Bulletin — May 2024
Recall is announced on the 20th and dismantled on the 30th. Ticketmaster and Santander join the Snowflake victim list. Dell loses 49M records to an API with no rate limit. Patch Tuesday with two zero-days. GPT-4o and the "Sky" voice that sounded like Johansson.
Manuel López Pérez

Dense month. Recall is announced with fanfare on 20 May and ten days later is being described in DoublePulsar as stealing everything you’ve ever typed or viewed. While Microsoft works on the backpedal, Snowflake starts showing up as a shared vector in a series of breaches that culminate in the Ticketmaster dump on the 28th. Dell loses 49M records to an API with no rate limit. GPT-4o launches on the 13th, and the “Sky” voice sounds too much like Scarlett Johansson for a letter not to land. Patch Tuesday brings two Windows zero-days.
Microsoft Recall — from announcement to backpedal in 18 days
20 May. Microsoft announces Copilot+ PCs at a Redmond event. The flagship feature, Windows Recall, takes periodic screenshots of the desktop, runs OCR + embeddings and indexes them for semantic search. Announced availability: 18 June on the first Qualcomm Snapdragon X machines.
Late May. Kevin Beaumont publishes the technical analysis on DoublePulsar. The SQLite database lives at %localappdata%\CoreAIPlatform.00\UKP\{GUID}\ukg.db with no DPAPI or process-level protection. Alex Hagenah drops TotalRecall on GitHub on 4 June: automated parsing of the DB at zero cost. James Forshaw (Project Zero) confirms 48 hours later that admin rights aren’t needed.
7 June. Microsoft publishes the update signed by Pavan Davuluri: Recall becomes opt-in, requires Windows Hello to activate, demands proof of presence to query the timeline, and encrypts the index. The launch moves to Insiders in October, then to December.
We cover the case fully in the technical post of the month: threat model, extraction mechanics and why the rollback confirms the mitigations were obvious before the first commit.
Sources:
- https://blogs.microsoft.com/blog/2024/05/20/introducing-copilot-pcs/
- https://doublepulsar.com/recall-stealing-everything-youve-ever-typed-or-viewed-on-your-own-windows-pc-is-now-possible-da3e12e9465e
- https://blogs.windows.com/windowsexperience/2024/06/07/update-on-the-recall-preview-feature-for-copilot-pcs/
Snowflake — the first visible cases
May is when the Snowflake pattern starts getting loud, even if formal attribution to UNC5537 doesn’t arrive until Mandiant’s 10 June report. Two important disclosures this month:
14 May — Santander publishes a statement acknowledging unauthorised access to customer data in Chile, Spain and Uruguay, plus employee information. It doesn’t mention Snowflake in the initial statement. Two weeks later ShinyHunters claims to have 30M customer records and 28M card records for sale on BreachForums (figures not officially verified).
27–28 May — Ticketmaster / Live Nation. ShinyHunters posts on BreachForums (recently reactivated after the mid-May seizure) that it has 1.3 TB of Ticketmaster data with details on 560M customers, and asks for $500,000. Live Nation confirms the incident in an 8-K filed with the SEC on 31 May. The Mandiant report will eventually explain the vector: corporate credentials extracted by an infostealer (in this case via the ServiceNow account of a Snowflake-customer employee, not Snowflake directly) → access to Snowflake accounts without MFA → mass exfiltration via COPY INTO.
The pattern gets formally defined in June (we’ll cover it in its technical post). What May shows is the chain: infostealer on corporate endpoint → SaaS credentials → exfil of tenants without MFA. Snowflake isn’t vulnerable in the CVE sense: the default let a customer disable MFA and leave their data behind a single factor.
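The chain above is visible in a Snowflake account’s own audit views, so the natural defender-side check is a query over login and query history. The following Python is an added example (not from the bulletin, Mandiant or Snowflake) that replays that triage over constructed rows: it flags successful password-only logins, flags bulk unloads (COPY INTO a stage), and intersects the two. The column names mirror SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY and QUERY_HISTORY and are an assumption to check against your account; the row values are constructed samples.

```python
"""Triage of Snowflake-style audit rows for the May 2024 chain:
password-only login -> bulk COPY INTO <stage> unload.

Row shapes mirror SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY and QUERY_HISTORY
(column names are an assumption taken from those views; verify them against
your account). Every row below is a constructed sample."""
from collections import defaultdict

LOGIN_HISTORY = [
    {"EVENT_TIMESTAMP": "2024-05-20T02:13:00", "USER_NAME": "ETL_SVC",
     "CLIENT_IP": "203.0.113.10", "REPORTED_CLIENT_TYPE": "OTHER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO"},
    {"EVENT_TIMESTAMP": "2024-05-20T02:14:00", "USER_NAME": "ETL_SVC",
     "CLIENT_IP": "203.0.113.10", "REPORTED_CLIENT_TYPE": "OTHER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-20T09:02:00", "USER_NAME": "ANALYST_A",
     "CLIENT_IP": "198.51.100.7", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-21T11:00:00", "USER_NAME": "ANALYST_B",
     "CLIENT_IP": "198.51.100.9", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES"},
]

QUERY_HISTORY = [
    {"START_TIME": "2024-05-20T02:20:00", "USER_NAME": "ETL_SVC",
     "QUERY_TYPE": "UNLOAD", "ROWS_UNLOADED": 48_000_000,
     "QUERY_TEXT": "COPY INTO '@~/out/' FROM CUSTOMERS FILE_FORMAT=(TYPE=CSV)"},
    {"START_TIME": "2024-05-20T09:10:00", "USER_NAME": "ANALYST_A",
     "QUERY_TYPE": "SELECT", "ROWS_UNLOADED": 0,
     "QUERY_TEXT": "SELECT COUNT(*) FROM ORDERS"},
    {"START_TIME": "2024-05-21T11:05:00", "USER_NAME": "ANALYST_B",
     "QUERY_TYPE": "UNLOAD", "ROWS_UNLOADED": 1_200,
     "QUERY_TEXT": "COPY INTO '@reports/daily/' FROM DAILY_KPIS"},
]


def single_factor_logins(rows):
    """Successful logins that completed with a password and no second factor.
    Returns {user: set(client_ips)}. Failed attempts are ignored here; they
    belong in a separate brute-force view."""
    hits = defaultdict(set)
    for r in rows:
        if (r["IS_SUCCESS"] == "YES"
                and r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
                and not r["SECOND_AUTHENTICATION_FACTOR"]):
            hits[r["USER_NAME"]].add(r["CLIENT_IP"])
    return dict(hits)


def bulk_unloads(rows, min_rows=1_000_000):
    """Unload queries (COPY INTO <location>) above a row threshold: the
    exfiltration primitive in the Snowflake chain. Returns [(user, rows)]."""
    return [(r["USER_NAME"], r["ROWS_UNLOADED"]) for r in rows
            if r["QUERY_TYPE"] == "UNLOAD" and r["ROWS_UNLOADED"] >= min_rows]


def chain_hits(login_rows, query_rows, min_rows=1_000_000):
    """Users who both logged in without MFA and ran a bulk unload: the full
    infostealer -> single-factor login -> COPY INTO pattern, sorted."""
    weak = single_factor_logins(login_rows)
    return sorted({u for u, _ in bulk_unloads(query_rows, min_rows) if u in weak})


if __name__ == "__main__":
    print("password-only logins:", single_factor_logins(LOGIN_HISTORY))
    print("bulk unloads:", bulk_unloads(QUERY_HISTORY))
    print("chain hits:", chain_hits(LOGIN_HISTORY, QUERY_HISTORY))
```

The row threshold is the tuning knob: a low value also catches routine report unloads by analysts (ANALYST_B above), so in practice the unload filter is combined with a baseline of which users normally unload and from which client IPs.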
Sources:
- https://www.santander.com/en/press-room/press-releases/2024/05/santander-informs-of-a-customer-data-incident
- https://securityaffairs.com/163999/data-breach/ticketmaster-confirms-data-breach.html
- https://en.wikipedia.org/wiki/Snowflake_data_breach
Dell — 49M records via an API with no rate limit

9 May. Dell notifies customers of a data exposure incident. A week earlier, an actor identified as Menelik had posted on BreachForums offering 49M records: name, physical address, service tag, system serial number, customer number, order number, and warranty data.
The vector, documented by BleepingComputer and confirmed in emails from the actor himself: Menelik signs up on Dell’s partner/reseller portal with made-up company names. Dell approves him without verification within two days. Once inside, he abuses an order lookup endpoint that has no rate limit: 5,000 requests/minute for three weeks, iterating over 7-digit service tags until he has covered 49M records.
Menelik reports the bug by email to Dell on 12 and 14 April. Dell doesn’t respond. Two weeks later he publishes the data. What stands out here: the bug isn’t in the software (the endpoint does what it’s designed to do) but in the policy: onboarding without verification, no rate limit, and data retrievable by sequential enumeration. The classic API surface a threat model should have closed in the first quarter.
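Two of the three policy gaps above are mechanical to close or at least to see: a per-principal rate limit on the lookup endpoint, and a detector for sequential walks over service tags in the request log. The Python below is an added example (not Dell’s code or logs): it builds a constructed request log, replays it through a sliding-window limiter, and reports which partner accounts were throttled and which ones walked consecutive tags. The log format, the field names and the treatment of service tags as 7-character base-36 values are assumptions for this example.

```python
"""Defender-side checks for the Dell-style enumeration pattern:
(1) a sliding-window per-principal rate limit that would have capped a
    5,000 req/min lookup loop, and
(2) a detector for sequential walks over service tags, which shows bulk
    enumeration even when it is slowed down to stay under a limit.

Log format, field names and the base-36 reading of a 7-character service tag
are assumptions for this example; the log lines are constructed samples."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LINE_RE = re.compile(r"^(?P<ts>\S+) partner=(?P<partner>\S+) "
                     r"tag=(?P<tag>[0-9A-Z]{7}) status=(?P<status>\d{3})$")


def to_tag(n):
    """Encode an int as a 7-character base-36 service tag (assumed format)."""
    out = ""
    for _ in range(7):
        n, rem = divmod(n, 36)
        out = ALPHABET[rem] + out
    return out


def build_sample_log():
    """Constructed log: one partner walks 12 consecutive tags in ~0.1 s,
    another does three unrelated lookups spread over ten minutes."""
    t0 = datetime(2024, 4, 10, 10, 0, 0)
    lines = []
    start = int("7GH2K00", 36)
    for i in range(12):
        ts = (t0 + timedelta(milliseconds=10 * i)).isoformat()
        lines.append(f"{ts} partner=newco-llc tag={to_tag(start + i)} status=200")
    for i, tag in enumerate(["ABC1234", "ZZ9X1Q7", "ABC1236"]):
        ts = (t0 + timedelta(minutes=5 * i)).isoformat()
        lines.append(f"{ts} partner=acme-resellers tag={tag} status=200")
    return lines


def parse(lines):
    """Parse log lines into events sorted by timestamp; malformed lines are
    skipped rather than allowed to crash the pipeline."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    events.sort(key=lambda e: e["ts"])
    return events


class SlidingWindowLimiter:
    """Allow at most `limit` requests per principal in any `window_seconds`."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = timedelta(seconds=window_seconds)
        self.hits = defaultdict(deque)

    def allow(self, principal, ts):
        q = self.hits[principal]
        while q and ts - q[0] >= self.window:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def rate_limit_violations(events, limit=10, window_seconds=60):
    """Replay the log through the limiter; return {partner: denied_requests}."""
    limiter = SlidingWindowLimiter(limit, window_seconds)
    denied = defaultdict(int)
    for e in events:
        if not limiter.allow(e["partner"], e["ts"]):
            denied[e["partner"]] += 1
    return dict(denied)


def enumeration_runs(events, min_run=5):
    """Per partner, the longest run of lookups whose tags increase by exactly
    one in base-36 order. Returns {partner: longest_run} for runs >= min_run."""
    last, run, best = {}, defaultdict(int), defaultdict(int)
    for e in events:
        p, n = e["partner"], int(e["tag"], 36)
        run[p] = run[p] + 1 if last.get(p) == n - 1 else 1
        best[p] = max(best[p], run[p])
        last[p] = n
    return {p: r for p, r in best.items() if r >= min_run}


if __name__ == "__main__":
    events = parse(build_sample_log())
    print("throttled:", rate_limit_violations(events))
    print("sequential walks:", enumeration_runs(events))
```

The limiter is the fix at the edge; the run detector is the control that still works when the actor paces requests under the limit, which is why both belong in the design rather than either one alone. The third gap, partner onboarding without verification, is a process decision and has no code equivalent here.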
Patch Tuesday — CVE-2024-30051 (DWM) exploited as zero-day
14 May. Microsoft publishes 59 CVEs in its Patch Tuesday. Two are zero-days:
- CVE-2024-30051: heap-based buffer overflow in the Windows DWM Core Library (Desktop Window Manager). Elevation of privilege to SYSTEM. CVSS 7.8. Credited to Kaspersky, DBAPPSecurity WeBin Lab, Google TAG and Google Mandiant; the concurrence of discoverers suggests wide use. Kaspersky publishes on Securelist that the vulnerability is being chained by QakBot and other malware families to escalate to SYSTEM after the initial infection. Kaspersky found it described in a file uploaded to VirusTotal during the CVE-2023-36033 investigation, which let them pivot to the new bug.
- CVE-2024-30040: bypass of MotW (Mark-of-the-Web) mitigations in Microsoft 365 OLE. Also exploited in the wild.
CISA adds CVE-2024-30051 to KEV the same day, 14 May, with a remediation deadline of 4 June.
Sources:
- https://nvd.nist.gov/vuln/detail/CVE-2024-30051
- https://securelist.com/cve-2024-30051/112618/
- https://www.helpnetsecurity.com/2024/05/14/patch-tuesday-cve-2024-30051-cve-2024-30040/
Veeam Backup Enterprise Manager — CVE-2024-29849 auth bypass

21 May. Veeam publishes KB4581 with four CVEs in Veeam Backup Enterprise Manager (VBEM), the web add-on for managing Veeam Backup & Replication. The most severe:
- CVE-2024-29849 — Authentication bypass in VBEM. CVSS 9.8. An unauthenticated attacker can log in as any user by exploiting a misconfigured authentication framework: the attacker’s rogue SSO server responds affirmatively to validation requests and VBEM accepts the login as admin.
Sina Kheirkhah (summoning.team) publishes a technical writeup and PoC the next day. Veeam fixes it in VBEM 12.1.2.172. Interim mitigation: restrict access to the web interface to known IPs, enforce MFA, monitor logs.
There’s no public evidence of in-the-wild exploitation in May, but VBEM falls in the same category as MFT tools and edge appliances: backup software exposed to the network, with full permissions over the backup infrastructure, managed by teams that rarely patch fast.
Source: https://www.veeam.com/kb4581
OpenAI — GPT-4o, and the “Sky” voice
13 May. OpenAI does its Spring Update. It launches GPT-4o (Omni): a native multimodal model (text, audio, image), built to understand voice in real time without going through an ASR → text → TTS pipeline. Free tier in ChatGPT. The voice demo by Mira Murati and the team is the centrepiece — natural dialogue with interruptions, sub-second latency, modulable tone.
20 May. Sam Altman posts on X the message “her”, a direct reference to the 2013 Spike Jonze movie in which Scarlett Johansson voices the virtual assistant. The same day, Johansson publishes a statement through NPR: nine months earlier Altman had asked her to licence her voice for the assistant, and she declined. Two days before the Spring Update, Altman contacts her again. Johansson doesn’t reply in time; OpenAI launches “Sky” with a timbre that “her closest friends and the media couldn’t distinguish from her own”.
21 May. OpenAI publishes a blog post, “How the voices for ChatGPT were chosen”, arguing that Sky belongs to another professional actress, cast before the first contact with Johansson. They pause Sky anyway.
What’s relevant for 2024 from a security/AI angle isn’t the legal mess, but the first high-profile public case where a convincing voice model turns voice identity into an asset without a clear regulatory framework. The question “can a TTS be trained on your voice if you said no?” will appear in the final EU AI Act negotiations (OJEU publication on 12 July) and in US deepfake regulation through the second half of the year.
Sources:
- https://openai.com/index/hello-gpt-4o/
- https://www.npr.org/2024/05/20/1252495087/openai-pulls-ai-voice-that-was-compared-to-scarlett-johansson-in-the-movie-her
- https://openai.com/index/how-the-voices-for-chatgpt-were-chosen/
Christie’s — RansomHub paralyses the spring auction

9 May. Christie’s, the world’s largest auction house, pulls its public site days before its spring auction in New York. It handles bids (~$840M in lots) through an alternative site and over the phone. The company talks about a technology security issue without giving detail.
27 May. RansomHub publishes its claim on the leak site: 2 GB of data exfiltrated, including sensitive data on 500,000 private clients (passports, dates of birth, full names). Four-day deadline before the leak. Christie’s confirms in a statement on 30 May that an unauthorised actor accessed personal data of a portion of its clients.
RansomHub is the same group behind the February Change Healthcare incident. The playbook repeats: extortion without encryption in Christie’s case, pressure via threat of GDPR fines.
Source: https://therecord.media/christies-cyberattack-ransomhub-claims
Ollama “Probllama” CVE-2024-37032 — RCE in the most popular local inference server

5 May — Wiz Research reports to Ollama. 7 May — fix in Ollama 0.1.34. 30 May — public disclosure of Probllama. CVE-2024-37032, CVSS 9.8, path traversal in the /api/pull endpoint that downloads models from a registry. The digest parameter controls the path where Ollama writes the downloaded file; without validation, an attacker with API access can make Ollama write over any file on the system. If the target is a binary or config file Ollama reads on startup, that is persistent RCE on the next restart.
Wiz counts more than 1,000 Ollama instances exposed to the internet without auth at the moment of disclosure. Ollama is the go-to for running local LLMs on laptops and development servers; many deployments spin up ollama serve with no firewall, assuming it stays on localhost. The reality on Shodan says otherwise.
It’s the first critical CVE on an LLM inference server to capture a headline, and it marks the category: model-serving servers are HTTP servers built by software with little prior exposure to security review, and they bring with them all the classic patterns (path traversal, deserialisation, info leak) without the mitigations an nginx or a Tomcat has long since normalised. It sets the stage for the NVIDIA Triton CVE-2025-23319 chain in August 2025 and vLLM CVE-2026-22778 in February 2026.
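The defect class is generic: a client-controlled identifier is joined into a filesystem path without an allow-list, and the identifier that should also authenticate the content is never checked against it. The Python below is an added illustration, not Ollama’s Go code: it puts the unvalidated ‘before’ beside a hardened ‘after’ that allow-lists the digest syntax, confines the resolved path to the blob store, verifies the downloaded bytes against the digest, and writes atomically. The `blobs/` layout, the `sha256:<64 hex>` digest form and the function names are assumptions for this example.

```python
"""Vulnerable-versus-hardened blob path resolution for a registry pull, the
defect class behind Probllama. Added Python illustration, not Ollama's code.
Assumed layout: <models_dir>/blobs/<digest with ':' -> '-'>."""
import hashlib
import os
import re
import tempfile

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def blob_path_unsafe(models_dir, digest):
    """'Before': the client-supplied digest is joined straight into the path,
    so '../' sequences in it walk out of the blob store."""
    return os.path.join(models_dir, "blobs", digest.replace(":", "-"))


def blob_path_safe(models_dir, digest):
    """'After': allow-list the digest syntax first (no separators can survive
    the regex), then prove the resolved path stays under blobs/ as defence in
    depth. Raises ValueError on either failure."""
    if not DIGEST_RE.match(digest):
        raise ValueError(f"malformed digest: {digest!r}")
    blobs = os.path.realpath(os.path.join(models_dir, "blobs"))
    target = os.path.realpath(os.path.join(blobs, digest.replace(":", "-")))
    if os.path.commonpath([blobs, target]) != blobs:
        raise ValueError("digest resolves outside the blob store")
    return target


def resolves_inside(models_dir, digest):
    """Boolean wrapper around blob_path_safe for quick checks and tests."""
    try:
        blob_path_safe(models_dir, digest)
        return True
    except ValueError:
        return False


def store_blob(models_dir, digest, data):
    """Validate syntax, confine the path, verify the content hash against the
    digest (a digest is an integrity claim, not just a file name), then write
    atomically via temp file + rename. Returns the final path."""
    target = blob_path_safe(models_dir, digest)
    actual = "sha256:" + hashlib.sha256(data).hexdigest()
    if actual != digest:
        raise ValueError("content does not match digest")
    os.makedirs(os.path.dirname(target), exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(target))
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.replace(tmp, target)
    return target


def run_demo():
    """Exercise the three outcomes in a throwaway directory; returns a dict
    of booleans so the result can be checked without inspecting output."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        data = b"constructed model blob"
        good = "sha256:" + hashlib.sha256(data).hexdigest()
        path = store_blob(d, good, data)
        results["stored"] = (os.path.isfile(path)
                             and path.startswith(os.path.realpath(d)))
        try:
            store_blob(d, "../../../outside.txt", data)
            results["traversal_rejected"] = False
        except ValueError:
            results["traversal_rejected"] = True
        try:
            store_blob(d, "sha256:" + "0" * 64, data)
            results["bad_hash_rejected"] = False
        except ValueError:
            results["bad_hash_rejected"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

The regex alone closes the traversal; the `commonpath` check costs nothing and protects against a future change that loosens the allow-list. The hash check is the part most ports of this fix forget: it turns the digest from a name into a commitment, so a registry that lies about its content cannot plant a file either.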
Sources:
- https://www.wiz.io/blog/probllama-ollama-vulnerability-cve-2024-37032
- https://thehackernews.com/2024/06/critical-rce-vulnerability-discovered.html
Rest of the month
- Apple OpenELM (arxiv paper 2404.14619, last revision 2 May). Family of open source models (270M, 450M, 1.1B, 3B) with layer-wise scaling. Weights, recipes and training logs published. Prelude to Apple Intelligence that will be announced at WWDC on 10 June.
- BreachForums seizure → resurgence. The FBI and DOJ take the clearnet domain in mid-May. ShinyHunters announces via Telegram that they’re back in control of the domain before the month ends. The timing of the Ticketmaster dump on BreachForums on the 28th is the coming-out of the reactivated forum.
- Black Basta + UnitedHealth. The trickle of notifications about the February attack continues. CISA, FBI and HHS publish a joint advisory on 10 May about Black Basta TTPs.
- MITRE ATT&CK v15. Published in late April, gains adoption during May in downstream tools.
- NSA / CISA — Deploying AI Systems Securely (published 15 April, still this month’s reading). Joint guidance for organisations deploying third-party AI models. Useful as a defensive checklist ahead of the EU AI Act.
Pattern of the month
Three different incidents, one common assumption: sensitive data lives comfortably at a single point, with no one thinking about what happens when that point falls.
- Recall — the user’s entire visual history in a flat SQLite.
- Snowflake / Ticketmaster — tenants with end-customer data behind a single credential without MFA.
- Dell — 49M tuples behind an endpoint with no rate limit and no partner verification.
The common operational lesson isn’t “encrypt” or “add MFA” in isolation, but explicit threat modelling, during product design, of an actor holding a compromised credential, process or user API key. The three cases implicitly assume the initial trust factor (Windows session, SaaS account, partner registration) doesn’t fail. When it fails, and it fails every month in 2024, the data goes out in full.
June brings Mandiant’s report on UNC5537 that will explain the Snowflake pattern in detail, and a couple more Recall-style rollbacks.
- boletin
- vendor:microsoft
- recall
- snowflake
- ticketmaster
- santander
- dell
- cve-2024-30051
- cve-2024-29849
- vendor:openai
- ransomhub