news · 9 min read

Bulletin — November 2024

Anthropic publishes MCP on 25 November. Palo Alto adds CVE-2024-0012 + CVE-2024-9474 to the KEV catalogue, zero-day exploitation documented by watchTowr. T-Mobile shows up on the official Salt Typhoon list. Hot Topic sees 56 million accounts leaked. HellCat reoffends against Schneider Electric. Connor Moucka consents to extradition.

· Manuel López Pérez · news

November closes with two big things that ask to be in the same bulletin. The first is MCP: on the 25th, Anthropic publishes an open spec that standardises the model ↔ external tools connection, with SDKs and a first reference client. The second is Palo Alto PAN-OS: two CVEs (auth bypass + privilege escalation) exploited as zero-day from the beginning of the month, with watchTowr publishing technical analysis on the 19th. Below that, Salt Typhoon becomes an official name when T-Mobile enters the list, Hot Topic adds 56 million accounts to the dataset Have I Been Pwned receives, HellCat lands on the map with a hit on Schneider Electric in a demand-payment-in-baguettes format, and Connor Moucka consents to extradition to the US in the Snowflake case.

Model Context Protocol — Anthropic publishes on 25 November

25 November. Anthropic publishes Model Context Protocol (MCP): an open spec based on JSON-RPC 2.0, SDKs in Python and TypeScript, reference servers for Google Drive, Slack, GitHub, Git, Postgres and Puppeteer, and Claude Desktop as the first compatible client. The architecture has three primitives the server offers (tools, resources, prompts) and one inverse primitive the client offers the server (sampling).

The most relevant piece of the spec for security is in the Trust & Safety section: “MCP itself cannot enforce these security principles at the protocol level”. The protocol leaves human consent, authorisation, resource scoping and tool description validation in the host’s hands. It’s the confused deputy pattern we documented in September 2023 with ChatGPT plugins, now with a common protocol and open catalogue.
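
One way a host can take on the consent and tool-description validation the spec leaves to it, as an added example (not code from the MCP SDKs or from the dedicated post): each tool the user approves is pinned to a hash of its name, description and input schema, and a tools/call is refused when the tool was never approved or its listing changed afterwards. ToolGate, fingerprint, call and demo are hypothetical names, and the tool entries are constructed.

```python
import hashlib
import json

def fingerprint(tool):
    """Hash what the model is shown, so any change to it invalidates the approval."""
    shown = {k: tool.get(k) for k in ("name", "description", "inputSchema")}
    return hashlib.sha256(json.dumps(shown, sort_keys=True).encode()).hexdigest()

class ToolGate:
    """Hypothetical host-side policy object; not part of any MCP SDK."""

    def __init__(self):
        self.approved = {}  # tool name -> fingerprint recorded when the user consented

    def approve(self, tool):
        self.approved[tool["name"]] = fingerprint(tool)

    def check_call(self, request, listed_tools):
        """Decide on a JSON-RPC tools/call request against the server's current tools/list."""
        if request.get("method") != "tools/call":
            return "deny: not a tools/call request"
        name = request.get("params", {}).get("name")
        current = {t["name"]: t for t in listed_tools}
        if name not in self.approved:
            return "deny: user never approved this tool"
        if name not in current:
            return "deny: tool no longer listed by server"
        if fingerprint(current[name]) != self.approved[name]:
            return "deny: description or schema changed since approval"
        return "allow"

# Constructed tools/list entries; the tool names are the ones the post mentions.
FETCH = {"name": "fetch_url", "description": "Fetch a web page.",
         "inputSchema": {"type": "object", "properties": {"url": {"type": "string"}}}}
SEND = {"name": "send_email", "description": "Send an email.",
        "inputSchema": {"type": "object", "properties": {"to": {"type": "string"}}}}

def call(name, arguments):
    """Build a JSON-RPC 2.0 tools/call request as the client would send it."""
    return {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
            "params": {"name": name, "arguments": arguments}}

def demo():
    gate = ToolGate()
    gate.approve(FETCH)  # the user consented to fetch_url only
    changed = dict(FETCH, description="Fetch a web page. (text edited after approval)")
    return [
        gate.check_call(call("fetch_url", {"url": "https://example.com"}), [FETCH, SEND]),
        gate.check_call(call("send_email", {"to": "a@example.com"}), [FETCH, SEND]),
        gate.check_call(call("fetch_url", {"url": "https://example.com"}), [changed, SEND]),
    ]
```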

The full analysis, with a toy MCP server and reproduction of indirect injection via a web page with fetch_url + send_email tools, lives in the dedicated post.

Source: https://www.anthropic.com/news/model-context-protocol · https://modelcontextprotocol.io/specification/2024-11-05

Palo Alto PAN-OS — CVE-2024-0012 + CVE-2024-9474

On 8 November Palo Alto starts recommending that customers restrict access to the management interface on suspicion of RCE. On 15 November it confirms malicious activity against the management interface and names it Operation Lunar Peek. On 18 November it publishes the advisory with the two CVEs, and they enter KEV the same day:

  • CVE-2024-0012 (CVSS 9.3, auth bypass). The Nginx frontend doesn’t set the internal X-PAN-AUTHCHECK header for certain routes (any PHP reachable via /.js.map). The PHP handler uiEnvSetup.php decides to skip session validation when HTTP_X_PAN_AUTHCHECK == 'off'. Requesting the URL /php/ztp_gate.php/.js.map with header X-PAN-AUTHCHECK: off reaches the backend without authentication.
  • CVE-2024-9474 (CVSS 7.2, command injection). The endpoint /php/utils/createRemoteAppwebSession.php accepts the user parameter and writes it to $_SESSION['userName']. AuditLog.php interpolates it without sanitisation into a call to pan_elog via shell. A session created with user= `cmd` runs the command as root on the first subsequent GET with the session cookie.

The chain combines the two: auth bypass to reach createRemoteAppwebSession, payload in user, session with malicious PHPSESSID, second request to /index.php/.js.map to detonate.

On 19 November watchTowr publishes the technical analysis with the full chain and a Nuclei template. Mass exploitation scales as soon as the writeup comes out: ShadowServer records 2,000+ compromised appliances by month-end. CISA sets the remediation deadline at 9 December.

The operational questions of the incident are the usual ones with edge appliances:

  • Did you have the management interface exposed to the internet? Palo Alto’s guide has been saying no for years, but the pattern repeats with every vendor.
  • Do you have detection on anomalous headers (X-PAN-AUTHCHECK: off) in your WAF/edge telemetry?
  • Are the firewall’s own logs somewhere other than the firewall itself?
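
The header question above turned into detection logic, as an added example (not from Palo Alto or watchTowr): it flags client-supplied X-PAN-AUTHCHECK headers, PHP handlers addressed through a trailing .js.map component, and hits on createRemoteAppwebSession.php, grouped by source address. The JSON-lines log format, its field names and the records are constructed assumptions; adapt the parsing to what your proxy actually emits.

```python
import json
import re
from urllib.parse import unquote

# Constructed edge-proxy records (hypothetical JSON-lines format, one request per line).
SAMPLE_LOG = """\
{"src": "192.0.2.10", "method": "GET", "path": "/php/login.php", "headers": {"User-Agent": "Mozilla/5.0"}}
{"src": "203.0.113.5", "method": "GET", "path": "/php/ztp_gate.php/.js.map", "headers": {"X-PAN-AUTHCHECK": "off"}}
{"src": "203.0.113.5", "method": "POST", "path": "/php/utils/createRemoteAppwebSession.php/.js.map", "headers": {"x-pan-authcheck": "off"}}
{"src": "203.0.113.5", "method": "GET", "path": "/index.php/.js.map", "headers": {"Cookie": "PHPSESSID=constructed"}}
{"src": "192.0.2.44", "method": "GET", "path": "/js/app.js.map", "headers": {}}
"""

# A .php path segment followed by a path that ends in .js.map (query string ignored).
PHP_THEN_JSMAP = re.compile(r"\.php/[^?]*\.js\.map(?:\?|$)", re.IGNORECASE)

def findings(record):
    """Return the names of the rules a single request record triggers."""
    hits = []
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
    path = unquote(record.get("path", ""))  # normalise percent-encoding before matching
    # Rule 1: X-PAN-AUTHCHECK is internal to the appliance; any client-supplied copy is anomalous.
    if "x-pan-authcheck" in headers:
        hits.append("client-supplied-authcheck")
    # Rule 2: a PHP handler addressed through a trailing .js.map path component.
    if PHP_THEN_JSMAP.search(path):
        hits.append("php-behind-jsmap")
    # Rule 3: the session-creation endpoint named in CVE-2024-9474.
    if "createremoteappwebsession.php" in path.lower():
        hits.append("remote-session-endpoint")
    return hits

def scan(log_text):
    """Map source address -> sorted rules triggered across all of its requests."""
    by_src = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        hits = findings(record)
        if hits:
            by_src.setdefault(record["src"], set()).update(hits)
    return {src: sorted(rules) for src, rules in by_src.items()}

if __name__ == "__main__":
    for src, rules in scan(SAMPLE_LOG).items():
        print(src, rules)
```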

Source: https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/ · https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/

Salt Typhoon — T-Mobile on the list

15 November. The Wall Street Journal reports that T-Mobile joins the list of operators affected by the Salt Typhoon campaign (a China-nexus APT), which in September had already put Verizon, AT&T and Lumen on the map. T-Mobile confirms it detected the intrusion and cut it off, and says there’s no evidence of significant impact on customer data.

What changes the weight of the incident is what happens outside T-Mobile. During November the reports point to Salt Typhoon having been at least eight months inside telco networks and to the goal not being mass exfil but access to the lawful intercept system — the infrastructure through which judicially authorised wiretaps pass. CISA, NSA and FBI issue joint guidance at month-end; the formal hardening guidance will land in December.

Operational reading already latent since September: the border between “compromise of an operator” and “compromise of the legal communications regime” disappears when the attacker goes for the operator side where lawful intercept lives. For regulators and the regulated, the conversation that opens is about what telemetry exists on who accesses that infrastructure, not just on the traffic going through it.

Source: https://www.wsj.com/tech/cybersecurity/t-mobile-hacked-in-massive-chinese-breach-of-telecom-networks-4b2d7f92

Hot Topic / Robling — 56 million accounts

Mid-November. Have I Been Pwned receives a dataset with 56.9 million accounts from Hot Topic, Torrid and Box Lunch (all brands of the same group). Data included: full name, email, phone, postal address, date of birth, purchase history and, in part of the dataset, partial payment card data. The actor with the alias Satanic posts it on BreachForums; the asking price starts at $20,000 and drops to $4,000, and the actor asks Hot Topic for $100,000 to take the listing down.

Hudson Rock attributes the origin to the previous breach of Robling, a retail analytics provider connected via API. The chain: infostealer (Lumma) infects a Robling dev’s laptop → corporate credentials leaked → access to the shared data pipeline → exfil of Hot Topic’s aggregated dataset.

Hot Topic hasn’t officially confirmed at November close. The pattern is the same we saw in June with Snowflake / UNC5537: infostealer on the laptop of a small vendor’s dev + lateral access to the big customer’s data. The line between “your security” and “your analytics vendor’s security” still doesn’t translate to contracts or audits.

Source: https://haveibeenpwned.com/Breach/HotTopic

Schneider Electric — HellCat via Jira

4 November. HellCat claims access to a Schneider Electric Jira. Publishes a sample: 40GB compressed, 400,000+ rows with project data, internal issues, plugins and a good chunk of the 75,000 unique emails of employees and customers appearing in tickets. Initial vector: corporate credentials leaked through Lumma infostealer.

The detail going around on Twitter / X is the ransom: HellCat demands $125,000 paid in baguettes. It’s marketing — Schneider Electric is French, the joke is for headlines and they’d want the real payment in Monero. But the technical case is serious: Jira with reused credentials without MFA, without network policy, accessible from a stolen session on an employee laptop.

This is the third time an actor compromises Schneider Electric in 18 months. In January 2024 it was Cactus against the Sustainability division. In June 2023, Cl0p against MOVEit. The pattern: a company with a HUGE surface (projects in hundreds of countries, thousands of contractors), SaaS data hygiene not tightened between incidents.

Source: https://www.bleepingcomputer.com/news/security/schneider-electric-confirms-dev-platform-breach-after-hacker-steals-data/

Connor Moucka — consented extradition in the Snowflake case

On 30 October the RCMP arrests Alexander “Connor” Moucka, 26, in Kitchener, Ontario; he is the alleged operator behind the Snowflake breaches (covered in the June post) under the aliases Waifu, Judische, Catist and Ellyel8. On 5 November Moucka formally consents to extradition to the US and waives the 30-day waiting period. The indictment includes 20 federal counts, among them conspiracy to commit computer fraud, unauthorised access, wire fraud and aggravated identity theft, linked to the breaches of 165 Snowflake customers between 2023 and mid-2024.

The indictment published in November also names John Binns as co-conspirator (Binns was already detained in Turkey for another case). Prosecutor estimates: extortion on 10+ organisations, $2.5 million collected in ransoms.

The case is one of the first where the infostealer → SaaS chain ends with a named arrest. The operational lesson for 2025 lies more in what hasn’t been seen yet: the dozens of anonymous aliases still operating the model, fed by the infostealer log market no antivirus vendor is seriously touching. That market is what UNC5537 exploited, and what continues.

Source: https://www.justice.gov/usao-wdwa/pr/canadian-national-arrested-snowflake-data-theft-and-extortion-scheme

Rest of the month

  • D-Link DSR routers EOL — Mirai/FICORA and Kaiten/CAPSAICIN botnets keep abusing years-old HNAP bugs (GetDeviceSettings) in D-Link devices that will never get a patch. FortiGuard documents the activity spike in October-November. D-Link reiterates that the affected models have been EOL for years and that no patch is planned.
  • DHL phishing — Campaigns spoofing waybill notifications targeting European users, with landing pages copying the real tracking portal and credential exfil via legitimate services (EmailJS). The interesting detail: the sender’s domain passes DKIM for itself, not for DHL. Basic defence: the Authentication-Results header looks at the From: and the signature chain, not the display name.
  • AWS pre-re:Invent (3-7 Dec) — Announcements leaked before the conference: Bedrock Guardrails GA, support for tool use with third-party models, IAM Roles Anywhere expanded. Reading for CISOs: shared responsibility for models on Bedrock gets refined, but inference logs are still not enabled by default.
  • Volt Typhoon — Resurfaces in a new variant against SOHO routers at month-end, with KV Botnet reactivated after the FBI takedown in January. Lumen / Black Lotus publishes details mid-November.
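
The defence from the DHL phishing item, as an added example that is not part of the original bulletin: it reads the Authentication-Results header stamped by your own MTA, checks that a passing DKIM signature lines up with the From: domain, and separately flags a display name that claims a brand the From: domain does not belong to. The authserv-id mx.example.net, the brand allow-list and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: DKIM passes for the sender's own domain while the display name says DHL.
SAMPLE = """\
Authentication-Results: mx.example.net; dkim=pass header.d=parcel-notify.example
From: "DHL Express" <tracking@parcel-notify.example>
Subject: Your waybill is ready

Constructed body.
"""

TRUSTED_AUTHSERV = "mx.example.net"   # assumption: authserv-id of your own receiving MTA
BRAND_DOMAINS = {"dhl": {"dhl.com"}}  # assumption: defender-maintained allow-list

def within(domain, parent):
    """True when domain equals parent or is a subdomain of it."""
    return domain == parent or domain.endswith("." + parent)

def assess(raw):
    """Summarise what the authenticated domain says versus what the display name claims."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    # Only trust Authentication-Results stamped by our own MTA; others can be forged.
    results = [h for h in msg.get_all("Authentication-Results", [])
               if h.split(";")[0].strip().lower() == TRUSTED_AUTHSERV]
    signed = [d.lower() for h in results
              for d in re.findall(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", h, re.I)]
    # DKIM only vouches for the d= domain; it must line up with the From: domain.
    aligned = any(within(from_domain, d) for d in signed)
    # Separately, a brand in the display name must be backed by that brand's domain.
    claimed = [b for b in BRAND_DOMAINS if b in display.lower()]
    mismatch = [b for b in claimed
                if not any(within(from_domain, d) for d in BRAND_DOMAINS[b])]
    return {"from_domain": from_domain, "dkim_domains": signed,
            "dkim_aligned": aligned, "brand_mismatch": mismatch}

if __name__ == "__main__":
    print(assess(SAMPLE))
```

On the sample, DKIM is both passing and aligned, and the message is still flagged: the signature proves who sent it, not that the sender is DHL.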

Pattern of the month

If I have to distil November in one sentence: the month MCP is published and the September 2023 pattern returns without the ecosystem realising the return. The industry starts talking about MCP servers and tool catalogues as if the problem were adoption and not trust boundary. The spec itself says it — the protocol can’t enforce security guarantees, the host sets them. But most public discussions treat that paragraph as a legal clause, not as an invitation to the next wave of bugs.

The other thing that repeats, month after month since June: the chain infostealer → credential → SaaS without MFA / without network policy → exfil. Hot Topic via Robling, Schneider Electric via Jira with Lumma credentials, the Snowflake case in judicial process. A dev’s laptop is still the real perimeter, and the response is still more about endpoint EDR than about aggressive corporate credential rotation cadence.

See you in December with Cleo MFT and the year-end close.
