
Salt Security uncovers security flaws within ChatGPT extensions that allowed access to third-party websites and sensitive data


PALO ALTO, Calif., March 13, 2024 /PRNewswire/ — Salt Security, the leading API security company, today released new threat research from Salt Labs describing critical security flaws within ChatGPT plugins, a new risk for enterprises. Plugins give AI chatbots like ChatGPT access and permissions to perform tasks on behalf of users within third-party websites, for example committing code to GitHub repositories or retrieving data from an organization's Google Drive. These security flaws introduce a new attack vector and could enable bad actors to:

  • Gain control of an organization’s account on third-party websites
  • Access Personally Identifiable Information (PII) and other sensitive user data stored within third-party applications

ChatGPT plugins extend the model's abilities, allowing the chatbot to interact with external services. The integration of these third-party plugins significantly enhances ChatGPT's applicability across various domains, from software development and data management to educational and business environments. When an organization enables such a plugin, it is granting ChatGPT permission to send the organization's sensitive data to a third-party website and to act within the organization's private external accounts. Notably, in November 2023, ChatGPT introduced a new feature, GPTs, a concept similar to plugins. GPTs are custom versions of ChatGPT that any developer can publish, and they contain an option called "Action" which connects them with the outside world. GPTs pose security risks similar to those of plugins.

The Salt Labs team uncovered three different types of vulnerabilities within ChatGPT plugins.

The first was found in ChatGPT itself, in the flow users go through when installing a new plugin. During this process, ChatGPT redirects the user to the plugin's website, which issues a code that the user approves. When ChatGPT receives the approved code from the user, it automatically installs the plugin and can then interact with that plugin on behalf of the user. Salt Labs researchers discovered that an attacker could exploit this flow by delivering to a user a code approval for a new, malicious plugin instead, enabling the attacker to install their own credentials on a…
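The install flow described above is an authorization-code handoff, and the weakness is that the callback accepts whatever code it is handed without any proof that the current session started the install. The Python below is an added example, not code from Salt Labs, OpenAI or any plugin vendor: it models that weakness beside the standard mitigation for authorization-code flows, a per-session `state` value that the callback must echo back. The provider, the codes, the `ChatSession` class, the plugin name and the URLs are hypothetical stand-ins constructed for the example.

```python
"""Authorization-code callback: vulnerable (no session binding) beside hardened (state)."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed stand-in for the plugin provider's authorization server: each
# one-time code grants access to the provider-side account it was issued for.
PROVIDER_CODES = {
    "code-attacker-7f3a": "attacker@provider.example",  # issued to the attacker
    "code-victim-91c2": "victim@provider.example",      # issued to the victim
}


@dataclass
class ChatSession:
    """Hypothetical per-user session on the chat platform."""
    user: str
    pending_state: Optional[str] = None
    linked_accounts: Dict[str, str] = field(default_factory=dict)


def exchange_code(code: str) -> str:
    """Stand-in for the code-for-token exchange; returns the account the code grants."""
    if code not in PROVIDER_CODES:
        raise ValueError("unknown or expired authorization code")
    return PROVIDER_CODES[code]


def callback_vulnerable(session: ChatSession, plugin: str, code: str) -> str:
    """Vulnerable pattern: any code that reaches the callback is accepted, with no
    evidence that *this* session started the install. A code minted for the
    attacker's provider account, delivered to the victim as a link, links the
    attacker's account to the victim's chat session."""
    session.linked_accounts[plugin] = exchange_code(code)
    return session.linked_accounts[plugin]


def start_install(session: ChatSession, plugin: str) -> str:
    """Hardened flow, step 1: mint an unguessable state, remember it in the
    session, and carry it through the redirect to the provider."""
    session.pending_state = secrets.token_urlsafe(32)
    return (f"https://plugin.provider.example/authorize"
            f"?plugin={plugin}&state={session.pending_state}")


def callback_hardened(session: ChatSession, plugin: str, code: str, state: str) -> str:
    """Hardened flow, step 2: honour the callback only if it echoes the state
    minted for this session. The state is consumed on first use."""
    expected, session.pending_state = session.pending_state, None
    if expected is None or not hmac.compare_digest(expected, state):
        raise PermissionError("state mismatch: callback was not initiated by this session")
    session.linked_accounts[plugin] = exchange_code(code)
    return session.linked_accounts[plugin]


def demo_login_csrf() -> dict:
    """Replay the scenario: the attacker delivers their own code to the victim."""
    victim = ChatSession("victim")
    hijacked = callback_vulnerable(victim, "repo-plugin", "code-attacker-7f3a")

    victim2 = ChatSession("victim")
    start_install(victim2, "repo-plugin")
    try:
        callback_hardened(victim2, "repo-plugin", "code-attacker-7f3a",
                          state="state-minted-in-the-attackers-own-session")
        blocked = False
    except PermissionError:
        blocked = True

    victim3 = ChatSession("victim")
    start_install(victim3, "repo-plugin")
    legit = callback_hardened(victim3, "repo-plugin", "code-victim-91c2",
                              state=victim3.pending_state)

    return {"vulnerable_linked_to": hijacked, "hardened_blocked": blocked,
            "hardened_legit_linked_to": legit}


if __name__ == "__main__":
    print(demo_login_csrf())
```

The state must be bound to the session that will consume the callback, unguessable, and single use; comparing it with `hmac.compare_digest` avoids leaking it through timing. Binding the callback to the session is what prevents the attacker's approved code from being installed into someone else's account.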

Source…

SquaredFinancial Introduces Enhanced Fraud Prevention Framework and Uncovers Fraud Network


SquaredFinancial values transparency and is strongly dedicated to fighting deceptive practices by developing an advanced fraud prevention framework. Recognizing recent incidents of financial deceit in the trading industry, the company is proactively fortifying its compliance and risk teams and strengthening processes and protocols to promptly detect and address any fraudulent activities.

A holistic approach to fraud prevention and management requires robust tools to conduct comprehensive risk assessments, identify potential vulnerabilities and prioritize risk mitigation.

The first step towards effectively fighting digital fraud is to understand the forms of fraud that occur regularly in the fintech sector. Some of the most common kinds are identity theft, phishing, web skimming, social engineering, and botnet attacks, which can be prevented with a resilient IT infrastructure and a steadfast focus on cybersecurity. In the forex brokerage industry, fraud has been recurrent and is plotted by networks or individuals who exploit terms and conditions and apply trading tactics to abuse commission and other bonus schemes.

Adapting to the ever-evolving landscape of financial fraud

Over the years, fraud networks have consistently targeted brokerages with abusive trading tactics, causing substantial losses. Typically, groups of accounts operating from shared IP addresses and devices have been used to exploit trading systems and take advantage of bonus schemes.

Recent fraud case study and actions taken

In November 2023, SquaredFinancial initiated an internal investigation following the deceitful actions of a specific partner. Utilizing internal analytical tools, the company swiftly identified irregularities and intervened immediately, preventing further exploitation. Craig Jenkins, Chief Legal & Compliance Officer, emphasized, “The recent case of abusers was detected by our software used to identify suspicious patterns, revealing a network of connected trading activities. A thorough inspection uncovered dozens of ‘clients’ engaging in coordinated trades from the same location, even the same computer, to abuse the favourable…
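The signal the two passages above describe, many "clients" sharing a location or a computer, can be turned into a clustering rule over login telemetry. The Python below is an added example, not SquaredFinancial's software: it links accounts that share a device fingerprint or a source IP with union-find and reports clusters of three or more, while treating an IP seen from a large number of accounts as a shared NAT rather than as evidence. The login records, account IDs, fingerprints, IPs and thresholds are constructed for the example.

```python
"""Link trading accounts by shared device fingerprint or source IP and surface
clusters large enough to look like a coordinated network of 'clients'."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed login records (account, source IP, device fingerprint): hypothetical
# sample data for this example, not SquaredFinancial's telemetry.
LOGINS: List[Tuple[str, str, str]] = [
    ("acct-1001", "198.51.100.7", "dev-aa11"),
    ("acct-1002", "198.51.100.7", "dev-aa11"),   # same computer as acct-1001
    ("acct-1003", "198.51.100.7", "dev-aa11"),
    ("acct-1004", "203.0.113.9", "dev-aa11"),    # same computer, different IP
    ("acct-1005", "203.0.113.9", "dev-bb22"),    # linked to acct-1004 only via IP
    ("acct-2001", "192.0.2.44", "dev-cc33"),
    ("acct-2002", "192.0.2.44", "dev-cc33"),     # a pair only: below the ring threshold
    ("acct-3001", "192.0.2.10", "dev-dd44"),     # unrelated lone account
] + [
    # Sixty accounts behind one office NAT on distinct computers: sharing the IP
    # alone should not make them a ring.
    (f"acct-9{i:03d}", "203.0.113.200", f"dev-nat{i:02d}") for i in range(60)
]

NAT_FANOUT = 25   # an IP seen from more accounts than this is treated as shared NAT, not a link
MIN_RING = 3      # smallest cluster worth reporting


class DisjointSet:
    """Union-find over account IDs."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        self.parent[self.find(a)] = self.find(b)


def cluster_accounts(logins: List[Tuple[str, str, str]],
                     nat_fanout: int = NAT_FANOUT,
                     min_ring: int = MIN_RING) -> List[List[str]]:
    """Return account clusters of size >= min_ring, largest first.

    Accounts are linked when they share a device fingerprint (strong signal) or a
    source IP that is not a high-fan-out NAT/carrier address (weaker signal)."""
    by_device: Dict[str, Set[str]] = defaultdict(set)
    by_ip: Dict[str, Set[str]] = defaultdict(set)
    for acct, ip, dev in logins:
        by_device[dev].add(acct)
        by_ip[ip].add(acct)

    ds = DisjointSet()
    for accts in by_device.values():
        first = next(iter(accts))
        for acct in accts:
            ds.union(first, acct)
    for accts in by_ip.values():
        if len(accts) > nat_fanout:
            continue   # too many accounts behind this IP: likely NAT, skip as a link
        first = next(iter(accts))
        for acct in accts:
            ds.union(first, acct)

    groups: Dict[str, Set[str]] = defaultdict(set)
    for acct, _, _ in logins:
        groups[ds.find(acct)].add(acct)
    rings = [sorted(g) for g in groups.values() if len(g) >= min_ring]
    return sorted(rings, key=len, reverse=True)


if __name__ == "__main__":
    for ring in cluster_accounts(LOGINS):
        print(len(ring), ring)
```

The fan-out cut-off is the important edge case: without it, every office, university or carrier-grade NAT becomes a "ring". Device fingerprints are the stronger link, which is why they are unioned unconditionally; in practice the output is a triage queue for a compliance analyst, not an automatic ban list.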

Source…

Jamf uncovers new Mac malware linked to known hacking group


Jamf finds a new strain of malware

Jamf Threat Labs has discovered a new malware strain that appears to be connected to BlueNoroff, a group that often attacks businesses in the financial sector.

The discovery came about during Jamf's routine security checks: they found Mac software quietly connecting to a known malicious internet domain, although Jamf did not name a particular program that Mac users should watch for.

What made the find particularly intriguing was that the software was not flagged as a threat by VirusTotal, a popular service for checking suspicious files, at the time Jamf uploaded it.

The program is cleverly disguised, using a digital signature that initially appears legitimate. It communicates with a server that, while appearing to be associated with a legitimate cryptocurrency platform, is controlled by the attackers.

BlueNoroff signature move

The method of operation aligns with the BlueNoroff group's established strategies, which typically involve registering counterfeit domains that mimic reputable companies, helping the group evade detection and entice its targets.

The fraudulent domain was set up in late May 2023, and the malware uses it to send and receive information. Jamf’s analysis revealed that while they were investigating, the server behind the domain stopped responding, possibly because the attackers became aware of the scrutiny.
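Counterfeit domains that mimic a legitimate platform, as described above, can be hunted for in DNS telemetry by comparing each queried registrable domain against a watchlist of brands an organisation actually uses. The Python below is an added example, not Jamf's tooling and not tied to the domain in their research: it flags three imitation patterns (same name under another TLD, a one-character typosquat, and the brand embedded in a longer name) over constructed DNS log lines. The brand names, hostnames and queries are hypothetical and constructed for the example.

```python
"""Flag DNS queries for domains that imitate a watchlist of legitimate brands."""
import re
from typing import Dict, List, Set

# Constructed watchlist of legitimate brand domains (hypothetical names chosen
# for this example; not the platform referred to in Jamf's research).
BRANDS: Set[str] = {"acmecoin.com", "ledgerline.io"}

# Constructed DNS log lines from a monitored Mac (hypothetical host and queries).
DNS_LOG: List[str] = [
    "2023-06-02T10:01:12Z host=mac-17 q=acmecoin.com",
    "2023-06-02T10:01:13Z host=mac-17 q=api.acmecoin.com",
    "2023-06-02T10:04:50Z host=mac-17 q=acmecoin-app.com",   # brand plus an extra token
    "2023-06-02T10:05:02Z host=mac-17 q=acmec0in.com",       # one-character substitution
    "2023-06-02T10:05:30Z host=mac-17 q=acmecoin.net",       # brand name, different TLD
    "2023-06-02T10:06:00Z host=mac-17 q=cdn.vendor.example",
    "2023-06-02T10:06:05Z host=mac-17 q=acmec0in.com",       # repeat: reported once
]

QUERY_RE = re.compile(r"\bq=(\S+)")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(fqdn: str) -> str:
    """Naive registrable domain: the last two labels. A real deployment should use
    the Public Suffix List so that names under e.g. co.uk are handled correctly."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(domain: str, brands: Set[str], max_typo: int = 1) -> Dict[str, str]:
    """Return {"brand": ..., "reason": ...} if domain imitates a brand, else {}."""
    if domain in brands or "." not in domain:
        return {}
    sld, tld = domain.rsplit(".", 1)
    for brand in sorted(brands):
        b_sld, b_tld = brand.rsplit(".", 1)
        if sld == b_sld and tld != b_tld:
            return {"brand": brand, "reason": "other-tld"}
        if 0 < levenshtein(sld, b_sld) <= max_typo:
            return {"brand": brand, "reason": "typo"}
        if b_sld in sld:
            return {"brand": brand, "reason": "brand-embedded"}
    return {}


def lookalikes(log_lines: List[str], brands: Set[str]) -> List[Dict[str, str]]:
    """Scan DNS log lines and report each suspicious registrable domain once."""
    hits: List[Dict[str, str]] = []
    seen: Set[str] = set()
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        domain = registrable(m.group(1))
        if domain in seen:
            continue
        seen.add(domain)
        verdict = classify(domain, brands)
        if verdict:
            hits.append({"domain": domain, **verdict})
    return hits


if __name__ == "__main__":
    for hit in lookalikes(DNS_LOG, BRANDS):
        print(hit)
```

Matching on the registrable domain rather than the full hostname keeps legitimate subdomains of the brand (`api.acmecoin.com` above) out of the results. Combining a hit with the domain's registration date, as Jamf's note about a late-May 2023 registration suggests, is a useful second filter but needs WHOIS or passive-DNS data that this offline example does not include.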

Further analysis by Jamf indicated that the malware was written in Objective-C, a programming language used for Mac software. It acts as a remote control for the infected computer, allowing the attackers to send commands and control the system once they have breached it.

Upon activation, the malware sends a signal to the attacker-controlled domain, disguising its communications as regular internet traffic. It also collects and sends information about the infected computer, such as the version of macOS it is running.

Despite its simplicity, the malware is effective and aligns with BlueNoroff’s approach of…

Source…

Microsoft uncovers hacking in Atlassian


A Chinese state-backed hacking group tracked as Storm-0062 has been exploiting a critical privilege escalation zero-day vulnerability in Atlassian Confluence Data Center and Server since September 14, 2023, BleepingComputer reported.

What is a zero-day exploit? A zero-day vulnerability is a flaw in a computer system that the software's vendor does not yet know about, so no patch or update exists to fix it. A zero-day exploit is an attack that uses such a flaw, and attackers can use it to take control of systems before a fix is available.

What is Atlassian Confluence? Atlassian Confluence is a software program that businesses use to share and collaborate on documents and projects. It is a popular tool, and many large companies use it.

Microsoft Threat Intelligence analysts revealed more information about Storm-0062's involvement and shared four attacker IP addresses on Twitter.

Atlassian has released a patch for the vulnerability, so businesses should update their Confluence servers as soon as possible. They should also monitor their Confluence servers for suspicious activity and implement other security measures to protect themselves from attacks.

Users of Atlassian Confluence Data Center and Server are urged to upgrade to one of the following fixed releases:

  • 8.3.3 or later
  • 8.4.3 or later
  • 8.5.2 (Long-Term Support release) or later
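Because the fixed release is different in each of the three release lines above, a plain "is my version newer than X" check gets the answer wrong (8.4.3 is fixed, 8.5.1 is not, even though 8.5.1 is the newer number). The Python below is an added example, not Atlassian's or Microsoft's tooling: it encodes only the three lines named above and reports any other line as "unlisted" rather than guessing, so those hosts get checked against the vendor advisory. The inventory, hostnames and version strings are constructed for the example.

```python
"""Classify Confluence Data Center/Server versions against the fixed releases
listed above: 8.3.3+, 8.4.3+ and 8.5.2+."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Only the release lines the text names. Anything outside them is reported as
# "unlisted" rather than guessed; check the vendor advisory for those hosts.
FIXED_MINIMUM: Dict[Tuple[int, int], Version] = {
    (8, 3): (8, 3, 3),
    (8, 4): (8, 4, 3),
    (8, 5): (8, 5, 2),
}

VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch]' and ignore trailing suffixes such as '-LTS'."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def patch_status(version: str) -> str:
    """'fixed', 'vulnerable', or 'unlisted' (release line not covered by the list above)."""
    v = parse_version(version)
    line = (v[0], v[1])
    if line not in FIXED_MINIMUM:
        return "unlisted"
    return "fixed" if v >= FIXED_MINIMUM[line] else "vulnerable"   # tuple compare, not string


# Constructed inventory of (hostname, reported version): hypothetical sample data.
INVENTORY: List[Tuple[str, str]] = [
    ("wiki-01", "8.5.1"),
    ("wiki-02", "8.5.2-LTS"),
    ("wiki-03", "8.4.3"),
    ("wiki-04", "8.3.2"),
    ("wiki-05", "8.6.0"),
    ("wiki-06", "7.19.14"),
]


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hosts by status so the 'vulnerable' list becomes the upgrade queue."""
    report: Dict[str, List[str]] = {"vulnerable": [], "fixed": [], "unlisted": []}
    for host, version in inventory:
        report[patch_status(version)].append(f"{host} ({version})")
    return report


if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(status, hosts)
```

Comparing parsed integer tuples matters: as strings, "8.5.10" sorts before "8.5.2" and would be misreported as vulnerable.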

Here is a timeline of the events to help make sense of the situation.

  • September 14, 2023: Storm-0062 begins exploiting the zero-day vulnerability in Atlassian Confluence.
  • October 4, 2023: Atlassian releases security updates fixing the vulnerability; by this point Storm-0062 had been exploiting the flaw for nearly three weeks.
  • October 11, 2023: Rapid7 researchers release a proof-of-concept exploit and full technical details about the vulnerability.

The fact that Storm-0062 was able to exploit the vulnerability for nearly three weeks before Atlassian released security updates is a sign…

Source…