Tag: flaws | Page 2

Salt Security uncovers security flaws within ChatGPT extensions that allowed access to third-party websites and sensitive data

March 13, 2024/in Internet Security

PALO ALTO, Calif., March 13, 2024 /PRNewswire/ — Salt Security, the leading API security company, today released new threat research from Salt Labs highlighting critical security flaws within ChatGPT plugins, highlighting a new risk for enterprises. Plugins provide AI chatbots like ChatGPT access and permissions to perform tasks on behalf of users within third-party websites. For example, committing code to GitHub repositories or retrieving data from an organization’s Google Drives. These security flaws introduce a new attack vector and could enable bad actors to:

Gain control of an organization’s account on third-party websites
Allow access to Personal Identifiable Information (PII) and other sensitive user data stored within third-party applications

ChatGPT plugins extend the model’s abilities, allowing the chatbot to interact with external services. The integration of these third-party plugins significantly enhances ChatGPT’s applicability across various domains, from software development and data management to educational and business environments. When organizations leverage such plugins, it subsequently gives ChatGPT permission to send an organization’s sensitive data to a third-party website and allow access to private external accounts. Notably, in November 2023, ChatGPT introduced a new feature, GPTs, a similar concept to plugins. GPTs are custom versions of ChatGPT that any developer can publish, and contain an option called “Action” which connects it with the outside world. GPTs pose similar security risks as plugins.

The Salt Labs team uncovered three different types of vulnerabilities within ChatGPT plugins.

The first of which was noted within ChatGPT itself when users install new plugins. During this process, ChatGPT redirects a user to the plugin website to receive a code to be approved by that individual. When ChatGPT receives the approved code from a user, it automatically installs the plugin and can interact with that plugin on behalf of the user. Salt Labs researchers discovered that an attacker could exploit this function, to deliver users instead a code approval with a new malicious plugin, enabling an attacker to install their credentials on a…

Source…

Hackers Exploit ConnectWise ScreenConnect Flaws to Deploy TODDLERSHARK Malware

March 5, 2024/in Computer Security

Mar 05, 2024NewsroomMalware / Cyber Threat

North Korean threat actors have exploited the recently disclosed security flaws in ConnectWise ScreenConnect to deploy a new malware called TODDLERSHARK.

According to a report shared by Kroll with The Hacker News, TODDLERSHARK overlaps with known Kimsuky malware such as BabyShark and ReconShark.

“The threat actor gained access to the victim workstation by exploiting the exposed setup wizard of the ScreenConnect application,” security researchers Keith Wojcieszek, George Glass, and Dave Truman said.

“They then leveraged their now ‘hands on keyboard’ access to use cmd.exe to execute mshta.exe with a URL to the Visual Basic (VB) based malware.”

The ConnectWise flaws in question are CVE-2024-1708 and CVE-2024-1709, which came to light last month and have since come under heavy exploitation by multiple threat actors to deliver cryptocurrency miners, ransomware, remote access trojans, and stealer malware.

Kimsuky, also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), KTA082, Nickel Kimball, and Velvet Chollima, has steadily expanded its malware arsenal to include new tools, the most recent being GoBear and Troll Stealer.

BabyShark, first discovered in late 2018, is launched using an HTML Application (HTA) file. Once launched, the VB script malware exfiltrates system information to a command-and-control (C2) server, maintains persistence on the system, and awaits further instruction from the operator.

Then in May 2023, a variant of BabyShark dubbed ReconShark was observed being delivered to specifically targeted individuals through spear-phishing emails. TODDLERSHARK is assessed to be the latest evolution of the same malware due to code and behavioral similarities.

The malware, besides using a scheduled task for persistence, is engineered to capture and exfiltrate sensitive information about the compromised hosts, thereby acting as a valuable reconnaissance tool.

TODDLERSHARK “exhibits elements of polymorphic behavior in the form of changing identity strings in code, changing the position of code via generated junk code, and using uniquely generate C2 URLs, which could make this malware hard to detect in…

Source…

New 5G Modem Flaws Affect iOS Devices and Android Models from Major Brands

December 9, 2023/in Mobile Security

Dec 08, 2023NewsroomVulnerability / Mobile Network

A collection of security flaws in the firmware implementation of 5G mobile network modems from major chipset vendors such as MediaTek and Qualcomm impact USB and IoT modems as well as hundreds of smartphone models running Android and iOS.

Of the 14 flaws – collectively called 5Ghoul (a combination of “5G” and “Ghoul”) – 10 affect 5G modems from the two companies, out of which three have been classified as high-severity vulnerabilities.

“5Ghoul vulnerabilities may be exploited to continuously launch attacks to drop the connections, freeze the connection that involve manual reboot or downgrade the 5G connectivity to 4G,” the researchers said in a study published today.

As many as 714 smartphones from 24 brands are impacted, including those from Vivo, Xiaomi, OPPO, Samsung, Honor, Motorola, realme, OnePlus, Huawei, ZTE, Asus, Sony, Meizu, Nokia, Apple, and Google.

UPCOMING WEBINAR

Cracking the Code: Learn How Cyber Attackers Exploit Human Psychology

Ever wondered why social engineering is so effective? Dive deep into the psychology of cyber attackers in our upcoming webinar.

Join Now

The vulnerabilities were disclosed by a team of researchers from the ASSET (Automated Systems SEcuriTy) Research Group at the Singapore University of Technology and Design (SUTD), who also previously uncovered BrakTooth in September 2021 and SweynTooth in February 2020.

The attacks, in a nutshell, attempt to deceive a smartphone or a 5G-enabled device to connect a rogue base station (gNB), resulting in unintended consequences.

“The attacker does not need to be aware of any secret information of the target UE e.g., UE’s SIM card details, to complete the NAS network registration,” the researchers explained. “The attacker only needs to impersonate the legitimate gNB using the known Cell Tower connection parameters.”

A threat actor can accomplish this by using apps like Cellular-Pro to determine the Relative Signal Strength Indicator (RSSI) readings and trick the user equipment to connect to the adversarial station (i.e., a software-defined radio) as well as an inexpensive mini…

Source…

DEF CON’s AI Village Pits Hackers Against LLMs to Find Flaws

August 21, 2023/in Computer Security

DEF CON 2023 — Las Vegas — DEF CON’s most buzzed-about event, the AI Village, let thousands of hackers take their best shot at making one of eight different large language models (LLMs), including Google, and Open AI, say something dangerous.

According to the spokespeople for the Hack the Future AI Village, the event was a huge hit, but for now that’s all that’s being made public — results won’t be made available for at least a week, maybe more.

The final AI hacking challenge leaderboard showed both first and third place prizes went to handles “cody3” and “cody2” respectively. The DEF CON AI Village itself was tight-lipped about any details about the winner, or even the prizes, but reports identified the person behind both top-three AI Village contest entries as Stanford masters computer science student Truc Cody Ho, adding he entered a total of five times in the competition.

More details about the hacking competition results are forthcoming, according to Avijit Ghosh, one of the authors compiling them.

“We will be going through the anonymized data and finding patterns of vulnerabilities that participants discovered during the challenge and produce a report that will hopefully help ML and security researchers gain better insights into LLMs and policymakers make more informed regulations about AI,” Ghosh says.

While he won’t answer questions directly about any of the winning LLM hacks, Ghosh says he was able to use the LLMs to generate discriminatory code, credit card numbers, misinformation, and more.

Another of the event’s organizers, Jutta Williams, has a day job as Reddit’s senior director and global head of privacy and assurance; and on the side, is the founder of Humane-Intelligence, a nonprofit that provides safety, ethical, and other guidance for companies providing consumers with AI products.

Historic Turnout For Event

Williams touted the event as the “largest LLM red teaming to date.”

All told, Williams said the AI Village attracted 2,240 hackers over the course of DEF CON 31 and explained the goal was to make one of its LLMs “do something unsavory.” That could mean generating misinformation, or using just the right question to prompt the chatbot to do something illegal —…

Source…

Tag Archive for: flaws

Historic Turnout For Event