
news · 12 min read

Bulletin — December 2024

Cl0p reoffends with Cleo MFT and breaks the first patch. BeyondTrust SaaS leads to Treasury (Silk Typhoon, not Volt). 12 days of OpenAI Shipmas. Gemini 2.0, Phi-4, DeepSeek-V3. DORA starts on 17 January. 2024 retrospective.

· Manuel López Pérez · news


December closes a year in which the operational attacker professionalises faster than the structural defender. Cl0p reoffends against MFT and leaves the lesson ready for 2025; BeyondTrust SaaS opens the door to Treasury with a stolen API key; the regulator starts to apply; OpenAI runs a week and a half of demos. Four specific notes and a retrospective of the year.

Cleo MFT — Cl0p’s third MFT in two years


9 December. Huntress publishes Threat Advisory: Oh No Cleo! — zero-day exploitation of CVE-2024-50623 in Cleo Harmony, VLTrader and LexiCom. Detection had been on 3 December; the initial 5.8.0.21 patch doesn’t mitigate. On the 13th CVE-2024-55956 is assigned to cover the bypass and 5.8.0.24 ships as the real mitigation. CISA adds both CVEs to KEV (13 and 17 December). Cl0p claims it on 14 December on its extortion portal; by the 24th there are 66+ obfuscated victims on the leak site. Third MFT from the group in two years: GoAnywhere (January 2023), MOVEit (June 2023), Cleo (December 2024).

We cover the bug detail in the dedicated technical post. The pattern is the only thing worth keeping from here: the managed file transfer segment is still profitable as a category because it combines exposed perimeter + parsers of untrusted input + connection to sensitive B2B flows. Without structural change — zero-trust in front of every appliance, segmentation of the upload directory — the fourth MFT with a critical bug will get the same response. Cl0p is building technical capability to find it.

Source: https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild

BeyondTrust → US Treasury — the API key as vector

30 December. The US Treasury Department reports a “major incident” to Congress following an intrusion via BeyondTrust Privileged Remote Access. Public timeline:

  • 2 December: BeyondTrust detects anomalous activity on its Remote Support SaaS platform.
  • 8 December: BeyondTrust notifies Treasury that an attacker has obtained a SaaS API key giving access to the customer’s environment.
  • 17 December: BeyondTrust publishes advisory for CVE-2024-12356 (pre-auth RCE in Privileged Remote Access and Remote Support, CVSS 9.8).
  • 19 December: CISA adds CVE-2024-12356 to KEV.
  • 30 December: Treasury makes the intrusion public.

Public attribution points to Silk Typhoon (APT27 per DoJ in March 2025) — China-nexus, not Volt Typhoon. The access let the attackers read workstations of Treasury employees with access to 3,000+ unclassified files. CISA confirms the impact was limited to Treasury and didn’t extend to other federal agencies.

What this teaches for 2025: privileged access SaaS platforms are a perfect single point of failure. A SaaS API key = access to the customer’s environment. If your organisation uses a password vault, PAM SaaS or similar tool, the threat model has to include “the SaaS is compromised” as a named case. Trusting that the vendor has a better security posture than you is reasonable; trusting that it is perfect is not.

Source: https://home.treasury.gov/news/featured-stories/treasury-department-cyber-incident-notification · CISA KEV CVE-2024-12356.

12 Days of Shipmas — OpenAI runs a week and a half of announcements

5 to 20 December. OpenAI does a daily stream with one announcement each business day. The relevant ones:

  • 5 Dec — o1 final + ChatGPT Pro. The reasoning model announced in preview in September ships in final version, alongside a Pro tier at $200/month with o1 access without throttling and Advanced Voice Mode.
  • 9 Dec — Sora. The video generation model becomes available for ChatGPT Plus and Pro users. Text-to-video and a storyboard feature.
  • 18 Dec — ChatGPT Search. The search integrated into ChatGPT, launched limited in October, rolls out to all users.
  • 20 Dec — o3 + o3-mini preview. Announcement (not release) of the next generation of reasoning models. The ARC-AGI benchmark with o3-tuned reaches 87.5% in the high-compute setting — the first model to clear the average-human threshold on that benchmark.

The interesting part for security: with o1 final and o3 announced, reasoning models move from “research frontier” to “product category the customer can buy”. That means the questions we covered in the September o1 technical post — what’s logged from the CoT, how to inspect the reasoning, how to attack these models via deliberation hijacking — are the operational questions a CISO will have to answer through 2025 if their organisation deploys o1 in production.

Source: https://openai.com/12-days/

Gemini 2.0 + Phi-4 + DeepSeek-V3 — the year’s last push

11 December. Google announces Gemini 2.0 Flash Experimental. Multimodal Live API for real-time audio/video, native image generation, native integration with Google Search. The framing of the announcement is “agentic era”: models taking autonomous multi-step actions. Initial availability is experimental — the full rollout is planned for Q1 2025.

12 December. Microsoft announces Phi-4, its 14B parameter small language model trained with an emphasis on mathematical reasoning. The technical paper is published the same day. Available first on Azure AI Foundry; on 8 January (2025) Microsoft releases it on Hugging Face under MIT licence — fully open source.

26 December. DeepSeek-V3 ships as open weights. 671B total parameter MoE (37B activated per token), trained on 14.8T tokens with only 2.788M H800 hours. Benchmarks comparable to Claude 3.5 Sonnet and GPT-4. It’s the prelude to the jump coming in January 2025 with DeepSeek-R1.

The three releases together outline a scenario: open or near-open models with capability close to the commercial frontier, trained at an order of magnitude lower cost. For AI security, the operational effect is that adversarial researchers have direct access to weights and CoT. Any attack technique requiring gradients no longer needs a complicit provider — just pull DeepSeek-V3 and work against it. For defence, the symmetric point holds: any detection technique requiring white-box access can now be tested at reasonable cost on representative models.

Sources: https://blog.google/technology/google-deepmind/google-gemini-ai-update-december-2024/ · https://techcommunity.microsoft.com/blog/azure-ai-foundry-blog/introducing-phi-4-microsofts-newest-small-language-model-specializing-in-comple/4357090 · https://github.com/deepseek-ai/DeepSeek-V3

DORA — application on 17 January 2025

Operational reminder. The DORA Regulation (EU) 2022/2554 enters application on 17 January 2025. It applies to EU financial entities (banks, insurers, funds, asset managers, payment platforms, regulated crypto providers) and to their critical ICT third-party service providers.

What needs to be closed by 17 January:

  1. ICT risk management framework documented and approved by management.
  2. Register of critical ICT providers with criticality classification.
  3. Digital resilience testing plan (including TLPT — Threat-Led Penetration Testing — for large entities).
  4. Incident reporting procedure to the competent authority with the deadlines in Annex III.
  5. DORA-compliant contractual clauses with critical ICT providers.

DORA and NIS2 partially overlap on the same subject when a financial entity is also an essential services operator under NIS2. The administrative reading is that DORA is lex specialis for finance; NIS2 applies to the rest. In Spain, NIS2 remains untransposed in December — AESIA and AEPD are working on a pending bill.

Source: https://eur-lex.europa.eu/eli/reg/2022/2554/oj

JFrog — 22 bugs in ML frameworks, the missing inventory


December 2024. JFrog Security Research publishes a body of 22 vulnerabilities in widely deployed open-source ML frameworks: MLflow, H2O, PyTorch, MLeap. Categories: deserialisation in proprietary file formats (MLeap), unsafe pickle in model loaders (PyTorch), XSS in MLflow recipe UI, LFI in MLflow tracking server, path traversal in H2O export, several chainable RCEs.

The two categories that matter operationally:

  • Model file deserialisation — MLeap’s proprietary formats, MLflow recipes and PyTorch .pt execute native code on load. Any MLOps pipeline pulling from a public model registry (Hugging Face, MLflow Marketplace, shared MLeap files) is passing executable code through zero human validation.
  • Tracking server attack surface — MLflow tracking servers, which the ML team sets up internally to log experiments, tend to be exposed on the internal network without auth (defaults make it easy). LFI + XSS + remote artifact serving turns them into internal pivots.
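
The first category can be checked before anything is loaded. As an added example (not from the JFrog report or from any of the projects named), the Python below walks a pickle stream's opcodes with the standard-library pickletools module, lists every import the stream would perform, and fails closed on anything outside an allowlist. ALLOWED_GLOBALS, the helper names and the sample pickles are assumptions constructed for illustration.

```python
import collections
import io
import pickle
import pickletools

# Assumption: the only import a plain state-dict style pickle needs here.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}
STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
NEUTRAL_OPS = {"PROTO", "FRAME"}  # opcodes that leave the stack untouched
UNRESOLVED = ("<unresolved>", "<unresolved>")


def imported_globals(data: bytes):
    """List (module, name) pairs a pickle stream would import, without loading it."""
    found, recent, memo = [], [], {}
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        top = recent[-1] if recent else None
        if op.name in ("GLOBAL", "INST"):      # protocols 0-3: arg is "module name"
            found.append(tuple(arg.split(" ", 1)))
            recent = []
        elif op.name == "STACK_GLOBAL":        # protocol 4+: two strings on the stack
            found.append(tuple(recent[-2:]) if len(recent) >= 2 else UNRESOLVED)
            recent = []
        elif op.name in STRING_OPS:
            recent.append(arg)
        elif op.name == "MEMOIZE":             # remember strings that get reused later
            memo[len(memo)] = top
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = top
        elif op.name in ("GET", "BINGET", "LONG_BINGET") and isinstance(memo.get(arg), str):
            recent.append(memo[arg])
        elif op.name not in NEUTRAL_OPS:
            recent = []                        # anything else breaks the string run
    return found


def scan(data: bytes):
    """Imports outside the allowlist; an empty list means the stream is plain data."""
    return [g for g in imported_globals(data) if g not in ALLOWED_GLOBALS]


class _Constructed:
    """Constructed stand-in for an untrusted model file: loading it would call print()."""
    def __reduce__(self):
        return (print, ("constructed sample",))


# Constructed samples, serialised only; none of them is ever unpickled.
BENIGN = pickle.dumps(collections.OrderedDict(weight=[0.1, 0.2]), protocol=4)
SUSPECT_P4 = pickle.dumps(_Constructed(), protocol=4)
SUSPECT_P2 = pickle.dumps(_Constructed(), protocol=2)

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("p4", SUSPECT_P4), ("p2", SUSPECT_P2)]:
        print(label, scan(blob) or "ok")
```

Real framework checkpoints import framework-specific rebuild helpers, so the allowlist has to be extended per project; an import the scanner cannot resolve is reported as unresolved and treated as a finding rather than skipped.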

The report consolidates what the industry had been trying to size for a year: AI infra is general-purpose software with the security maturity of a research project. Any organisation with an MLOps stack in production should run this inventory through its asset list and patch selectively — most remain active by end-2025 per ShadowServer.

Source: https://thehackernews.com/2024/12/researchers-uncover-flaws-in-popular.html · https://research.jfrog.com/vulnerabilities/

Rest of the month

  • Apache Struts2 CVE-2024-53677 (11 Dec) — File upload with path traversal in 2.0.0-2.3.37, 2.5.0-2.5.33, 6.0.0-6.3.0.2. RCE under certain conditions. CVSSv4 9.5. Public PoC shortly after; active exploitation from 16 Dec. Migrate to 6.4.0 + rewrite applications to use the new file upload mechanism.
  • Krispy Kreme — cyberattack (4 Dec) — The chain interrupts online orders in the US for several days. No firm public attribution at December close.
  • CISA Salt Typhoon advisory — Reinforcement of the September notice with concrete guidance for telcos. Cisco and other vendors publish specific hardening guidance.
  • Anthropic Sora competitor — Anthropic doesn’t enter video during 2024. Keeps focus on Claude 3.5 Sonnet (new) and MCP. The agentic vs generative multimedia fight is split among vendors over the year.

Retrospective — the five cyber milestones + one compliance that best define 2024

AI security goes in its own retrospective, AI Security 2024 Retrospective. For classic cyber and compliance, the six of the year:

1. Ivanti Connect Secure — the pre-auth chain that opened January

CVE-2023-46805 + CVE-2024-21887 chained, pre-auth RCE. Volexity publishes on 10 January after detecting zero-day exploitation by UTA0178 since December. The official patch arrives on 31 January. Covered in the January technical post.

Operational echo: the pattern (exposed edge appliance + two-bug chain + mass exploitation for weeks before the patch) is the year’s signature. It repeats with Palo Alto GlobalProtect in April, with FortiManager in October, with PAN-OS again in November.

2. XZ utils CVE-2024-3094 — Jia Tan’s backdoor

Andres Freund finds on 29 March a backdoor introduced in xz-utils 5.6.0 and 5.6.1 by a maintainer with two and a half years of trust. CVSS 10.0. Covered in the April technical post.

Operational echo: the supply chain lesson doesn’t close with one case. Any open source project with a sole maintainer or with a hand-off to a new maintainer in the last 24 months deserves an audit. The industry advanced a bit during 2024 — cargo-vet, sigstore, better maintainership visibility on critical repos — but the threat model remains intact.

3. Snowflake / UNC5537 — credentials without MFA at scale

Mandiant publishes the UNC5537 report on 10 June. Pattern: corporate credentials stolen via infostealers (Vidar, RedLine, Lumma) → authentication against Snowflake accounts without MFA → exfil with COPY INTO to attacker-owned S3. ~165 organisations, including Ticketmaster (560M), Santander, Advance Auto Parts. No CVE — abuse of default configuration.

Operational echo: Snowflake changed defaults in July (MFA enforcement, network policy templates). The pattern will apply to any PaaS with optional authentication and no network policy enforcement. If your organisation operates sensitive data on any analytics SaaS, the question is when you enforce MFA and what the default network policy is, not if.

4. CrowdStrike Falcon — the 19 July kernel driver

Channel File 291 breaks the csagent.sys parser. BSOD on 8.5 million Windows machines. Airlines stop, hospitals cancel surgeries, broadcasters off-air. CrowdStrike publishes root cause analysis on 6 August.

Operational echo: not a CVE, it’s a broken deployment model. The discussion it opened — mandatory staged rollouts for EDR vendors, alternatives to kernel mode driver for sensors, what the customer’s responsibility is regarding content updates — remains open at year-end. Microsoft convened a Windows Resiliency Initiative with EDR vendors in September; conclusions expected for 2025.

5. BeyondTrust → Treasury — the API key as single point of failure

Covered above in this entry. Operational echo: PAM SaaS and similar concentrate risk. The traditional threat model assumes the PAM tool is the mitigation of the credentials problem; when the PAM SaaS is the vector, the customer is two orders of magnitude behind the attacker in response speed.

6. EU AI Act in force (compliance milestone of the year)

1 August 2024. Regulation (EU) 2024/1689 enters into force. Staged applicability: Article 5 prohibitions at 6 months (February 2025), GPAI with systemic risk at 12 months (August 2025), high-risk at 24/36 months. Spain designates AESIA as national authority. For CISO/DPO the work kicks off: inventory, classification, identification of role in the chain. The fines — up to €35M or 7% global turnover — are deterrent by design.

Operational echo: first binding AI framework in a major jurisdiction. It’s setting the roadmaps of Microsoft / OpenAI / Anthropic / Meta for the EU through 2025-26. The legal team and the technical team will have to cooperate more closely than with GDPR, because the translation legal obligation → technical control is less obvious.

Cross-cutting pattern of the year

If I have to distil 2024 in one sentence: the operational attacker professionalises faster than the structural defender. Cl0p already has an industrial playbook for MFT. UNC5537 has a playbook for SaaS without MFA. UTA0178/UNC5221 has a playbook for edge appliances. Silk Typhoon has a playbook for privileged access SaaS. The groups are specialised, disciplined, and reproduce with less variation than the defenders.

The structural defender — who has to decide whether to deploy enterprise on-prem MFT, PAM SaaS, AI agents with tools in production, reasoning models with loggable CoT — operates on annual or three-year planning horizons. The window between decision and exposure is asymmetric. The only reasonable operational response is to reduce what’s been decided: less perimeter, fewer appliances, fewer critical SaaS dependencies. That collides with every product economic vector.

The operational plan for 2025 coming out of 2024:

  1. Inventory of edge appliances by criticality level and historical patch hygiene. If you have Ivanti, Fortinet, PAN-OS, Citrix, Cisco on the perimeter and your historical time-to-patch is > 14 days, it’s a problem that’ll explode sooner rather than later.
  2. Audit of critical SaaS with focus on PAM, secret managers, password vaults. Threat model “the SaaS is compromised” as a test case, not as a hypothesis.
  3. Threat modelling, before shipping rather than after, for AI features that combine access to user data with tools that act. The Recall lesson.
  4. Compliance prep: AI inventory for EU AI Act (tier classification), ICT inventory for DORA if you operate in finance, NIS2 ↔ ENS mapping if you operate essential services.

December 2024 closes the year with two things ready for January: the live proof that Cl0p is still hunting MFT, and a regulatory calendar that’s no longer a promise. For the first post of 2025 we continue with the calendar and the open threads.
