The China-affiliated group is using the highly modular DeepData framework to target organizations in South Asia.

Source: u3d via Shutterstock

China's APT41 threat group is using a sophisticated Windows-based surveillance toolkit in a cyber-espionage campaign targeting organizations in South Asia.

The malware adds to the already broad portfolio of malicious tools that the threat actor has deployed in recent years and makes APT41 an even more pernicious threat to targeted enterprises.

**Optimized Plug-ins**

Researchers at BlackBerry, among the many who are tracking the threat actor, spotted the new malware toolkit earlier this year and have dubbed it "DeepData Framework." Their analysis showed it to be a highly modular toolkit that supports as many as 12 separate plug-ins, each one optimized for a specific malicious function.

Four of the plug-ins steal communications from WhatsApp, Signal, Telegram, and WeChat. Another three are rigged to steal and exfiltrate system information, Wi-Fi network data, and information on all installed applications on the compromised system — including names and installation paths. Three DeepData plug-ins steal information related to browsing history and cookies; they also grab passwords from Web browsers, Baidu storage services, FoxMail, and other cloud services, and other information like user emails and contact lists in Microsoft Outlook. The remaining two plug-ins enable theft of audio files from compromised systems.

Blackberry researchers chanced upon DeepData when conducting an investigation of "LightSpy," an iOS implant that they have tracked APT41 using in an ongoing and wide-ranging mobile espionage campaign against targets in India and South Asia. Their analysis showed DeepData to have a similar design to LightSpy in that both have a core module and support for multiple data theft plug-ins.

Significantly, DeepData appears to be a malware toolkit that the attackers are manually interacting with after compromising a target and gaining access. "The \[command and control\] address is also specified as a command line argument, as are the requested plugins to be run or data to extract," Blackberry's research and intelligence team said in a blog post this week. "The implication of this execution method is that it must be done manually, sans a script or some other bundling distribution."

**Surveillance Powers Continue to Grow**

DeepData adds to APT41's already formidable surveillance and cyber espionage capabilities. The malicious framework is an example of the constantly emerging threats that organizations have to deal with when trying to mitigate threats from advanced persistent threat groups and nation-state bad actors. "Our latest findings indicate that the threat actor behind DeepData has a clear focus on long-term intelligence gathering," BlackBerry said. Since first deploying LightSpy in 2022, the threat actor has methodically and strategically bulked up its capabilities to intercept communications and steal data in total stealth, BlackBerry said.

APT41 is a known threat actor that security vendors and researchers have been variously tracking as Winnti, WickedPanda, Barium, Wicked Spider, and other names. Some vendors consider APT41 to be a collection of smaller subgroups collectively working at the behest of, or on behalf of the Chinese government. The group's mandate appears to be very broad, based on its targets and the kind of campaigns it has conducted in recent years.

Most recently, researchers tied APT41 to attacks targeting global logistics and utilities companies, and to a campaign that targeted research entities in Taiwan. Over the years, the group has stolen data from a wide range of organizations, including intellectual property and trade secrets from healthcare organizations, media and entertainment companies, government agencies, automative firms, retailers, energy companies, pharmaceutical companies, and others. Its activities prompted a US government investigation and subsequent indictment of five alleged members of APT41 back in 2020. Its victims have spanned Europe, Asia, and North America.

The group's latest South Asian campaign appears aimed at politicians, journalists, and political activists in the region, according to BlackBerry. "Organizations of all sizes, particularly those in targeted regions, should treat this threat as a high priority and implement comprehensive defensive measures."

The company's recommended mitigation measures include blocking the group's known C2 infrastructure, monitoring networks and devices for unexpected audio recording activities, using secure communications for transmitting data, and deploying the detection rules that BlackBerry has released for DeepData components.  

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Toolkit Vastly Expands APT41's Surveillance Powers

PRESS RELEASE

(Paris, France) – October 31, 2024 – As counterfeiting represents a global issue for brands and societies alike, Cypheme, a pioneering French company focused on AI-powered anti-counterfeiting solutions, today announced that Vrai AI, its AI anti-counterfeit technology that can detect fake products based on just a picture of a specific detail of a product or label, purely with visual analysis, is now available to brands worldwide. This ground-breaking artificial intelligence, which is perfect for companies across multiple verticals (i.e.: jewelry, pharmaceuticals, electronics, fashion, etc.), is easy to implement and only requires the use of a smartphone to keep a brands’ reputation and customers safe.

Lacoste, a world-renowned fashion brand, is the first company to pioneer the use of this technology, marking a major milestone in the worlds of AI development, the fashion industry and the global fight against counterfeiting. Already, Cypheme’s ground-breaking solution has achieved a near perfect level of accuracy of 99.7% for Lacoste, helping them easily identify fake products and remove them from the market.

By incorporating Cypheme’s powerful technology, which examines microscopic visual details of a specific feature of the product, the AI can differentiate a real from a fake, much in a way similar to a human expert. No modification of the product, no special label, or hidden marker is needed. For Lacoste, Cypheme uses the famous and iconic crocodile logo to identify fakes among a wide variety of Lacoste products. This represents an unprecedented technological leap in the fight against counterfeiting that could play a major part in solving or mitigating crisis linked to the criminal activity across multiple regions and sectors.

For certain types of products, however, the use of Cypheme’s “Noise Print Label,” a proprietary fingerprint anti-counterfeit label that protects every product it is affixed on, is also available. Noise Print is an anti-copy label that utilizes an advanced set of algorithms powered by an artificial neural network that verifies a product’s authenticity. However, it doesn’t stop there. Noise Print can also help trace back the origin points where fake products are known to be made.

“Today, according the European Union Agency for Law Enforcement Cooperation, counterfeiting represents 2.5% of the world’s trade, or $461 billion, and puts low-quality goods on the market, generating risks for health, well-being, security and safety,” explains Hugo Garcia-Cotte, CEO, Cypheme. “Implementing anti-counterfeiting technologies helps brands combat piracy, secure operations, enhance revenue and improve customer engagement, however they do not stop at just that, they have a much larger impact, helping shape safer societies overall.”

About Cypheme  
Cypheme is a pioneering French company focused on AI-powered anti-counterfeiting solutions. With their AI technology, Vrai AI, they aim to make counterfeit trade an unattractive activity for all people of the world. Cypheme’s technology is used in many different industries and countries to safeguard people from the negative impact of fake goods. For more information, visit https://www.cypheme.com/.

Lacoste First to Use AI-Powered Anti-counterfeiting Solution

Among the top exploited zero-day vulnerabilities were bugs found in systems from Citrix and Cisco.

Source: JUN LI via Alamy Stock Photo

The Cybersecurity and Infrastructure Security Agency is warning that the most routinely exploited vulnerabilities in 2023 were zero-days in its latest research conducted alongside global cybersecurity authorities.

These findings are a reversal from 2022, when less than half of the most exploited vulnerabilities were zero-days.

CISA's "2023 Top Routinely Exploited Vulnerabilities" report shows that threat actors continue to have success exploiting these kinds of vulnerabilities even two years after public disclosure. After this time frame, the value of the vulnerability tends to decline as patches get applied and systems are replaced.

Some of the top zero-day flaws came from vendors such as Citrix and Cisco, with vulnerabilities involving code injection bugs (CVE-2024-3519), privilege escalation (CVE-2023-20198), and buffer overflow (CVE-2023-4966).

To combat exploitation from threat actors, CISA is urging organizations to check for signs of compromise and keep up with patching CVEs. However, even this may not be enough. Three other tools that CISA recommends are endpoint detection and response (EDR), Web application firewalls, and network protocol analyzers. 

As to why zero-days were among the top exploited, many individuals in the cybersecurity community argued that it's because the quality of software is getting worse.

Others argue that it's because cybercriminals are focusing less on sharing proof-of-concepts (PoC) on forums and more on reserving knowledge about vulnerabilities in-house.

Regardless, CISA provides a variety of mitigation resources for end users and organizations to combat these threats in its study, highlighting identity and access management, protective controls and architecture, and supply chain security.

Zero-Days Win the Prize for Most Exploited Vulns

PRESS RELEASE

NEW YORK, Oct. 30, 2024 /PRNewswire/ -- Industrial manufacturers ranked network security as their top cybersecurity investment to guard against adverse cyber events, according to a recent State of Technology in Manufacturing survey by global technology intelligence firm ABI Research. With increasingly connected and digitized industrial assets providing ever more information about processes and workforce, manufacturers are focusing their security on network security technologies such as authentication and access control. Coupled with a growing body of industrial-focused security regulation and an expanding cybercrime element (for whom data in discrete manufacturing processes are extremely high value), this puts pressure on manufacturers to safeguard their operations better.

Network breaches can have significant repercussions on industrial manufacturers. Unplanned downtime impacts production, which could lead to revenue loss or potential regulatory liability for data breaches. In Europe alone, three regulatory instruments impose financial penalties for non-compliance: the General Data Protection Regulations, the NIS2 Directive, and the Cyber Resilience Act.

"Industrial manufacturers are one of the top targeted sectors by threat actors. Not only is counterfeiting in contract manufacturing rife, but ransomware is a prevalent threat," says Michela Menting, Senior Research Director. "Supply chain vulnerabilities and social engineering constitute important vectors for threat actors, and manufacturers are understandably concerned about security as they increasingly connect their industrial assets to operational networks."

Demand for cybersecurity solutions focused on operational technologies is growing quickly as a result, with ABI Research forecasting a US$2 billion market globally in 2024. Much of it is driven by demand for network security and segmentation technologies. This correlates with the survey findings, with manufacturers citing network security solutions such as access control, authentication, and threat detection as their top security investments.

These findings are from ABI Research's Industrial and Manufacturing Survey 1H 2024: Cybersecurity Impacts and Investments report. This report is part of the company's OT Cybersecurity research service, which includes research, data, and ABI Insights.

About ABI Research

ABI Research is a global technology intelligence firm delivering actionable research and strategic guidance to technology leaders, innovators, and decision makers around the world. Our research focuses on the transformative technologies that are dramatically reshaping industries, economies, and workforces today.

ABI Research是一家国际科技情报公司，为全球科技领袖、创新人士和决策者提供实用的市场研究和战略性指导。我们密切关注一切为各行各业、全球经济和劳动市场带来颠覆性变革的创新与技术。

For more information about ABI Research's services, contact us at +1.516.624.2500 in the Americas, +44.203.326.0140 in Europe, +65.6592.0290 in Asia-Pacific, or visit www.abiresearch.com.

You May Also Like

20% of Industrial Manufacturers Are Using Network Security as a First Line of Defense

Temu is under investigation for a variety of misleading practices.

Temu has been accused of a number of infringements on its platform against European Union (EU) consumer law.

The Consumer Protection Cooperation (CPC) Network of national consumer authorities and the European Commission teamed up for a coordinated ongoing investigation into Temu and its practices. The investigation covers a range of misleading and “unduly influences” on consumers’ purchasing decisions, and looks at the information obligations that need to be met by an online marketplace.

The CPC Network is made up of the national consumer authorities of the 27 EU Member States, Norway, and Iceland.

The problems the investigation found cover almost every aspect of misleading advertising one can think of:

*   **Fake discounts**. Telling buyers that items are offered with a discount when in reality the price is the same or even higher than before.
*   **Pressure selling**. Claiming that items are in short supply or need to be purchased before a deadline.
*   **Forced gamification**. Forcing consumers to play “spin the fortune wheel” before accessing the platform without making them aware of the conditions attached to the use of claiming the rewards in the game.
*   **Missing and misleading information**. Giving incomplete and even incorrect information about consumers’ legal rights to return goods and receive refunds. Temu also fails to tell customers up front that they need to reach a minimum value before they can complete their purchase.
*   **Fake reviews**. Hosting suspected unauthentic reviews, and providing inadequate information about how Temu ensures the authenticity of reviews published on its website.
*   **Hidden contact details**. Deliberately making it hard for customers to contact Temu for questions and complaints.

The CPC Network made objections to the fact that Temu does not provide information on whether the seller is a trader or not, and would also like to ensure that any environmental claims are accurate and substantiated.

Temu has one month to reply with a proposal to address the identified issues. Should the company fail to do so, national authorities can take enforcement measures to ensure compliance. These measures can be fines based on Temu’s annual turnover in the Member States concerned.

Temu responded:

> “Although we have gained popularity with many consumers in a relatively short time, we are still a very young platform — less than two years in the EU — and are actively learning and adapting to local requirements.”

This is not the only problem Temu is facing at the moment. In June, we reported that the Chinese online shopping giant is facing a lawsuit filed by the State of Arkansas Attorney General, alleging that the retailer’s mobile app spies on users.

In September, a cybercriminal claimed to be selling a stolen database containing 87 million records of customer information. Temu denied it suffered a data breach, a statement supported by other circumstances, but these claims have a tendency to linger on.

And back in February, the trade association Toy Industries of Europe released a report warning that none of the 19 toys it bought on Temu.com complied with EU legislation. After sending the toys to a laboratory for testing, the organization claimed that many of them posed significant risks for children.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Temu must respect consumer protection laws, says EU 

Jenkins Authorize Project Plugin 1.7.2 and earlier evaluates a string containing the job name with JavaScript on the Authorization view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. Authorize Project Plugin 1.8.0 no longer evaluates a string containing the job name with JavaScript on the Authorization view.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-52552

**Stored XSS vulnerability in Jenkins Authorize Project Plugin**

High severity GitHub Reviewed Published Nov 13, 2024 to the GitHub Advisory Database • Updated Nov 14, 2024

**Package**

maven org.jenkins-ci.plugins:authorize-project (Maven)

**Affected versions**

< 1.8.0

Jenkins Authorize Project Plugin 1.7.2 and earlier evaluates a string containing the job name with JavaScript on the Authorization view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. Authorize Project Plugin 1.8.0 no longer evaluates a string containing the job name with JavaScript on the Authorization view.

**References**

*   https://nvd.nist.gov/vuln/detail/CVE-2024-52552
*   https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3010

Published to the GitHub Advisory Database

Nov 13, 2024

Last updated

Nov 14, 2024

GHSA-8886-8v27-85j8: Stored XSS vulnerability in Jenkins Authorize Project Plugin 

Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier does not invalidate the previous session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. OpenId Connect Authentication Plugin 4.421.v5422614eb_e0a_ invalidates the existing session on login.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-h23j-73ww-7594: Session fixation vulnerability in Jenkins OpenId Connect Authentication Plugin

The shift to cloud means securing your organization's digital assets requires a proactive, multilayered approach.

Source: Zoonar GmbH via Alamy Stock Photo

COMMENTARY

The network structure of organizations has drastically changed post-pandemic with the adoption of cloud, and security teams are struggling to keep up with the pace. Cloud security is different — dynamic, unpredictable, and complex — when compared to on-premises security. The perimeterless architecture of the cloud, use of multicloud infrastructure and applications, and shared responsibility model between cloud security providers and enterprises that use them make cloud security an entirely different ballgame.

With over 72% of organizations using multicloud applications, malicious actors are fishing in troubled waters. As more enterprises move to the cloud to run their businesses more efficiently, attackers are sharpening their tactics and techniques regarding cloud exploits. They have started adopting cutting-edge technologies, like artificial intelligence (AI), machine learning, and deepfakes, to expand their attack surface, especially to exploit cloud networks.

Lack of visibility contributes to the most common cloud security threats, which stem from misconfigurations, unauthorized access, and more. The lift-and-shift approach, which businesses have increasingly adopted in recent times, continues to accelerate cloud threats by enabling these misconfigurations and identity-based threats to be exploited.

While organizations might have security systems in place, ensuring cloud security can be challenging due to the complexity of architecture and the shared responsibility mechanism. A proactive approach to cybersecurity is critical in protecting an organization from potential cloud security threats. Here are five key points to consider when implementing a proactive approach.

**Reduce the Cloud Attack Surface**

As attackers increasingly target the organization's cloud environment with cloud-specific exploits and malware, organizations must consider reducing the attack surface. If defenders have a limited view of the environment, attackers can lurk in the cloud for a longer time and potentially cause more destruction.

Reducing the attack surface does not necessarily mean reducing the number of cloud applications a business uses. To limit adversaries' access to cloud resources, CISOs should adopt layered security and regularly conduct cloud security risks assessments and audits. Ensuring a healthy cloud security posture and adopting AI-based behavior profiling should be part of the cloud security strategy. These help security operations centers (SOCs) proactively function and reduce the cloud surfaces exposed to adversaries.

**Pair Investigation and Response With Protection and Detection**

Organizations have been focusing on spotting threats using various threat detection mechanisms and even proactively hunting vulnerabilities that will lead to potential security threats. However, they must understand that no security system guarantees the prevention of all threats. It's imperative for CISOs to invest in technologies and analytical platforms that facilitate quick investigation of threats and automate responses to remediate threat conditions. When a threat or attack occurs in the cloud, assessing the potential impact across the distributed and multitenant surface is challenging. Therefore, it is essential to use a centralized platform for investigating threats across the multicloud environment and have a response center that can automate workflows by orchestrating with different cloud apps to reduce the mean time to resolve (MTTR) a threat or incident.

**Correlate Events Across the Network**

The correlation between network events and cloud activities is largely similar, but there are specific considerations for detecting cloud security data. Correlation rules for cloud security must be meticulously designed, tested, and implemented with precision. In comparison, detecting data exfiltration in an on-premises environment is relatively simpler since it involves correlating suspicious access to sensitive data with abnormal communication channel activities. The effectiveness of data exfiltration detection depends on the extent to which defense systems capture and analyze unusual traffic behaviors, such as atypical protocol usage or unauthorized access to cloud storage or accounts, Web services, or any other unconventional means.

In the cloud, data exfiltration, particularly from cloud applications, is often identified by correlating access and security logs from the respective applications. For example, when investigating potential customer data exfiltration from a cloud-based CRM tool, SOC professionals should correlate the application's logs with those of other cloud applications, such as email or collaborative platforms. Correlating an individual's suspicious activities within the CRM application with their corresponding account logs in a collaborative platform can uncover two potential threats: compromises of the user's account in the collaborative platform and exfiltration of customer data through the CRM. This correlation rule facilitates a comprehensive assessment of the incident's impact by correlating compromised user account activities across all synchronized applications by employing single sign-on across multiple cloud apps.

**Tackle Shadow IT**

One of the biggest challenges the cloud brings is shadow IT. Even though organizations sanction secure applications for employees to use, at times employees use certain applications that don't fall under the purview of the security teams. These applications can lead to security loopholes and vulnerabilities, causing a massive threat to the organization.

**Take an Identity-Based Approach to the Cloud**

As enterprises move to the cloud, identity security will overtake endpoint security. Security teams are increasingly interested in finding out "who" more than "how" and "why." Taking an identity-based approach to cloud security can help map cloud activities to the respective users in the network. Contextual data can be derived by analyzing who accessed cloud resources and data rather than from where. Identity mapping and AI-behavioral analytics will be the cornerstone for most cloud security threat detection.

In conclusion, a proactive approach to cybersecurity is essential for protecting an organization's assets and maintaining trust with stakeholders. In addition to the above points, organizations can better defend against potential cyberthreats by conducting regular risk assessments, providing employee education and training, regularly updating software and security tools, implementing multifactor authentication, and having a well-defined incident response plan.

It is important to remember that cybersecurity is an ongoing process that requires constant attention and adaptation to stay ahead of evolving threats. By implementing these practices and continuously evaluating and improving them, organizations can effectively mitigate risks and ensure the safety of their digital assets.

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

vice president, ManageEngine

Manikandan Thangaraj is Vice President at ManageEngine, the enterprise IT management division of Zoho Corporation, and has been with the company for over 20 years. During Zoho’s journey from being a bootstrapped startup to becoming an enterprise software company, Manikandan has been instrumental in building solutions for some of the industry's most complex challenges like cybersecurity, identity and access management, cloud, and the Microsoft ecosystem. Currently, he spearheads a dynamic team of passionate engineers, marketing experts, solutions consultants, and product managers—all IT enthusiasts at heart, committed to changing the status quo of major business challenges with an intuitive and solution-centric approach.

5 Ways to Save Your Organization From Cloud Security Threats

The group seeks out aerospace professionals by impersonating job recruiters — a demographic it has targeted in the past as well — then deploys the SlugResin backdoor malware.

Source: Iain Masterton via Alamy Stock Photo

A phishing campaign, active since last September, is targeting users on LinkedIn and other platforms by impersonating job recruiters in the aerospace industry.

ClearSky attributed the campaign to Iranian-linked threat actor TA455, which uses a spear-phishing approach to target and lure individuals. Once connected with its victims, the threat actors encourage them to download a zip file called "SIgnedConnection.zip."

Along with this, the threat actors also provide a PDF guide to their victims to instruct them on how to safely download and open the zip files.

The zip file contains an executable file that loads the malware onto the victim's device through DLL side-loading. A DLL file called "secure32\[.\]dll" is loaded onto their system, allowing the attacker access to run an undetected code.

Once this is done, the malware initiates an infection chain, which ultimately deploys Snail Resin malware, opening a backdoor titled "SlugResin." This malware and backdoor are both attributed to Charming Kitten, another Iranian threat actor, according to researchers at ClearSky.

The group uses several methods to evade detection, including encoding command-and-control (C2) communications on GitHub to make it more difficult for traditional detection tools to recognize that it's a threat, and it mimics tactics associated with Lazarus Group, causing complications in attribution.

Like past campaigns, TA455 is targeting aerospace professionals, so individuals in this field on platforms such as LinkedIn should be wary of messages and connections they receive from unknown sources.

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Iranian Cybercriminals Target Aerospace Workers via LinkedIn

The tech giant fixed privilege-escalation and model-exfiltration vulnerabilities in Vertex AI that could have allowed attackers to steal or poison custom-built AI models.

Source: Krot Studio via Alamy Stock Photo

Google has fixed two flaws in Vertex AI, its platform for custom development and deployment of large language models (LLMs), that could have allowed attackers to exfiltrate proprietary enterprise models from the system. The flaw highlights once again the danger that malicious manipulation of artificial intelligence (AI) technology present for business users.

Researchers at Palo Alto Networks Unit 42 discovered the flaws in Google's Vertex AI platform, a machine learning (ML) platform that allows enterprise users to train and deploy ML models and AI applications. The platform is aimed at allowing for custom development of LLMs for use in an organization's AI-powered applications.

Specifically, the researchers discovered a privilege escalation flaw in the "custom jobs" feature of the platform, and a model exfiltration flaw in the "malicious model" feature, Unit 42 revealed in a blog post published on Nov. 12.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

Related:Cloud Ransomware Flexes Fresh Scripts Against Web Apps

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

The first bug allowed for exploitation of custom job permissions to gain unauthorized access to all data services in the project. The second could have allowed an attacker to deploy a poisoned model in Vertex AI, leading to "the exfiltration of all other fine-tuned models, posing a serious proprietary and sensitive data exfiltration attack risk," Palo Alto Networks researchers wrote in the post.

Unit 42 shared its findings with Google, and the company has "since implemented fixes to eliminate these specific issues for Vertex AI on the Google Cloud Platform (GCP)," according to the post.

While the imminent threat has been mitigated, the security vulnerabilities once again demonstrate the inherent danger that occurs when LLMs are exposed and/or manipulated with malicious intent, and how quickly the issue can spread, the researchers said.

"This research highlights how a single malicious model deployment could compromise an entire AI environment," the researchers wrote. "An attacker could use even one unverified model deployed on a production system to exfiltrate sensitive data, leading to severe model exfiltration attacks."

Related:5 Ways to Save Your Organization From Cloud Security Threats

**Poisoning Custom LLM Development**

The key for exploiting the flaws that were discovered lies within a feature of Vertex AI called Vertex AI Pipelines, which allow users to tune their models using custom jobs, also referred to as "custom training jobs." "These custom jobs are essentially code that runs within the pipeline and can modify models in various ways," the researchers explained.

However, while this flexibility is valuable, it also opens the door to potential exploitation, they said. In the case of the vulnerabilities, Unit 42 researchers were able to abuse permissions within what's called a "service agent" identity of a "tenant project" — connected through the project pipeline to the "source project," or fine-tuned AI model created within the platform. A service agent has excessive permissions to many permissions within a Vertex AI project.

From this position, the researchers could either inject commands or create a custom image to create a backdoor that allowed them to gain access to the custom model development environment. They then deployed a poisoned model for testing within Vertex AI that allowed them to gain further access to steal other AI and ML models from the test project.

Related:2 Zero-Day Bugs in Microsoft's Nov. Update Under Active Exploit

"In summary, by deploying a malicious model, we were able to access resources in the tenant projects that allowed us to view and export all models deployed across the project," the researchers wrote. "This includes both ML and LLM models, along with their fine-tuned adapters."

This method presents "a clear risk for a model-to-model infection scenario," they explained. "For example, your team could unknowingly deploy a malicious model uploaded to a public repository," the researchers wrote. "Once active, it could exfiltrate all ML and fine-tuned LLM models in the project, putting your most sensitive assets at risk."

**Mitigating AI Cybersecurity Risk**

Organizations are just beginning to have access to tools that can allow them to build their own in-house, custom LLM-based AI systems, and thus the potential security risks and solutions to mitigate them are still very much uncharted territory. However, it's become clear that gaining unauthorized access to LLMs created within an organization is one surefire way to expose that organization to compromise.

At this stage, key to securing any custom-built models is to limit the permissions of those in the enterprise that have access to it, the Unit 42 researchers noted. "The permissions required to deploy a model might seem harmless, but in reality, that single permission could grant access to all other models in a vulnerable project," they wrote in the post.

To protect against such risks, organizations also should implement strict controls on model deployments. A fundamental way to do this is to ensure an organization's development or test environments are separate from its live production environment.

"This separation reduces the risk of an attacker accessing potentially insecure models before they are fully vetted," Balassiano and Shaty wrote. "Whether it comes from an internal team or a third-party repository, validating every model before deployment is vital."

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 am ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#auth