OpenAI data breach from 2023 allegedly not reported

Security in brief It's been a week of nasty cybersecurity revelations for OpenAI, after it emerged that the startup failed to report a 2023 breach of its systems to anyone outside the organization, and that its ChatGPT app for macOS stored user conversations in plaintext where any other app on the Mac could read them.

According to an exclusive report from the New York Times, citing two anonymous OpenAI insiders, someone managed to hack into a private forum used by OpenAI employees to discuss projects early last year.

OpenAI apparently chose not to go public with the news or tell anyone in law enforcement about the digital breach, since none of the Microsoft-backed company’s actual AI builds were compromised. Executives who disclosed the breach to employees didn’t consider it much of a threat, since the criminal behind the breach was believed to be a private individual not affiliated with any foreign government.

But keeping a breach under wraps isn't a good idea, especially when you consider that several high-ranking employees, including chief scientist Ilya Sutskever, recently left OpenAI amid what many read as concerns about the company's safety culture.

ChatGPT's creator promised to establish an AI safety committee following the departure of Sutskever and Jan Leike, who headed OpenAI's former safety team focused on long-term risks from AI.

Whether news of a previously unreported breach, one OpenAI leadership apparently decided it knew better than regulators whether to disclose, will help repair the company's tarnished security reputation is anyone's guess. The other OpenAI security news this week certainly won't help.

According to software developer Pedro José Pereira Vieito, the macOS version of ChatGPT opted out of the Mac's built-in App Sandbox, the mechanism that stops one app's data from being read by other apps running as the same user. With no sandbox, all user conversations were stored in plaintext in a folder that any other app on the machine could read.
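Sandboxing on macOS is an opt-in signing entitlement, so the quickest check on any third-party app is to read its entitlements and look for the sandbox key. The following is an added example written for this page, not code from the article or from OpenAI; the two plists are constructed samples rather than any real app's entitlements, and the `codesign --xml` flag assumed in `audit_installed_app()` exists on recent macOS releases.

```python
"""Added example: audit a macOS app's code-signing entitlements for the
App Sandbox opt-in discussed above. Not code from the article or from
OpenAI; the two plists below are constructed samples, not any real app's
entitlements.

On a Mac, the XML comes from (assumes the --xml flag of recent codesign):
    codesign -d --entitlements - --xml /Applications/SomeApp.app
"""
import plistlib
import subprocess

SANDBOX_KEY = "com.apple.security.app-sandbox"

# Constructed sample: an app that opted into the App Sandbox.
SANDBOXED_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
</dict>
</plist>
"""

# Constructed sample: signed, has entitlements, but never opted into the sandbox.
UNSANDBOXED_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
</dict>
</plist>
"""


def parse_entitlements(raw: bytes) -> dict:
    """Parse an entitlements plist. Older codesign builds (without --xml)
    prefix the XML with a binary blob header, so skip to the '<?xml' mark."""
    start = raw.find(b"<?xml")
    if start < 0:
        return {}            # no entitlements at all (unsigned or ad-hoc signed)
    return plistlib.loads(raw[start:])


def is_sandboxed(entitlements: dict) -> bool:
    """Sandboxing is opt-in: only an explicit <true/> under the key counts.
    A missing key, or <false/>, means the app runs unsandboxed."""
    return entitlements.get(SANDBOX_KEY) is True


def audit(raw: bytes) -> dict:
    """Summarise the entitlements that matter for a data-exposure review."""
    ents = parse_entitlements(raw)
    return {
        "sandboxed": is_sandboxed(ents),
        "network_client": ents.get("com.apple.security.network.client") is True,
        "library_validation_disabled":
            ents.get("com.apple.security.cs.disable-library-validation") is True,
        "entitlement_count": len(ents),
    }


def audit_installed_app(app_path: str) -> dict:
    """macOS only: pull the real entitlements via codesign and audit them."""
    out = subprocess.run(
        ["codesign", "-d", "--entitlements", "-", "--xml", app_path],
        capture_output=True, check=True).stdout
    return audit(out)


if __name__ == "__main__":
    for name, blob in (("sandboxed-sample", SANDBOXED_XML),
                       ("unsandboxed-sample", UNSANDBOXED_XML)):
        print(name, audit(blob))
```

An unsandboxed result is not a vulnerability by itself (apps distributed outside the App Store are not required to sandbox), but it tells you the app's data directory is protected only by ordinary file permissions, so anything sensitive it writes there needs its own encryption.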

OpenAI is said to have fixed the issue, but has not yet responded to our questions.

Critical Vulnerabilities of the Week

With federal holidays and major elections taking place in much of the Reg-reading world last week, we found an unsurprising drop in major security news. That said, there are a few issues you should be aware of, including some previously unreported problems in Xerox WorkCentre printers.

The first is CVE-2016-11061, discovered in 2016 but only reported in 2020: a CVSS 9.8 issue that allows a shell escape via the printer's configrui.php file. The second, says security researcher Arseniy Sharoglazov of Positive Technologies, is a buffer overflow that also allows RCE, which he found in a firmware update last year. No CVE has been assigned. Sharoglazov recommends updating the firmware, setting a strong administrator password, and isolating affected printers on the network.

Elsewhere:

  • CVSS 9.3 – CVE-2024-4708: mySCADA MyPRO software contains hardcoded credentials;
  • CVSS 9.1 – CVE-2024-32755: Johnson Controls Illustra Essentials Gen 4 IP cameras do not properly validate input from the web interface.

F1 governing body breached

The International Automobile Federation (FIA), which oversees motor racing events including last weekend’s British Formula 1 Grand Prix, confirmed last week that there had been a data breach but gave no further details.

The FIA shared news of the incident last Wednesday, revealing that the breach occurred following successful phishing attacks on some of the Federation's email accounts. The FIA said it had disabled access "when it became aware of it" and had also notified the French and Swiss data protection authorities.

No information was shared about when the breach occurred or what information may have been exposed.

New ransomware group discovered – and dealt with thoroughly

Security researchers at Halcyon.ai have reported that they have discovered a new ransomware operator they call Volcano Demon.

The demonic crew has been spotted encrypting both Windows workstations and servers in multiple attacks in recent weeks, Halcyon reported, using administrative credentials harvested from the compromised network. There's no indication in Halcyon's report as to how Volcano Demon gets its initial foothold, but the group is known to deploy a locker dubbed LukaLocker, and it is thorough about covering its tracks.

“Logs were wiped prior to exploitation and in both cases a full forensic evaluation was not possible due to their success in hiding their tracks and limited victim tracking,” Halcyon noted of two specific incidents it investigated. The criminals apparently called IT and executives directly to demand ransom, rather than making an announcement on a leak site.

Halcyon's report includes indicators of compromise, so readers who want to check their own environments for Volcano Demon activity have something to search for.
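Log wiping of the kind Halcyon describes is itself detectable, provided the events are forwarded off the host before they can be cleared. The following is an added example written for this page, not code from Halcyon's report or the article: detection logic run over constructed Windows event records. The event IDs are the standard ones (1102 for the Security log being cleared, 104 for other logs, 4688 for process creation); the `wevtutil` and `Clear-EventLog` command patterns are my assumption about common tooling, not indicators published for Volcano Demon.

```python
"""Added example, not from Halcyon's report or the article: detection logic
for the log wiping described above, run over constructed Windows event
records. Event IDs are the standard ones (1102 Security log cleared,
104 other log cleared, 4688 process creation); the wevtutil and
Clear-EventLog patterns are my assumption about common tooling, not
indicators published for Volcano Demon.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry, shaped like SIEM-normalised Windows events.
EVENTS = [
    {"ts": "2024-07-01T02:10:00", "host": "FS01", "id": 4624, "channel": "Security",
     "user": "CORP\\svc_backup", "cmd": ""},
    {"ts": "2024-07-01T02:14:30", "host": "FS01", "id": 4688, "channel": "Security",
     "user": "CORP\\svc_backup", "cmd": "wevtutil.exe  cl Security"},
    {"ts": "2024-07-01T02:14:31", "host": "FS01", "id": 1102, "channel": "Security",
     "user": "CORP\\svc_backup", "cmd": ""},
    {"ts": "2024-07-01T02:14:35", "host": "FS01", "id": 104, "channel": "System",
     "user": "CORP\\svc_backup", "cmd": ""},
    {"ts": "2024-07-01T02:20:00", "host": "WS17", "id": 4688, "channel": "Security",
     "user": "CORP\\jdoe", "cmd": "powershell.exe -nop -c Clear-EventLog -LogName Application"},
    {"ts": "2024-07-01T02:25:00", "host": "WS22", "id": 4688, "channel": "Security",
     "user": "CORP\\jdoe", "cmd": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
]
EXPECTED_HOSTS = {"FS01", "WS17", "WS22", "DC01"}  # hosts that should always report

# Command-line markers for log clearing (matched lower-cased, whitespace-normalised).
CLEAR_CMD_MARKERS = ("wevtutil cl", "wevtutil.exe cl", "clear-eventlog")


def detect_log_clearing(events):
    """Return one alert dict per event that clears a log or runs a clearing command."""
    alerts = []
    for ev in events:
        reason = None
        if ev["id"] == 1102 and ev["channel"] == "Security":
            reason = "Security log cleared"
        elif ev["id"] == 104:
            reason = f"{ev['channel']} log cleared"
        elif ev["id"] == 4688:
            cmd = " ".join(ev["cmd"].lower().split())   # collapse padding/case tricks
            if any(marker in cmd for marker in CLEAR_CMD_MARKERS):
                reason = "log-clearing command: " + ev["cmd"]
        if reason:
            alerts.append({"host": ev["host"], "ts": ev["ts"],
                           "user": ev["user"], "reason": reason})
    return alerts


def silent_hosts(events, expected_hosts, now_iso, max_gap=timedelta(hours=1)):
    """Hosts that should report but have sent nothing within max_gap of now_iso.
    Wiped logs and disabled forwarding both look like silence, so the absence
    of events is itself a signal worth alerting on."""
    now = datetime.fromisoformat(now_iso)
    last_seen = {}
    for ev in events:
        t = datetime.fromisoformat(ev["ts"])
        last_seen[ev["host"]] = max(t, last_seen.get(ev["host"], t))
    return sorted(h for h in expected_hosts
                  if h not in last_seen or now - last_seen[h] > max_gap)


def alerts_by_host(alerts):
    """Group alerts per host so a burst (command, then clear, then a second log) stands out."""
    counts = {}
    for alert in alerts:
        counts[alert["host"]] = counts.get(alert["host"], 0) + 1
    return counts


if __name__ == "__main__":
    found = detect_log_clearing(EVENTS)
    for alert in found:
        print(f"{alert['ts']} {alert['host']} {alert['user']}: {alert['reason']}")
    print("per host:", alerts_by_host(found))
    print("silent:", silent_hosts(EVENTS, EXPECTED_HOSTS, "2024-07-01T03:00:00"))
```

The two checks complement each other: the first only fires if the clearing event reached the collector, the second fires when a host that used to talk goes quiet, which is what a wiped-and-silenced machine looks like from the SIEM's side.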

RockYou breach lives on in a new, bigger edition than ever

You may have forgotten about the 2009 breach of the defunct social media app RockYou, but that doesn’t mean the world of cybersecurity has.

RockYou’s poor security practices led to some 32 million user passwords being stolen from the site 15 years ago. RockYou now lives on as nothing more than the massive password dictionary it gave to hackers — and it’s only just been updated, Cybernews researchers noted this week.

The new list, discovered yesterday on a cybercrime forum and dubbed “RockYou2024,” is said to contain nearly ten billion unique plaintext passwords.

Like other iterations of RockYou over the years, this appears to be just another combination of passwords stolen in previous breaches. But don’t let that put you at ease: it’s still a serious threat in the hands of the wrong person engaging in credential stuffing.
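The defensive use of a list like this is to stop users picking passwords that appear in it. The following is an added example written for this page, not code from Cybernews or the article. It shows two ways to do that check without keeping the plaintext corpus beside an authentication system or sending the password anywhere: a local SHA-1 digest set built from a constructed, tiny sample leak (not RockYou data), and the k-anonymity range query used by the Have I Been Pwned Pwned Passwords API, in which only the first five hex characters of the SHA-1 leave the machine. The network lookup is mocked with a constructed response so the example runs offline; `hibp_range_lookup()` performs the real request and is not invoked.

```python
"""Added example, not from Cybernews or the article: checking a candidate
password against a breached-password corpus such as RockYou2024 without
keeping the plaintext corpus next to an auth system or shipping the
password anywhere.

Local mode hashes a (constructed, tiny) leak into a SHA-1 digest set.
Remote mode uses the k-anonymity range query of the Have I Been Pwned
Pwned Passwords API: only the first 5 hex chars of the SHA-1 leave the
machine, and the suffix is compared locally. The lookup is mocked with a
constructed response so the example runs offline; hibp_range_lookup()
does the real HTTP call and is not invoked here.
"""
import hashlib
import urllib.request

# Constructed leak sample: password -> number of times seen. Not RockYou data.
CONSTRUCTED_LEAK = {"123456": 9, "password": 3, "rockyou": 1, "Summer2024!": 1}


def sha1_hex(password: str) -> str:
    """Pwned Passwords keys on the upper-case hex SHA-1 of the UTF-8 password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_digest_set(leak) -> set:
    """Local mode: keep digests only, so the plaintext list can be discarded."""
    return {sha1_hex(p) for p in leak}


def is_breached_local(password: str, digests: set) -> bool:
    return sha1_hex(password) in digests


def split_for_range_query(password: str):
    """5-char prefix goes over the wire; 35-char suffix stays local."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """'SUFFIX:COUNT' per line -> {suffix: count}. Tolerates CRLF, blank lines
    and the zero-count padding lines the real API adds when asked to."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fake_range_lookup(prefix: str) -> str:
    """Offline stand-in for the HTTP GET, built from CONSTRUCTED_LEAK."""
    lines = []
    for pw, n in CONSTRUCTED_LEAK.items():
        pre, suf = split_for_range_query(pw)
        if pre == prefix:
            lines.append(f"{suf}:{n}")
    lines.append("0" * 35 + ":0")   # padding line, like the real API's Add-Padding output
    return "\r\n".join(lines)


def hibp_range_lookup(prefix: str) -> str:
    """Real query (network). Add-Padding asks the API to pad the response so
    its size does not leak how many suffixes matched."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "pw-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, lookup=fake_range_lookup) -> int:
    """Times the password appears in the corpus, via the k-anonymity query."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(lookup(prefix)).get(suffix, 0)


def check_password(password: str, digests: set, lookup=fake_range_lookup) -> dict:
    return {"local": is_breached_local(password, digests),
            "count": breach_count(password, lookup)}


if __name__ == "__main__":
    digests = build_digest_set(CONSTRUCTED_LEAK)
    for pw in ("password", "correct horse battery staple"):
        print(pw, check_password(pw, digests))
```

Pass `lookup=hibp_range_lookup` to `check_password()` to query the live service; the caller never transmits more than a 5-character hash prefix, so the check is safe to run against real user passwords at signup or reset time.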

FakeBat is coming to your favorite workplace apps

There's a new top favorite in the world of malware loaders. FakeBat is at the top of the heap, luring victims with fake installers for apps like Microsoft Teams, Zoom, VMware, and more.

Security researchers at Sekoia reported this week that FakeBat is one of the most widespread loaders spread by drive-by download, thanks to new SEO poisoning, malvertising, and code injection campaigns.

FakeBat, offered as a service starting at $1,000 per week since late 2022, has grown in popularity since it hit the scene, according to Sekoia. While the loader is relatively new, its tactics rely on the same old user inattention that other loaders exploit, so it's time for another round of user education while making sure the published IOCs are added to your detection systems.

Prudential breach victim count grows – by a lot

US insurance company Prudential has updated the total number of victims whose data was compromised in a February data breach – from 36,000 to more than 2.5 million. The ALPHV/BlackCat ransomware group previously claimed responsibility for the incident.

The update on the victim count did not include any additional details about how the breach occurred, and no new breach letter was included with the notification. The letter, released when the victim count was in the tens of thousands, indicated that driver’s license and other personal identification information had been stolen. ®
