
news · 10 min read

Bulletin — February 2024

ConnectWise ScreenConnect CVSS 10.0 from adding a trailing slash to a URL. Volt Typhoon has been inside US critical infra for five years. Operation Cronos takes down LockBit. AnyDesk loses its signing certs. BlackCat downs Change Healthcare. And ArtPrompt shows that safety classifiers don't read ASCII art.

· Manuel López Pérez · news


February is a month of trivial bypasses. A URL with a trailing slash collapses the entire ConnectWise estate. Volt Typhoon has been inside US critical infrastructure for five years and CISA, NSA and FBI write it down in a joint advisory. UK police take LockBit’s site. AnyDesk loses its code signing certificates. UnitedHealth, through Change Healthcare, ends the month with US pharmacy operations on the floor. And in the background, a paper shows safety classifiers don’t read ASCII art.

ConnectWise ScreenConnect CVE-2024-1709 — auth bypass via trailing slash

19 February. ConnectWise publishes an urgent advisory about two bugs in ScreenConnect (version 23.9.7 and earlier): CVE-2024-1709 (CVSS 10.0, auth bypass) and CVE-2024-1708 (CVSS 8.4, path traversal). Chained, the first gets in and the second gives RCE.

The auth bypass technique is what catches the eye. ScreenConnect’s SetupWizard should only be reachable on unconfigured instances. The check is done with string.Equals on the path: only /SetupWizard.aspx grants access. It turns out any path like /SetupWizard.aspx/literallyanything also passes: ASP.NET routing sends it to the same handler because the extra segment is interpreted as path-info, but the Equals no longer matches and the “already configured” guard is bypassed. The attacker visits /SetupWizard.aspx/abc, creates a new administrator user, overwrites the local database, gets in. CVE-2024-1708 (path traversal) then only needs to write any file to the server filesystem — an .aspx webshell in the web folder, RCE.

CISA adds CVE-2024-1709 to KEV on 22 February, with due date 29 February. Huntress reproduces the exploit in hours and publishes the technical write-up. The ScreenConnect estate has heavy traction among MSPs, which multiplies the blast radius: each compromised instance lets you reach dozens of end customers. The first ransomware reports (Play, LockBit before Cronos, Black Basta) on compromised ScreenConnect instances appear the same week.

The bug is textbook: string comparison over HTTP paths in a framework with routing magic. The correct defence is to validate the internal state (“is this instance already configured?”) on every request to the setup, not the URL.
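The guard described above, modelled in Python as an added example (this is not ScreenConnect's code, which is ASP.NET). The function names and the simplified routing rule are assumptions made for illustration.

```python
SETUP_PAGE = "/setupwizard.aspx"

def route(path):
    """Simplified model of the routing described above: the handler is the
    path up to and including '.aspx'; anything after it is path-info."""
    lowered = path.lower()
    cut = lowered.find(".aspx")
    if cut == -1:
        return lowered, ""
    cut += len(".aspx")
    return lowered[:cut], path[cut:]

def setup_wizard(configured, check_state):
    """The setup handler. The hardened form refuses once the instance is configured."""
    if check_state and configured:
        return 403
    return 200  # wizard served: the caller can create an administrator

def handle_request(path, configured, hardened):
    """Return the HTTP status the modelled server gives for `path`."""
    if not hardened:
        # Before: a filter in front of routing compares the raw URL to one literal.
        if configured and path.lower() == SETUP_PAGE:
            return 403
    handler, _path_info = route(path)
    if handler == SETUP_PAGE:
        # After: the decision comes from instance state, inside the handler,
        # so it holds for every URL shape that routing maps here.
        return setup_wizard(configured, check_state=hardened)
    return 404

CASES = ["/SetupWizard.aspx", "/SetupWizard.aspx/abc"]

def compare(configured=True):
    """path -> (status before, status after) for the given instance state."""
    return {p: (handle_request(p, configured, False),
                handle_request(p, configured, True)) for p in CASES}

if __name__ == "__main__":
    for path, (before, after) in compare().items():
        print(f"{path:28} before={before} after={after}")
```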

Source: https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8

Volt Typhoon — five years inside

7 February. CISA, NSA and FBI publish advisory AA24-038A: PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. It attributes to Volt Typhoon intrusions against US critical infrastructure in communications, energy, transportation and water. The line every headline pulls out: federal agencies have observed actors maintaining footholds in some victims for at least five years.

What’s different about this advisory: the agencies explicitly say Volt Typhoon’s behaviour doesn’t fit traditional espionage. They talk about pre-positioning: getting into IT networks with the goal of pivoting to OT and disrupting operational functions in case of a crisis or conflict with the US. That category (actors with multi-year persistence on civilian critical infrastructure, no mass data exfiltration, TTPs oriented to learning the environment) starts being treated as a separate risk from espionage and cybercrime.

Documented TTPs: almost pure living-off-the-land. No fancy persistent malware; legitimate system binaries (netsh, wmic, PowerShell, ntdsutil, cmd scripts), with valid credentials obtained through patience. Compromised SOHO routers as proxy. Microsoft’s May 2023 report on Volt Typhoon already described the mechanics, but the February advisory pins down dates and sectors.

For defence the conclusion is uncomfortable: Volt Typhoon-style activity isn’t detected with signatures. It is detected by building a behavioural baseline and looking for anomalies in the use of legitimate binaries. That’s expensive, and most affected public organisations don’t have it.
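A small sketch of that baseline approach, added here as an example and not taken from the advisory: it learns which account and parent process normally launch each watched binary on each host, then flags departures. The event records, host names and account names are constructed.

```python
from collections import defaultdict

# Binaries listed in the paragraph above, matched on lower-cased image name.
WATCHED = {"netsh.exe", "wmic.exe", "powershell.exe", "ntdsutil.exe", "cmd.exe"}

def ev(host, user, parent, image):
    """Constructed process-creation record (fields as in Windows event 4688 or Sysmon event 1)."""
    return {"host": host, "user": user, "parent": parent.lower(), "image": image.lower()}

def build_baseline(events):
    """host -> set of (user, parent, image) seen during the learning window."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e["host"]].add((e["user"], e["parent"], e["image"]))
    return baseline

def find_anomalies(baseline, events):
    """Flag watched binaries run in a context the host has never shown."""
    alerts = []
    for e in events:
        if e["image"] not in WATCHED:
            continue
        seen = baseline.get(e["host"], set())
        if (e["user"], e["parent"], e["image"]) in seen:
            continue
        user_ran_it = any(u == e["user"] and i == e["image"] for u, _, i in seen)
        reason = "new parent process" if user_ran_it else "first use by this account"
        alerts.append((e["host"], e["user"], e["image"], reason))
    return alerts

# Constructed learning window and constructed events to score.
HISTORY = [
    ev("dc01", "adm.rivera", "mmc.exe", "ntdsutil.exe"),
    ev("ws17", "j.chen", "explorer.exe", "powershell.exe"),
    ev("ws17", "j.chen", "explorer.exe", "notepad.exe"),
]
TODAY = [
    ev("dc01", "adm.rivera", "mmc.exe", "ntdsutil.exe"),     # matches the baseline
    ev("dc01", "svc.backup", "cmd.exe", "ntdsutil.exe"),     # account never ran it here
    ev("ws17", "j.chen", "winword.exe", "powershell.exe"),   # known user, new parent
    ev("ws17", "j.chen", "explorer.exe", "calc.exe"),        # not a watched binary
]

if __name__ == "__main__":
    for alert in find_anomalies(build_baseline(HISTORY), TODAY):
        print(alert)
```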

Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a

Operation Cronos — LockBit’s site changes hands


19–20 February. The UK National Crime Agency, coordinated with FBI, Europol and authorities from another 8 countries, executes Operation Cronos. LockBit’s infrastructure falls under police control: 34 servers in three countries seized, 28 affiliate servers offlined, 200+ crypto wallets frozen, two arrests (Poland and Ukraine). LockBit’s extortion site shows the NCA banner from 20 February.

What’s different about this operation versus other takedowns: the NCA uses the seized infrastructure itself to publish victim notices, press releases, and even a “humorous” countdown about the content they were going to unveil. PsyOps against the group and its affiliates, with intended reputational effect. The NCA releases 1,000+ decryption keys for victims who can start recovering data.

LockBitSupp (alias of the main operator) tries to rebuild the operation days later with a new onion site. The technical capability is there, but affiliate trust is broken — several move to other operators in the following weeks. The “untouchable infrastructure” narrative of the RaaS programme is damaged.

Historical note: Operation Cronos is the natural continuation of the partial BlackCat/ALPHV takedown from December 2023 (see December bulletin). The pattern repeats in 2024: the Change Healthcare attack lands at the end of February, claimed by BlackCat just as that group is in the middle of rebuilding.

Source: https://www.nationalcrimeagency.gov.uk/news/nca-leads-international-investigation-targeting-worlds-most-harmful-ransomware-group

AnyDesk — signing certificates revoked


2 February. AnyDesk publishes a statement: they detected suspicious activity on production systems in January, hired CrowdStrike, and are revoking code signing certificates and web portal passwords. The details that leak afterwards: the attacker had access to build systems, exfiltrated source code and stole at least one signing certificate used to sign binaries distributed to customers. Versions prior to 7.0.15 (Windows) and 8.0.8 were signed with the stolen cert.

The operational impact is indirect but serious: any binary signed with that cert before revocation passes Windows’ signature check. An attacker holding the cert could package a malicious installer indistinguishable from the legitimate one. AnyDesk forces rotation, but the MSP ecosystem deploying AnyDesk to customers is exposed during the window.

A few days later, 18,000 AnyDesk web portal credentials show up for sale on forums. AnyDesk insists it wasn’t ransomware. No further public details on the initial vector.

Source: https://techcrunch.com/2024/02/05/remote-access-giant-anydesk-resets-passwords-and-revokes-certificates-after-hack/

Change Healthcare — BlackCat brings down US pharmacy processing


21 February. UnitedHealth, via an 8-K filing, notifies that Change Healthcare (Optum subsidiary, part of UnitedHealth Group) is suffering a severe cyber incident. The service is offline. US pharmacy operations are flattened: pharmacies unable to process insured prescriptions, hospitals unable to bill, labs with results blocked. On 26 February, BlackCat claims the attack on its leak site.

The initial vector is the most mundane possible: a Citrix portal exposed without MFA, accessed with valid stolen credentials. The attacker kept access from 12 to 21 February before detonating the ransomware. Change Healthcare ends up paying $22 million in crypto (later confirmed in a second extortion when an unhappy affiliate publishes the payment wallet). The stolen data contains PHI on more than 100 million individuals according to subsequent disclosures.

The incident has two readings. A technical one: Change Healthcare is the clearing house that processes a majority share of US medical insurance transactions. A single point of failure whose systemic risk nobody had talked about seriously before. The concentration of customer-vendor processes in US healthcare is structural. And a regulatory one: HHS opens an investigation under HIPAA. UnitedHealth ends the year with pending fines and open class action litigation.

This happens while Operation Cronos is taking down LockBit. BlackCat takes advantage of the vacuum and keeps the business for a few days — until it decides to run an “exit scam” against its own affiliate responsible for the attack (who claims they hadn’t been paid their share). The stable RaaS that looked consolidated in 2023 enters turbulence.

Source: https://www.unitedhealthgroup.com/newsroom/posts/2024-02-22-cybersecurity-update.html

ArtPrompt — safety classifiers don’t read ASCII art

15 February. Jiang et al. publish ArtPrompt: ASCII Art-based Jailbreak Attacks against Aligned LLMs (arXiv 2402.11753). The technique: write the forbidden word of the prompt as ASCII art in a cloze. The safety classifier looking at the prompt as tokens doesn’t recognise the word and lets it through. The model, when generating the response, does read the drawing and completes the request.

Results: ASR of 78% against GPT-3.5, 76% against Gemini, 52% against Claude, 32% against GPT-4, 20% against Llama2. Black-box, no gradient, no fine-tune. Work published on arXiv on the 15th and discussed the same week.

We cover the paper in a dedicated post — what’s interesting is the generalisation: ArtPrompt formalises a broader family (Unicode homoglyphs, base64, minority languages, obfuscated JSON, GCG suffixes) that all attack the same gap between what the classifier sees and what the model decodes. Defending against one specific modality leaves the next one open.

Hugging Face — JFrog finds 100 malicious models on the Hub


Late February. JFrog Security Research publishes the result of a systematic scan of the Hugging Face Hub: ~100 models with silent backdoors in pickle. The models don’t draw attention by name or description — they are clones of legitimate models (bert-base-uncased, gpt2 variants, small fine-tunes) with extra pickle payload that runs on load.

The observed payloads range from basic reverse shells to full binaries opening connections to attacker-controlled C2. The surface is pickle deserialisation on torch.load(...): any from_pretrained(repo_id) executes the attached pickle. Before JFrog’s disclosure, there was no active scanner on Hugging Face rejecting these models — the platform accepted any blob.

Hugging Face responds by enabling picklescan in production and promoting the safetensors format (no executable code, just metadata + tensors). The following year, the HF security team integrates automatic scanning and publishes the Verified flag on repos. The structural lesson: the AI ecosystem inherited pickle as the dominant format because it was the PyTorch default, not because it was safe. JFrog catalyses the operational change that the Wiz × HF research in April and the 22 ML bugs of December will deepen.
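A sketch of the kind of static check that makes this scanning possible, added here as an example (it is not picklescan's or Hugging Face's code): walk the pickle opcodes without loading the file and report every import outside an allow-list. The allow-list contents and both sample streams are constructed for illustration, with `builtins.print` as a harmless stand-in.

```python
import pickle
import pickletools
from collections import OrderedDict

# Illustrative allow-list (assumption): globals a plain tensor checkpoint needs.
ALLOWED = {
    "collections.OrderedDict",
    "torch._utils._rebuild_tensor_v2",
    "torch.FloatStorage",
}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}

def scan_pickle(data, allowed=ALLOWED):
    """Return imports outside `allowed`, found by walking opcodes without loading."""
    findings, recent = [], []            # recent: last two (opcode name, arg)
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "MEMOIZE":         # sits between the two strings in protocol 4
            continue
        if op.name in ("GLOBAL", "INST"):    # arg is "module name"
            ref = arg.replace(" ", ".", 1)
        elif op.name == "STACK_GLOBAL":      # module and name were pushed as strings
            if len(recent) == 2 and all(n in STRING_OPS for n, _ in recent):
                ref = f"{recent[0][1]}.{recent[1][1]}"
            else:
                ref = "<unresolved STACK_GLOBAL>"  # built indirectly: report it
        else:
            recent = (recent + [(op.name, arg)])[-2:]
            continue
        recent = []
        if ref not in allowed:
            findings.append(ref)
    return findings

# Constructed samples. None of them is ever passed to pickle.load().
BENIGN = pickle.dumps(OrderedDict(weight=[0.1, 0.2], bias=[0.0]), protocol=4)
# Hand-assembled streams whose only import is builtins.print.
SUSPICIOUS_P0 = b"cbuiltins\nprint\n(S'constructed sample'\ntR."
SUSPICIOUS_P4 = (b"\x80\x04\x8c\x08builtins\x8c\x05print\x93"
                 b"\x8c\x12constructed sample\x85R.")

if __name__ == "__main__":
    for name in ("BENIGN", "SUSPICIOUS_P0", "SUSPICIOUS_P4"):
        print(name, scan_pickle(globals()[name]))
```

For a zip-format PyTorch checkpoint, the pickle stream to scan is the `data.pkl` member inside the archive.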

Source: https://jfrog.com/blog/data-scientists-targeted-by-malicious-hugging-face-ml-models-with-silent-backdoor/ · https://www.darkreading.com/cloud-security/critical-bugs-hugging-face-ai-platform-pickle

Rest of the month

  • AISIC launch — 8 February. NIST launches the AI Safety Institute Consortium with 200+ members (companies, universities, civil society). Consortium work: red-teaming guidance, capability evaluations, watermarking of synthetic content. https://www.nist.gov/news-events/news/2024/02/biden-harris-administration-announces-first-ever-consortium-dedicated-ai
  • FortiOS CVE-2024-21762 — 9 February. Out-of-bounds write in SSL-VPN, unauthorised code execution via specific requests. CVSS 9.8. Fortinet confirms exploitation in the wild; CISA adds it to KEV the same day. Another edge appliance on the 2024 list.
  • Microsoft Patch Tuesday — 13 February. 73 CVEs. Two zero-days: CVE-2024-21412 (SmartScreen bypass via Internet Shortcut Files, exploited by Water Hydra against financial traders) and CVE-2024-21351 (Windows SmartScreen bypass, exploited in the wild).
  • Pwn2Own Vancouver 2024 — programming closed for March, but contest registrations (Tesla, virtualisation, browsers, cloud-native, AI categories) published late February. First time with a separate AI category.
  • Google Gemini 1.5 release — 15 February. Context window at 1 million tokens, MoE architecture. The context length race explodes.
  • i-Soon leak — between 16 and 22 February, someone uploads 570+ internal files from the Chinese company i-Soon (offensive services provider to the PRC) to GitHub. Documentation of targets, tools, contracts. The biggest leak of the year on Chinese APT operations, equivalent to the Shadow Brokers in their day. SentinelLabs publishes the first analysis. https://www.sentinelone.com/labs/unmasking-i-soon-the-leak-that-revealed-chinas-cyber-operations/

Pattern of the month

Three bugs any moderately serious review would have caught:

  • ConnectWise: literal string comparison over HTTP paths.
  • AnyDesk: build systems not isolated from the exposed surface.
  • Change Healthcare: Citrix portal exposed without MFA.

And an AI security paper that attacks a design gap that had been shared intuition for months. The common thread is that the correct mitigation was cheap and known in every case, but pending. The attacker-defender delta we talked about in the 2023 retrospective is the same in 2024.

See you in March with XZ, a considerably less trivial case.
