Daily Drop (800): Llama 3 | Chinese Telcos | Telegram's Security | China Targets DIB | Assange Released | Russia-North Korea Defense Deal | Linux Kernel Vul | MS Console File Exploit | CISA Tool Hack
06-26-24
Wednesday, Jun 26 2024 // (IG): BB // ShadowNews // Coffee for Bob
*Started adding Proof of Concepts (PoCs), where available, for the CVEs mentioned:
A Proof of Concept (PoC) is a small exercise to test a certain hypothesis or demonstrate that a potential project can be viable. It is primarily used to verify that certain concepts or theories have the potential for real-world application. The purpose of a PoC is to showcase the feasibility, functionality, and potential of a concept before proceeding to the development of the full-scale project.*
CISA Reveals Hack of Its Chemical Security Assessment Tool
Bottom Line Up Front (BLUF): The Cybersecurity and Infrastructure Security Agency (CISA) disclosed that hackers breached its Chemical Security Assessment Tool (CSAT) in January 2024, potentially accessing sensitive information about high-risk chemical facilities.
Analyst Comments: This breach of CISA's systems is particularly concerning given the agency's role as the federal government's lead cybersecurity organization. The potential exposure of data related to chemical facilities that could be weaponized by terrorists highlights the critical nature of the compromised information. While CISA claims no evidence of data exfiltration, unauthorized access to encrypted sensitive data still poses significant risks. The use of Ivanti vulnerabilities in this attack, potentially linked to Chinese state-sponsored actors, aligns with broader warnings about China's efforts to pre-position itself in U.S. critical infrastructure. This incident underscores the ongoing challenges in securing even the most security-conscious government agencies and the persistent threat posed by sophisticated state-sponsored hackers.
FROM THE MEDIA: CISA reported that hackers exploited vulnerabilities in Ivanti Connect Secure appliances to install an advanced webshell on its CSAT system between January 23-26, 2024. While no data exfiltration was detected, potentially accessed information includes Top-Screen Surveys, Security Vulnerability Assessments, Site Security Plans, and Personnel Surety Program submissions. CISA is notifying affected individuals and offering identity protection services. The agency did not explicitly attribute the attack, but previous advisories have linked similar Ivanti exploits to China-nexus threat actors. This incident occurs in the context of broader U.S. government warnings about Chinese hackers pre-positioning themselves in critical U.S. infrastructure systems.
READ THE STORY: The Register // The Washington Times // MSN // DarkReading
US Record Labels Sue AI Music Generators Suno and Udio for Copyright Infringement
Bottom Line Up Front (BLUF): Major US record labels, including Universal Music Group, Warner Music Group, and Sony Music Group, have filed lawsuits against AI music generators Suno and Udio, alleging massive-scale copyright infringement of their artists' work.
Analyst Comments: This legal action represents a significant escalation in the ongoing conflict between the traditional music industry and emerging AI technologies. The lawsuits highlight the complex copyright issues surrounding AI training data and could set important precedents for the future of AI-generated content across various creative industries. The music labels' stance suggests they view AI-generated music as a serious threat to their business model and artists' rights. However, their simultaneous partnerships with other AI companies indicate a nuanced approach, seeking to shape rather than wholly reject AI's role in music production. This case underscores the urgent need for clearer legal frameworks and industry standards regarding AI training data and generated content, balancing innovation with intellectual property rights.
FROM THE MEDIA: The lawsuits, filed in US federal courts, seek damages up to $150,000 per infringed work. The record labels claim they were able to generate outputs from Suno and Udio that closely resembled copyrighted songs, suggesting the AI models were trained on this material without permission. Examples include generating songs similar to Chuck Berry's "Johnny B. Goode" and Mariah Carey's "All I Want for Christmas Is You." The Recording Industry Association of America (RIAA) argues that these AI services are exploiting artists' work without consent or compensation. Suno's CEO denies the allegations, stating their technology is designed to generate new outputs, not reproduce existing content. The music industry views AI-generated music as a potential threat that could saturate the market and compete with genuine recordings.
READ THE STORY: Wired
Spyware Maker NSO Group Claims Politicians are 'Legitimate' Spying Targets
Bottom Line Up Front (BLUF): In a court filing, NSO Group, the maker of Pegasus spyware, has stated that government and military officials, including opposition politicians, are "legitimate intelligence targets" for surveillance.
Analyst Comments: This assertion by NSO Group raises significant concerns about the scope and ethics of government surveillance using commercial spyware. By classifying a broad range of political figures as legitimate targets, NSO Group is effectively endorsing widespread political espionage. This stance could have chilling effects on democratic processes and international diplomacy. The company's attempt to justify the surveillance of journalists accused of crimes by foreign governments is particularly troubling, as it could be used to legitimize the targeting of press freedom. This case highlights the urgent need for international regulations on the use and sale of sophisticated surveillance technologies, balancing national security needs with privacy rights and democratic freedoms.
FROM THE MEDIA: NSO Group made these claims in a court filing related to a case with WhatsApp over alleged infections of 1,400 users with Pegasus spyware. The company is seeking full access to a list of "VIPs" and "civil society leaders" compiled by Citizen Lab. NSO Group argues that government and military officials are legitimate surveillance targets, regardless of their affiliation with criminal activities. They cited U.S. Senator Mitch McConnell as an example of a potential target. The company also justified targeting journalists accused of crimes by foreign governments. Citizen Lab recently reported that Pegasus was used to target Belarusian and Russian-speaking journalists and activists critical of the Russian government.
READ THE STORY: CyberDaily
Chinese State-Sponsored RedJuliett Intensifies Taiwanese Cyber Espionage via Network Perimeter Exploitation
Bottom Line Up Front (BLUF): A suspected Chinese state-sponsored hacking group, RedJuliett, has been observed targeting dozens of organizations in Taiwan and other countries, focusing on government agencies, universities, technology firms, and religious groups, likely for economic and diplomatic intelligence gathering.
Analyst Comments: This campaign highlights China's persistent cyber espionage efforts against Taiwan, underscoring the ongoing geopolitical tensions between the two. The group's focus on technology companies, especially those involved in critical sectors like semiconductors and aerospace, suggests an attempt to gain strategic technological advantages. The use of vulnerabilities in internet-facing devices for initial access demonstrates the continued effectiveness of this tactic and the need for organizations to prioritize the security of their network perimeters. The expansion of targets to include religious organizations and other countries indicates a broadening scope of Chinese cyber espionage activities.
FROM THE MEDIA: RedJuliett, also known as Flax Typhoon, has been active since mid-2021, primarily targeting Taiwan. Between December 2023 and April 2024, the group targeted organizations in Taiwan, Hong Kong, Malaysia, Laos, the Philippines, South Korea, Kenya, Rwanda, Djibouti, and the U.S. Its targets in Taiwan include companies involved in optoelectronics, facial recognition, and semiconductors, as well as aerospace companies with military contracts. The group exploits vulnerabilities in internet-facing devices such as firewalls, load balancers, and enterprise VPNs for initial access. Researchers believe RedJuliett operates from Fuzhou, China, and is likely to continue high-tempo cyber-espionage operations focusing on Taiwanese technology, government, educational, and think tank organizations.
READ THE STORY: The Record // abcNEWS
Russian Hackers Target Ukraine with XWorm RAT Malware Payload
Bottom Line Up Front (BLUF): Russia-linked threat actor group UAC-0184 is targeting Ukraine with the XWorm remote access trojan (RAT) using Python-related files and sophisticated infection techniques.
Analyst Comments: This campaign demonstrates the ongoing cyber threats facing Ukraine from Russian-linked actors. The use of the versatile XWorm RAT, combined with evasive techniques like DLL sideloading and process injection, shows a high level of sophistication. The malware's wide range of capabilities, including data theft and DDoS attacks, poses a significant threat to Ukrainian targets. The campaign's use of lures mimicking official communications highlights the continued effectiveness of social engineering tactics. This ongoing cyber activity underscores the need for robust cybersecurity measures in Ukraine and vigilance against evolving threats from Russian-linked actors.
FROM THE MEDIA: The attack begins with a malicious LNK shortcut file disguised as an Excel document. When executed, it downloads additional files and uses DLL sideloading to inject the XWorm RAT into the MSBuild process. The RAT offers capabilities including data theft, DDoS attacks, and cryptocurrency address manipulation. While the initial infection vector is unclear, phishing emails are suspected. Cyble researchers recommend several defensive measures, including strong email filtering, caution with attachments, and robust antivirus solutions.
READ THE STORY: The Cyber Express
India Advances Reusable Launch Vehicle Program with Successful Landing Test
Bottom Line Up Front (BLUF): The Indian Space Research Organisation (ISRO) completed its third test of the RLV-LEX (Reusable Launch Vehicle Landing Experiment), paving the way for the development of a fully reusable orbital vehicle.
Analyst Comments: This achievement marks a significant milestone in India's space program, demonstrating its growing capabilities in advanced space technologies. The successful landing under more challenging conditions, including stronger winds and a larger course adjustment, showcases the robustness of India's autonomous landing systems. The decision to proceed with developing a reusable orbital vehicle (RLV-ORV) indicates India's commitment to reducing launch costs and increasing space access, potentially shifting the dynamics of the global space industry. This progress, coupled with India's planned crewed missions and innovative projects like space yoga, reflects the country's holistic approach to space exploration, combining technological advancement with cultural elements.
FROM THE MEDIA: The RLV-LEX, resembling NASA's retired space shuttle, performed its third successful landing after being dropped from a helicopter. The vehicle made a 500-meter course adjustment and landed precisely at speeds exceeding 320 km/h. ISRO used the same winged body and flight systems from the second test, demonstrating the vehicle's reusability. With this success, ISRO plans to develop the RLV-ORV (Orbital Reusable Vehicle). India's next major mission, Vyommitra, will launch a humanoid robot to test systems for the Gaganyaan crewed mission planned for 2025. Additionally, India is exploring space yoga applications, including the development of an AI-powered yoga mat called "YogiFi."
READ THE STORY: The Register
Doxxing on BreachForums Allegedly Exposes Moderator's Personal Information
Bottom Line Up Front (BLUF): An anonymous threat actor claimed to have exposed the personal information of a BreachForums moderator known as "Aegis", including alleged details about his age, location, and contact information.
Analyst Comments: This incident highlights the ongoing risks of personal information exposure, even for individuals involved in cybercrime forums. The alleged doxxing of a forum moderator raises questions about operational security practices within these communities and could potentially lead to real-world consequences for the individual if the information is accurate. This event may cause increased paranoia and distrust among cybercriminal forum users, potentially disrupting operations or leading to changes in how these platforms are managed. However, the unverified nature of the claims and the quick removal of the post suggest caution in drawing firm conclusions.
FROM THE MEDIA: An anonymous threat actor posted alleged personal information about BreachForums moderator "Aegis" on the forum itself. The post claimed Aegis is a 17-year-old Egyptian resident and included purported details like phone number, IP address, and residential address. The post was quickly deleted. The incident was first reported by a LinkedIn user on a cybersecurity forum. Doxxing is the practice of revealing someone's personal information online without their consent, often with malicious intent. The article also provides general advice on preventing doxxing, such as using strong passwords, enabling multi-factor authentication, and being cautious about sharing personal information online.
READ THE STORY: The Cyber Express
Google Introduces Project Naptime for AI-Powered Vulnerability Research
Bottom Line Up Front (BLUF): Google has developed Project Naptime, a new framework that enables large language models (LLMs) to conduct vulnerability research, aiming to improve automated discovery approaches and mimic the workflow of human security researchers.
Analyst Comments: Project Naptime represents a significant advancement in applying AI to cybersecurity, particularly in vulnerability research. By leveraging the code comprehension and reasoning abilities of LLMs, this framework could potentially accelerate the discovery of security flaws and automate variant analysis. The model-agnostic and backend-agnostic nature of Naptime suggests broad applicability across different AI systems. However, the effectiveness of this approach in real-world scenarios, especially against sophisticated vulnerabilities, remains to be seen.
FROM THE MEDIA: Project Naptime's architecture centers around an AI agent interacting with a target codebase using specialized tools that mimic a human security researcher's workflow. These tools include a Code Browser for navigating the codebase, a Python tool for fuzzing in a sandboxed environment, a Debugger tool to observe program behavior, and a Reporter tool to monitor task progress. In tests using CYBERSECEVAL 2 benchmarks, Naptime achieved significantly improved scores in identifying buffer overflow and advanced memory corruption flaws compared to OpenAI's GPT-4 Turbo. Google researchers Sergei Glazunov and Mark Brand emphasize that Naptime enables an LLM to perform vulnerability research that closely mimics the iterative, hypothesis-driven approach of human security experts.
READ THE STORY: THN
On-Prem AI Faces Challenges Despite Industry Push
Bottom Line Up Front (BLUF): HPE and other hardware vendors are promoting on-premises AI solutions as alternatives to cloud-based services, but industry analysts question the demand and long-term viability of this approach.
Analyst Comments: The push for on-premises AI infrastructure highlights the tech industry's attempt to capitalize on the AI boom beyond cloud services. However, this strategy faces several challenges. Most businesses are already cloud-first and may not see compelling reasons to switch to on-prem AI. The main arguments for on-prem AI (latency, security, cost) may not be strong enough for many use cases. On-prem offerings heavily rely on Nvidia hardware, creating potential supply chain and regulatory risks. Challenges to Nvidia's dominance from AMD, Intel, and others could disrupt the on-prem AI hardware market. Additionally, potential antitrust investigations into Nvidia, Microsoft, and OpenAI could reshape the AI landscape.
FROM THE MEDIA: HPE showcased its Nvidia Private Cloud AI solution at its Discover conference, promising easy deployment of enterprise-level AI hardware. Canalys CEO Steve Brazier suggests this vision may be optimistic, noting that most businesses haven't complained about cloud-based AI latency. HPE counters that on-prem solutions offer better security and cost control for production AI workloads. The article highlights Nvidia's dominant position across both cloud and on-prem AI hardware while noting potential regulatory challenges and competition from Intel and AMD.
READ THE STORY: The Register
New Attack Technique Exploits Microsoft Management Console Files
Bottom Line Up Front (BLUF): A new attack technique dubbed GrimResource has been discovered exploiting Microsoft Management Console (MMC) files to achieve full code execution and evade security defenses.
Analyst Comments: This novel attack vector represents a significant evolution in threat actors' tactics to bypass security measures. By leveraging MSC files and exploiting an unpatched XSS vulnerability in the apds.dll library, attackers can execute malicious code while evading detection. The technique's ability to bypass ActiveX warnings and combine with DotNetToJScript for arbitrary code execution makes it particularly dangerous. This development underscores the ongoing cat-and-mouse game between attackers and defenders, highlighting the need for constant vigilance and adaptation in cybersecurity strategies.
FROM THE MEDIA: Elastic Security Labs identified the GrimResource technique after discovering a malicious MSC file uploaded to VirusTotal on June 6, 2024. The attack exploits a cross-site scripting flaw in the apds.dll library to execute arbitrary JavaScript code in the MMC context. This method can bypass ActiveX warnings and, when combined with DotNetToJScript, achieve arbitrary code execution. In the analyzed sample, the technique was used to launch a .NET loader component called PASTALOADER, ultimately deploying Cobalt Strike. Researchers Joe Desimone and Samir Bousseaden noted that this new technique has emerged as attackers seek alternatives to traditional infection vectors like Office macros, which have been disabled by default for internet-sourced documents.
READ THE STORY: THN // Elastic Security Labs
Exploiting a Use-After-Free Vulnerability in the Linux Kernel: A Zero-Day Threat Emerges
Bottom Line Up Front (BLUF): A zero-day exploit targeting a use-after-free (UAF) vulnerability in Linux Kernel version 6.6.15-amd64 is being advertised for sale on dark web forums for $150,000, potentially allowing for privilege escalation and code execution with root permissions.
Analyst Comments: This emerging threat highlights the ongoing risks posed by zero-day vulnerabilities in critical software like the Linux Kernel. The high price tag and the seller's requirement for proof of funds indicate this is a sophisticated exploit likely targeted at well-resourced threat actors or potentially nation-state groups. The endorsement by another known threat actor adds credibility to the claim, increasing the likelihood that this is a legitimate and potent exploit. This situation underscores the importance of rapid patching and robust security measures for Linux-based systems, especially in high-value targets like government agencies, financial institutions, and critical infrastructure.
FROM THE MEDIA: A threat actor known as Cas is advertising a zero-day exploit for a use-after-free vulnerability in Linux Kernel version 6.6.15-amd64 on dark web forums. The exploit is priced at $150,000 in cryptocurrency and allegedly allows for privileged code execution and potential data leakage. Another individual, IntelBroker, claims to have privately verified the proof-of-concept. This follows a similar vulnerability (CVE-2024-36886) reported earlier in Linux Kernel version 4.1. Use-after-free vulnerabilities occur when a program continues to access memory that has been deallocated, potentially leading to unpredictable behavior or security vulnerabilities.
READ THE STORY: The Cyber Express
Polyfill.io Domain Compromised, Serving Malware to 100,000+ Websites
Bottom Line Up Front (BLUF): The polyfill.io domain, now owned by a Chinese CDN operator, is being used to distribute malware to over 100,000 websites that use its JavaScript code, prompting urgent warnings to remove the scripts immediately.
Analyst Comments: This incident highlights the significant risks associated with relying on third-party code in web development. The compromise of a widely used service like polyfill.io demonstrates the potential for large-scale supply chain attacks in web ecosystems. The situation is particularly concerning given the delayed response since the domain's ownership change in February. This event underscores the need for continuous monitoring of third-party dependencies and rapid response mechanisms in web development practices. Organizations should reassess their use of external scripts and consider implementing stricter vetting processes for third-party code.
FROM THE MEDIA: Security firms warned that the polyfill.io domain, bought by Chinese CDN operator Funnull in February, is now serving malicious code. Google has started blocking ads on affected websites and alerting site owners. The malware can redirect visitors to malicious sites. Over 100,000 websites, including major platforms like JSTOR and Intuit, are affected. The original creator of the polyfill service urged users to stop using polyfill.io in February following the ownership change. Alternative CDN providers like Fastly and Cloudflare created mirrors of the service as a precaution.
READ THE STORY: The Register
Major Cybersecurity Breach Affects Auto Manufacturers
Bottom Line Up Front (BLUF): A significant cybersecurity breach at CDK Global, a software provider for over 15,000 car dealerships, has disrupted operations for major auto manufacturers including Stellantis, Ford, and BMW, potentially involving ransomware and multiple threat actors.
Analyst Comments: This incident highlights the far-reaching consequences of supply chain attacks in the automotive industry. The breach at CDK Global demonstrates how a single point of failure in a widely-used service provider can impact multiple major manufacturers and thousands of dealerships. The reported involvement of the BlackSuit ransomware gang suggests a sophisticated attack, possibly involving multiple threat actors. The disruption to dealership operations, forcing some to revert to manual processes, underscores the critical dependence of modern automotive retail on digital systems. This event may prompt automakers and their suppliers to reevaluate their cybersecurity strategies, particularly focusing on third-party risk management and incident response capabilities.
FROM THE MEDIA: CDK Global discovered a security breach on June 18, leading to a shutdown of its systems. A second attack occurred as CDK was restoring its systems. By June 21, CDK warned of bad actors impersonating company employees in calls to customers. Reports indicate CDK entered negotiations with the BlackSuit ransomware gang. The breach has affected dealerships for Stellantis, Ford, and BMW, disrupting sales and service operations. Some dealerships have reverted to pen-and-paper record-keeping. Cybersecurity experts suggest the breach may have involved multiple threat actors and highlight the prevalence of phishing attempts in the automotive sector.
READ THE STORY: IndustryWeek
Russia-North Korea Defense Deal Could Create Friction with China: US General
Bottom Line Up Front (BLUF): U.S. Air Force General C.Q. Brown, chairman of the Joint Chiefs of Staff, suggests that Russia's recent mutual defense agreement with North Korea could potentially create tension in North Korea's long-standing alliance with China.
Analyst Comments: This development signals a potential shift in the geopolitical dynamics of Northeast Asia. Russia's increasing engagement with North Korea could challenge China's traditional role as Pyongyang's primary ally and economic lifeline. This triangular relationship may lead to increased competition for influence over North Korea, potentially complicating international efforts to address the Korean Peninsula's security issues. The situation also highlights Russia's attempts to expand its strategic partnerships in the face of Western sanctions. However, the practical implications of this agreement remain uncertain, given its reportedly broad and non-binding nature.
FROM THE MEDIA: General Brown noted that Russia's involvement as "someone else who's kind of nudging in now" may drive friction between China and Russia regarding North Korea. The mutual defense agreement, signed on June 19, commits each side to provide immediate military assistance if either is under armed attack. Putin has suggested Russia might supply weapons to North Korea, raising concerns about potential transfers of advanced military technologies. U.S. officials believe North Korea seeks fighter aircraft, surface-to-air missiles, armored vehicles, and ballistic missile production equipment from Russia. However, Brown also indicated that the agreement appears broad and not overly binding, suggesting both parties want to work together without tying their hands completely.
READ THE STORY: Reuters
Wikileaks' Julian Assange Released from U.K. Prison, Heads to Australia
Bottom Line Up Front (BLUF): Julian Assange, the founder of WikiLeaks, has been released from a U.K. prison after serving over five years and has departed for Australia. Assange pleaded guilty to one count of conspiring to obtain and disclose classified U.S. national defense documents and is set to be sentenced to time already served.
Analyst Comments: Assange's release marks a significant moment in the ongoing debate over government transparency, whistleblower protection, and national security. The plea deal, which allows Assange to avoid further imprisonment in the U.S., suggests a potential shift in the U.S. government's approach to prosecuting cases involving the disclosure of classified information. This outcome may have implications for future whistleblowers and journalistic practices involving sensitive government information. However, the full impact on press freedom and government accountability remains to be seen.
FROM THE MEDIA: Assange, 52, was freed from Belmarsh prison in the U.K. after a 14-year legal battle. He pleaded guilty to one criminal count related to the disclosure of classified U.S. documents and is set to be sentenced to 62 months of time already served. The sentencing will take place in Saipan due to Assange's reluctance to travel to the continental U.S. WikiLeaks stated that the release resulted from a global campaign involving various stakeholders and negotiations with the U.S. Department of Justice. Founded in 2006, WikiLeaks has published over 10 million documents related to war, spying, and corruption, including significant leaks such as the Iraq and Afghan War Logs, diplomatic cables, and CIA cyber tools. The U.S. DOJ previously stated that Assange's actions posed serious risks to national security and human sources.
READ THE STORY: THN
Partnerships Are Key to Facing China's Onslaught Against US Defense Industrial Base
Bottom Line Up Front (BLUF): Gen. Timothy Haugh, commander of U.S. Cyber Command, warns that China is aggressively targeting the U.S. defense industrial base (DIB) through espionage, sabotage, theft, and disruption, emphasizing the need for enhanced cybersecurity and partnerships between the DIB and government agencies.
Analyst Comments: This warning from a top U.S. cybersecurity official underscores the critical threat posed by China to America's defense capabilities. The emphasis on China's multi-faceted approach, including intellectual property theft and supply chain disruption, highlights the complex nature of this threat. Gen. Haugh's call for improved cybersecurity within the DIB and increased collaboration with government agencies suggests current defenses may be inadequate. This situation could have significant implications for U.S. national security, potentially affecting military readiness and technological superiority.
FROM THE MEDIA: Gen. Haugh highlighted China's dominance in global manufacturing and shipping as a strategic threat. He noted that China is employing thousands of personnel to steal U.S. intellectual property and disrupt DIB supply chains. CYBERCOM is offering partnerships with DIB companies to enhance cybersecurity, including threat information sharing through initiatives like "Under Advisement" and the NSA's Cybersecurity Collaboration Center. These efforts aim to develop anticipatory, adaptive, and rapid resilience within the DIB to counter sophisticated cyber threats from state and non-state actors.
READ THE STORY: AFCEA
Critical RCE Vulnerability Discovered in Ollama AI Infrastructure Tool
Bottom Line Up Front (BLUF): A critical remote code execution (RCE) vulnerability, tracked as CVE-2024-37032, has been discovered and patched in the Ollama open-source AI infrastructure platform. The flaw could allow attackers to achieve RCE by exploiting insufficient input validation.
Analyst Comments: This vulnerability in Ollama highlights the growing importance of securing AI infrastructure tools as they become more prevalent. The path traversal flaw leading to RCE is particularly concerning given Ollama's role in deploying and running large language models locally. The fact that over 1,000 exposed instances were found hosting AI models without protection underscores the urgent need for better security practices in AI deployments. This incident serves as a reminder that even modern codebases written in contemporary programming languages can still be susceptible to classic vulnerabilities. Organizations using Ollama should prioritize updating to version 0.1.34 or later and implement additional security measures such as authentication for exposed instances. The discovery of this and other vulnerabilities in AI/ML tools suggests that the rapidly evolving AI sector may be outpacing security considerations, necessitating increased focus on secure development practices and regular security audits in AI infrastructure.
FROM THE MEDIA: The vulnerability, dubbed Probllama, was discovered by cloud security firm Wiz and affects the Ollama platform used for packaging and running large language models. The flaw allows attackers to send specially crafted HTTP requests to the Ollama API server, potentially leading to arbitrary file overwrites and remote code execution. While the risk is reduced in default Linux installations, Docker deployments are particularly vulnerable as the API server runs with root privileges and listens on all interfaces by default. Wiz identified over 1,000 exposed Ollama instances hosting AI models without protection. The issue was responsibly disclosed on May 5, 2024, and patched in version 0.1.34 released on May 7, 2024. Additionally, AI security company Protect AI has warned of over 60 security defects in various open-source AI/ML tools, including a critical SQL injection flaw in Intel Neural Compressor software.
READ THE STORY: THN
Telegram's Security Called Into Question Following Pavel Durov's Viral Interview
Bottom Line Up Front (BLUF): Security experts are raising alarms about Telegram's security and privacy protections after founder Pavel Durov revealed in an interview that the platform has only about 30 engineers and lacks default end-to-end encryption.
Analyst Comments: This revelation about Telegram's limited engineering resources and security practices is deeply concerning given the platform's massive user base of 700 million monthly active users and its growing popularity among cybercriminals. The lack of default end-to-end encryption and the small team size raise significant questions about Telegram's ability to protect user data and combat sophisticated cyber threats, particularly from state-sponsored actors. The platform's dual role as both a messaging app and a social network further complicates its security challenges. This situation highlights the ongoing tension between rapid growth in user-facing tech platforms and the need for robust security measures, especially for apps handling sensitive user data.
FROM THE MEDIA: Cryptography expert Matthew Green described Telegram as a "security nightmare" due to its lack of default end-to-end encryption and questionable server locations. Eva Galperin, cybersecurity director at the Electronic Frontier Foundation, warned that Telegram's small team is likely overworked and underfunded, making the platform an attractive target for attackers. Security firm Guardio reported that Telegram has become a hub for cybercriminal activity, including the sharing of hacking tools and phishing kits. Despite these concerns, Telegram promotes itself as a champion of privacy and human rights, citing its use in pro-democracy movements worldwide.
READ THE STORY: Tech Times
Chinese Telcos Reportedly Under US Data Security Probe
Bottom Line Up Front (BLUF): The U.S. Department of Commerce has reportedly launched investigations into Chinese telecommunications firms China Mobile, China Telecom, and China Unicom over concerns about potential compromise of American data through their U.S. cloud and internet businesses.
Analyst Comments: This investigation marks a significant escalation in U.S. efforts to address perceived national security risks associated with Chinese technology companies operating in the U.S. The focus on cloud and internet businesses highlights growing concerns about data security and the potential for foreign access to sensitive information. This action follows previous restrictions on these companies' telecommunications services, indicating a broader strategy to limit Chinese firms' access to U.S. digital infrastructure. The potential outcomes, including restricting data center and internet routing operations, could have far-reaching implications for U.S.-China technology relations and global internet infrastructure. This development underscores the increasing intersection of national security concerns with commercial technology operations, a trend likely to continue shaping international business and cybersecurity policies.
FROM THE MEDIA: The Department of Commerce has reportedly subpoenaed China Mobile, China Telecom, and China Unicom as part of its investigation. China Mobile and China Telecom have already undergone "risk-based analyses." The probe aims to address concerns that these firms could provide intellectual property and personal data to the Chinese government. While no specific action has been decided, regulators may move to restrict the companies' data center and internet data routing operations in the U.S. This follows the Federal Communications Commission's previous ban on these companies providing telephone and broadband services after China Telecom was found to have routed internet traffic through China.
READ THE STORY: SCMAG
Items of interest
CYBERSECEVAL 2: A Comprehensive Cybersecurity Benchmark for Large Language Models
Bottom Line Up Front (BLUF): Researchers have developed CYBERSECEVAL 2, an expanded benchmark suite to quantify cybersecurity risks and capabilities in large language models (LLMs). The suite introduces new tests for prompt injection and code interpreter abuse, and proposes a method to measure the safety-utility tradeoff using False Refusal Rate (FRR).
Analyst Comments: CYBERSECEVAL 2 represents a significant advancement in assessing the cybersecurity implications of LLMs. The inclusion of prompt injection and code interpreter abuse tests addresses critical vulnerabilities in LLM applications. The introduction of FRR provides a valuable metric for balancing safety and utility in LLM responses. The exploit generation tests offer insights into LLMs' potential for both defensive and offensive cybersecurity applications. However, the results indicate that while LLMs are improving in rejecting malicious requests, they remain vulnerable to various attack vectors.
FROM THE MEDIA: The researchers evaluated multiple state-of-the-art LLMs, including GPT-4, Mistral, and Meta's Llama 3 models. All tested models showed vulnerability to prompt injections, with success rates ranging from 26% to 41%. LLMs complied with an average of 35% of requests to assist in attacking attached code interpreters. Models with higher coding abilities performed better on exploit generation tasks, but overall performance suggests LLMs are not yet capable of autonomously exploiting systems. The study found a small tradeoff between safety and utility in LLM responses to cybersecurity-related requests. The researchers have open-sourced their evaluation suite to encourage further development and testing in this critical area.
READ THE STORY: Arxiv
Meta Llama 3 (Video)
FROM THE MEDIA: Meta Llama 3 is an open source LLM. Llama 3 has been developed in a responsible way. Meta offers multiple tools for responsible AI like Llama Guard 2, Code Shield, and CyberSec Eval 2. In the coming months, Meta expects to introduce new capabilities, longer context windows, additional model sizes, and enhanced performance. For now they have released 8B and 70B models with significantly better quality than Llama 2, an 8k context length, and training on 15T tokens on a custom-built 24k GPU cluster. Performance is great on various benchmarks, with Llama3-8B doing better than Llama2-70B in some cases. In this video, I talk about the following: How does Meta Llama 3 perform? How does Llama 3 compare with Llama 2? How is Llama 3 trained? For more details, please look at https://ai.meta.com/blog/meta-llama-3/
Meta Llama3 with Ollama having the Self Operating Computer install it for me (Video)
FROM THE MEDIA: Picture this: you're working on a project, and suddenly you realize you need a little extra help. That's where Llama 3 comes in! With its powerful capabilities, you'll have access to this groundbreaking technology on platforms like AWS, Google Cloud, Microsoft Azure, and more. It's like having a super-smart sidekick ready to assist you whenever you need it! These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security.
The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.