Bulletin — April 2024
Anthropic publishes many-shot jailbreaking on the 2nd. Palo Alto GlobalProtect drops as a zero-day on the 12th. MITRE admits a breach via Ivanti on the 19th. Cisco ASA + ArcaneDoor on the 24th. Meta releases Llama 3. Sisense forces a mass reset. LayerSlider pre-auth SQLi.
Manuel López Pérez

April pushes the edge appliance category back to the front (Palo Alto, Cisco, Ivanti via MITRE) while Anthropic publishes the first public paper that frames long context as attack surface. Meta releases Llama 3, opening the next round of frontier open weights. Underneath, the SaaS posture pattern surfaces with Sisense forcing a mass reset of customer credentials.
Many-shot jailbreaking — Anthropic, 2 April

2 April. Anthropic publishes the Many-shot Jailbreaking paper (Anil et al.) and an explanatory blog post. The technique: put hundreds of simulated harmful question → harmful response pairs in the context window before the real question. The model’s in-context learning picks up the visible pattern and completes the last turn “in line”. It scales by a power law into the hundreds of shots; in some harm categories it reaches 70% success at 256 shots against Claude 2.0.
What matters structurally: the context window growing from 4k (2023) to 200k–1M (2024) is capability and attack surface at the same time. Safety classifiers looking only at the last turn don’t scale; Anthropic reports that a mitigation that classifies and rewrites the entire input drops one attack from 61% to 2% success.
Technical analysis, repro against Llama-3-8B-Instruct and the power-law curve in the dedicated post.
Source: https://www.anthropic.com/research/many-shot-jailbreaking
CVE-2024-3400 — Palo Alto GlobalProtect zero-day

12 April. Palo Alto publishes an advisory for pre-auth command injection in PAN-OS GlobalProtect. CVSS 10.0. The cookie’s SESSID parameter is interpolated, without sanitisation, into a shell command that builds the path of a telemetry file, so shell metacharacters in the value execute as root. Volexity tracks in-the-wild exploitation by UTA0218 (Operation MidnightEclipse) since 26 March, first confirmed compromise on 10 April.
UTA0218 deploys UPSTYLE, a Python backdoor that installs itself as system.pth in site-packages (Python imports it on every interpreter startup; persistence without cron) and monitors the nginx error log waiting for an img[<base64>] pattern in non-existent URLs.
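The persistence described above works because Python's site module executes any .pth line that begins with import at interpreter startup. The following audit is an added example, not code from this post or from any vendor; the file names and contents in demo() are constructed.

```python
import site
import tempfile
from pathlib import Path


def executable_pth_lines(pth_file):
    """Return (line_number, text) for lines site.py would exec() at startup."""
    hits = []
    text = Path(pth_file).read_text(encoding="utf-8", errors="replace")
    for number, line in enumerate(text.splitlines(), start=1):
        # site.py executes lines starting with "import" + space or tab;
        # other non-comment lines are only treated as path entries.
        if line.startswith(("import ", "import\t")):
            hits.append((number, line.strip()))
    return hits


def audit_site_dirs(directories):
    """Map each .pth file containing executable lines to those lines."""
    findings = {}
    for directory in directories:
        base = Path(directory)
        if not base.is_dir():
            continue
        for pth in sorted(base.glob("*.pth")):
            hits = executable_pth_lines(pth)
            if hits:
                findings[str(pth)] = hits
    return findings


def default_site_dirs():
    """Site directories of the running interpreter (global and per-user)."""
    return list(site.getsitepackages()) + [site.getusersitepackages()]


def demo():
    """Audit a constructed directory (sample files, not real indicators)."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "paths.pth").write_text("# path entry only\n/opt/extra/lib\n")
        Path(tmp, "constructed.pth").write_text("import os  # constructed\n")
        found = audit_site_dirs([tmp])
    return {Path(name).name: hits for name, hits in found.items()}


if __name__ == "__main__":
    for path, hits in audit_site_dirs(default_site_dirs()).items():
        print(path, hits)
```

Legitimate packages (setuptools, editable installs) also ship import lines in .pth files, so treat the output as a triage list to compare against a known-good baseline.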
The first batch of hotfixes lands on 14 April; the rest between 15 and 18. CISA adds the CVE to KEV on the 15th. 18 April: watchTowr public PoC — from there, mass exploitation by every actor with access to the bulletin.
Technical analysis of the SESSID → shell → UPSTYLE chain in the dedicated post.
Source: https://security.paloaltonetworks.com/CVE-2024-3400 · https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
MITRE breached via Ivanti — 19 April
19 April. MITRE publishes a statement signed by its CTO Charles Clancy confirming a foreign nation-state actor accessed NERVE (Networked Experimentation, Research, and Virtualization Environment), one of MITRE’s own R&D networks. Initial vector: the two Ivanti Connect Secure CVEs we covered in January — CVE-2023-46805 + CVE-2024-21887.
The timeline, as MITRE details it:
- January 2024: actor reconnaissance against MITRE’s Ivanti appliances. Coincides with Volexity’s disclosure on 10 January.
- Ivanti issues patch and guidance. MITRE applies the fixes and follows the vendor recommendations.
- The actor keeps the session via session hijack (tokens stolen before the patch remain valid — the pattern Citrix Bleed already showed).
- Lateral move to the VMware infrastructure from NERVE using a compromised admin account.
- MITRE detects the lateral movement in April and publishes the incident.
Clancy’s line in the statement is the one that will be quoted all of 2024: “we followed best practices, vendor instructions and government advice to update, replace and harden our Ivanti, but we did not detect the lateral movement to VMware”. It’s the Ivanti pattern applied to MITRE — the organisation that maintains the ATT&CK catalogue — and publicly acknowledged. It makes it very hard to argue the responsibility falls on organisations that don’t patch.
Source: https://www.mitre.org/news-insights/news-release/mitre-response-cyber-attack-one-its-rd-networks
Cisco ASA — ArcaneDoor (CVE-2024-20353 + CVE-2024-20359)

24 April. Cisco Talos publishes the ArcaneDoor report: a suspected state-sponsored actor, tracked as UAT4356 (STORM-1849 by Microsoft), exploits two zero-days in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD):
- CVE-2024-20353 — DoS via incomplete HTTP header parsing; the attacker forces a reboot of the appliance.
- CVE-2024-20359 — code execution via a malformed ZIP in the pre-loaded client_bundle, which ASA runs as Lua on startup.
The chain: 20353 forces reboot, 20359 leaves persistent Lua that survives reboots and upgrades. Cisco identifies two implants:
- Line Dancer: in-memory shellcode interpreter. The operator sends shellcode via the host-scan-reply field of a legitimate ASA request and Line Dancer runs it. Capabilities: exfil config, disable logging, hooking the crash dump (anti-forensics), AAA bypass with a magic number.
- Line Runner: HTTP backdoor in Lua persisting through the client bundle pre-loading feature. It activates every time ASA boots.
Talos documents development activity since July 2023 and testing/operations from December 2023 to January 2024. Disclosure lands four months after the first operations. Targets: global government networks. The state-sponsored, edge appliance, firmware-adjacent persistence pattern has become routine in 2024 — Volt Typhoon early in the year, UTA0178 against Ivanti, UTA0218 against Palo Alto, now UAT4356 against Cisco.
Source: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/ · https://www.cisa.gov/news-events/alerts/2024/04/24/cisco-releases-security-updates-addressing-arcanedoor-vulnerabilities-cisco-firewall-platforms
Meta releases Llama 3 — 18 April
18 April. Meta releases Llama 3 8B and Llama 3 70B, both in base and Instruct variants. Pretraining on 15T tokens (7x Llama 2). 128k token vocab. Grouped Query Attention on both sizes. Initial context 8k — Meta announces long-context versions will come in the following months. The large model (>400B) is in training and lands later in the year.
What’s relevant for AI security:
- Frontier open weights has a serious competitor again. Llama 3 70B-Instruct sits at the level of Claude 3 Sonnet in comparative evals. It lets security research — including the 2 April many-shot jailbreaking — be reproduced on reasonable hardware.
- Llama Guard 2, Code Shield, CyberSec Eval 2: Meta ships safety and eval tooling. They don’t replace your own defence, but the repository remains a reproducible baseline.
- 8k context is already narrow for many 2024 use cases. The 128k+ versions arrive in July (Llama 3.1) and become the standard target for jailbreak paper repros.
Source: https://ai.meta.com/blog/meta-llama-3/
Sisense — CISA forces a mass reset
11 April. CISA publishes an urgent alert: customers of Sisense — analytics SaaS with Verizon, Nasdaq, Air Canada among them, plus presence in US healthcare and critical infrastructure — must rotate everything that passed through Sisense: passwords, API tokens, SSO secrets (JWT/SAML/OpenID), Active Directory sync credentials, GIT auth, database credentials, web access tokens, custom email server creds.
The vector: attackers accessed Sisense’s self-hosted GitLab and found credentials granting access to S3 buckets with customer backups. Krebs reports the exfil includes “several terabytes”, with millions of access tokens and SSL certificates among the extracted material. CISA doesn’t attribute publicly, but the pattern — long-lived token in repository + static credential in S3 — is exactly what Snowflake / UNC5537 will exploit at a different scale in May–June.
Operational reading: if your SaaS product asks customers for direct passwords/tokens instead of delegating via short-lived OAuth/JWT, those credentials are exfiltratable material in any breach of your vendor.
Source: https://www.cisa.gov/news-events/alerts/2024/04/11/compromise-sisense-customer-data · https://krebsonsecurity.com/2024/04/why-cisa-is-warning-cisos-about-a-breach-at-sisense/
LayerSlider WordPress pre-auth SQLi — CVE-2024-2879
27 March (patch) / 2 April (public disclosure). Wordfence reports unauthenticated SQL injection in the LayerSlider plugin for WordPress, versions 7.9.11 to 7.10.0. CVSS 9.8. The ls_get_popup_markup action doesn’t escape input from the id parameter before placing it in a query with a misused $wpdb->prepare() — time-based blind SQLi against the full database, including wp_users.
LayerSlider claims “1M+ active installations” on wordpress.org; other aggregators cite higher numbers combining direct sales. Wordfence pays a $5,500 bounty to the researcher.
The case is ordinary in mechanics (SQLi in a WordPress plugin, WPScan’s bread and butter) but relevant in surface area: a plugin with a million installs is a stable target. The patch lands on 27 March, before disclosure; most sites auto-update within a week, leaving a short but real exploitation window.
Wiz × Hugging Face — the first public cross-tenant case in AI-as-a-Service

April 2024. Wiz Research publishes a series of vulnerabilities in Hugging Face Inference API and the Spaces system (CI/CD) allowing:
- Shared inference infrastructure takeover — upload a PyTorch model with pickle payload (via __reduce__) and run code inside the shared inference container. From there, read models, datasets and tokens from other customers sharing the same GPU capacity.
- CI/CD pipeline takeover — abuse Spaces to inject code into the builders that generate inference images, which allows supply-chain poisoning of models served by third parties from the moment of push.
The root bug isn’t a new pattern (pickle deserialisation has been known for years), but the context is new: Hugging Face is the default hosting platform of the AI ecosystem. The architecture assumed user content (uploaded model) was flat; in reality, any .bin or .pt is an executable binary disguised as a data file. The revelation is operational: for the millions of pipelines pulling from HF Hub as upstream, the model supply chain is software supply chain with the rigour of an unaudited repository.
Hugging Face mitigates in collaboration with Wiz: tenant isolation, automatic pickle scanning with Picklescan on upload, recommendation of safetensors as a safe alternative format. As a prior reference, Lasso Security had published in December 2023 on API tokens carelessly exposed in thousands of HF repos. The two investigations consolidate AI-as-a-Service as a cloud security category with specific risks distinct from traditional SaaS.
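A static check in the spirit of the upload-time pickle scanning mentioned above, as an added example (not Picklescan's or Hugging Face's code): it walks the opcode stream with pickletools and never unpickles anything. The allow-list, the ConstructedSample class and the sample streams are assumptions constructed for illustration.

```python
import pickle
import pickletools
from collections import OrderedDict

# Assumption for this example: the only import a trusted file may request.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}
NON_PUSHING = {"MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"}


def imported_globals(data):
    """List (module, name) pairs a pickle would import, without loading it."""
    found, recent = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            # Protocols 0-3: the argument is "module name" in one string.
            found.append(tuple(arg.split(" ", 1)))
        elif opcode.name == "STACK_GLOBAL":
            # Protocol 4+: module and name are the two preceding pushes.
            pair = tuple(recent[-2:])
            resolved = len(pair) == 2 and all(isinstance(p, str) for p in pair)
            found.append(pair if resolved else ("?", "?"))
        if opcode.name not in NON_PUSHING:
            # Only unicode string pushes can name a module or attribute.
            recent.append(arg if "UNICODE" in opcode.name else None)
    return found


def disallowed_globals(data, allowed=ALLOWED_GLOBALS):
    """Imports outside the allow-list; unresolved ones are never allowed."""
    return [g for g in imported_globals(data) if g not in allowed]


class ConstructedSample:
    """Constructed stand-in whose __reduce__ names a harmless builtin."""

    def __reduce__(self):
        return (len, ("constructed",))


def samples():
    """Constructed pickle streams; none of them is ever unpickled here."""
    return {
        "plain_dict": pickle.dumps({"weights": [0.1, 0.2]}, protocol=4),
        "ordered_dict": pickle.dumps(OrderedDict(layer=1), protocol=4),
        "reduce_p4": pickle.dumps(ConstructedSample(), protocol=4),
        "reduce_p2": pickle.dumps(ConstructedSample(), protocol=2,
                                  fix_imports=False),
    }
```

Real PyTorch checkpoints reference more globals than this allow-list permits, so a usable allow-list has to be derived from files you already trust.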
Source: https://www.wiz.io/blog/wiz-and-hugging-face-address-risks-to-ai-infrastructure · https://thehackernews.com/2024/04/ai-as-service-providers-vulnerable-to.html
Rest of the month
- Roku breach (12 Apr) — 576,000 accounts compromised via credential stuffing. Second incident of the year after 15,000 in March. Forces the TV/streaming category to implement MFA enforcement, optional until now.
- CrushFTP CVE-2024-4040 (19 Apr) — server-side template injection / sandbox escape in CrushFTP, in-the-wild exploitation reported by CrowdStrike. Another MFT on the year’s zero-day list, same pattern as MOVEit in 2023.
- Cisco Duo telephony provider breach (10 Apr) — a Cisco Duo SMS provider is compromised and logs with phone numbers and MFA SMS metadata are exfiltrated. No content, but enough metadata for targeted social engineering.
- Apple notifies mercenary spyware victims in 92 countries (10 Apr) — second wave of the year after October 2023’s. The pattern continues.
Pattern of the month
Three readings April leaves on the table:
1. Edge appliance is a risk category, not an isolated case. Four vendors (Ivanti, Palo Alto, Cisco, plus MITRE as a victim) fall with the same actor profile: state-sponsored, firmware-adjacent persistence, patch arrives after months of exploitation. The operational question for 2024 moves from what’s the next bug? to what’s our plan when the next one falls? The blast radius of a firewall compromised as root exceeds what a patch can clean; Enhanced Factory Reset (PAN-OS) or full reinstallation are the real operational options.
2. SaaS posture enters the picture. Sisense in April, Snowflake in May–June: the target stops being the customer’s service and becomes the SaaS vendor holding customer credentials. Any integration with third-party SaaS that asks for static passwords/tokens is now a fourth-party risk factor (third-party of third-party). OAuth with minimal scopes + routine rotation moves from best practice to requirement.
3. AI security finds its first structural paper of 2024. Many-shot jailbreaking is the first public demonstration that the context increase requires proportional defence, not a curious trick. The industry responds in weeks, but the general pattern (attacking the assumption alignment is built on) will repeat in September with o1 and reasoning models, and in October with Computer Use and agentic.
See you in May with Recall — Microsoft announces on the 20th, Beaumont and Forshaw tear it apart on the 23rd — and the start of the Snowflake season.