Plus: The US indicts North Koreans in fake IT worker scheme, file-sharing firm Cleo warns customers to patch a vulnerability amid live attacks, and more.

What a week! On Monday, police arrested 26-year-old Luigi Mangione and charged him in the murder of UnitedHealthcare CEO Brian Thompson. Mangione’s five-day run from authorities ended after he was spotted eating at a McDonald’s in Altoona, Pennsylvania, about 300 miles from Manhattan, where Thompson was gunned down on the morning of December 4. Authorities say they found Mangione carrying fake IDs and a 3D-printed “ghost gun,” the model of which is known as the FMDA, or “Free Men Don’t Ask.”

Meanwhile, a flood of mysterious drone sightings across New Jersey and neighboring states caused so much havoc, it quickly gained federal attention. While many people wondered why the US military couldn’t just shoot down the drones, the FBI, Department of Homeland Security, and independent experts say the drone mystery may not be much of a mystery, and the drones are probably mostly just airplanes.

As for more terrestrial threats, we dove into the far-right realm of “Active Clubs,” small groups of young, fitness-focused men who are steeped in extremist ideology and linked to several violent attacks. While the man who helped invent the Active Club network, Robert Rundo, was sentenced in federal court this week, Active Clubs around the world are proliferating.

Finally, we investigated cheating schemes that use tiny cameras to gain an illicit edge in poker, and we interrogated the ways humans will use generative AI to make the world a more dangerous place.

But that’s not all. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Back in May, Microsoft jubilantly announced Recall, an AI feature for some Windows PCs that silently takes screenshots every five seconds and then allows you to easily search through the resulting digital footprint. Forgotten where you saw a recipe online? Tapping a couple of keywords into Recall could, in theory, find the dish again. It didn’t take long for the privacy and security community to find gaping holes in the feature.

In response, Microsoft delayed Recall’s launch and eventually made some significant changes—such as making Recall opt-in rather than on by default, better encrypting information captured by Recall, and adding authentication to access data that it stored. Recall finally launched for some users this month.

However, this week, testing of Recall by Tom’s Hardware demonstrated that a key safeguard put in place by Microsoft can still fail. With a Recall setting called “filter sensitive information” turned on, Tom’s Hardware’s tests found that it still took screenshots of some sensitive information—such as credit card numbers and Social Security numbers. When the publication typed a credit card number and a username and password into a Notepad window, they were gathered in the screenshots. “Similarly, when I filled out a loan application PDF in Microsoft Edge, entering a social security number, name and DOB, Recall captured that,” Avram Piltch writes. The tool, however, didn’t record details when they were entered on a couple of online stores.

Microsoft pointed to its product information that says the system will get better over time and that people should report if sensitive information is captured by Recall. While that may be the case, it’s unlikely that any system can correctly determine what is and isn’t sensitive every time. And that could make it a bigger target for hackers.

**14 North Koreans Identified and Indicted as Fraudulent IT Workers**

For years, North Korean nationals posing as tech workers have tried to get hired by global businesses so they can send their wages back to help the Hermit Kingdom pay for its nuclear programs. Increasingly, some companies are revealing they were targeted, and investigators are unravelling the schemes. This week, the US government indicted 14 North Koreans for their alleged role in generating $88 million, stealing sensitive business information, and attempting to use that information to extort more payments from companies. To get hired, the FBI alleges, the IT workers stole real identities, paid people in the US to use their home Wi-Fi connections, or paid them to attend job interviews. Researchers from Google-owned cybersecurity firm Mandiant who focus on North Korea say that in recent months they’ve seen IT workers following through on leaking sensitive data and demanding more cryptocurrency than ever before—although, they say this desperation could be a sign of the schemes becoming less effective.

**Cleo File-sharing Software Exploited to Spread Cybercriminal Malware**

File-sharing software firm Cleo this week warned customers to implement a new security patch to prevent a wave of intrusions by cybercriminals actively exploiting a vulnerability in its code. Researchers at security firm Huntress Labs told news outlet Recorded Future that at least two dozen organizations have already been breached by the hackers exploiting the Cleo flaw. Huntress has found a sample of malware found on those victims’ networks it calls Malichus, and says it appears to have been used by a sophisticated hacker group. Huntress also noted that Blue Yonder, a software firm breached by the Termite ransomware gang in November, had a vulnerable instance of Cleo’s software exposed on its network, and some evidence suggests the same cybercrime group may now be using the software’s vulnerability to hit other victims. Cleo first released a patch for the bug currently being exploited in October, but hackers appear to have circumvented it, and the company is urging customers to apply its new patch now.

**US Sanctions Chinese Hackers Who Allegedly Hijacked Thousands of Firewalls**

For five years, UK cybersecurity firm Sophos engaged in a cat-and-mouse game with a mysterious group of Chinese hackers targeting the company’s firewalls as a vector to break into its customers’ networks, as WIRED chronicled in October. Sophos went so far as to download surveillance “implants” to its devices that the hackers were testing to better monitor and preempt their intrusion techniques—and to gain more information about who they were and where they operated. Now, following Sophos’s revelations, those hackers have been hit with sanctions from the US government, and one of them has been indicted by name. Sichuan Silence Information Technology, based in Chengdu, and an alleged hacker named Guan Tianfeng are accused of hijacking 81,000 firewalls by exploiting a zero-day vulnerability that Guan is said to have discovered. Sichuan Silence, a known seller of disinformation tools to the Chinese government, and Guan are accused of targeting 23,000 firewalls in the US specifically, 36 of which were used in US critical infrastructure networks. The US State Department also issued a $10 million bounty for information about the company or Guan.

Microsoft’s AI Recall Tool Is Still Sucking Up Credit Card and Social Security Numbers

Thai government officials have emerged as the target of a new campaign that leverages a technique called DLL side-loading to deliver a previously undocumented backdoor dubbed Yokai.
"The target of the threat actors were Thailand officials based on the nature of the lures," Nikhil Hegde, senior engineer for Netskope's Security Efficacy team, told The Hacker News. "The Yokai backdoor itself is not

Thai Officials Targeted in Yokai Backdoor Campaign Using DLL Side-Loading Techniques

PRESS RELEASE

BOSTON — December 12, 2024 — Zerto, a Hewlett Packard Enterprise company, today announced the launch of the Zerto Cloud Vault, which delivers Zerto’s best-in-class cyber resilience capabilities as a service through managed service providers (MSPs). Zerto’s security-focused MSP partners at launch include Assurestor, Converge, LincolnIT, and Verinext. Built on the capabilities of the Zerto Cyber Resilience Vault, the Zerto Cloud Vault is a cloud-based, fully managed solution that offers logical air-gapping, immutability, and clean room recovery.

Ransomware attacks remain a harsh fact of life for most businesses with collective ransomware losses totaling over $1 billion in 2023 alone. This financial toll is exacerbated by the resulting data loss and downtime, with some estimates suggesting upwards of $1 million in losses per hour of downtime for larger businesses.

With Zerto Cloud Vault, customers can leverage MSPs that deliver tailored cyber resilience strategies to meet the specific requirements of their organizations. Cloud Vault is the latest offering in HPE’s comprehensive cyber resilience portfolio and complements the existing Zerto Cyber Resilience Vault, which is deployed as a self-hosted, on-premises stack.

Zerto Cloud Vault capabilities include:

*   Managed Cyber Services: Take advantage of MSP experts who know how to prevent and mitigate attacks and have built their services on top of Zerto’s award-winning technology.
    
*   Real-Time Encryption Detection: Detect encryption anomalies in real-time and be alerted within seconds to potential issues through integration with cybersecurity dashboards.
    
*   Immutable Data Copies: Retain data for up to 12 months and protect against ransomware attacks through immutable copies, all without impacting production workloads, without any agents or snapshots.
    
*   Clean Room Recovery: Leverage the elasticity of the cloud to create clean environments on demand with isolated networks that are protected from attackers. Use it to validate data, scrub malware, and perform forensics before recovering back into production.
    
*   Non-Disruptive Testing: With Zerto’s non-disruptive solutions, businesses can test more frequently and comprehensively, including conducting cyber recovery tests at any time on entire sites, multiple sites, or individual VMs. These tests can be used to validate recovery plans and train incident response teams.
    
*   Fully isolated from production environments: Ability to run different security postures within product and vault environments.
    

“Zerto’s disaster recovery and cyber resilience solutions offer peace of mind to businesses struggling to combat ransomware attacks,” said Jim O’Dorisio, senior vice president and general manager, HPE Storage. “Leveraging our cyber resilience capabilities, MSPs will be able to bring fully managed Cloud Vault services to even more organizations, helping them thwart the plans of attackers and keep precious business assets safe.”

Coupled with the expertise of Zerto’s vetted MSP partners, the hosted Zerto Cloud Vault mitigates the most devastating ransomware scenarios while keeping businesses in compliance with state and federal regulations — reducing the risk of substantial fines or prosecution. Where other solutions offer detrimental lengthy recovery point objectives (RPOs) and recovery time objectives (RTOs), Zerto Cloud Vault slashes both, minimizing the risks of disruption and allowing businesses to get back on their feet as fast as possible after the inevitable happens. Zerto is a part of HPE’s hybrid cloud business, helping HPE customers protect workloads and data across hybrid IT environments.

Partner Quotes

“Our Gold Standard for cyber recovery considers a product’s recoverability readiness, non-disruptive testing capability, and speed of data recovery; we found that Zerto substantially delivered on all these points. Combined with Cloud Vault, the protection provided from ransomware attacks was robust and allowed pinpoint recovery faster than any other products evaluated,” said Stephen Young, executive director, Assurestor.

“Ransomware attacks are a real threat to the data and operations of organizations of all sizes. Having the ability to offer a cloud vault with Zerto technology gives our clients added protection against ransomware and peace of mind that they can recover successfully,” said John Antimisiaris, executive vice president, LincolnIT.

“Some of our clients’ infrastructure protection needs to be kept with a very tight RPO, but they still need some deeper recovery options than simple replication can provide. A cyberattack is seldom clearly understood, even when recovery efforts have begun. Zerto Cloud Vault provides immutable protection history that can be leveraged to find the latest clean point in time for replicated hosts,” said Jeremy Brovage, product engineer and solutions architect, Converge Enterprise Cloud.

“Cyberattacks that encrypt data are one of the primary disruptors requiring data recovery. Zerto provides the best tools to recover quickly and with the least data loss in a cloud vault,” said Nick Martino, product manager, managed services, Verinext.

Explore the Zerto Cloud Vault and discover how it empowers businesses to safeguard their data and operations: Learn More. 

About Zerto

Zerto, a Hewlett Packard Enterprise company, empowers customers to run an always-on business by simplifying the protection, recovery, and mobility of on-premises and cloud applications. Zerto eliminates the risk and complexity of modernization and cloud adoption across private, public, and hybrid deployments. The simple, software-only solution uses continuous data protection at scale to solve for ransomware resilience, disaster recovery, and multi-cloud mobility. Zerto is trusted by over 9,500 customers globally, and is powering offerings for Microsoft Azure, IBM Cloud, Google Cloud, Oracle Cloud, and more than 350 managed service providers.

Zerto Introduces Cloud Vault Solution for Enhanced Cyber Resilience Through MSPs

PRESS RELEASE

Santa Clara, Calif. – Dec. 10, 2024 – Versa, the global leader in Universal Secure Access Service Edge (SASE), today announced Versa Endpoint DLP, an integrated endpoint data loss prevention (DLP) capability delivered by the Versa SASE Client as part of the VersaONE™ Universal SASE Platform. The endpoint DLP feature provides the industry’s widest range of data exfiltration prevention capabilities in an integrated SASE solution, restricting copy/paste, screenshots, and peripheral device (e.g., USB storage) transfers based on Zero Trust attributes. 

Versa Endpoint DLP helps ensure that sensitive data residing on endpoints is safeguarded against accidental exposure, insider threats, and cyberattacks. Integrated into Versa’s lightweight SASE client, it extends network DLP to the endpoint, providing end-to-end real-time visibility and control. This ensures compliance with corporate data security regulations and reduces risk without compromising the user experience.

“Versa Endpoint DLP directly addresses the critical need for comprehensive data protection on endpoints in today’s hybrid work environments,” said Kumar Mehta, Versa Founder and CDO. “We’re delivering a unified approach to securing sensitive data on endpoints, addressing critical risks like insider threats and compliance challenges. By integrating this functionality into the VersaONE platform, our customers can protect their data effectively without adding complexity.”

Unlike approaches that require separate network and endpoint DLP tools, Versa DLP provides a unified approach seamlessly integrated with the broader VersaONE security suite. By consolidating endpoint and network data loss prevention within a single platform, Versa DLP ensures consistent policy enforcement across the IT infrastructure. 

Availability

Versa Endpoint DLP has been included as part of the VersaONE Universal SASE Platform in Concerto release version 12.1.2.

About Versa

Versa, a global leader in SASE, enables organizations to create self-protecting networks that radically simplify and automate their network and security infrastructure. Powered by AI, the VersaONE Universal SASE Platform delivers converged SSE, SD-WAN, and SD-LAN solutions that protect data and defend against cyberthreats while delivering a superior digital experience. Thousands of customers globally, with hundreds of thousands of sites and millions of users, trust Versa with their mission critical networks and security. Versa is privately held and funded by investors such as Sequoia Capital, Mayfield, and BlackRock. For more information, visit https://www.versa-networks.com and follow Versa on LinkedIn and X (Twitter) @versanetworks.

You May Also Like

Versa Introduces Integrated Endpoint Data Loss Prevention in SASE Solution

Defenders running the Cleo managed file transfer are urged to be on the lookout for the Cleopatra backdoor and other indicators of an ongoing ransomware campaign, as patching details remain foggy, and no CVE has been issued.

Source: Allstar Picture Library Ltd. via Alamy Stock Photo

An active ransomware campaign against the Cleo managed file transfer tool is about to ramp up now that a proof-of-concept exploit for a zero-day flaw in the software has become publicly available. Defenders should brace for widespread deployment of the Cleopatra backdoor and other steps in the attack chain.

The flaw, which is the result of an insufficient patch for an arbitrary file write tracked as CVE-2024-50623, is being used for remote code execution (RCE) and impacts Cleo Harmony, Cleo VLTrader, and Cleo LexiCon products, according to the company's security advisory. The new issue does not yet have a CVE or CVSS severity score as of the time of this writing.

Active attacks against the zero-day appear to have begun on Dec. 3, and just days later cyberattackers had breached at least 10 Cleo clients, including those in the trucking, shipping, and food industries. Cleo currently has more than 4,000 customers, mostly mid-sized organizations.

The current ransomware campaign has been attributed to a group called "Termite," which is also believed to be connected to similar cyberattacks against Blue Yonder that ultimately impacted household brand names like Starbucks.

But that's just a taste of what's to come, according to Artic Wolf analysts, who predict that ransomware cyberattacks against vulnerable Cleo systems are about to escalate.

**Is a MOVEit-Style Deluge of Cyberattacks Imminent?**

Since 2023's ransomware success against MOVEit, a similar file transfer service, threat actors have become keenly aware of the broad access to sensitive enterprise data and systems these MFT solutions provide, researchers at Artic Wolf noted.

That's especially true in light of a public proof of exploit of the Cleo zero-day published on Dec. 11 by Watchtowr Labs, the researchers predicted. Like MOVEit, Cleo has the potential to offer attackers a mass-attack avenue.

And unfortunately for those impacted, patching this zero-day has been a bit confusing for Cleo customers, widening the door for attackers to pounce.

The original bug, CVE-2024-50623, was first "fixed" in the Oct. 30 release of an updated Cleo version, 5.8.0.21. However, customers continued to report compromises, "suggesting the existence of a separate means of compromise," a new backgrounder from Rapid7 on the Cleo zero-day explained.

Researchers at Huntress first reported on continued widespread active exploits of the supposedly patched vulnerability on Dec. 9. Cleo responded with a new version containing a new security patch (version 5.8.0.24). However, the new exploitable issue has not yet received a new CVE designation, raising questions from industry watchers like Rapid7.

"Cleo issued a new advisory as of December 10 that previously said versions up to 5.8.0.21 were vulnerable to an as-yet-unassigned CVE," a Rapid7 blog post noted. "That advisory was updated to indicate a patch is now available for all affected products — it's unclear exactly when the update occurred. There is still no CVE for the new issue."

Cleo has since added a note to its advisory page on the insufficient patching issue that a "CVE is pending."

**Cleopatra Backdoor: How to Tell if Cleo Has Been Compromised**

With the added patching confusion, it's up to cyber defense teams to understand what a Cleo compromise looks like and stop it before it takes hold.

The Artic Wolf team tracked the attack chain down to a malicious PowerShell stager that ultimately executes a new Java-based backdoor that their team appropriately called "Cleopatra."

"The Cleopatra backdoor supports in-memory file storage, and is designed for cross-platform support across Windows and Linux. It implements functionality designed to access data stored within Cleo MFT software specifically," the Artic Wolf report explained. "Although many IP addresses were used as C2 destinations, vulnerability scanning originated from only two IP addresses."

The Arctic Wolf researchers urge defenders to focus in on monitoring server assets for unusual activity, like PowerShell, in order to respond early in the attack chain.

"Additionally, devices should be continuously audited for potential weaknesses in internet-accessible services, and vulnerable services should be kept off the public Internet where possible to minimize the potential exposure in mass exploitation campaigns such as this one," the report added. "This can be accomplished by IP access control lists, or by keeping applications behind a VPN to reduce the potential attack surface."

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Cleo MFT Zero-Day Exploits Are About Escalate, Analysts Warn

Another day, another healthcare database misconfiguration exposing sensitive patient information.

****SUMMARY****

*   **Cybersecurity researcher Jeremiah Fowler discovered an unprotected Care1 database with over 4.8 million patient records.**

*   **Exposed data included names, addresses, medical histories, and Personal Health Numbers (PHNs).**

*   **Responsibility for the breach and its duration remains unclear.**

*   **Healthcare data breaches are increasing, posing significant privacy risks.**

*   **Stronger cybersecurity measures are essential for protecting sensitive patient information.**

Cybersecurity researcher **Jeremiah Fowler** recently discovered a massive database belonging to Care1, a Canadian company that provides AI-powered software solutions to optometrists. The database, containing over 4.8 million records of patient information (with a total size of 2.2 TB), was left completely unprotected, exposing sensitive data like patient names, addresses, medical histories, and even their unique Personal Health Numbers (PHNs).

Care1 is a specialized healthcare technology company with over 170 partner optometrists and over 150,000 patient visits managed using their software. They specialize in eyecare disruption using artificial intelligence, leveraging advanced software engineering and extensive partnership networks.

According to Fowler’s investigation, published by vpnMentor, the exposed data included detailed eye exam reports with patient information, doctor’s notes, and images. Eye exam reports were in PDF format and included patient PII, doctor’s comments, and images.

In addition, CSV and XLS spreadsheets were also part of the exposed database and listed patients with home addresses, Personal Health Numbers (PHNs), and other health-related information, including doctor’s comments and images from the eye exams.

For your information, in the Canadian healthcare system, a Personal Health Number (PHN) is a unique identifier that ensures a patient’s health information is accessible to all providers. While the PHN itself might not directly lead to financial fraud, it can be a valuable piece of information for criminals to build a comprehensive profile of an individual.

It’s unclear whether the database was directly owned and managed by Care1 or handled by a third-party contractor. It is also unclear for how long it remained exposed or whether it was accessed by any unauthorized individual unless an internal forensic audit is conducted. According to Fowler’s **blog post**, he sent a responsible disclosure notice to the company and public access was restricted promptly. 

With the increasing reliance on digital systems in **healthcare**, the potential for data breaches is also increasing. This level of exposure poses significant privacy risks for patients, as their medical information could be misused for identity theft or other malicious activities. In 2023, Fowler **discovered** a non-password-protected database belonging to Indian medical diagnostics firm Redcliffe Labs, containing over 12 million records, including sensitive patient data like medical scans and test results.

These incidents reflect the need for heightened security measures within the healthcare sector. Companies like Care1, which handle sensitive patient information, must prioritize stringent cybersecurity measures, including strong encryption, access controls, and regular security audits.

1.  **7TB of Healthcare Data Leak Affects 12 Million Patients**
2.  **AI Firm’s Server Exposed 5.3 TB of Mental Health Records**
3.  **How Artificial Intelligence (AI) is Impacting Modern Healthcare**
4.  **Dark Web Sales Fuel 32% Increase in Healthcare Cyberattacks**
5.  **AI in Healthcare: ChatGPT Helps Boy Get Diagnosis After Doctors Fail**

Canadian Eyecare Firm Care1 Exposes 2.2TB of Patient Records

Businesses deploying large language models and other GenAI systems have a growing collection of open source tools for testing AI security.

Source: Olena Ivanova via Shutterstock

Companies deploying generative artificial intelligence (GenAI) models — especially large language models (LLMs) — should make use of the widening variety of open source tools aimed at exposing security issues, including prompt-injection attacks and jailbreaks, experts say.

This year, academic researchers, cybersecurity consultancies, and AI security firms released a growing number of open source tools, including more resilient prompt injection tools, frameworks for AI red teams, and catalogs of known prompt injections. In September, for example, cybersecurity consultancy Bishop Fox released Broken Hill, a tool for bypassing the restrictions on nearly any LLM with a chat interface.

The open source tool can be trained on a locally hosted LLM to produce prompts that can be sent to other instances of the same model, causing those instances to disobey their conditioning and guardrails, according to Bishop Fox.

The technique works even when companies deploy additional guardrails — typically, simpler LLMs trained to detect jailbreaks and attacks, says Derek Rush, managing senior consultant at the consultancy.

"Broken Hill is essentially able to devise a prompt that meets the criteria to determine if \[a given input\] is a jailbreak," he says. "Then it starts changing characters and putting various suffixes onto the end of that particular prompt to find \[variations\] that continue to pass the guardrails until it creates a prompt that results in the secret being disclosed."

The pace of innovation in LLMs and AI systems is astounding, but security is having trouble keeping up. Every few months, a new technique appears for circumventing the protections used to limit an AI system's inputs and outputs. In July 2023, a group of researchers used a technique known as "greedy coordinate gradients" (GCG) to devise a prompt that could bypass safeguards. In December 2023, a separate group created another method, Tree of Attacks with Pruning (TAP), that also bypasses security protections. And two months ago, a less technical approach, known as Deceptive Delight, was introduced that uses fictionalized relationships to fool AI chatbots to violate their systems restrictions.

The rate of innovation in attacks underscores the difficulty of securing GenAI systems, says Michael Bargury, chief technology officer and co-founder of AI security firm Zenity.

"It's an open secret that we don't really know how to build secure AI applications," he says. "We are all trying, but we don't know how to yet, and we are basically figuring that out while building them with real data and with real repercussions."

**Guardrails, Jailbreaks, and PyRITs**

Companies are erecting defenses to protect their valuable business data, but whether those defenses are effective remains a question. Bishop Fox, for example, has several clients using programs such as PromptGuard and LlamaGuard, which are LLMs programmed to analyze prompts for validity, says Rush.

"We're seeing a lot of clients \[adopting\] these various gatekeeper large language models that try to shape, in some manner, what the user submits as a sanitization mechanism, whether it's to determine if there's a jailbreak or perhaps it's to determine if it's content-appropriate," he says. "They essentially ingest content and output a categorization of either safe or unsafe."

Now researchers and AI engineers are releasing tools to help companies determine whether such guardrails are actually working.

Microsoft released its Python Risk Identification Toolkit for generative AI (PyRIT) in February 2024, for example, an AI penetration testing framework for companies that want to simulate attacks against LLMs or AI services. The toolkit allows red teams to build an extensible set of capabilities for probing various aspects of an LLM or GenAI system.

Zenity uses PyRIT regularly in its internal research, says Bargury.

"Basically, it allows you to encode a bunch of prompt-injection strategies, and it tries them out on an automated basis," he says.

Zenity also has its own open source tool, PowerPwn, a red-team toolkit for testing Azure-based cloud services and Microsoft 365. Zenity's researchers used PowerPwn to find five vulnerabilities in Microsoft Copilot.

**Mangling Prompts to Evade Detection**

Bishop Fox's Broken Hill is an implementation of the GCG technique that expands on the original researchers' efforts. Broken Hill starts with a valid prompt and begins changing some of the characters to lead the LLM in a direction that is closer to the adversary's objective of disclosing a secret, Rush says.

"We give Broken Hill that starting point, and we generally tell it where we want to to end up, like perhaps the word 'secret' being within the response might indicate that it would disclose the secret that we're looking for," he says.

The open source tool currently works on more than two dozen GenAI models, according to its GitHub page.

Companies would do well to use Broken Hill, PyRIT, PowerPwn, and other available tools to explore their AI applications vulnerabilities because the systems will likely always have weaknesses, says Zenity's Bargury.

"When you give AI data — that data is an attack vector — because anybody that can influence that data can now take over your AI if they are able to do prompt injection and perform jailbreaking," he says. "So we are in a situation where, if your AI is useful, then it means it's vulnerable because in order to be useful, we need to feed it data."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Generative AI Security Tools Go Open Source

A new side-channel attack method is a computationally practical way to infer the structure of a convolutional neural network — meaning that cyberattackers or rival companies can plagiarize AI models and take their data for themselves.

Source: Daniel Chetroni via Alamy Stock Photo

Researchers have demonstrated how to recreate a neural network using the electromagnetic (EM) signals emanating from the chip it runs on.

The method, called "TPUXtract," comes courtesy of North Carolina State University's Department of Electrical and Computer Engineering. Using many thousands of dollars worth of equipment and a novel technique called "online template-building," a team of four managed to infer the hyperparameters of a convolutional neural network (CNN) — the settings that define its structure and behavior — running on a Google Edge Tensor Processing Unit (TPU), with 99.91% accuracy.

Practically, TPUXtract enables a cyberattacker with no prior information to essentially steal an artificial intelligence (AI) model: They can recreate a model in its entirety and save the actual data it was trained on, for purposes of intellectual property (IP) theft or follow-on cyberattacks.

**How TPUXtract Works to Recreate AI Models**

The study was conducted on a Google Coral Dev Board, a single-board computer for machine learning (ML) on smaller devices: think edge, Internet of Things (IoT), medical equipment, automotive systems, etc. In particular, researchers paid attention to the board's Edge Tensor Processing Unit (TPU), the application-specific integrated circuit (ASIC) at the heart of the device that allows it to efficiently run complex ML tasks.

Any electronic device like this, as a byproduct of its operations, will emit EM radiation, the nature of which will be influenced by the computations it performs. Knowing this, the researchers conducted their experiments by placing an EM probe on top of the TPU — removing any obstructions like cooling fans — and centering it on the part of the chip emanating the strongest EM signals. Then they fed the machine input data and recorded the signals it leaked.

To begin to make sense of those signals, they first identified that before any data gets processed, a neural network quantizes — compresses — its input data. Only when the data is in a format suitable for the TPU does the EM signal from the chip shoot up, indicating that computations have begun.

At this point, the researchers could begin mapping the EM signature of the model. But trying to estimate all of the dozens or hundreds of compressed layers that comprise the network at the same time would have been effectively impossible.

Every layer in a neural network will have some combination of characteristics: It will perform a certain type of computation, have a certain number of nodes, etc. Importantly, "the property of the first layer affects the 'signature,' or the side-channel pattern of the second layer," notes Ashley Kurian, one of the researchers. Thus, trying to understand anything about the second, 10th, or 100th layer becomes increasingly impossible, as it rests on all of the properties of what came before it.

"So if there are 'N' layers, and there are 'K' numbers of combinations \[of hyperparameters\] for each layer, then computing cost would have been N raised to K," she explains. The researchers studied neural networks with 28 to 242 layers (N) and estimated that K — the total number of possible configurations for any given layer — equaled 5,528.

Instead of having to commit infinite computing power to the problem, they figured they could isolate and analyze each layer in turn.

To recreate each layer of a neural network, the researchers built "templates" — thousands of simulated combinations of hyperparameters, and read the signals they gave off when processing data. Then they compared those results to the signals emitted by the model they were trying to approximate. The closest simulation would be considered correct. Then, they applied the same process to the next layer.

"Within a day, we could completely recreate a neural network that took weeks or months of computation by the developers," Kurian reports.

**Stolen AIs Lead to IP, Cybercrime Risk to Companies**

Pulling off TPUXtract isn't trivial. Besides a wealth of technical know-how, the process also demands a variety of expensive and niche equipment.

The NCSU researchers used a Riscure EM probe station with a motorized XYZ table to scan the chip's surface, and a high sensitivity electromagnetic probe for capturing its weak radio signals. A Picoscope 6000E oscilloscope recorded the traces, Riscure's icWaves field-programmable gate array (FPGA) device aligned them in real-time, and the icWaves transceiver used bandpass filters and AM/FM demodulation to translate and filter out irrelevant signals.

As tricky and costly as it may be for an individual hacker, Kurian says, "It can be a competing company who wants to do this, \[and they could\] in a matter of a few days. For example, a competitor wants to develop \[a copy of\] ChatGPT without doing all of the work. This is something that they can do to save a lot of money."

Intellectual property theft, though, is just one potential reason anyone might want to steal an AI model. Malicious adversaries might also benefit from observing the knobs and dials controlling a popular AI model, so they can probe them for cybersecurity vulnerabilities.

And for the especially ambitious, the researchers also cited four studies that focused on stealing regular neural network parameters. Theoretically, those methods in combination with TPUXtract could be used to recreate the entirety of any AI model — parameters and hyperparameters in all.

To combat these risks, the researchers suggested that AI developers could introduce noise into the AI inference process using dummy operations, or running random operations concurrently, or confuse analysis by randomizing the sequence of layers during processing.

"During the training process," says Kurian, "developers will have to insert these layers, and the model should be trained to know that these noisy layers need not be considered."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

With 'TPUXtract,' Attackers Can Steal Orgs' AI Models

Open to players of all skill levels, the "Snow-mageddon" cybersecurity competition takes place in the world of Santa, elves, and Christmas mayhem.

The North Pole is on the verge of a civil war. Santa is missing. It’s elf vs. elf. Factions have formed, and it's up to you to save the day, block a ransomware attack, and untangle multiple cybersecurity snafus to ensure this year's holiday gifts don't get buried under a mountain of snowballs.

No, it's not a children's story with a cyber twist. The Holiday Hack Challenge from SANS Institute is back for another season of wintery fun. Open to players of all skill levels, the online competition with real-world cybersecurity problems is set in the world of Santa, elves, and Christmas mayhem. This year's competition is open and will run through Jan. 3, 2025.

"There's some really good stuff in there with ransomware analysis, Web application penetration testing, incident response and incident analysis," says Ed Skoudis, founder of the Holiday Hack Challenge and president of the SANS Institute.

Skoudis calls the Holiday Hack Challenge, now in its 21st year, SANS's gift to the cybersecurity community. The goal is to provide a learning environment that is freely available to everyone in the world to learn skills while having fun, as well as to build a community where people work together and get to know each other. Players don't have to play through the game in one sitting or in order. Anyone who needs help can ask the elves in the game — the elves are very promiscuous hint-givers, Skoudis says — or join the Discord server to chat with other players.

Many of the challenges are taken from real-world cybersecurity incidents. Each challenge is ranked by difficulty, from one to five snowballs, with five being the most difficult. What's new this year is that every challenge can be solved in two ways: an easy mode and hard mode. Players don't know which mode they are in, but if their solution took the easy method, they'll "receive" a silver trophy. Solving the hard way results in a gold trophy. And skipping a challenge gives them a bronze participation trophy. A certain number of points are assigned for bronze, silver, and gold for each challenge, which are then summed into the player's score. A leaderboard displays player scores — and people who signed up as a cohort have their own private scoreboard.

"All year long, we're canvassing, looking for ideas of novel attacks that everybody should know about and know how to investigate, know how to do penetration tests for, and we're pulling those ideas together and putting them in holiday hack at the highest quality we can," Skoudis says.

This year's challenges fall into the following categories:

*   Ransomware Reverse Engineering
    

*   Web App Hacking with MQTT and Video Feed Manipulation
    

*   Mobile App Penetration Testing
    
*   OSINT via Drone Path Analysis
    
*   Web Exploration with cURL
    
*   PowerShell for Cyber Defense
    

**The Best Prize of All**

Winners will be announced in a webcast on Jan. 16, 2025. The grand prize winner will get a free SANS on-demand course, though some previous winners have found themselves with something more: a full-time job.

Janusz Jasinski first participated in the Holiday Hack Challenge in 2018 and was hired as a senior technical engineer by Counter Hack in 2023 after networking with people he encountered in the community. He is now involved with the challenge as a game designer. Finding the sweet spot of something that's not too easy yet not too hard is the greatest challenge in designing the game, Jasinski said. He designed this year's mobile app penetration test challenge.

"My challenge this year was \[a difficulty level of\] two or three out of five,” Jasinski says. "It's easy to do \[create\] a very easy challenge, it's easy to do a very hard challenge. It's very hard to do those in the middle, and just getting the right amount of complexity in there was a bit challenging. But further this year, we had the gold and silver, i.e., easy and hard routes. So to bake that in was now an extra level of difficulty."

But the fun part, he says, is having people in the real world playing and actually succeeding in the challenge, then sharing their solutions on Discord or social media.

Participating in the Holiday Hack Challenge and joining the community also led Kyle Parrish to a role behind the scenes. Parrish first played the Holiday Hack Challenge in 2018, winning an honorable mention early in his cybersecurity career.

"I played it and absolutely loved it — the practical application of the challenges and the just goofy video game feel," he says. "It was a ton of fun. I learned a lot of tools that I literally was able to start using in my work and help me progress as a young security engineer."

Parrish says he enjoyed the competition and sense of community so much that he played annually and volunteered to be a concierge in Discord, helping others with the challenges, in 2023. In January 2024, he joined the Counter Hack team as a senior technical engineer and is also now involved in designing the challenges.

"My favorite part is how, basically, the entire game is run off an Excel spreadsheet, which just kind of blew my mind," Parrish says. "And to see the skill that was put into it by some of our other teammates on building this game engine … to create these environments in this virtual world where players can interact with these challenges. It's so much fun."

It's also exciting to see how people solve his challenge, he adds.

"Somebody found an exploit in it and was able to get root against the challenge, which was awesome," Parrish says. "It was really cool to see that I had an intended path, but you were able to have an alternate path and were able to escalate your privileges. And that just makes for an even better write-up and a better learning experience for everybody involved."

Though it may come cloaked in snowball fights and elf espionage, real-world training and building a peer community is the real point of the challenge.

"I hope players develop cybersecurity skills that they can use in their actual job," Skoudis says. "That's the bottom line. And at the same time, I hope we have spoonfuls of holiday sugar that helps make the medicine go down, you know?"

**About the Author**

Contributing Writer

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Test Your Cyber Skills With the SANS Holiday Hack Challenge

### Impact
Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server.

### Patches
Users should upgrade to version 3.16.1 where the `update-settings` endpoint blocks the ability for users to update the `enable_custom_filters` flag. You can find out more information on how to turn that flag on [here](https://github.com/man-group/dtale#custom-filter)

### Workarounds
The only workaround for versions earlier than 3.16.1 is to only host D-Tale to trusted users.

### References
See "Custom Filter" [documentation](https://github.com/man-group/dtale#custom-filter)


**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

Latest News