ICT Security-Sécurité PC et Internet

Anthropic’s Claude Code AI coding assistant harbored a critical network sandbox bypass for over five months, allowing attackers to exfiltrate credentials, source code, and environment variables from developer systems, and the company issued no public advisory for either incident.

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/21st-century-innovative-technologies-and-developments/?&tag=AI

https://www.scoop.it/topic/securite-pc-et-internet?tag=Claude

AI is exposing Linux security holes faster than developers can patch them. Fragnesia is the latest. Here's what we know about it.

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Linux

Pour la première fois, des hackers ont utilisé une intelligence artificielle pour découvrir et exploiter une faille zero day dans un logiciel. Comme l’a découvert Google, cette vulnérabilité permet de contourner la double authentification, même si celle-ci a été configurée sur le compte.

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/21st-century-innovative-technologies-and-developments/?&tag=AI

https://www.scoop.it/topic/securite-pc-et-internet?tag=2FA

Attackers are abusing Google Ads and legitimate Claude.ai shared chats in an active malvertising campaign. Users searching for "Claude mac download" may come across sponsored search results that list claude.ai as the target website, but lead to instructions that install malware on their Mac.

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/21st-century-innovative-technologies-and-developments/?&tag=AI

A hacker was quick to pounce on the accidental leak of Anthropic’s AI tool, Claude Code, by spreading malware on a GitHub page that claimed to host the source code. 

Cybersecurity vendor Zscaler spotted a hacker exploiting interest in the Claude Code leak to push two malware strains, Vidar and Ghostsocks. Zscaler traced the threat to a GitHub page from the account “idbzoomh,” which purports to offer the leaked source code for Claude Code and claims: “I spent significant effort rebuilding the entire build system from scratch, fixing every compilation error, and making this source snapshot actually work.

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/21st-century-innovative-technologies-and-developments/?&tag=AI

Amazon’s AI-enhanced Alexa assistant is going to need all your voice recordings, and there’s nothing you can do about it. An email sent to Alexa users notes the online retail giant is ending one of its few privacy provisions about recorded voice data in the lead up to Alexa+. The only way to make sure Amazon doesn’t get ahold of any of your vocals may be to quit using Alexa entirely.

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/securite-pc-et-internet/?&tag=Privacy

https://www.scoop.it/topic/securite-pc-et-internet/?&tag=Alexa

Cybersecurity researchers have found that it's possible to use large language models (LLMs) to generate new variants of malicious JavaScript code at scale in a manner that can better evade detection.

"Although LLMs struggle to create malware from scratch, criminals can easily use them to rewrite or obfuscate existing malware, making it harder to detect," Palo Alto Networks Unit 42 researchers said in a new analysis. "Criminals can prompt LLMs to perform transformations that are much more natural-looking, which makes detecting this malware more challenging.

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/topic/securite-pc-et-internet/?&tag=AI

A recent cyber vulnerability in ChatGPT’s long-term memory feature was exposed, showing how hackers could use this AI tool to steal user data. Security researcher Johann Rehberger demonstrated this issue through a concept he named “SpAIware,” which exploited a weakness in ChatGPT’s macOS app, allowing it to act as spyware.

X uses your data to train its Grok AI assistant, but if you’d like to opt out of that, you can do that right from your settings menu. It is accessible on the web right here, or you can find it yourself if you click the three dots menu, then “Settings and privacy,” then “Privacy and safety,” and then “Grok.

An AI threat guide, outlining cyberattacks that target or leverage machine learning models, was published by the National Institute of Standards and Technology (NIST) on Jan. 4.

The nearly 100-page paper, titled “Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations,” provides a comprehensive overview of the cybersecurity and privacy risks that come with the rapid development of both predictive and generative AI tools over the last few years.

Russian hackers and cybercrime forums are notorious for exploiting critical infrastructure. Last month, Hackread.com exclusively reported that a Russian-speaking threat actor was selling access to a US military satellite. Now, researchers have identified macOS malware being sold for $60,000.

​More than 101,000 ChatGPT user accounts have been stolen by information-stealing malware over the past year, according to dark web marketplace data.

Cyberintelligence firm Group-IB reports having identified over a hundred thousand info-stealer logs on various underground websites containing ChatGPT accounts, with the peak observed in May 2023, when threat actors posted 26,800 new ChatGPT credential pairs.

Google Threat Intelligence Group recently published an alarming report detailing the rapid industrialization of generative artificial intelligence in adversarial workflows.

The most significant finding reveals that a cybercriminal syndicate successfully developed a working zero-day exploit entirely through artificial intelligence assistance. The Python-based exploit was designed to bypass two-factor authentication in a popular open-source web administration tool

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/21st-century-innovative-technologies-and-developments/?&tag=AI

https://www.scoop.it/topic/securite-pc-et-internet?tag=2FA

Avec Wiz et ses nouveaux agents IA, Google se prépare à une cyberguerre où les machines s'affrontent à une vitesse que les humains ne peuvent égaler.

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/21st-century-innovative-technologies-and-developments/?&tag=AI

These include a tools system to facilitate various capabilities like file read or bash execution, a query engine to handle LLM API calls and orchestration, multi-agent orchestration to spawn "sub-agents" or swarms to carry out complex tasks, and a bidirectional communication layer that connects IDE extensions to Claude Code CLI.

The leak has also shed light on a feature called KAIROS that allows Claude Code to operate as a persistent, background agent that can periodically fix errors or run tasks on its own without waiting for human input, and even send push notifications to users. Complementing this proactive mode is a new "dream" mode that will allow Claude to constantly think in the background to develop ideas and iterate existing ones.

Learn more / En savoir plus / Mehr erfahren:

https://www.scoop.it/t/21st-century-innovative-technologies-and-developments/?&tag=AI

Ce nouvel agent de cybersécurité est capable d'identifier, d'expliquer et de contribuer à corriger les vulnérabilités.

https://www.scoop.it/topic/securite-pc-et-internet?tag=AI

Cyberkriminelle behaupten, private Daten von Millionen OpenAI-Konten gestohlen zu haben. Forscher sind skeptisch, der ChatGPT-Hersteller ermittelt in dem Fall.

A new ‘super-realistic’ AI scam could get your Gmail account hacked
A Microsoft security expert warns Gmail users of a new convincing social engineering attack.

Warning signs of a scam attempt
The advent of generative AI has opened up all kinds of opportunities, but it has also ramped up various risks and dangers.

We’ve previously seen hackers who can use AI-generated codes, phishing emails, or even deepfakes to make even more realistic fraud attempts — ones that even security experts can easily fall for.

Software developers have embraced “artificial intelligence” language models for code generation in a big way, with huge gains in productivity but also some predictably dubious developments. It’s no surprise that hackers and malware writers are doing the same.

According to recent reports, there have been several active malware attacks spotted with code that’s at least partially generated by AI.

The New York Times reported on July 4, 2024, that OpenAI suffered an undisclosed breach in early 2023.

The NYT notes that the attacker did not access the systems housing and building the AI, but did steal discussions from an employee forum. OpenAI did not publicly disclose the incident nor inform the FBI because, it claims, no information about customers nor partners was stolen, and the breach was not considered a threat to national security. The firm decided that the attack was down to a single person with no known association to any foreign government.

Nevertheless, the incident led to internal staff discussions over how seriously OpenAI was addressing security concerns.

ChatGPT est victime d’une nouvelle faille de sécurité. En exploitant cette brèche, il est possible d’extraire des données sensibles concernant des individus en s’adressant au chatbot d’OpenAI.

Researchers jailbreak AI chatbots, including ChatGPT
Like a magic wand that turns chatbots evil.