To summarise the news of March 2024, we saw a former Google Engineer charged with stealing AI trade secrets, critical vulnerabilities discovered in ChatGPT, a hacker sentenced in the LockBit ransomware operation, a high-severity vulnerability disclosed and patched, an Apex Legends tournament hit by remote exploit, and APT28 launches global phishing operations.
Continue reading as we cover some of the biggest stories of the month!
Ex-Google Engineer charged with stealing AI trade secrets
The US charged a former Google Software Engineer for stealing over 500 confidential files and trade secrets about artificial intelligence (AI) while secretly working for two Chinese companies.
On the 6th of March 2024, Linwei Ding was indicted in California on four charges, facing up to 10 years in prison and $250,000 in fines on each count.
According to BBC News: “The information he is accused of taking relates to the infrastructure of Google's supercomputing data centres, which are used to host and train large AI models.”
Mr Ding was recruited as a Software Engineer in 2019. In as early as May 2022, he allegedly began uploading confidential information from Google’s network to a personal Google account, which continued ‘periodically’ for a year. The indictment says he was offered $14,800 (£11,620) per month to be the company's Chief Technology Officer.
General Merrick Garland, a US Attorney, explains that Linwei Ding was seeking to enrich himself by covertly working for companies that were "seeking an edge in the AI technology race". He adds: “The Justice Department will not tolerate the theft of artificial intelligence and other advanced technologies that could put our national security at risk”.
Critical vulnerabilities discovered in ChatGPT and its ecosystem
Cyber security researchers have identified new vulnerabilities within ChatGPT and its ecosystem, particularly focusing on third-party plugins. These vulnerabilities could potentially allow attackers to gain unauthorised access to sensitive data and hijack accounts on platforms such as GitHub. The research, conducted by Salt Labs, enabled attackers to install malicious plugins without user consent.
ChatGPT plugins enhance the large language model's functionality, allowing it to access current information, perform computations, or interact with third-party services. However, a significant flaw discovered involves exploiting the OAuth authentication process, enabling attackers to trick users into installing harmful plugins. This vulnerability can lead to data interception and exfiltration.
Furthermore, Salt Labs discovered vulnerabilities in PluginLab, which could enable attackers to conduct zero-click account takeover attacks. This involves manipulating the 'auth.pluginlab[.]ai/oauth/authorized' endpoint, allowing attackers to access victims' GitHub accounts without authentication.
Additionally, a new LLM side-channel attack has been uncovered, exploiting the sequential transmission of encrypted tokens (words) from the server to users. Despite encryption, the packet size can reveal token lengths, potentially allowing attackers to infer sensitive information. To mitigate this, it's recommended that AI assistants use random padding, group token transmissions, or send complete responses at once to obscure token lengths.
These findings highlight the ongoing security challenges facing AI technologies and the need for robust security measures to protect against sophisticated cyber threats.
Hacker sentenced in LockBit ransomware operation
Mikhail Vasiliev, a 34-year-old Russian-Canadian, was sentenced to nearly four years in prison in Canada for his involvement in the LockBit ransomware operation. Arrested in November 2022, he faced charges from the U.S. Department of Justice for damaging protected computers and transmitting ransom demands. Canadian authorities found evidence at his home, including a list of victims and the ransomware's source code.
Vasiliev pleaded guilty to charges including cyber extortion and was described as a "cyber terrorist" motivated by greed. His criminal activities included targeting Canadian companies for ransom during the COVID-19 pandemic. He has agreed to extradition to the U.S. and must pay over $860,000 in restitution.
High-severity Windows node vulnerability ‘CVE-2023-5528’
A high-severity vulnerability in Kubernetes, identified as CVE-2023-5528 with a CVSS score of 7.2, has been disclosed and patched.
This flaw enabled remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster under certain conditions. Specifically, attackers could exploit this by deploying malicious YAML files on the cluster, affecting kubelet versions 1.8.0 and later. The vulnerability was remedied in updates released on November 14, 2023, for various kubelet versions (v1.28.4, v1.27.8, v1.26.11, and v1.25.16).
The vulnerability originates from insecure function calls and a lack of user input sanitisation, particularly exploiting the Kubernetes volumes feature. Attackers could create a PersistentVolume with a specially crafted path in the YAML file, leading to command injection and execution. To mitigate this, Kubernetes developers replaced the vulnerable command call with a secure GO function for symlink creation.
This flaw posed a risk of total compromise of all Windows nodes in a Kubernetes cluster but only affected clusters using an in-tree storage plugin for Windows nodes.
Apex Legends tournament hit by remote exploit
Electronic Arts (EA) has delayed the Apex Legends Global Series (ALGS) North American finals following a hacking incident that compromised players during the tournament. ALGS is a competitive esports series for the battle royale game Apex Legends, consisting of qualifiers, regional finals, and major tournaments leading to a championship event.
The issue arose during the third match of the NA finals between DarkZero and Luminosity, when a player from DarkZero, Genburten, unexpectedly had a cheat tool called 'TSM HALAL HOOK' appear on his screen. This tool allowed him to see the locations of all players, giving him an unfair advantage. Consequently, Genburten exited the game, handicapping his team.
Despite this disruption, the match was not voided, and Luminosity was declared the winner. The problems persisted, with a player named 'ImperialHal' receiving aimbot assistance in the subsequent match, leading to the match's suspension by the tournament admins.
The hacks were attributed to individuals using the nicknames 'Destroyer2009' and 'R4ndom,' revealed during the breach on Genburten's client. Following these incidents, Apex Legends Esports announced the postponement of the NA finals to ensure the security of the event from external threats.
An individual claiming to be one of the hackers, Destroyer 2009, stated they exploited a remote code execution (RCE) vulnerability, though they did not specify whether the flaw was in the Apex Legends client, Easy Anti-Cheat software, or another application.
RCE vulnerabilities allow attackers to run malicious code on a target device remotely. There's speculation about the source of the hack, including potential vulnerabilities in the game client, the anti-cheat software, or pre-compromised player devices. However, Easy Anti-Cheat has since asserted that its system does not contain such vulnerabilities and pledged ongoing cooperation with partners.
APT28 launches global phishing operations
The APT28 hacking group has been implicated in extensive phishing campaigns across various regions including Europe, the South Caucasus, Central Asia, and both North and South America.
These campaigns utilise deceptive documents that mimic those of government and non-governmental organisations to entice victims. IBM X-Force revealed that these documents cover a broad spectrum of interests including finance, cyber security, and defence, among others.
The group's activities include deploying malware through the exploitation of vulnerabilities, notably in Microsoft Outlook, and phishing tactics that trick users into downloading harmful software.
APT28 has also targeted specific countries, including Argentina, Ukraine, and the U.S., using genuine documents to trigger malware infections. Their attacks have evolved to use commercial infrastructure for hosting malicious payloads. The group's latest tactics result in the deployment of malware such as MASEPIE, OCEANMAP, and STEELHOOK, which enable unauthorised file access, command execution, and data theft from browsers. These activities highlight APT28's adaptability and continued evolution in cyber warfare capabilities.
Check back again next month as we continue to cover the monthly news in cyber security!
Jabba