Bulletin — March 2024
AT&T confirms a 73M record leak. Apple patches iOS CVE-2024-23225 exploited in the wild. Microsoft ships two critical Hyper-V bugs. Anthropic launches Claude 3. The European Parliament approves the AI Act. Cloudflare admits the Thanksgiving breach. And the last week closes with XZ.
· Manuel López Pérez · news

March closes with the supply-chain case of the year. The week of 25 to 31 changes the month’s mood: Andres Freund finds the XZ backdoor on the 29th while running PostgreSQL benchmarks, and anything else that happened this month moves to the background. Before that: Apple patches two zero-days in the wild, Microsoft pushes a Patch Tuesday with two critical Hyper-V bugs, Anthropic launches Claude 3, the European Parliament approves the AI Act, Cloudflare admits the breach that happened in November 2023 with credentials from the Okta incident, and AT&T acknowledges the 73-million-record dump that had been circulating for weeks.
XZ utils CVE-2024-3094 — a maintainer with two years of patience
29 March. Andres Freund posts on oss-security his discovery of a backdoor in xz-utils 5.6.0 and 5.6.1. CVSS 10.0. The payload is delivered in tests/files/ files, extracted by a hook hidden in m4/build-to-host.m4 during ./configure, and the resulting liblzma intercepts RSA_public_decrypt when sshd loads it indirectly via libsystemd — the downstream systemd-notify patch that Debian, Ubuntu, Fedora and derivatives apply to the OpenSSH package.
The interest of the case isn’t only in the payload. The maintainer “Jia Tan” enters the project in October 2021 with a trivial patch, gains trust through sockpuppets that pressure the original maintainer (Lasse Collin), gets commit access in December 2022, publishes his first release in March 2023, and ships the backdoor a year later. Two and a half years between first commit and backdoored release.
Freund spots it because he was measuring SSH latencies during a PostgreSQL benchmark and noticed 0.5 extra seconds per login plus new valgrind noise. If he hadn’t looked, 5.6.1 would have reached Ubuntu LTS in April.
Full analysis in the dedicated post.
Source: https://www.openwall.com/lists/oss-security/2024/03/29/4 · https://research.swtch.com/xz-timeline
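The indirect loading chain described above can be checked on any host by walking DT_NEEDED entries. The following is an added example, not code from the original post or from any of the projects named. The `readelf -d` excerpts are constructed samples, and the function names are hypothetical.

```python
import re
from collections import deque

# Matches the NEEDED lines printed by `readelf -d <file>`.
NEEDED = re.compile(r"\(NEEDED\)\s+Shared library:\s+\[([^\]]+)\]")

def build_graph(dumps: dict) -> dict:
    """Map each ELF object to the libraries it names in DT_NEEDED."""
    return {name: NEEDED.findall(text) for name, text in dumps.items()}

def load_chain(graph: dict, binary: str, target_prefix: str):
    """Shortest DT_NEEDED path from `binary` to a library whose soname
    starts with `target_prefix`, or None if the loader never reaches it."""
    queue, seen = deque([[binary]]), {binary}
    while queue:
        path = queue.popleft()
        for dep in graph.get(path[-1], []):
            if dep in seen:
                continue
            seen.add(dep)
            if dep.startswith(target_prefix):
                return path + [dep]
            queue.append(path + [dep])
    return None

def is_indirect(graph: dict, binary: str, target_prefix: str) -> bool:
    """True when the library is reached only through another library."""
    chain = load_chain(graph, binary, target_prefix)
    return chain is not None and len(chain) > 2

# Constructed `readelf -d` excerpts (illustrative, not captured from a host).
ROW = " 0x0000000000000001 (NEEDED)  Shared library: [{}]\n"
DUMPS = {
    "sshd": ROW.format("libcrypto.so.3") + ROW.format("libsystemd.so.0")
            + ROW.format("libc.so.6"),
    "libsystemd.so.0": ROW.format("liblzma.so.5") + ROW.format("libc.so.6"),
    "libcrypto.so.3": ROW.format("libc.so.6"),
    "liblzma.so.5": ROW.format("libc.so.6"),
    "libc.so.6": "",
}
GRAPH = build_graph(DUMPS)

if __name__ == "__main__":
    # sshd never names liblzma itself; the chain shows who pulls it in.
    print(" -> ".join(load_chain(GRAPH, "sshd", "liblzma")))
```
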
AT&T — 73 million records in the 17 March dump
17 March, a dump appears on vx-underground with data on 73 million AT&T accounts (7.6M active, 65.4M former). The dataset includes SSN, dates of birth, account passcodes and contact info. The data looks like 2019 or earlier.
AT&T spends two weeks denying any connection with the dump. On 30 March it confirms the data is authentic, forces an account passcode reset and offers monitoring. It doesn’t acknowledge its own origin: “there is no evidence of unauthorized access to our systems resulting in exfiltration of this dataset”. The leak may come from a provider; nobody has clarified which one.
Operational reading: two weeks between a dump being published and the vendor admitting it. For a telco with 73M accounts, that window is the difference between “I force a passcode reset now” and “I force it when the press closes the circle”.
Source: https://about.att.com/story/2024/addressing-data-set-released-on-dark-web.html
Apple iOS CVE-2024-23225 — kernel exploited in the wild
5 March. Apple ships iOS 17.4 / iPadOS 17.4 / 16.7.6 with fixes for two zero-days: CVE-2024-23225 (kernel) and CVE-2024-23296 (RTKit). Both are memory corruption issues “that may have been exploited”. The first lets an attacker with arbitrary kernel read/write bypass kernel memory protections — the classic primitive that closes a spyware chain.
CISA adds CVE-2024-23225 to KEV on patch day. Apple doesn’t attribute, but the pattern (kernel memory protection bypass, non-anonymous finder, immediate simultaneous patch across multiple branches) is that of a Pegasus/Predator-class chain. The regularity with which Apple has shipped this kind of patch in 2023 and 2024 (more than one per quarter) makes clear the mercenary spyware cycle is still active and well funded.
Source: https://support.apple.com/en-us/HT214081
Microsoft Patch Tuesday — two critical Hyper-V bugs
12 March. 59 CVEs in Patch Tuesday, none exploited on patch day, but two critical Hyper-V bugs pull the focus:
- CVE-2024-21407: Hyper-V RCE. Authenticated attacker inside a guest VM runs code on the host by sending specific file operation requests. CVSS 8.1. CWE-416 (use-after-free). It’s the guest-to-host escape primitive — the scenario that breaks the central hypervisor assumption: that the guest can’t get out of its sandbox.
- CVE-2024-21408: Hyper-V DoS.
For multi-tenant virtualisation environments (cloud, VPS, hosting providers), CVE-2024-21407 is the bug that makes you move the patching calendar. Microsoft doesn’t publish technical details, but a Hyper-V guest-to-host escape has immediate implications for Azure (Hyper-V is the base hypervisor) and any on-prem deployment with Windows Server 2019/2022.
Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21407
Anthropic launches Claude 3 — Opus, Sonnet, Haiku

4 March. Anthropic announces the Claude 3 family: Opus (frontier), Sonnet (balance), Haiku (fast and cheap). Opus posts better numbers than GPT-4 on MMLU, GPQA, HumanEval. Native vision capability. 200k context.
For AI security the consequences matter in the medium term:
- The frontier model space stops being a monoculture. Anthropic competes with OpenAI on performance, not just on safety messaging. Multi-vendor decisions that sounded like a hedge during 2023 are now operational.
- The context curve keeps climbing. Opus’ 200k sets the ground for the many-shot jailbreaking attacks Anthropic will publish on 2 April — long context is capability and attack surface at the same time.
Sonnet offers better cost/latency than GPT-4 for medium tasks; Haiku is the cheapest on the market at that date. Any production AI roadmap with a single provider in March 2024 had to be reopened on the 4th.
Source: https://www.anthropic.com/news/claude-3-family
The European Parliament approves the AI Act

13 March. The plenary of the European Parliament approves the text of the AI Regulation: 523 in favour, 46 against, 49 abstentions. It’s the vote closing the legislative cycle started with the Commission’s proposal in 2021 and the political trilogue agreement of 9 December 2023 (covered here).
What remains until it enters into force:
- Formal Council approval (May 2024).
- Publication in the OJEU (expected July 2024).
- Entry into force 20 days after publication.
- Staged applicability: Article 5 prohibitions at 6 months, GPAI obligations at 12, high-risk at 24.
The vote doesn’t change the operational dates for CISOs and DPOs versus what we already covered in December. What does change is the uncertainty: the text the Parliament approves is the one that will be published, not a draft subject to revision. System inventories touching high-risk can start against binding text.
Cloudflare admits the Thanksgiving 2023 breach

The incident Cloudflare disclosed on 1 February still weighs on the quarter’s close, so it fits here as a reminder: during November 2023, a suspected nation-state actor used credentials stolen in the October Okta incident (Moveworks service token, Smartsheet service account, Bitbucket service account, AWS env credentials) to access Cloudflare’s self-hosted Atlassian. They saw 120 repos, downloaded 76, all related to internal configuration (identity, remote access). Cloudflare detects on 23 November, cuts access, hires CrowdStrike, publishes the post on 1 February.
Operational root cause that Cloudflare itself names: the credentials from the Okta incident weren’t rotated because they were “mistakenly believed to be unused”. The bug is in the service accounts inventory, not in detection.
Pattern that comes back throughout 2024: SaaS posture breaches come through credentials that survived an upstream incident without rotation. Snowflake / UNC5537 in May-June will repeat the pattern at a different scale.
Source: https://blog.cloudflare.com/thanksgiving-2023-security-incident/
Apex Legends ALGS — in-game RCE during the tournament
17 March. During the Apex Legends Global Series (ALGS) NA regional final, two professional players (Genburten from DarkZero, and ImperialHal from TSM) are hacked live. Aimbot and wallhack appear on their accounts mid-match without them activating anything. A user Destroyer2009 claims responsibility in a Discord channel; says they used an RCE.
Respawn suspends the tournament. Easy Anti-Cheat (Epic) publishes a note on the 18th confirming “not related to an EAC vulnerability”. The exact vector remains without official public attribution by month-end, but public hypotheses point to a chain starting from the game client, not the anti-cheat. ALGS finishes on 25 March behind closed doors, with the recording aired delayed.
For a technical blog the case isn’t the entertainment story. It’s an operational reminder: a game client with elevated privileges on the user’s machine is third-party code running in production against a market of millions of installs. A pre-auth RCE chain against that client is worth the same in impact terms as any 0-day in enterprise software, with a much slower response cycle.
Source: https://esportsinsider.com/2024/03/apex-legends-global-series-hack
ShadowRay — Anyscale’s “deliberate decision” as a botnet

March 2024. Oligo Security publishes ShadowRay, an active campaign since September 2023 exploiting CVE-2023-48022 (CVSS 9.8) in Anyscale Ray. The “bug” isn’t a bug: the Ray Job Submission API (/api/jobs/) has no authentication by design. Anyscale documents it as a deliberate decision — Ray assumes it runs in a trusted network — and the CVE is initially marked as disputed.
Oligo finds thousands of Ray clusters exposed to the internet running workloads from real companies (Bytedance, Amazon, governments, found via exposed dashboards). Attackers launch malicious jobs at the public API, run arbitrary code with Ray process privileges, install XMRig mining Monero on corporate GPUs, and exfiltrate environment credentials (AWS accounts, OAuth tokens, SSH keys, certificates).
The structural detail: this is the first public incident that sets a design assumed secure through network isolation against real production deployments without that isolation. Anyscale holds the line (“Ray must run on an isolated network”), but the market’s behaviour says otherwise. It’s the pattern that ShadowRay 2.0 will confirm in November 2025 with 230,000 exposed servers and a self-spreading botnet.
Source: https://www.oligo.security/blog/shadowray-attack-ai-workloads-actively-exploited-in-the-wild · https://therecord.media/thousands-exposed-to-ray-framework-vulnerability
Rest of the month
- Stanford LLM agent benchmark: several March papers quantify the gap between frontier LLMs on agentic tasks versus single-shot evaluations. Pattern that will be confirmed all of 2024.
- GitHub Advanced Security: announces automatic secret detection on push (preview), after months with truffleHog being an external tool.
- JetBrains IDEs: GitHub links a campaign abusing malicious plugins on the JetBrains marketplace. Low volume, new vector.
- VMware ESXi CVE-2024-22252 + CVE-2024-22253 + CVE-2024-22254 + CVE-2024-22255: VMware Patch Tuesday with four criticals in ESXi/Workstation/Fusion. One of them (CVE-2024-22252) was a zero-day at Pwn2Own Toronto 2023; patch arrives four months later.
Pattern of the month
If I have to distil March in one sentence: the month XZ forces a redefinition of what counts as a “transitive dependency”. Until March, the supply-chain conversation talked about npm / PyPI packages with typo-squatting or compromised releases. XZ adds three new elements to the conversation:
- A hostile maintainer with years of persistence, not an opportunistic attacker buying an abandoned package.
- The gap between tarball and git repository as a payload insertion site, undetectable by standard code review.
- Indirect loading chains (sshd → libsystemd → liblzma) created by downstream patches no upstream project security team reviews.
None of the three can be defended against with SBOM + signed releases. They require rotating maintainers with judgment, reproducible builds from repo, and aggressive reduction of indirect dependencies in sensitive binaries. The work will occupy at least the next two years in projects that structurally depend on open source.
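One way to check the tarball-versus-repository gap named above, as an added example that is not code from the original post or from the xz project. It assumes a `regenerated` manifest obtained by running the project's bootstrap on a clean checkout of the release tag. All file contents and function names are constructed placeholders.

```python
import hashlib
import io
import tarfile

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def tarball_manifest(tar_bytes: bytes, prefix: str) -> dict:
    """Map relative path -> SHA-256 for every regular file in the tarball."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar:
            if m.isfile():  # hash members in memory; nothing is extracted to disk
                out[m.name.removeprefix(prefix)] = digest(tar.extractfile(m).read())
    return out

def audit_release(tar_manifest: dict, git_tree: dict, regenerated: dict) -> dict:
    """Explain every shipped file by the tagged tree or a clean regeneration."""
    report = {"modified": [], "unexplained": []}
    for path, h in sorted(tar_manifest.items()):
        if path in git_tree:
            if git_tree[path] != h:
                report["modified"].append(path)     # differs from reviewed source
        elif regenerated.get(path) != h:
            report["unexplained"].append(path)      # not reproducible from the repo
    return report

def make_tarball(files: dict, prefix: str) -> bytes:
    """Build a constructed .tar.gz in memory for the demo."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(prefix + path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample data (placeholders, not real xz-utils content).
GIT = {"configure.ac": b"AC_INIT\n", "src/lzma.c": b"int main(void){return 0;}\n"}
REGEN = {"configure": b"#!/bin/sh\n", "m4/build-to-host.m4": b"# clean macro\n"}
SHIPPED = {**GIT, **REGEN, "m4/build-to-host.m4": b"# clean macro\n# extra lines\n"}

def demo() -> dict:
    hashes = lambda files: {p: digest(d) for p, d in files.items()}
    tar_manifest = tarball_manifest(make_tarball(SHIPPED, "pkg-1.0/"), "pkg-1.0/")
    return audit_release(tar_manifest, hashes(GIT), hashes(REGEN))

if __name__ == "__main__":
    print(demo())
```

Allowlisting generated files by path would pass the altered macro file; comparing hashes against a clean regeneration is what surfaces it.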
See you in April with many-shot jailbreaking (Anthropic publishes on the 2nd) and, as an extra, the Palo Alto GlobalProtect zero-day on the 12th.


