In October 2024, digital threats continued to evolve – impacting large international organisations like Google and Schneider Electric. New techniques included Google’s AI-driven platform which discovered a critical zero-day vulnerability in SQLite, and adversaries using ChatGPT to launch autonomous voice scams. Notable incidents included a major data breach at Schneider Electric, extensive DDoS attacks on US election-related websites, and the arrest of a key figure in the Snowflake data breach.
New/Improved Techniques
Google AI Discovers Vulnerability – World First
Google recently announced a significant milestone in AI-driven cybersecurity when their LLM-based bug discovery tool, named Big Sleep, discovered a zero-day vulnerability in the widely used SQLite database engine. This is the first time an AI has autonomously identified an unknown, exploitable flaw in real-world software.
The SQLite vulnerability, a stack buffer underflow, would have allowed an attacker to crash the system or execute arbitrary code on it, and was discovered by Big Sleep through deep code analysis of available code commits. The SQLite developers were informed and issued a patch remediating the vulnerability on the same day. The deep code analysis performed by Big Sleep is a big step forward for AI-driven automated vulnerability discovery, which has traditionally focused on ‘fuzzing’, a technique where random inputs are used to test software, and new inputs are driven by patterns from the previous results.
Big Sleep is the result of Google’s Project Zero, launched in 2014, which is an internal team of Google security analysts tasked with discovering zero-day vulnerabilities and managing responsible disclosure, where they provide a 90-day deadline to remediate issues before public release.
ChatGPT – Autonomous Voice Scams
Researchers at the University of Illinois Urbana-Champaign (UIUC) have demonstrated the potential misuse of OpenAI’s ChatGPT-4o for autonomous voice-based scams. ChatGPT-4o, an advanced AI model integrating text, voice, and reading capabilities, can be exploited to conduct financial scams with varying success rates. The research showed that the model could perform tasks such as bank transfers, gift card exfiltration, and credential theft, in complex multi-step social engineering attacks.
Despite OpenAI’s safeguards to prevent malicious use, the researchers managed to bypass these defences via prompt jailbreaking. They simulated interactions with gullible victims, demonstrating how easily financial scams could be executed. The success rates of these scams ranged from 20% to 60%, with credential theft from Gmail accounts achieving the highest success rate. The cost per successful scam was alarmingly low, averaging $0.75 for simple attempts and $2.51 for more complex operations like bank transfers, and is based on the number of interactions required to convince a user to undertake different actions.
This research highlights the inadequacy of current safeguards and the vulnerability of widely used AI services. The actions required to step a victim through a financial scam or malicious actions on their device are very similar to the types of queries LLMs are designed to assist with. Most LLMs are pre-primed with a default persona, but they can be persuaded to adopt user-defined personas when responding to queries. This creates a unique challenge for AI providers, balancing the ability to customize responses with safeguarding against malicious use, while keeping the core functionality intact.
Happenings
[France] Schneider Electric Breach
Schneider Electric has confirmed a breach of its developer platform after a hacker claimed to have stolen 40GB of data from their Jira server. The hacker, part of the recently renamed Hellcat ransomware gang, accessed the server using exposed credentials and extracted 400,000 rows of user data, including 75,000 unique email addresses and full names of employees and customers. Hellcat have demanded a ransom of $125,000 to be paid in baguettes to not release the information.
While it is unclear how the malicious actors originally obtained credentials for Schneider’s Jira instance, once in, the attacker leveraged the MiniOrange REST API to scrape and extract the data. The MiniOrange API add-on is seen as a more flexible and secure option compared to the default Jira REST API, and although specific technical details of the attack have not been released – it highlights the risks of these types of add-ons, which should be removed if not in active use.
Schneider Electric have stated that the breach did not affect their products and services, and that its global incident response team was mobilised to address the incident. This marks the third cybersecurity incident for the company in two years, highlighting their ongoing security challenges.
[US] Election – Cloudflare DDoS protection
Cloudflare have blocked 4.8 billion malicious HTTP requests to US political or election-related websites in October, and another 6.4 billion in the first five days of November (leading up to the elections). The attacks mitigated included an attack of over 16 Gbps (700,000 requests per second) using detection avoidance techniques such as randomised and geo-diverse agents. Cloudflare launched the Athenian Project in 2017, a free initiative to protect US election sites from cyberattacks, and to ensure they remain accessible. Since the launch, Cloudflare have extended the protection offered by the Athenian Project to international at-risk public interest groups under their Project Galileo.
The Cloudflare report did not comment on the specific sites being targeted, or their political affiliation, nor did they comment on what countries or groups they believe to be responsible for the uptick in attacks. Over the period of the attacks, the Athenian Project managed to sufficiently protect all of the targeted sites, with no downtime or significant disruptions reported, even during extremely high-volume attacks.
[Global] Snowflake / Ticketmaster Actor Arrested
A Canadian citizen was arrested at the behest of US law enforcement authorities in late October, in relation to the Snowflake data breach that affected New Zealanders. As reported in July this year, personal information about New Zealanders was stolen from the Ticketmaster Snowflake account, when a group of bad actors calling themselves ShinyHunters discovered that there was no MFA on the majority of accounts using the Snowflake SaaS solution. During the attack, data was stolen from approximately 165 organisations, many of whom were then blackmailed, with at least $2.5 million USD being extorted from these victims.
While the indictment did not include victim names, the company descriptions leave no doubt that this is related to the Snowflake breach, with the victims described as:
- A major U.S.-based entertainment company (likely Ticketmaster).
- A U.S.-based software-as-a-service company providing cloud storage environments to customers (likely Snowflake).
- A major American telecommunications company (likely AT&T).
[Ireland] LinkedIn Receives €310 Million Fine Over Targeted Advertising
The Irish Data Protection Commission has levelled a €310 million fine at LinkedIn after an investigation revealed that LinkedIn’s consent agreement for processing user data for behavioural analysis and targeted advertising was not freely given, sufficiently informed, or specific. The inquiry found that LinkedIn has been violating the European Union’s laws around processing personal data and was triggered by a complaint from La Quadrature Du Net, a French not-for-profit digital rights and freedoms advocacy group.
Alongside the fine, LinkedIn will also be required to bring its data processing and transparency practices into compliance with the GDPR. LinkedIn have been provided with a 3-month window to align with the GDPR, and in a response to a request for comment LinkedIn indicated that they believed they were already in compliance with GDPR, but that they would ensure that their practices are aligned by the deadline.
Mozilla – Tracking Users Without Consent
Following a multi-stage review by the Canadian security and intelligence community, the Canadian Government has ordered the dissolution of TikTok Technology Canada due to national security concerns. The review was conducted under the Investment Canada Act, which allows for the examination of foreign investments that may pose a risk to national security.
Although the Canadian Government has not released details of the review, they identified specific national security risks relating to ByteDance Ltd’s (TikTok’s parent company) operations in Canada. The dissolution of TikTok Canada under the act follows two other companies ordered to dissolve in early 2024 – Bluvec Technologies and Pegauni Technology, two companies operating in the physical security hardware space, specialising in drone tracking.
The dissolution of TikTok’s Canadian arm does not include a ban on the use of TikTok by Canadian citizens, but the announcement included a set of guidelines for user data safety when using mobile applications. TikTok have indicated that they will challenge the dissolution order in court, claiming that hundreds of local well-paying jobs will be lost as a result.