How Researchers Managed to Extract Sensitive Data from ChatGPT
A recent paper demonstrated the ability to extract several megabytes of ChatGPT's training data for a relatively low financial cost, challenging the notion that aligned production models like ChatGPT are secure against data extraction. This breakthrough highlights significant vulnerabilities in similar models. The cyberattack method involved a simple prompt that caused the model to emit personal data and verbatim copies of its training dataset. The paper underscores the importance of comprehensive testing and red-teaming of language models, not just aligned models, to identify and address underlying vulnerabilities. It also differentiates between patching specific exploits and fixing inherent system vulnerabilities, emphasizing the need for a deeper understanding of these issues. The findings were responsibly disclosed to OpenAI following standard protocols, underscoring the ethical considerations in such research. This study raises critical concerns about data privacy and security in machine learning systems, calling for more rigorous analysis and safeguards. [1]
LockBit Ransomware Exploits Citrix Vulnerabilities in Major cyberattack on ICBC's U.S. Operations
The LockBit ransomware group launched a significant cyberattack on November 8th against the U.S. subsidiary of the Industrial & Commercial Bank of China Ltd (ICBC), the world's largest lender by assets, disrupting U.S. Treasury trading operations. This cyberattack exploited specific vulnerabilities in the Citrix NetScaler product suite, namely CVE-2023-4966, an information disclosure vulnerability, and CVE-2023-4967, a denial-of-service vulnerability. It severely impacted ICBC Financial Services (ICBC FS) and reverberated through the $26 trillion U.S. Treasury market. The breach hindered bank employees' access to corporate emails and the Depository Trust and Clearing Corporation, affecting critical U.S. Treasury trades and repurchase agreement transactions. In response, ICBC FS had to manually settle trades and inject $9 billion to cover unsettled trades. This cyberattack coincided with a poorly performing 30-year Treasury bond auction and led to a substantial increase in U.S. Treasury repo fails. [2]
Iranian-Backed Cyber Group Targets Municipal Water Authority of Aliquippa
The Municipal Water Authority of Aliquippa in Pennsylvania reported that one of their auxiliary booster stations was hacked by an Iranian-backed cyber group called Cyber Av3ngers. The chairman of the board, Matthew Mottes, confirmed the incident, which triggered an immediate alarm. The targeted station, crucial for monitoring and regulating water pressure in Raccoon and Potter Townships, uses a system called Unitronics, partly Israeli-owned. Mottes assured that there was no known risk to the drinking water or water supply. The system has been disabled, and the Pennsylvania State Police have initiated a criminal investigation. Congressman Chris Deluzio is closely monitoring the situation. Cyber Av3ngers has claimed responsibility for several global cyberattacks, including 10 water treatment stations in Israel as of October 30, 2023. [3]
Cross-Platform Botnet P2Pinfect Expands Reach to MIPS Devices
Cado Security Labs identified a new variant of the P2Pinfect malware, specifically designed for MIPS (Microprocessor without Interlocked Pipelined Stages) architecture, signaling an escalated focus on compromising routers, IoT, and other embedded devices. This variant, notable for its advanced evasion techniques like VM detection, debugger detection, and anti-forensics on Linux is part of a growing cross-platform botnet. Initially exploiting Redis servers, including leveraging CVE-2022-0543, the malware now targets 32-bit MIPS processors to potentially infiltrate routers and IoT devices through brute-forcing SSH access. The sophistication of this malware, evident in its use of Rust for cross-platform functionality and complex evasion methods, points to the involvement of an advanced threat actor. The rapid expansion of this botnet and the developers' dedication to improving evasive tactics are a challenge for cybersecurity detection. [4]
Unit 42 Exposes Advanced Malware Campaign Across Three Continents
Unit 42 researchers recently identified a series of sophisticated cyberattacks targeting a variety of organizations across the Middle East, Africa, and the United States. These cyberattacks are characterized by the deployment of a newly identified set of malicious tools, which includes the Agent Raccoon and Ntospy malware, as well as a new customized iteration of the well-known Mimikatz tool, referred to as “Mimilite”. These advanced tools are being strategically utilized by cyberattackers to establish covert backdoors, execute command and control (C2) operations, steal sensitive user credentials, and exfiltrate confidential data from targeted organizations. The nature of these cyberattacks, along with the complexity of the custom tools involved, leads researchers to believe with medium confidence that these activities are likely linked to sophisticated nation-state actors. The wide range of industries impacted by these incidents includes educational institutions, real estate companies, retail businesses, non-profit organizations, telecom companies, and various government sectors. The findings from Unit 42 highlight a methodical approach, using temporary directories to deploy key components of their toolset and executing scripts to meticulously clean up traces post-attack. [5]
Structured Data
Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack: https://cti.eclecticiq.com/taxii/discovery.
Please refer to our support page for guidance on how to access the feeds.
About EclecticIQ Intelligence and Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence and Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.
We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research toward your priority area.
You might also be interested in:
Sandworm Targets Ukraine's Critical Infrastructure; Overlooked AI Privacy Challenges
Navigating Cyber Challenges: Biden's AI Executive Order, Ransomware Attack on German Municipalities
Cisco IOS XE Web UI Privilege Escalation Vulnerability; Sandworm Targets Ukrainian Telecom
Appendix
[1] “Extracting Training Data from ChatGPT.” Accessed: Dec. 05, 2023. [Online]. Available: https://not-just-memorization.github.io/extracting-training-data-from-chatgpt.html
[2] “Resecurity | ICBC Ransomware Attack cyberattack Strikes at the Heart of the Global Financial Order - LockBit on a Roll.” Accessed: Dec. 05, 2023. [Online]. Available: https://www.resecurity.com/blog/article/icbc-ransomware-attack-strikes-at-the-heart-of-the-global-financial-order-lockbit-on-a-roll
[3] “Municipal Water Authority of Aliquippa hacked by Iranian-backed cyber group - CBS Pittsburgh.” Accessed: Dec. 05, 2023. [Online]. Available: https://www.cbsnews.com/pittsburgh/news/municipal-water-authority-of-aliquippa-hacked-iranian-backed-cyber-group/
[4] “P2Pinfect - New Variant Targets MIPS Devices,” Cado Security | Cloud Forensics & Incident Response. Accessed: Dec. 05, 2023. [Online]. Available: https://www.cadosecurity.com/p2pinfect-new-variant-targets-mips-devices/
[5] C. Garcia, “New Tool Set Found Used Against Organizations in the Middle East, Africa and the US,” Unit 42. Accessed: Dec. 05, 2023. [Online]. Available: https://unit42.paloaltonetworks.com/new-toolset-targets-middle-east-africa-usa/