Sarina

About Sarina Gandy

This author has not yet filled in any details.
So far Sarina Gandy has created 138 blog entries.

FirstLine Election Cybersecurity Tabletop Exercise Series

Join our FirstLine team for a dynamic Election Cybersecurity Tabletop Exercise!

This event is designed to bring together elections officials, IT teams, law enforcement, and other key personnel to walk through realistic scenarios and strengthen coordinated responses to cyber and physical security threats.

Don’t miss this chance to improve your cybersecurity posture and resilience!

Where Can I Join?

  • Panama City Beach – May 5
  • Tallahassee – May 7
  • Jacksonville – June 9
  • Gainesville – June 11
  • Orlando – Week of June 16-23

Dates are subject to change. If updates are made, notifications will be sent by email to registrants.

Is This Event for You?

This tabletop exercise series is designed for professionals who understand election processes or support them, as well as those responsible for protecting systems, data, and public trust. If you’re involved in planning, incident response, or decision-making in these areas, this is the event for you.

Election Leadership & Administration

  • Supervisors of Elections (SOEs)
  • Assistant SOEs
  • Chief Deputy SOEs
  • Deputy Directors of Voter Services

IT & Systems Personnel (with Elections Focus)

  • IT & Election Systems Supervisors
  • Elections IT
  • IT Analysts / Coordinators
  • IT Managers

Cybersecurity & Risk Management

  • Cybersecurity Manager
  • Sr. Cybersecurity Manager
  • Cybersecurity Community Operations
  • IT Security Administrators
  • Digital Forensics / Incident Response Roles

Law Enforcement & Public Safety Leadership

  • Detectives / Investigators
  • Crime Intelligence Analysts
FirstLine Election Cybersecurity Tabletop Exercise Series2025-03-27T10:22:24-04:00

Cybersecurity Fundamentals for Florida Manufacturers: FloridaMakes Webinar

This webinar will cover how to plan a simple roadmap and additional recommendations for getting started defending your company from Cybersecurity attacks.

For FloridaMakes clients working with Defense customers, provided is an overview of the Department of Defense Cybersecurity Maturity Model Certification (CMMC) program, and recommendations for getting started and achieving this critical compliance requirement.

Speakers will present the no-cost programs and services available to Florida companies, including the Critical Infrastructure Risk Assessment.

The presentation will conclude with next steps and additional resources to get you on a path toward CMMC compliance.

Finally, extra time will be allocated for a robust Q&A starting with a review of the concerns posed at the prior webinar.

Key Takeaways:        

  • Briefly review the key concepts of cybersecurity, CMMC Level 1 and Level 2, DIB, FCRA and other pertinent acronyms;
  • Resume learning the roadmap for starting a Cybersecurity practice if you don’t already have one;
  • Overview and key steps for achieving CMMC compliance for Defense suppliers;
  • No-cost resources provided by Cyber Florida, including the Critical Infrastructure Risk Assessment.
Cybersecurity Fundamentals for Florida Manufacturers: FloridaMakes Webinar2025-03-27T11:33:50-04:00

FEMA Offering “Recovering From Cybersecurity Incidents” Course in March

This 16-hour course provides guidance on building and executing a robust cybersecurity incident recovery program, covering both pre- and post-incident stages. It bridges IT and emergency management to help government, critical infrastructure, and private-sector personnel effectively respond to and recover from cyber disruptions.

Through interactive discussion and practical exercises, participants will learn best practices and tactical strategies for restoring operations following a cyber-attack. By the end of this course, you’ll be equipped to strengthen organizational resilience, manage cyber incidents more effectively, and build an action plan for continued readiness.

As part of a Department of Homeland Security/Federal Emergency Management Agency (DHS/FEMA) cooperative agreement training program, this course is available at no direct cost to state, county, and local government agencies.

Key Topics Include:

  • Understanding essential cyber terminology and the cyber incident life cycle
  • Recognizing threat levels and exploring emergency management practices
  • Examining the recovery continuum and government’s role in cybersecurity
  • Integrating cyber into the Incident Command System (ICS)
  • Leveraging federal resources and key programmatic elements that drive successful recovery
  • Learning how to plan, organize, equip, train, and exercise for cyber incidents
  • Implementing short-term and long-term recovery actions
  • Building a cyber incident recovery action plan tailored to your organization’s needs

Suggested Audience

  • Government and private sector IT staff
  • Local administrators and upper-level management personnel
  • System administration
  • Risk management personnel
  • Local government administration
  • Emergency management coordinators

Upon successful completion, you will be able to:

  • Describe fundamental concepts and resources related to cyber incident recovery.
  • Examine recovery preparedness for cybersecurity incidents.
  • Examine tactical, short-term and strategic, long-term recovery operations for cybersecurity incidents.
  • Produce a cyber incident recovery action plan based on the scenario information provided.

Enrollment Requirements

Participants must be U.S. citizens. A FEMA Student ID is required to register for and participate in any training provided by FEMA agencies. All FEMA training providers, registration systems, and enrollment procedures are required to use this FEMA SID, which can be obtained at the following website: https://cdp.dhs.gov/femasidopens in a new tab; or with TEEX assistance upon arrival for class.

FEMA Offering “Recovering From Cybersecurity Incidents” Course in March2025-03-11T14:30:28-04:00

Unlocking Potential: The Critical Role of Basic Research in Cybersecurity

This webinar will underscore the crucial role of basic research in driving cybersecurity innovation from a multidisciplinary perspective and raise awareness within the academic community about UC2’s interest in partnering to fund groundbreaking basic research in cybersecurity.

With a welcome introduction by National Defense University’s President, VADM Peter A. Garvin, USN, guest speakers from Space Force, Air Force and Minerva Research Initiative will address cyber strategy for Space Force, levels of basic research and technological applications, research requirements, future-focused discussions, and human-centered needs.

Speakers:

  • Lt Col Marouane Balmakhtar, Space Force
  • Dr. Lisa Bellamy, Senior Program Development Manager, AFCYBER/TD
  • Dr. Gregory Ruark, Program Manager, Dynamical Influences on Social Systems, Humans in Complex Systems Competency, Army Program Manager, Minerva Research Initiative DEVCOM ARL Army Research Office

Register today to join this conversation about the transformative potential of basic research in cybersecurity and discover exciting opportunities for academic partnerships with UC2.

Communication, Collaboration and Access: UC2 aims to fill this gap through its mission of increasing communication, collaboration, and access. UC2 funds basic and applied research. With a strong focus on partnerships, UC2 measures the impact of collaboration. UC2 believes that partnership will influence how research is transferred into the hands of users and also the DoD challenges are transferred back to the academic teams who can address them.

Unlocking Potential: The Critical Role of Basic Research in Cybersecurity2025-03-06T14:48:42-05:00

SparkRAT: A Multi-Platform Remote Access Tool

I. Targeted Entities

  • Industries: Any (Opportunistic)
  • Operating Systems: Windows, macOS, and Linux

II. Introduction

Written primarily in Golang, SparkRAT is a feature-rich, multi-platform Remote Administration Tool (RAT) that allows for the granular control of infected devices via web interface [11]. It was first published on GitHub in March of 2022 by elusive, Chinese-speaking developer XZB-1248. However, the project went largely unnoticed until gaining steady popularity in early 2023. Since then, the tool has been observed in numerous threat campaigns, including those carried out by cybercriminal groups Winnti and DragonSpark, as well as its involvement in the Hello Kitty and TellYouThePass ransomware attacks [6].

Like most Remote Access Toolkits, SparkRAT has been widely leveraged by threat actors for post-exploitation operations, typically being installed after the payload delivery and initial compromise. Most notably, the tool has been used in conjunction with several critical vulnerability exploits: CVE-2023-46604, CVE-2024-27198, and CVE-2024-43451 [1][3][4]. After a period of dormancy, SparkRAT resurfaced in January, with security researchers at Hunt.io detecting new C2 servers and hints of a possible DPRK campaign targeting macOS users [7].

III. SparkRAT Observed in DPRK Campaign

In a Twitter post by threat intelligence expert, Germán Fernández (@1ZRR4H) back in November 2024, a cyber espionage campaign attributed to the North Korean government was revealed, targeting macOS users and government organizations [5]. The threat actors behind this operation were reportedly distributing SparkRAT agents via fake online meeting platforms. Upon further investigation, researchers at Hunt.io and Cato Networks have recently identified additional C2 servers in South Korea and Singapore [2]. The findings suggest that this campaign is still active, although with a slight change in strategy and payload delivery method.

Interestingly, these uncovered C2 server domains were found to have open directories containing SparkRAT implants and bash scripts. Below are screenshots of an exposed directory and the content of its hosted scripts.

Screenshot of hxxps://gmcomamz[.]site/dev (Source: Hunt.io)

Curl results from hxxps://gmcomamz[.]site/dev/dev.sh

The bash script above downloads the Mach-O binary file (client.bin) from the hosting domain (updatetiker[.]site), saves it as “pull.bin” to the /Users/shared directory, changes its permissions to allow reading, writing, and execution by all system users, and runs the file as a background process. This is typical behavior of malware hosting servers.

The behavior of the test.sh script is similar, however, it points to another domain which has also been found to host SparkRAT agents (clients):

Curl results from hxxps://gmcomamz[.]site/dev/test.sh

IV. SparkRAT Analysis

SparkRAT Web Interface

Accessed through a browser, the SparkRAT Web UI provides an overview of active remote sessions along with system information of each connected machine. In addition to the basic operations listed below, the tool’s interface comes with several additional capabilities such as viewing a live instance of the victim’s screen, taking screenshots, and remote shutdown.

Client Creation

Generate Client creates an executable file that, when executed on a target machine, will create a backdoor connection with the associated C2 system. Clients can be customized to point to different hosts, connect over a specified port, and run on different operating systems (Windows, macOS/Darwin, and Linux).

Remote Terminal Window

As one would expect, the Terminal feature allows for attackers to execute commands on a target machine via a web-based PowerShell GUI. If used in combination with remote privilege escalation, attackers can carry out system-level operations like disabling the firewall, modifying registry keys, and disabling antivirus software.

Process Manager

The Process feature lists all running processes as well as the ability to stop them. This can be used to terminate security/monitoring software.

File Manager Tool

Explorer allows attackers to enumerate, create, and delete files/directories on the target system. It also allows files/directories to be downloaded to the attacker’s local machine or uploaded to the target machine.

Wireshark capture showing initial client-C2 communication

In this exchange, captured shortly after the execution of a SparkRAT agent, the target system sends a request to upgrade its connection to use the WebSocket protocol. A WebSocket handshake over port 8000 is a key characteristic of SparkRAT command-and-control (C2) traffic.

Client POST Request to update SparkRAT version

Following the WebSocket handshake, the target system sends a POST request with the commit query parameter storing the current version of the tool. This enables the RAT to automatically upgrade itself to the latest version available on the C2 server [10]. It is also worth noting the unusual User-Agent string as well as the JSON return value indicating that this client is using the latest SparkRAT version that the server can offer.

V. MITRE ATT&CK

  • T1059 – Command and Scripting Interpreter
    Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms.
  • T1571 – Non-Standard Port
    Adversaries may communicate using a protocol and port pairing that are typically not associated.
  • T1005 – Data from Local System
    Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
  • T1071.001 – Application Layer Protocol: Web Protocols (C2)
    Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Protocols such as HTTP/S and WebSocket that carry web traffic may be very common in environments.
  • T1105 – Ingress Tool Transfer (C2)
    Adversaries may transfer tools or other files from an external system into a compromised environment.
  • T1573.001 – Symmetric Cryptography (C2)
    Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.
  • T1082 – System Information Discovery
    An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
  • T1083 – File and Directory Discovery
    Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
  • T1106 – Native API
    Adversaries may interact with the native OS application programming interface (API) to execute behaviors.

VI. Indicators of Compromise (IOCs)

As is the case with most open-source malware toolkits, the list of IOCs associated with SparkRAT activity is extensive. Currently, the project’s GitHub repository has over 500 forks and 16,000 latest-release downloads, indicating that the tool is likely adapted for use in the development of custom malware (all of which would have their own IOCs). Below are the most recent and most frequently observed SparkRAT IOCs.

Type Indicator
SHA-256 Hashes fcf9b70253437c56bb00315da859ce8e40d6410ec405c1473b374359d5277209

3bfb4f5c328d57b647ba81045eae223ff292f0caa216fee97e98127b2934c6b0

cd313c9b706c2ba9f50d338305c456ad3392572efe387a83093b09d2cb6f1b56

9c4d6d66dcef74f4a6ce82369830a4df914becd7eb543bdcc5d339b7b3db254b

cd313c9b706c2ba9f50d338305c456ad3392572efe387a83093b09d2cb6f1b56

52277d43d2f5e8fa8c856e1c098a1ff260a956f0598e16c8fb1b38e3a9374d15

ffe4cfde23a1ef557f7dc56f53b3713d8faa9e47ae6562b61ffa1887e5d2d56e

065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

f015f91722c57cdb7ee61d947fb83f395d342e3d36159f7a470e23b6c03681bf

5802d266c6fd8f45323b7d86d670059f1bd98de42a173fbc2ac66399b9783713

Associated Filenames msoia.exe

client.bin

client.exe

3261cbac9f0ad69dd805bfd875eb0161.exe

one68_1_1.0.apk

IPs 67.217.62[.]106

152.32.138[.]108

15.235.130[.]160

118.194.249[.]38

51.79.218[.]159

37.230.62[.]73

Domains gsoonmann[.]site

gmnormails[.]site

gmoonsom[.]site

nasanecesoi[.]site

gmoocsoom[.]site

gmcomamz[.]site

namerowem[.]site

gmoosomnoem[.]site

mncomgom[.]site

ggnmcomas[.]site

updatetiker[.]net

updatetiker[.]site

gomncomow[.]site

gooczmmnc[.]site

gnmoommle[.]space

one68[.]top

remote[.]henh247[.]net

remote[.]henho247[.]net

VII. Recommendations

Exercise Good Cyber Hygiene – The easiest, most effective way to prevent system compromise via Remote Access Trojans like SparkRAT is to simply practice good cyber hygiene. This includes not opening unknown files, being suspicious of email attachments from untrusted sources, avoiding downloading software from unofficial websites, and regularly updating operating systems.

Isolated Virus Scans – Performing a malware detection scan (via crowdsourced tools like VirusTotal or antivirus software like Microsoft Defender’s custom scan option) on an untrusted file before executing it can be an easy way to verify its legitimacy. Fortunately, most AV solutions are privy to common SparkRAT indicators and will prevent infected files from executing. However, custom malware leveraging the tool may go undetected. If further analysis is required, it is advised to run any suspected file within a sandbox environment to examine its behavior.

Update Virus Signatures – Ensuring that endpoint solutions and antivirus software are up to date with the latest virus signatures is crucial for detecting and quarantining known variations of SparkRAT malware. Signature databases used by AV software are typically populated with new signatures when applying the latest security patches. For this reason, it is recommended to frequently update (daily) or configure automatic system/application updates.

Active Network Monitoring – A system infected with SparkRAT malware establishes a connection to its C2 server via WebSocket, a web-based application protocol that enables full-duplex communication between client and server [8]. Though sometimes used by legitimate software, such as instant messengers and multiplayer games, the use of this protocol over port 8000 (the default port for SparkRAT agents) could be a strong indicator of SparkRAT activity. To detect this traffic, network monitoring and deep packet inspection tools can be deployed to look for abnormal connections over port 8000, WebSocket handshakes by unknown applications, and JSON error messages indicative of SparkRAT C2.

Stay Informed – As SparkRAT gains traction, it is likely to be featured in future malware campaigns. Thankfully, threat hunters and intelligence agencies are vigilantly discovering and sharing IOCs linked to the tool. Engaging with threat intel networks and staying aware of new SparkRAT trends will allow for better preparation of systems and aid in detection efforts of emerging threats.

VIII. References

[1] Arctic Wolf. (November 3, 2023). Exploitation of CVE-2023-46604 in Apache ActiveMQ Leads to TellYouThePass Ransomware. https://arcticwolf.com/resources/blog/tellmethetruth-exploitation-of-cve-2023-46604-leading-to-ransomware/

[2] Bittner, D. (Jan 29, 2025). Cats and RATS are all the rage. https://thecyberwire.com/podcasts/daily-podcast/2234/transcript

[3] Broadcom (January 31, 2025). SparkRAT – a cross-platform modular malware. https://www.broadcom.com/support/security-center/protection-bulletin/sparkrat-a-cross-platform-modular-malware

[4] ClearSky (November 13, 2024). CVE-2024-43451: A New Zero-Day Vulnerability Exploited in the wild. https://www.clearskysec.com/0d-vulnerability-exploited-in-the_wild/

[5] Fernández, G. (Nov 27, 2024). SparkRAT: Server Detection, macOS Activity, and Malicious Connections. https://x.com/1ZRR4H/status/1861667506328334589/

[6] Fortinet. (February 13, 2024). Threat Coverage: How FortiEDR protects against SparkRAT activity. https://community.fortinet.com/t5/FortiEDR/Threat-Coverage-How-FortiEDR-protects-against-SparkRAT-activity/ta-p/299271

[7] Hunt.io. (Jan 28, 2025). SparkRAT: Server Detection, macOS Activity, and Malicious Connections. https://hunt.io/blog/sparkrat-server-detection-macos-activity-and-malicious-connections

[8] IETF. (Dec 2011). The WebSocket Protocol. https://datatracker.ietf.org/doc/html/rfc6455

[9] Mishra, A. (Jan 29, 2025). Hackers Attacking Windows, macOS, and Linux systems With SparkRAT. https://gbhackers.com/hackers-attacking-windows-macos-and-linux-systems/

[10] SentinelLabs. (Jan 24, 2023) DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation. https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/

[11] XZB-1248. (Mar 16, 2022). SparkRAT GitHub Repository. https://github.com/XZB-1248/Spark

Additional Resources

[12] Open Threat Exchange. “SparkRAT”. https://otx.alienvault.com/browse/global/pulses?q=SparkRAT&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=SparkRAT

[13] Malpedia. “SparkRAT”. https://malpedia.caad.fkie.fraunhofer.de/details/win.spark_rat

[14] ThreatFox. SparkRAT IOCs. https://threatfox.abuse.ch/browse/malware/win.spark_rat/

[15] Hybrid Analysis. client.bin Sandbox Report. https://www.hybrid-analysis.com/sample/cd313c9b706c2ba9f50d338305c456ad3392572efe387a83093b09d2cb6f1b56

[16] VirusTotal. client.bin Scan. https://www.virustotal.com/gui/file/cd313c9b706c2ba9f50d338305c456ad3392572efe387a83093b09d2cb6f1b56

Threat Advisory created by The Cyber Florida Security Operations Center.

Contributing Security Analyst(s): Isaac Ward

SparkRAT: A Multi-Platform Remote Access Tool2025-03-04T14:33:16-05:00

How Gorillas Teach Us About Risk Management: A Conversation with Kristin Demoranville

How Gorillas Teach Us About Risk Management: A Conversation with Kristin Demoranville2025-03-06T14:49:59-05:00

chat:CYBR Podcast Episode 9: June Teufel Dreyer

In this episode of chat:CYBR, Dr. June Teufel Dreyer discusses the evolving military strategy of China under Xi Jinping, focusing on their expanding military capabilities, particularly in cyber warfare. She highlights the implications of China’s actions in the Baltic Sea regarding fiber optic cables and the potential threats to global communications. The discussion also covers the cybersecurity landscape, emphasizing the need for the U.S. to adopt robust policies to counter China’s cyber threats. Dr. Dreyer concludes with thoughts on the importance of STEM education and the balance between

chat:CYBR Podcast Episode 9: June Teufel Dreyer2025-02-18T12:18:22-05:00

Belonging Together: February Reflection

Belonging Together: February Reflection2025-02-17T12:50:06-05:00

Critical Vulnerability in Meta Llama-Stack Threatens AI Systems

I. Targeted Entities

  • Organizations, researchers, and developers leveraging Meta’s Llama-Stack for AI model inference and deployment. 

II. Introduction

A critical security vulnerability, CVE-2024-50050, has been identified in Meta’s Llama-Stack framework, which is widely used for developing and deploying generative AI applications. This flaw allows attackers to achieve remote code execution (RCE) by exploiting unsafe deserialization of untrusted data via the pyzmq library (ZeroMQ python implementation). Specifically, the vulnerability arises from the use of the recv_pyobj method, which automatically deserializes Python objects using “pickle”, a method known for its security risks when handling untrusted inputs. 

If exploited, this vulnerability could compromise AI inference servers, leading to data breaches, resource hijacking, unauthorized model manipulation, or full system compromise. Meta has assigned the flaw a CVSS score of 6.3 (medium), while Snyk and Oligo Security have categorized it as critical, assigning it scores of 9.3 and 9.8, respectively. 

This advisory provides details on the vulnerability and remediation steps to mitigate the risk. 

III. Additional Background Information

Llama-Stack is an open-source framework developed by Meta to streamline the development, deployment, and optimization of generative AI (GenAI) applications. It is primarily designed to support Meta’s Llama family of models, offering a comprehensive set of tools and APIs for the entire AI development lifecycle, including: 

  • Model training and inference 
  • Memory management 
  • Evaluation and optimization

The framework is intended to accelerate innovation in the AI space by providing a standardized foundation for developers and enterprises working on Llama-based AI solutions. Since its introduction in July 2024, Llama-Stack has been backed by major AI ecosystem partners such as AWS, NVIDIA, Groq, Ollama, Together AI, and Dell. 

However, the discovery of CVE-2024-50050 has revealed a critical security flaw in Llama-Stack’s default inference implementation, raising concerns about the security of AI frameworks that handle sensitive model deployments.

Technical Breakdown of the Vulnerability:

Insecure Deserialization:

  • The run_inference method in llama-stack uses recv_pyobj to receive serialized Python objects over a ZeroMQ socket. 
  • recv_pyobj automatically deserializes the received data using Python’s pickle.loads method. 
  • The pickle module is inherently insecure when processing untrusted data, as it can execute arbitrary code during deserialization.

Exploitation Scenario:

If the ZeroMQ socket is exposed over the network, an attacker can send a maliciously crafted serialized object to the socket. When recv_pyobj unpickles the object using pickle.loads, the attacker’s payload is executed, leading to arbitrary code execution on the host.

Code Analysis:

The recv_pyobj method in pyzmq is defined as follows:

def recv_pyobj(self, flags: int = 0) -> Any:
msg = self.recv(flags)
return self._deserialize(msg, pickle.loads)

This method:

  • Receives pickled data from the socket.
  • Passes the data to _deserialize along with pickle.loads for deserialization.
  • Deserialize executes pickle.loads, which deserializes the data without validation.

Unsafe Design:

The use of pickle.loads in recv_pyobj is unsafe by design, as it deserializes data from unverified sources.

The maintainer of pyzmq has acknowledged that recv_pyobj should only be used with trusted sources, similar to pickle itself.

Impact

Severity: Critical

Consequences:

  • An attacker could craft a malicious serialized object using pickle and send it to the exposed ZeroMQ socket.
  • This can lead to full system compromise, data exfiltration, or further lateral movement within the network.
Vulnerability discovery, disclosure and patching

The vulnerability in llama-stack was discovered by Oligo, which leverages its advanced runtime detection capabilities to identify threats that traditional Software Composition Analysis (SCA) tools often miss. Oligo’s Application Detection and Response (ADR) platform maintains an extensive database of runtime profiles for third-party libraries, enabling it to detect unusual behavior indicative of exploitation. In the case of llama-stack, Oligo’s prebuilt profiles flagged the use of pickle for deserialization as anomalous, as no legitimate instances of code execution within the pickle processing flow had ever been recorded. This triggered an automatic incident report in the Oligo ADR platform, highlighting the potential for remote code execution (RCE) even though no CVE for llama-stack existed at the time. The attack graph and evidence, including Python call stack deviations captured via eBPF, were documented in the Oligo platform, confirming the exploit.

Oligo followed a responsible disclosure process to report the vulnerability to Meta, the maintainers of llama-stack. Meta’s security team responded promptly, providing clear guidelines for disclosure through a GitHub issue. The vulnerability was assigned CVE-2024-50050 with a CVSS score of 9.3, reflecting its critical severity. Meta acknowledged the issue and worked collaboratively with Oligo to address it.

Meta released a patch in version 0.0.41 of llama-stack (llama-stack>=0.0.41), which replaced the insecure pickle serialization implementation with a type-safe Pydantic JSON implementation across the API. This change eliminated the risk of arbitrary code execution by ensuring safe deserialization of data. Additionally, pyzmq issued a fix and added a clear warning in its documentation about the risks of using recv_pyobj with untrusted data, emphasizing that it should only be used with trusted sources. The patch and warning can be found in the following commit: pyzmq commit f4e9f17.

Responsible Disclosure Timeline

29 Sep, 2024: Oligo reported the vulnerability to Meta.

30 Sep, 2024: Meta performed an initial evaluation of the report.

1 Oct, 2024: Meta confirmed that their teams were working on a fix.

10 Oct, 2024: Meta released the fix on GitHub and published version 0.0.41 to PyPi.

24 Oct, 2024: Meta issued CVE-2024-50050 to formally document the vulnerability.

This coordinated effort between Oligo and Meta ensured the timely identification, disclosure, and patching of the vulnerability, mitigating the risk of exploitation for users of llama-stack.

IV. MITRE ATT&CK

  • T1059.007 – Command and Scripting Interpreter: Python
    • The vulnerability allows attackers to execute arbitrary Python code via insecure deserialization using the pickle module.
  • T1190 – Exploit Public-Facing Application
    • Attackers can exploit the exposed ZeroMQ socket to send malicious payloads and gain initial access to the system.
  • T1068 – Exploitation for Privilege Escalation
    • Successful exploitation could allow attackers to execute code with the privileges of the llama-stack process, potentially escalating privileges.
  • T1531 – Account Access Removal
    • Attackers could disrupt operations by deleting or locking user accounts, causing denial of service.

V. Recommendations

  • Upgrade to Llama-Stack 0.0.41 or Later
    Organizations should immediately upgrade to Llama-Stack version 0.0.41 or later, as this update replaces the insecure pickle-based deserialization with a safer Pydantic JSON implementation. This eliminates the risk of arbitrary code execution by ensuring that only validated and structured data is processed. Additionally, ensure that all instances of pyzmq are updated to the latest version, as it now includes security advisories on using recv_pyobj with untrusted sources. Keeping software dependencies up to date is crucial to prevent attackers from exploiting known vulnerabilities.
  • Restrict Network Exposure
    ZeroMQ sockets should never be exposed to the internet or untrusted networks, as this dramatically increases the risk of exploitation. Organizations should apply firewall rules and access control lists (ACLs) to restrict access to inference servers, ensuring that only authorized systems and users can interact with them. Additionally, using VPNs, network segmentation, and private subnets can provide an added layer of security, further reducing the risk of unauthorized access.
  • Implement Secure Serialization Practices
    The use of unsafe deserialization methods like pickle.loads should be strictly prohibited, especially when handling untrusted data. Instead, organizations should adopt secure serialization formats such as JSON with Pydantic, which enforces strict type validation and eliminates the possibility of arbitrary code execution. Developers should also follow best practices by validating all incoming serialized data and ensuring that no dynamic code execution is allowed during deserialization.

VI. IOCs (Indicators of Compromise)

Displayed is the code vulnerable method in llama stack (Derived from Oligo Blog Security)

Displayed is the RCE code used to deserialize and unpickle the code, making said code no longer secure (Derived from Oligo Blog Security)

VII. Additional OSINT Information

To detect this vulnerability, having real time detection is essential for identifying and getting rid of the risk. Maintaing an extensive and constantly backed up database of profiles for third party libraries.  

 Patch 0.0.41 calls attention to this, it replaces the pickled serialization implementation with Pydantic JSON implementation across the API.

VIII. References

Oligo Security. (January 23, 2025). CVE-2024-50050: Critical Vulnerability in meta llama/llama-stack by Meta. https://www.oligo.security/blog/cve-2024-50050-critical-vulnerability-in-meta-llama-llama-stack 

The Hacker News. (Jan 26, 2025). Meta’s Llama Framework Flaw Exposes AI Systems to Remote Code Execution Risks. https://thehackernews.com/2025/01/metas-llama-framework-flaw-exposes-ai.html 

SC Media. (January 27, 2025). Severe Meta Llama issue risks RCE in AI systems. https://www.scworld.com/brief/severe-meta-llama-issue-risks-rce-in-ai-systems 

Threat Advisory created by The Cyber Florida Security Operations Center. 

Contributing Security Analysts: Thiago Reis Pagliaroni, Nahyan Jamil

To learn more about Cyber Florida visit: www.cyberflorida.org  

Critical Vulnerability in Meta Llama-Stack Threatens AI Systems2025-02-11T10:58:10-05:00

Industry Certification with CompTIA: OPK12 Webinar

Join Cyber Florida and CompTIA for an engaging and informative webinar designed to help educators navigate the evolving industry certification landscape. This session will explore the importance of industry certifications in preparing students for successful IT careers and highlight professional development opportunities for teachers, including CompTIA’s new OnDemand training. Learn about the upcoming Summer Professional Development Camp, designed to help educators upskill and earn certifications at their own pace, and explore key industry trends in Florida, the transition from IT Fundamentals+ to the new Tech+ certification, and how these changes are shaping the future of IT education. Don’t miss this opportunity to gain valuable insights and resources to support your students and your professional growth!
Topics to Be Discussed:
  • The importance of industry certifications for student success.
  • Teacher professional development opportunities with CompTIA OnDemand training.
  • Details about the Summer Professional Development Camp for educators.
  • Industry trends and workforce demands in Florida’s IT sector.
  • The transition from IT Fundamentals+ to the new Tech+ certification and its impact on IT education.


Industry Certification with CompTIA: OPK12 Webinar2025-02-10T09:26:58-05:00