Bulletin — July 2024

July fits in six dates. On the 1st Qualys publishes regreSSHion and Twilio acknowledges the 33M Authy phones. On the 10th ServiceNow adds three already-exploited CVEs to NVD. On the 12th the AI Act is published in the OJEU and AT&T notifies 110M records linked to Snowflake. On the 18th Disney shows up dumped on BreachForums by NullBulge. On the 19th, 04:09 UTC, CrowdStrike publishes Channel File 291 and 8.5M Windows machines go into a reboot loop. On the 29th Microsoft confirms that CVE-2024-37085 in ESXi has been the favourite post-compromise tool of several ransomware groups for weeks.

CrowdStrike Falcon — Channel File 291

19 July, 04:09 UTC. A Rapid Response Content update for the Falcon sensor pushes a configuration file with a Template Instance that doesn’t match the Template Type the production sensor knows how to interpret. The kernel-mode driver CSAgent.sys performs an out-of-bounds read, Windows BSODs with PAGE_FAULT_IN_NONPAGED_AREA. 8.5 million machines affected per Microsoft’s estimate. Delta cancels more than 7,000 flights in five days.

The bug is textbook: parser iterating over the field_count declared by the Type (21) on a buffer with 20 entries. CrowdStrike’s internal Content Validator didn’t catch the mismatch because it validated the file against a matrix that did provide the 21 entries. The most relevant piece isn’t the bug itself: it’s the Rapid Response Content deployment model without staged rollout and without customer approval, in kernel-mode, to the entire estate at once.

We’ve published the technical analysis with the parser pattern reproduced in C, what the 6 August Root Cause Analysis says and why Microsoft summons EDR vendors in September with the Windows Resiliency Initiative.

Source: https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/

regreSSHion — CVE-2024-6387 in OpenSSH

1 July. Qualys publishes a race condition in the SIGALRM signal handler of sshd affecting OpenSSH 8.5p1–9.7p1 on glibc. Pre-auth RCE as root in theory; in practice requires ~10,000 connections, 6–8 hour race window, glibc, i386 easier than amd64. NVD assigns CVSS 8.1 with attack complexity high, which in CVSS says a lot.

The more interesting detail isn’t the exploit, it’s the regression: the bug is CVE-2006-5051 (2006), patched then with _exit(14) inside the handler, reintroduced in October 2020 by commit 752250c that restructured the logging code and removed the #ifdef DO_LOG_SAFE_IN_SIGHAND guard. Four years between the regression and the report.

OpenSSH 9.8p1 ships on 6 July with the fix. Bridge mitigation: LoginGraceTime 0 disables the vulnerable handler. We’ve published the technical analysis with reproducible Docker lab and the full timeline.

Source: https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt

EU AI Act — published in the OJEU on 12 July

12 July. Regulation (EU) 2024/1689 is published in the Official Journal of the European Union. It enters into force on 1 August 2024 (20 days after publication). The staged applicability calendar is set by the final text:

• 2 February 2025: Article 5 prohibitions (unacceptable systems: social scoring, pure predictive policing, emotion recognition at work and in education, etc.) and general AI literacy obligations.
• 2 August 2025: GPAI (general-purpose model) obligations, appointment of national authorities, sanctions.
• 2 August 2026: most of it. Annex III high-risk systems, transparency for limited-risk systems.
• 2 August 2027: high-risk systems embedded in products covered by pre-existing sectoral legislation (toys, medical devices, vehicles, etc.).

It’s the confirmation of what the 9 December political agreement had anticipated. For a team putting AI in product in the EU, the countdown to February 2025 is already running. The August technical post goes into this detail.

Source: https://eur-lex.europa.eu/eli/reg/2024/1689/oj

AT&T — 110M records linked to Snowflake

12 July. AT&T notifies via 8-K that an attacker exfiltrated call and SMS records of practically all its wireless customers over a 6-month window in 2022 (May to October), plus a small set extended to January 2023. Approximately 109–110 million customers affected. The intrusion happened in April: the DOJ authorised delayed public notification on national security grounds.

The vector is the same UNC5537 cluster Snowflake instance covered in the June bulletin: corporate credentials obtained via infostealer, direct login to a Snowflake account without MFA, exfil via COPY INTO to attacker-owned S3. What was exfiltrated isn’t call content, it’s the metadata: which number called which, duration, and for part of the set cell tower identifiers that allow approximate location. Approximation, not precise GPS — but enough to reconstruct movement patterns.

In November the DOJ identifies and charges the suspects (Connor Moucka and others). The operational echo of the incident: SaaS without MFA by default is now intolerable.

Source: https://krebsonsecurity.com/2024/07/hackers-steal-phone-sms-records-for-nearly-all-att-customers/

Twilio Authy — 33M phones via unauthenticated endpoint

1 July. Twilio confirms that an attacker (ShinyHunters, identified by his BreachForums announcement on 26 June) obtained 33,420,546 phone numbers from the Authy app by abusing an unauthenticated API endpoint. The endpoint, meant for the customer app to verify whether a number was registered, returned 200 OK with the account_id and metadata when the number existed. The attacker feeds a massive list of numbers and keeps the ones that return a match.

The leak doesn’t include passwords, TOTP seeds or session tokens. What’s leaked is the mapping “number → Authy account exists”. For targeted SIM swap and SMS phishing it’s perfect: the attacker already knows that phone uses Authy, so they know which mailbox to drain after the swap.

Twilio closes the endpoint on 1 July and forces a mobile app upgrade to revoke the historical device token. The structural pattern (unauthenticated “does this exist?” endpoints) appears twice more during the year: already happened with Trello in January, will come back with other SaaS.

Source: https://www.bleepingcomputer.com/news/security/hackers-abused-api-to-verify-millions-of-authy-mfa-phone-numbers/

VMware ESXi — CVE-2024-37085 abused by ransomware

29 July. Microsoft publishes analysis confirming that CVE-2024-37085, an authentication bypass in ESXi’s Active Directory integration, has been abused for weeks as a post-compromise tool by Storm-0506, Storm-1175, Octo Tempest and Manatee Tempest. The pattern: the attacker already has Domain Admin on the customer’s AD, creates a group called “ESX Admins” in the domain, adds his account, and through ESXi logic that assumes any AD group with that exact name has administrative privileges on the hypervisor, gets full access to ESXi hosts joined to the domain.

Broadcom patches the bug on 25 June (release ESXi 8.0 U3). The behaviour wasn’t documented in VMware’s Active Directory guide; it’s discovered because Microsoft repeatedly sees the same technique in Akira and Black Basta investigations. The fix: the logic is removed and privilege assignment now requires explicit Active Directory Authentication Proxy configuration.

The structural piece: enterprise virtualisation with AD integration keeps being a shortcut for ransomware lateral escalation. ESXi is the prize because encrypting the hypervisor gets you every VM in one pass — the same logic as ESXiArgs in 2023.

Source: https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/

ServiceNow — CVE-2024-4879 + CVE-2024-5217 + CVE-2024-5178

10 July. ServiceNow adds three CVEs to NVD that together allow pre-auth RCE against Now Platform (Vancouver and Washington DC releases):

• CVE-2024-4879 (CVSS 9.8): Jelly template injection in UI macros.
• CVE-2024-5217 (CVSS 9.8): insufficient input validation in GlideExpression Script (bypass of the 4879 mitigation).
• CVE-2024-5178: filesystem filter bypass.

Chaining 4879+5217 already gives RCE; 5178 adds filesystem read. On 24 July Resecurity publishes a report describing a global reconnaissance campaign that scans external Now Platforms and dumps user lists + metadata. ServiceNow publishes hotfixes on 10 July itself; an official patch was already in June builds for customers with early access.

The critical surface: customer-managed instances exposed to the internet without a vendor-driven patching policy. ServiceNow Cloud SaaS got the patch automatically; on-prem is customer responsibility.

Source: https://www.resecurity.com/blog/article/cve-2024-4879-and-cve-2024-5217-servicenow-rce-exploitation-in-a-global-reconnaissance-campaign

Disney — 1.1 TiB Slack export by NullBulge

12 July. NullBulge posts in his channels that he has 1.1 TiB from an export of Disney’s internal Slack workspace: message history of 9,985 channels (public and private) from 2013 to 3 July 2024, plus shared files. The entry vector that emerges after the investigation: an employee downloaded a trojanised “AI tool” on their personal device, the infostealer leaked the corporate Slack session cookie, the attacker used the session to launch the full export (Slack allows exports to authorised workspace owners — there were no alerts on mass export).

NullBulge bills himself as “hacktivists for artists’ rights” in his statement. The relevant detail for the analysis: Disney decides to abandon Slack for internal comms after the incident (confirmed in filing and internal notes). It’s the first time a Slack incident has that visible consequence on a customer the size of Disney; puts Slack, and the cloud workspace model with long-lived cookie-based authentication, in an uncomfortable conversation for the rest of the year.

Source: https://www.bleepingcomputer.com/news/security/disney-ditching-slack-after-massive-july-data-breach/

LiteLLM CVE-2024-6587 — the api_base that leaks your OpenAI key

12 July. GitHub Security Advisory publishes CVE-2024-6587 — SSRF in LiteLLM version 1.38.10. The bug: the api_base parameter the client can specify in POST /chat/completions is used without validation as the destination of the request to which LiteLLM forwards the call with the proxy owner’s API key attached. Attacker sets api_base to his server, receives the full request with the Authorization: Bearer sk-... header, and walks away with the OpenAI / Anthropic / Azure key the proxy was protecting.

LiteLLM is popular as an enterprise AI gateway: company sets up a local proxy, puts the provider API keys there, devs call the proxy with their own internal credentials, the proxy does fan-out. The provider key is on the proxy, not on the dev — that’s the reason the product exists. CVE-2024-6587 breaks that guarantee in two lines.

It’s the sixth LiteLLM CVE in 2024 (CVE-2024-2952 SSTI Jinja in /completions, CVE-2024-5225 SQLi in /global/spend/logs, CVE-2024-5710 access in team management, CVE-2024-5751 RCE in /config/update, CVE-2024-9606 partial key masking, and this SSRF). Fix in 1.44.8. The year’s reading for AI gateways: a proxy mediating external provider credentials inherits the full surface of a traditional API gateway plus the prompt bus — and in LiteLLM the compliance is uneven. Sets the pace for the TeamPCP supply chain compromise in March 2026.

Source: https://nvd.nist.gov/vuln/detail/CVE-2024-6587 · https://github.com/advisories/GHSA-g26j-5385-hhw3

Rest of the month

• Mistral NeMo (18 Jul): Mistral AI and NVIDIA release a 12B parameter open-weights model with 128k token context and Apache 2.0 licence. Trained with quantization-awareness for FP8 without significant loss. It’s the opening of the AI summer of 2024.
• Patch Tuesday (9 Jul): Microsoft patches 142 vulnerabilities, two of them actively exploited zero-days. CVE-2024-38080 (Hyper-V EoP to SYSTEM) and CVE-2024-38112 (Windows MSHTML spoofing, abused by Void Banshee with .url files pointing to disguised HTA).
• Microsoft 365 Outage (18 Jul): the day before CrowdStrike, Microsoft has an Azure Front Door outage affecting parts of Microsoft 365 and Xbox Live. Temporal coincidence complicates public attribution: for 24 hours many people believe the two events are related. They aren’t.
• Cisco Firewalls: CVE-2024-20399, command injection in Cisco NX-OS, exploitable by Velvet Ant (China-nexus, Sygnia) since 2023. Patch ships and Sygnia publishes IoCs.
• OpenAI GPT-4o mini (18 Jul): release of OpenAI’s cost-efficient model. Same day as Mistral NeMo. Coincidence.

Cross-cutting pattern

If July has a thread, it’s the blast radius of automatic deployment. CrowdStrike pushes a configuration file to 8.5M Windows machines in kernel-mode without staged rollout. Snowflake allows login without MFA and an infostealer on a dev laptop drags 110M AT&T records. ESXi grants hypervisor admin to an AD group with an exact name, without the configuration being explicit. The AI Act is published the same day AT&T notifies the breach and the contrast is hard not to read: regulation lands at legislative speed, the incident lands at cloud deployment speed.

The operational question for August and September, in any organisation with a fleet of anything, is the same: what decision is left in the hands of an automated system without a human in the middle able to say “stop”? And, above all: who is responsible when that decision breaks the business? Cyber insurance policies are learning to distinguish security incident from vendor outage; enterprise contracts are learning to include mandatory staged rollout clauses. We’ll see what of that survives Q4.

See you in August with the AI Act technical post and, if things go to plan, the extra of PKfail.