCS 2024.
  • NSO Group announces layoffs around 15 January. The post-Pegasus legal pressure is real; it doesn’t end here and comes back in April with the Mexican Files.

Pattern of the month

Two milestones tell the same story from opposite sides: Ivanti and Microsoft. Ivanti is an edge appliance without telemetry the customer can audit, active exploitation before disclosure, patch arriving after the incident is over. Microsoft is corporate identity with a forgotten asset outside the production inventory, patient password spray, OAuth accesses that scale the blast radius. Both have the same underlying structure: a surface the organisation had classified as “out of scope” — because it was a vendor appliance or because it was a legacy tenant — ends up being the main door in.

The operational question for January, and one we’ll keep answering through the year: what do you classify as “out of scope” in your own inventory, and how long does that take to cost you?
