Not-so-OpenAI allegedly never bothered to report 2023 data breach
Also: F1 authority breached; Prudential victim count skyrockets; a new ransomware actor appears; and more
security in brief It's been a week of bad cyber security revelations for OpenAI, after news emerged that the startup failed to report a 2023 breach of its systems to anybody outside the organization, and that its ChatGPT app for macOS was coded without any regard for user privacy.
According to an exclusive report from the New York Times, citing a pair of anonymous OpenAI insiders, someone managed to breach a private forum used by OpenAI employees to discuss projects early last year.
OpenAI apparently chose not to make the news public or tell anyone in law enforcement about the digital break in, because none of the Microsoft-backed firm's actual AI builds were compromised. Execs who disclosed the breach to employees didn't think it was much of a threat, because it was believed the miscreant behind the breach was a private individual unaffiliated with any foreign governments.
But keeping a breach secret isn't a good look, especially considering several high-ranking employees – including chief scientist Ilya Sutskever – recently left OpenAI over what many believe to be concerns about a lack of safety culture.
The ChatGPT maker committed to setting up an AI safety committee after the departures of Sutskever and Jan Leike – the head of OpenAI's previous safety team devoted to tackling the long-term threats of AI.
Whether news of a secret, heretofore unreported, breach that OpenAI leadership reportedly thought it knew better about than federal regulators will help repair its tarnished safety reputation is anyone's guess. The other OpenAI security news this week probably won't help, though.
According to software developer Pedro José Pereira Vieito, the macOS version of ChatGPT was programmed to side-step the Mac's inbuilt sandboxing that prevents apps from exposing private data, and instead stored all user conversations in plain text in an unsecured directory.
OpenAI has reportedly fixed the issue but didn't respond to our questions.
Critical vulnerabilities of the week
With federal holidays and major elections taking place across much of the Reg-reading world last week, we found unsurprising drop in big security news. That said, there are a couple issues you should know about – like some previously unreported issues in Xerox WorkCentre printers.
In one case there's CVE-2016-11061, discovered in 2016 but unreported until 2020 – a CVSS 9.8 issue allowing shell escape through the printer's configrui.php file. The second case, says security researcher Arseniy Sharoglazov from Positive Technologies, is yet another buffer overflow vulnerability that allows for RCE that he found in a firmware update last year. No CVE has been assigned. Sharoglazov recommends updating firmware, setting a strong admin password and isolating printers on affected networks.
Elsewhere:
- CVSS 9.3 – CVE-2024-4708: mySCADA MyPRO software contains hard-coded credentials;
- CVSS 9.1 – CVE-2024-32755: Johnson Controls Illustra Essentials Gen 4 IP cameras aren't properly validating web interface input.
F1 governing body breached
The International Automobile Federation (FIA) – which governs auto racing events including last weekend’s British Formula 1 Grand Prix – confirmed last week that it had suffered a data breach, though without sharing much in the way of details.
The FIA shared news of the incident last Wednesday, disclosing that the breach occurred after successful phishing attacks against a pair of email accounts belonging to the Federation. The FIA said it cut off the access "once it became aware," and notified French and Swiss data protection authorities as well.
No information was shared about when the breach occurred or what information may have been exposed.
New ransomware group discovered – and it's thorough
Security researchers at Halcyon.ai have reported the discovery of what they believe to be a new ransomware operator they've dubbed Volcano Demon.
The demonic crew have been spotted encrypting both Windows workstations and servers in multiple attacks over the past few weeks, Halcyon reported, using admin credentials harvested from elsewhere on compromised networks. There's no indicator in Halcyon's report of how Volcano Demon is penetrating its targets, but it's known to be using LukaLocker and being thorough in its efforts.
"Logs were cleared prior to exploitation and in both cases, a full forensic evaluation was not possible due to their success in covering their tracks and limited victim logging," Halcyon observed of two particular incidents it investigated. The crims are apparently making calls directly to IT and executives to demand ransom instead of making an announcement on a leak site.
Indicators of compromise are available, meaning readers can stay on top of this one.
RockYou breach lives on in new, larger-than-ever edition
You may have forgotten the 2009 breach of defunct social media app RockYou, but that doesn't mean the cyber security world has.
RockYou's poor security practices led to some 32 million user passwords being stolen from the site 15 years ago. RockYou now lives on as nothing but the massive password dictionary it gave to hackers – and it was just updated, Cybernews researchers noted this week.
The new list, found yesterday on a cyber crime forum and dubbed "RockYou2024," reportedly contains nearly ten billion unique plaintext passwords.
Like other iterations of RockYou over the years, this one appears to be just another combination of passwords purloined in prior breaches. But don't let that put you at ease: it's still a serious threat in the hands of the wrong person committed to credential stuffing.
FakeBat is coming for your favorite workplace apps
There's a new top dog in the malware loader world. FakeBat is on top, and it's targeting users of apps like Microsoft Teams, Zoom, VMware and others.
Security researchers at Sekoia reported this week that FakeBat had risen to the top of drive-by download loader use thanks to new SEO-poisoning, malvertising and code-injection campaigns.
FakeBat, available as a service starting at $1,000 a week since as far back as late 2022, has risen in popularity since it appeared on the scene, according to Sekoia. While the malware may be newer, the tactics appear to rely on the same old lack of proper attention that other malware loaders lean on – so time for another round of user training while you ensure all the IOCs are added to your detection systems.
Prudential breach victim count goes up – by a lot
American insurance provider Prudential has updated the total number of victims whose data was stolen in a February data breach – from 36,000 to over 2.5 million. The ALPHV/BlackCat ransomware group previously claimed responsibility for the incident.
The victim count update didn't include any additional details as to how the breach occurred, and a new breach letter wasn't attached to the notice. The letter released when the victims numbered in the tens of thousands indicated drivers license and other personal identifying information was stolen. ®