Welcome reader to your CybersecurityHQ report.

Headlines

Google expands its Vulnerability Rewards Program (VRP) to encompass attack scenarios specifically targeting generative artificial intelligence (AI) systems. The move comes amid a tidal wave of concern regarding cyber security in the age of machine learning. AI projects open up a new range of concerns, including creating new biases, manipulating models, and data misinterpretation that leads to hallucinations. To address this new front, researchers are now encouraged to identify vulnerabilities across various categories, such as prompt injections, data leakage from training datasets, adversarial attacks, and model theft.

In July, Google established an AI Red Team as part of its Secure AI Framework (SAIF) to mitigate threats to AI systems. Concurrently, efforts are underway to fortify the AI supply chain through open-source security initiatives like SLSA and Sigstore, ensuring software integrity and transparency. This development coincides with OpenAI’s introduction of a Preparedness team to monitor and counteract catastrophic risks to generative AI, spanning various threat domains. Google, OpenAI, Anthropic, and Microsoft have collectively initiated a $10 million AI Safety Fund to bolster research in AI safety, showcasing a unified commitment to advancing secure and responsible AI development.

Researchers at Sucuri raised the alarm on Wednesday around a sharp increase in fraudulent Chrome update websites distributing Trojan malware, posing serious threats to user devices. Their team identified a surge in sites infected with a malware dubbed “FakeUpdateRU,” deceiving users into downloading a remote access trojan (RAT) while believing they are updating their Chrome browser. These attacks often initiate targeted ransomware campaigns.

Google has actively blocked most of these malicious domains and is issuing warnings to users attempting to access the compromised sites. The identified malware resembles the SocGholish infection, which impacted thousands of websites and was linked to the Russian cybercrime group Evil Corp. However, “FakeUpdateRU” appears to be the work of a competing threat actor group, also capitalizing on ransomware opportunities.

The in-home hospitality app Hello Alfred faced a severe security breach due to an unprotected database. The breach exposed around 170,000 records containing sensitive user data. Researchers discovered this vulnerability on September 19th, with exposed information including personal details (including name, phone number, and home address), authentication tokens, private notes, and partial payment information.

Hello Alfred promptly secured access to the database upon notification. However, the breach raises significant concerns about user privacy and security, highlighting the potential risks of identity theft, fraud, and targeted phishing attacks. The New York-based platform has been running for nine years in more than 20 cities, and it is valued at $56.5 million.

Interesting Read

While fighting continues in Israel, a controversial new fad on TikTok has content creators staging “Israel vs. Palestine” fights to get money through in-app gifts. With TikTok taking a cut of this disturbing trend, it raises deep ethical questions for the platform.

Read more on Wired as writer David Gilbert dives into this strange world.

Cybersecurity Career Opportunities

For the latest openings in cybersecurity careers, check CybersecurityHQ.

Stay Safe, Stay Secure.

The CybersecurityHQ Team