
Cyber Security in October 2024

This month, we saw the Internet Archive hacked, an Internet Explorer zero-day vulnerability exploited, a violent ATM crime gang taken down, and a report published by OpenAI showing a spike in hackers exploiting ChatGPT for cyber attacks. Plus more!

We also introduced a brand new learning path: Cyber Security 101!

Keep reading as we dive into this month’s news.

Internet Archive hacked, exposing data of 31 million users

The Internet Archive, a non-profit organisation that preserves internet history, suffered a significant data breach affecting 31 million users. The breach, confirmed by the cyber security platform Have I Been Pwned (HIBP), exposed email addresses, screen names, and bcrypt-hashed passwords. The compromised data was shared with HIBP in a 6.4GB SQL file. Notably, 54% of the affected email addresses had already appeared in previous breaches.

The breach was initially revealed via a pop-up message on the Internet Archive’s website, which was taken offline shortly after. Brewster Kahle, the Internet Archive's founder, acknowledged a Distributed Denial of Service (DDoS) attack but did not directly address the data breach. Users are advised to check HIBP and update their credentials for added security.

This incident follows a previous DDoS attack in May by the same group.

Hackers exploiting ChatGPT for cyber attacks, OpenAI confirms

OpenAI has confirmed that hackers are using its AI model, ChatGPT, to assist in cyber attacks and malware creation. In a report titled “Influence and Cyber Operations: An Update,” OpenAI identified over 20 instances since early 2024 where ChatGPT was exploited for malicious purposes. State-sponsored hacking groups were found to be using AI for tasks like malware development, vulnerability research, and phishing campaigns.

One example involved a group named “SweetSpecter” attempting to use ChatGPT for reconnaissance and malware creation, while “CyberAv3ngers” explored vulnerabilities in industrial systems. Another group, “STORM-0817,” developed Android malware targeting personal data.

Although these activities have not led to significant breakthroughs in malware creation, OpenAI acknowledges the growing threat of AI misuse in cyber crime. In response, OpenAI has banned accounts involved in these activities and is working with industry partners to strengthen cyber security.

Hackers exploit Internet Explorer zero-day vulnerability

A joint report by AhnLab Security Emergency Response Center (ASEC) and the National Cyber Security Center (NCSC) has uncovered a zero-day vulnerability (CVE-2024-38178) in Microsoft Internet Explorer (IE) that hackers exploited in a campaign named “Operation Code on Toast.” The attackers, identified as TA-RedAnt (also known as RedEyes, ScarCruft, and APT37), targeted users running vulnerable toast ad programs.

The hackers exploited a flaw in IE’s JavaScript engine (jscript9.dll), delivering malware through a zero-click attack by compromising an online advertising agency’s server. Malicious code was injected into ad scripts, which were rendered by outdated toast ad programs relying on IE’s WebView. Despite Microsoft discontinuing IE support in 2022, many applications still rely on its engine, leaving them vulnerable.

Microsoft issued a patch for the vulnerability (CVE-2024-38178), which carries a CVSS score of 7.5, on 13 August. Users are urged to apply the update immediately to protect against future attacks.

Key recommendations include applying the latest security patches, updating software, and avoiding the use of outdated libraries or modules.
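
A defender's check for the point above, as an added example that is not part of the original article: this PowerShell inventory lists running processes that currently have jscript9.dll loaded, so applications still hosting IE's JavaScript engine can be identified and prioritised for patching or replacement. The variable and property names are illustrative choices.

```powershell
# Added example: inventory running processes that have IE's JavaScript
# engine (jscript9.dll, the module named in the report) loaded.
$target = 'jscript9.dll'

$findings = foreach ($proc in Get-Process) {
    try {
        # Reading .Modules can fail for protected or already-exited processes;
        # those are skipped rather than aborting the whole inventory.
        $hits = $proc.Modules | Where-Object { $_.ModuleName -ieq $target }
        foreach ($m in $hits) {
            [pscustomobject]@{
                ProcessName   = $proc.ProcessName
                Id            = $proc.Id
                ProcessPath   = $proc.Path
                ModulePath    = $m.FileName
                # Compare against the patched build listed in Microsoft's advisory.
                ModuleVersion = $m.FileVersionInfo.FileVersion
            }
        }
    } catch {
        continue
    }
}

if ($findings) {
    $findings | Sort-Object ProcessName | Format-Table -AutoSize
} else {
    Write-Output "No accessible process currently has $target loaded."
}
```

Run it from an elevated prompt. On Windows PowerShell 5.1, a 64-bit session may not list the modules of 32-bit processes, so repeat the run from the 32-bit PowerShell host as well.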

Authorities dismantle criminal network behind violent ATM attacks across Europe

A joint operation by Dutch, French, and German police forces led to the arrest of three members of a notorious criminal network responsible for a series of violent ATM attacks across Europe. The operation, coordinated by Europol on October 16, 2024, marked a significant victory in the fight against organised crime.

The gang, known for using powerful explosives—sourced from fireworks—targeted cash machines, causing millions of euros in losses and extensive property damage. They often fled in high-speed getaways through residential areas, endangering public safety.

The criminal network was primarily based in the Netherlands but exploited hideouts and getaway cars in France. Law enforcement also targeted car rental companies used by the gang. Substantial evidence was seized, aiding ongoing investigations into other gang members.

Hacking with a BBQ lighter? Exploiting vulnerabilities to gain root access

David Buchanan, a hardware researcher, has demonstrated a novel hacking method using a BBQ lighter to exploit hardware vulnerabilities in laptops via electromagnetic fault injection (EMFI). The researcher used a piezo-electric BBQ lighter to manipulate the DDR3 memory bus on a Samsung S3520 laptop, inducing memory errors by causing electromagnetic interference in the system’s data lines.

By soldering a wire to a data pin on the memory module and clicking the lighter nearby, Buchanan was able to flip specific bits in 64-bit read/write operations. This led to two successful proof-of-concept exploits:

  1. A CPython sandbox escape demonstrating the potential to manipulate object pointers.
  2. A Linux local privilege escalation (LPE) attack, which granted root access by corrupting a page table entry, allowing modification of system files like the /usr/bin/su executable.

The technique, while requiring physical access to the hardware, showcases the potential security risks posed by easily accessible tools when used by skilled attackers. The success rate varied from 20% to 50%, depending on system conditions. This method raises concerns about physical security and the vulnerability of memory systems, particularly in scenarios where physical tampering is possible.

Buchanan suggests that this technique could be applied to bypass anti-cheat software or circumvent security checks on devices like Android smartphones, though challenges exist in scaling the method to smaller devices.

TryHackMe launches new Cyber Security 101 learning path

On the 21st of October, TryHackMe launched its new Cyber Security 101 learning path.


The path covers fundamental concepts and terminology, and delves into various tools, ranging from offensive to defensive, through practical hands-on demonstrations.

By completing rooms in the path before the 4th of November, 2024, you’ll be in with the chance to win prizes from our $48,000 prize draw! For more information, check out our latest blog.

Author: Ben Spring
Oct 28, 2024
