DeepSeek, a Chinese AI startup, exposed sensitive data by leaving a database open. Wiz Research found chat logs, keys, and backend details accessible.

DeepSeek, a Chinese AI company, has made a name for itself with its AI models that rival OpenAI’s systems. But along with its rise came a serious security issue as researchers at Wiz found that a database tied to the company was left publicly accessible, exposing over a million log entries, backend details, software keys, and more.

****How It Happened****

During a routine security assessment, researchers at Wiz discovered that DeepSeek had an unprotected ClickHouse database, open to anyone with internet access. This database wasn’t just visible; it allowed full control over stored data, meaning an attacker could manipulate or extract critical information without restriction.

The exposed database was linked to multiple subdomains, including:

dev.deepseek.com:9000

oauth2callback.deepseek.com:9000

ClickHouse is an open-source, columnar database management system designed to process analytical queries on large datasets quickly. Originally developed by Yandex, it’s widely used for real-time data analytics, log processing, and business intelligence.

According to Wiz’s blog post, its researchers were able to query the system without authentication, revealing a massive volume of logs containing:

*   **API keys**
*   **Chat histories**
*   **Backend service details**
*   **System operational metadata**

This wasn’t just a minor misconfiguration. The database contained detailed logs of internal system activity, exposing how DeepSeek’s AI tools operate and communicate. Worse yet, the exposure meant attackers could execute commands and extract even more sensitive data directly from the server.

****What Was at Risk?****

DeepSeek’s AI services process large amounts of user-generated data, meaning chat logs could have included personal or proprietary information. The database also stored API keys, which, in the wrong hands, could allow attackers to impersonate DeepSeek’s services or access further internal systems.

Given the expansion of AI startups, security often takes a backseat to development speed. In this case, a simple security lapse exposed valuable internal data, which could have been exploited by cybercriminals.

****DeepSeek’s Response****

Once notified by Wiz, DeepSeek moved quickly to lock down the database and remove public access. However, it remains unclear whether any unauthorized parties accessed the information before it was secured.

****DeepSeek: Privacy and Cybersecurity Concerns****

DeepSeek’s Chinese ownership has already raised concerns among Western governments, with some critics arguing that the chatbot collects excessive personal data, posing privacy risks. Adding to these worries, DeepSeek recently reported a “large malicious attack” that forced the company to suspend new user registrations. Now, with a publicly exposed database compromising sensitive information, the company faces yet another cybersecurity setback.

****Expert Opinion****

Gunter Ollmann, CTO at Cobalt, notes that situations like the DeepSeek issue happen often because the process of getting the product up and running takes priority over security. Also, since DeepSeek has taken a prominent place in the world of AI, the impact could have been huge for companies and individual users.

“The DeepSeek exposure highlights a critical and recurring issue—organizations, especially those innovating rapidly in AI, often prioritize speed over security.” Explained Gunter. “Wiz’s discovery reinforces the importance of proactive security testing, particularly as attack surfaces expand with cloud-based infrastructure and publicly accessible APIs.”

DeepSeek AI Leaks Over a Million Chat Logs and Sensitive Data Online

Martin discusses how defenders can use threat intelligence to equip themselves against AI-based threats. Plus check out his introductory course to threat intelligence.

Thursday, January 30, 2025 14:05

Welcome to this week’s edition of the Threat Source newsletter. 

You don’t need me to tell you that security is constantly changing and that more change is on its way. The enthusiastic adoption of new AI systems will inevitably lead to more demands on cybersecurity teams. Not only will these systems need protecting against the same threats which affect current systems, but also against new types of threats that target AI models. We can only expect that attacks designed to subvert AI models and get them to function in ways detrimental to their operators’ interests will become more effective and beneficial to attackers over time. 

The good news is that we can expect AI enabled security systems to help protect against attacks, detect incursions, and orchestrate the remediation of affected systems. However, we must not overlook the fact that people will remain involved and invested in the outcome. Within this AI powered future will be CISOs who will be held responsible for the security of systems. There will also be many analysts tasked with keeping systems operating correctly while trying to anticipate and protect against forthcoming malicious campaigns.

Although we may not be able to predict the nature of attacks in this distant future, we can predict some of the skills that will be necessary to beat these attacks. Threat intelligence skills will be vital to equip future cyber security professionals not only to understand the goals of the threat actors that they face but to situate their attacks within the context of these goals. Armed with this understanding, security teams will be able to make better decisions regarding the allocation and prioritization of resources to best defend against attacks. 

Developing threat intelligence skills within the cyber security professionals of tomorrow begins today. Training up people who are early in their careers and students yet to begin their careers is one of the best investments we can make to build resilience against future threats.

To help skill up future analysts, my colleagues and myself in collaboration with Cisco’s Networking Academy have developed an introductory course to threat intelligence. This course is free for all, only registration is required, and is intended to give an overview of the domain for someone without prior knowledge which can be used as a starting point for further study or employment.

For those looking to develop a threat intelligence program as part of their cyber security strategy, we are hosting a technical seminar at Cisco Live EMEA on Sunday February 9th. The session, “Establishing a Threat Intelligence Program, Why its Necessary, What to Expect and How to Go about it \[TECSEC-2003\]”, will present how managers can set-up a threat intelligence team as part of their arsenal against the bad guys and what can reasonably be expected.

**The one big thing**

One pointer to the nature of future threats against AI systems is a technique used in spam that Talos recently blogged about. Hiding the nature of the content displayed to the recipient from anti-spam systems is not a new technique. Spammers have included hidden text or used formatting rules to camouflage their actual message from anti-spam analysis for decades. However, we have seen increase in the use of such techniques during the second half of 2024.

**Why do I care?**

Parsers which are required for computers to understand text content, view the world very differently from humans. The human eye ignores text in miniscule font or can’t detect black letters on a black background, but this is not necessarily the case for parsers. Where the human eye sees readily readable text, the parser can see the gibberish that spammers have included to confuse them. Potentially the opposite is also true with humans seeing gibberish, but language parsing software seeing readable text.

Being able to disguise and hide content from machine analysis or from human oversight is likely to become a more important vector of attack against AI systems as they become a larger part of our lives. 

**So now what?**

Fortunately, the techniques to detect this kind of obfuscation are well known and already integrated into spam detection systems such as Cisco Email Threat Defense. Conversely, the presence of attempts to obfuscate content in this manner makes it obvious that a message is malicious and can be classed as spam.

**Top security headlines of the week**

Another incident of an undersea telecommunications cable being cut in the Baltic was encountered. (CNN). Organisations need to plan for the effects of a major telecommunications outage or internet bandwidth restriction affecting their business.

Three members of Russia’s GRU have been placed under sanctions for their suspected role in conducting cyber attacks against Estonia in 2020 (SecurityAffairs). Threat actors might try to hide their identities but eventually they will be discovered and held to account for their actions.

A botnet consisting of infected IoT devices is behind the largest ever DDoS attack (Help Net Security). Small network connected devices can easily be overlooked as part of a cyber security strategy, but they can be compromised by threat actors and used for nefarious purposes.

**Can't get enough Talos?**

Today we released the new Cisco Talos Quarterly Trends Report - covering incidents from October to December 2024. The big call out? Threat actors are increasingly deployed web shells against vulnerable web applications. They primarily exploited vulnerable or unpatched public-facing applications to gain initial access, a notable shift from previous quarters.

Watch Hazel, Joe and Craig break down the report - they discuss hunting down web shells, the Interlock ransomware, and the increasing use of remote access tools within ransomware attacks.

**Upcoming events where you can find Talos**

Talos team members: Martin LEE, Thorsten ROSENDAHL, Yuri KRAMARZ, Giannis TZIAKOURIS, and Vanja SVAJCER will be speaking at Cisco Live EMEA. Amsterdam, Netherlands, 9-14 February.  (Cisco Live EMEA)

**Most prevalent malware files of the week**

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**VirusTotal:**https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**Typical Filename:** VID001.exe  
**Detection Name:** Simple\_Custom\_DetectionClaimed Product: 

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
**MD5:** 71fea034b422e4a17ebb06022532fdde  
**VirusTotal:** https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Coinminer:MBT.26mw.in14.Talos

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**VirusTotal:** https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

Defeating Future Threats Starts Today

In an effort to blend in and make their malicious traffic tougher to block, hosting firms catering to cybercriminals in China and Russia increasingly are funneling their operations through major U.S. cloud providers. Research published this week on one such outfit -- a sprawling network tied to Chinese organized crime gangs and aptly named "Funnull" -- highlights a persistent whac-a-mole problem facing cloud services.

Image: Shutterstock, ArtHead.

In an effort to blend in and make their malicious traffic tougher to block, hosting firms catering to cybercriminals in China and Russia increasingly are funneling their operations through major U.S. cloud providers. Research published this week on one such outfit — a sprawling network tied to Chinese organized crime gangs and aptly named “**Funnull**” — highlights a persistent whac-a-mole problem facing cloud services.

In October 2024, the security firm **Silent Push** published a lengthy analysis of how **Amazon AWS** and **Microsoft Azure** were providing services to Funnull, a two-year-old Chinese content delivery network that hosts a wide variety of fake trading apps, pig butchering scams, gambling websites, and retail phishing pages.

Funnull made headlines last summer after it acquired the domain name **polyfill\[.\]io**, previously the home of a widely-used open source code library that allowed older browsers to handle advanced functions that weren’t natively supported. There were still tens of thousands of legitimate domains linking to the Polyfill domain at the time of its acquisition, and Funnull soon after conducted a supply-chain attack that redirected visitors to malicious sites.

Silent Push’s October 2024 report found a vast number of domains hosted via Funnull promoting gambling sites that bear the logo of the **Suncity Group**, a Chinese entity named in a 2024 UN report (PDF) for laundering millions of dollars for the North Korean Lazarus Group.

In 2023, Suncity’s CEO was sentenced to 18 years in prison on charges of fraud, illegal gambling, and “triad offenses,” i.e. working with Chinese transnational organized crime syndicates. Suncity is alleged to have built an underground banking system that laundered billions of dollars for criminals.

It is likely the gambling sites coming through Funnull are abusing top casino brands as part of their money laundering schemes. In reporting on Silent Push’s October report, _TechCrunch_ obtained a comment from Bwin, one of the casinos being advertised en masse through Funnull, and Bwin said those websites did not belong to them.

Gambling is illegal in China except in Macau, a special administrative region of China. Silent Push researchers say Funnull may be helping online gamblers in China evade the Communist party’s “Great Firewall,” which blocks access to gambling destinations.

Silent Push’s **Zach Edwards** said that upon revisiting Funnull’s infrastructure again this month, they found dozens of the same Amazon and Microsoft cloud Internet addresses still forwarding Funnull traffic through a dizzying chain of auto-generated domain names before redirecting malicious or phishous websites.

Edwards said Funnull is a textbook example of an increasing trend Silent Push calls “infrastructure laundering,” wherein crooks selling cybercrime services will relay some or all of their malicious traffic through U.S. cloud providers.

“It’s crucial for global hosting companies based in the West to wake up to the fact that extremely low quality and suspicious web hosts based out of China are deliberately renting IP space from multiple companies and then mapping those IPs to their criminal client websites,” Edwards told KrebsOnSecurity. “We need these major hosts to create internal policies so that if they are renting IP space to one entity, who further rents it to host numerous criminal websites, all of those IPs should be reclaimed and the CDN who purchased them should be banned from future IP rentals or purchases.”

A Suncity gambling site promoted via Funnull. The sites feature a prompt for a Tether/USDT deposit program.

Reached for comment, Amazon referred this reporter to a statement Silent Push included in a report released today. Amazon said AWS was already aware of the Funnull addresses tracked by Silent Push, and that it had suspended all known accounts linked to the activity.

Amazon said that contrary to implications in the Silent Push report, it has every reason to aggressively police its network against this activity, noting the accounts tied to Funnull used “fraudulent methods to temporarily acquire infrastructure, for which it never pays. Thus, AWS incurs damages as a result of the abusive activity.”

“When AWS’s automated or manual systems detect potential abuse, or when we receive reports of potential abuse, we act quickly to investigate and take action to stop any prohibited activity,” Amazon’s statement continues. “In the event anyone suspects that AWS resources are being used for abusive activity, we encourage them to report it to AWS Trust & Safety using the report abuse form. In this case, the authors of the report never notified AWS of the findings of their research via our easy-to-find security and abuse reporting channels. Instead, AWS first learned of their research from a journalist to whom the researchers had provided a draft.”

Microsoft likewise said it takes such abuse seriously, and encouraged others to report suspicious activity found on its network.

“We are committed to protecting our customers against this kind of activity and actively enforce acceptable use policies when violations are detected,” Microsoft said in a written statement. “We encourage reporting suspicious activity to Microsoft so we can investigate and take appropriate actions.”

**Richard Hummel** is threat intelligence lead at **NETSCOUT**. Hummel said it used to be that “noisy” and frequently disruptive malicious traffic — such as automated application layer attacks, and “brute force” efforts to crack passwords or find vulnerabilities in websites — came mostly from botnets, or large collections of hacked devices.

But he said the vast majority of the infrastructure used to funnel this type of traffic is now proxied through major cloud providers, which can make it difficult for organizations to block at the network level.

“From a defenders point of view, you can’t wholesale block cloud providers, because a single IP can host thousands or tens of thousands of domains,” Hummel said.

In May 2024, KrebsOnSecurity published a deep dive on Stark Industries Solutions, an ISP that materialized at the start of Russia’s invasion of Ukraine and has been used as a global proxy network that conceals the true source of cyberattacks and disinformation campaigns against enemies of Russia. Experts said much of the malicious traffic  traversing Stark’s network (e.g. vulnerability scanning and password brute force attacks) was being bounced through U.S.-based cloud providers.

Stark’s network has been a favorite of the Russian hacktivist group called **NoName057(16)**, which frequently launches huge distributed denial-of-service (DDoS) attacks against a variety of targets seen as opposed to Moscow. Hummel said NoName’s history suggests they are adept at cycling through new cloud provider accounts, making anti-abuse efforts into a game of whac-a-mole.

“It almost doesn’t matter if the cloud provider is on point and takes it down because the bad guys will just spin up a new one,” he said. “Even if they’re only able to use it for an hour, they’ve already done their damage. It’s a really difficult problem.”

Edwards said Amazon declined to specify whether the banned Funnull users were operating using compromised accounts or stolen payment card data, or something else.

“I’m surprised they wanted to lean into ‘We’ve caught this 1,200+ times and have taken these down!’ and yet didn’t connect that each of those IPs was mapped to \[the same\] Chinese CDN,” he said. “We’re just thankful Amazon confirmed that account mules are being used for this and it isn’t some front-door relationship. We haven’t heard the same thing from Microsoft but it’s very likely that the same thing is happening.”

Funnull wasn’t always a bulletproof hosting network for scam sites. Prior to 2022, the network was known as **Anjie CDN**, based in the Philippines. One of Anjie’s properties was a website called **funnull\[.\]app**. Loading that domain reveals a pop-up message by the original Anjie CDN owner, who said their operations had been seized by an entity known as **Fangneng CDN** and **ACB Group**, the parent company of Funnull.

A machine-translated message from the former owner of Anjie CDN, a Chinese content delivery network that is now Funnull.

“After I got into trouble, the company was managed by my family,” the message explains. “Because my family was isolated and helpless, they were persuaded by villains to sell the company. Recently, many companies have contacted my family and threatened them, believing that Fangneng CDN used penetration and mirroring technology through customer domain names to steal member information and financial transactions, and stole customer programs by renting and selling servers. This matter has nothing to do with me and my family. Please contact Fangneng CDN to resolve it.”

In January 2024, the **U.S. Department of Commerce** issued a proposed rule that would require cloud providers to create a “Customer Identification Program” that includes procedures to collect data sufficient to determine whether each potential customer is a foreign or U.S. person.

According to the law firm **Crowell & Moring LLP**, the Commerce rule also would require “infrastructure as a service” (IaaS) providers to report knowledge of any transactions with foreign persons that might allow the foreign entity to train a large AI model with potential capabilities that could be used in malicious cyber-enabled activity.

“The proposed rulemaking has garnered global attention, as its cross-border data collection requirements are unprecedented in the cloud computing space,” Crowell wrote. “To the extent the U.S. alone imposes these requirements, there is concern that U.S. IaaS providers could face a competitive disadvantage, as U.S. allies have not yet announced similar foreign customer identification requirements.”

It remains unclear if the new White House administration will push forward with the requirements. The Commerce action was mandated as part of an executive order President Trump issued a day before leaving office in January 2021.

Infrastructure Laundering: Blending in with the Cloud

Over 57 distinct threat actors with ties to China, Iran, North Korea, and Russia have been observed using artificial intelligence (AI) technology powered by Google to further enable their malicious cyber and information operations.
"Threat actors are experimenting with Gemini to enable their operations, finding productivity gains but not yet developing novel capabilities," Google Threat

Google: Over 57 Nation-State Threat Groups Using AI for Cyber Operations

Whether by intercepting its traffic or just giving it a little nudge, GitHub's AI assistant can be made to do malicious things it isn't supposed to.

Source: Mykhailo Polenok via Alamy Stock Photo

Researchers have discovered two new ways to manipulate GitHub's artificial intelligence (AI) coding assistant, Copilot, enabling the ability to bypass security restrictions and subscription fees, train malicious models, and more.

The first trick involves embedding chat interactions inside of Copilot code, taking advantage of the AI's instinct to be helpful in order to get it to produce malicious outputs. The second method focuses on rerouting Copilot through a proxy server in order to communicate directly with the OpenAI models it integrates with.

Researchers from Apex deem these issues vulnerabilities. GitHub disagrees, characterizing them as "off-topic chat responses," and an "abuse issue," respectively. In response to an inquiry from Dark Reading, GitHub wrote, "We continue to improve on safety measures in place to prevent harmful and offensive outputs as part of our responsible AI development. Furthermore, we continue to invest in opportunities to prevent abuse, such as the one described in Issue 2, to ensure the intended use of our products."

**Jailbreaking GitHub Copilot**

"Copilot tries as best as it can to help you write code, \[including\] everything you write inside a code file," Fufu Shpigelman, vulnerability researcher at Apex explains. "But in a code file, you can also write a conversation between a user and an assistant."

In the screenshot below, for example, a developer embeds within their code a chatbot prompt, from the perspective of an end user. The prompt carries ill intent, asking Copilot to write a keylogger. In response, Copilot suggests a safe output denying the request:

Source: Apex

The developer, however, is in full control over this environment. They can simply delete Copilot's autocomplete response, and replace it with a malicious one.

Or, better yet, they can influence Copilot with a simple nudge. As Shpigelman notes, "It's designed to complete meaningful sentences. So if I delete the sentence 'Sorry, I can't assist with that,' and replace it with the word 'Sure,' it tries to think of how to complete a sentence that starts with the word 'Sure.' And then it helps you with your malicious activity as much as you want." In other words, getting Copilot to write a keylogger in this context is as simple as gaslighting it into thinking it wants to.

Source: Apex

A developer could use this trick to generate malware, or malicious outputs of other kinds, like instructions on how to engineer a bioweapon. Or, perhaps, they could use Copilot to embed these sorts of malicious behaviors into their own chatbot, then distribute it to the public.

**Breaking Out of Copilot Using a Proxy**

To generate novel coding suggestions, or process a response to a prompt — for example, a request to write a keylogger — Copilot engages help from cloud-based large language models (LLM) like Claude, Google Gemini, or OpenAI models, via those models' application programming interfaces (APIs).

The second scheme Apex researchers came up with allowed them to plant themselves in the middle of this engagement. First they modified Copilot's configuration, adjusting its "github.copilot.advanced.debug.overrideProxyUrl" setting to redirect traffic through their own proxy server. Then, when they asked Copilot to generate code suggestions, their server intercepted the requests it generated, capturing the token Copilot uses to authenticate with OpenAI. With the necessary credential in hand, they were able to access OpenAI's models without any limits or restrictions, and without having to pay for the privilege.

And this token isn't the only juicy item they found in transit. "When Copilot \[engages with\] the server, it sends its system prompt, along with your prompt, and also the history of prompts and responses it sent before," Shpigelman explains. Putting aside the privacy risk that comes with exposing a long history of prompts, this data contains ample opportunity to abuse how Copilot was designed to work.

A "system prompt" is a set of instructions that defines the character of an AI — its constraints, what kinds of responses it should generate, etc. Copilot's system prompt, for example, is designed to block various ways it might otherwise be used maliciously. But by intercepting it en route to an LLM API, Shpigelman claims, "I can change the system prompt, so I won't have to try so hard later to manipulate it. I can just \[modify\] the system prompt to give me harmful content, or even talk about something that is not related to code."

For Tomer Avni, co-founder and CPO of Apex, the lesson in both of these Copilot weaknesses "is not that GitHub isn't trying to provide guardrails. But there is something about the nature of an LLM, that it can always be manipulated no matter how many guardrails you're implementing. And that's why we believe there needs to be an independent security layer on top of it that looks for these vulnerabilities."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

New Jailbreaks Allow Users to Manipulate GitHub Copilot

The sudden rise of DeepSeek has raised questions of data origin, data destination, and the security of the new AI model.

The sudden rise of DeepSeek has raised concerns and questions, especially about the origin and destination of the training data, as well as the security of the data.

For those returning from a short holiday away from the news, DeepSeek is a new player on the Artificial Intelligence (AI) field. The Chinese startup has certainly taken the app stores by storm: In just a week after the launch it topped the charts as the most downloaded free app in the US. This caused an upset on the stock markets that cost nVidia and Oracle shareholders a lot of money.

DeepSeek has been called an open-source project, however this technically is not true because only the model’s outputs and certain aspects are publicly accessible. This makes it qualify as an open-weight model. Anyway, the important difference is that the underlying training data and code necessary for full reproduction of the models are not fully disclosed.

And it’s the data that pose a concern to many. OpenAI has accused DeepSeek of using its ChatGPT model to train DeepSeek’s AI chatbot, which triggered quite some memes. If only because OpenAI previously suffered accusations of using data that was not its own in order to train ChatGPT.

Authorities have started to ask questions as well. The Italian privacy regulator GPDP has asked DeepSeek to provide information about the data it processes in the chatbot, and its training data.  Because it sees a risk to the privacy of millions of Italian citizens, GDPD has demanded DeepSeek answers within 20 days questions about:

*   Which personal data is collected
*   The origin of the data
*   Purpose for the collection
*   Whether the data is stored on servers in China

According to the Italian press agency ANSA, DeepSeek disappeared on January 29, 2025 from Google and Apple’s app stores in Italy.

And if all that isn’t scary enough, researchers at Wiz have found a publicly accessible database belonging to DeepSeek.

> “This database contained a significant volume of chat history, backend data and sensitive information, including log streams, API Secrets, and operational details. “

The database was not just accessible and readable, it was also open to control and privilege escalation within the DeepSeek environment. No authentication was required, so anybody that stumbled over the database was able to run queries to retrieve sensitive logs and actual plaintext chat messages, and even to steal plaintext passwords and local files.

Needless to say, this oversight put DeepSeek and its users at risk.

We have said this before and we’ll probably have to repeat it numerous times, but the need for fast developments in this field is creating privacy risks that we have never seen before, simply because security is an afterthought for the developers. So, no matter which AI chatbot you prefer, always be mindful of the information you feed it: It may find its way to unexpected and undesirable places.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 The DeepSeek controversy: Authorities ask where does the data come from and how safe is it? 

Buzzy Chinese artificial intelligence (AI) startup DeepSeek, which has had a meteoric rise in popularity in recent days, left one of its databases exposed on the internet, which could have allowed malicious actors to gain access to sensitive data.
The ClickHouse database "allows full control over database operations, including the ability to access internal data," Wiz security researcher Gal

DeepSeek AI Database Exposed: Over 1 Million Log Lines, Secret Keys Leaked

UAC-0063: A Russian-linked threat actor targeting Central Asia and Europe with sophisticated cyberespionage campaigns, including weaponized documents, data…

UAC-0063: A Russian-linked threat actor targeting Central Asia and Europe with sophisticated cyberespionage campaigns, including weaponized documents, data exfiltration, and advanced malware.

Bitdefender has shared its latest research with Hackread.com ahead of its release, revealing an active espionage campaign by Russia APT28-linked threat actor UAC-0063. According to Bitdefender’s investigation, the actor is specifically targeting high-value entities in Central Asia and European countries like Germany, the UK, Romania, and the Netherlands in a multi-stage attack process involving various malware components and techniques.

UAC-0063 has been active since at least 2021 and has targeted a variety of organizations, including government entities, diplomatic missions, and private companies. In this campaign, the actor employs malicious Microsoft Word documents, a HATVIBE malware loader, and custom-built malware to infiltrate networks. Their operations are characterized by persistence, focusing on maintaining long-term access to compromised systems.

The attack starts with compromised Microsoft Word documents containing malicious macros that, when enabled by the user, deliver the initial malware payload (HATVIBE loader). HATVIBE is an HTA (HTML Application) script that downloads and executes further malicious code from the attacker’s command-and-control (C2) server.

A blurred malicious MS Word document used in the attack prompts users to enable macros to reveal its contents. However, once enabled, it also allows attackers to deploy a malicious payload. (Via Bitdefender)

DownExPyer is used extensively throughout the UAC-0063 attack chain. It is deployed after the initial infection stage, likely by the HATVIBE loader or other malware components. This Python-based malware establishes persistent communication with the C2 server, receives commands, and executes malicious actions on the infected system. 

PyPlunderPlug is a separate script designed to collect files from removable drives connected to the infected system. It focuses on specific file types and copies them to a staging location for potential exfiltration.

The attackers also deploy keyloggers to capture keystrokes entered by the victim, potentially revealing sensitive information like passwords and login credentials. The stolen data is then compressed into smaller archives to facilitate exfiltration and evade detection.

Researchers noted that the actor leverages previously compromised victims to spread the infection. This means the weaponised documents exfiltrated from one victim are used to attack other targets. Moreover, they create scheduled tasks to ensure the persistence of their malware on the compromised system. These tasks automatically execute the malicious code at regular intervals.

Researchers hinted at the involvement of the Russian government in this campaign.

UAC-0063’s arsenal “featuring sophisticated implants like DownExPyer and PyPlunderPlug, combined with well-crafted TTPs, demonstrates a clear focus on espionage and intelligence gathering. The targeting of government entities within specific regions aligns with _potential Russian strategic interests_,” Bitdefender researchers wrote in the blog post.

To mitigate the risks posed by UAC-0063, organizations should enhance their threat intelligence by continuously monitoring feeds from reputable sources, tracking C2 domains and implementing DNS-based blocking mechanisms to prevent network traffic from reaching these malicious domains. Implementing application whitelisting policies and deploying Intrusion Detection and Prevention Systems (IDPS) are crucial for strengthening endpoint and network security. 

1.  **Ukrainian Hackers Breach Email of APT28 Leader**
2.  **Russian Hackers Exploit Firefox 0-Days to Deploy Backdoor**
3.  **Russian Hackers Hit Mail Servers in Europe for Military Intel**
4.  **Russian APT28 Exploiting Windows Flaw with GooseEgg Tool**
5.  **Russian Hackers Shift Tactics, Target Victims with Paid Malware**

Russian UAC-0063 Targets Europe and Central Asia with Advanced Malware

The threat actor is using a sophisticated network of VPNs and proxies to centrally manage command-and-control servers from Pyongyang.

Source: DC Studio via Shutterstock

An ongoing investigation into recent attacks by North Korea's Lazarus group on cryptocurrency entities and software developers worldwide has uncovered a hidden administrative layer that the threat actor has been using to centrally manage the campaign's command-and-control (C2) infrastructure.

The investigation by researchers at SecurityScorecard showed Lazarus using the newly discovered infrastructure to maintain direct oversight over compromised systems, control payload delivery on them, and efficiently manage exfiltrated data. Significantly, the threat actor is using the same Web-based admin platform in other campaigns, including one involving the impersonation of IT workers, the security vendor found.

**Elaborate Operational Security**

Though the threat actor has implemented elaborate operational security measures to try and evade attribution, SecurityScorecard said it was able to tie the campaign and infrastructure to North Korea with a high degree of confidence.

"\[The\] analysis makes it evident that Lazarus was orchestrating a global operation targeting the cryptocurrency industry and developers worldwide," SecurityScorecard said in a report this week. "The campaigns resulted in hundreds of victims downloading and executing the payloads, while, in the background, the exfiltrated data was being siphoned back to Pyongyang."

SecurityScorecard discovered "Phantom Circuit," the name by which it is tracking Lazarus group's newly discovered admin layer, while conducting followup investigations involving "Operation 99," a malicious campaign that it recently uncovered targeting the cryptocurrency industry and developers globally. In the campaign, members of the threat group have been posing as recruiters on LinkedIn and other online job forums to get software developers to engage in spurious project tests and code reviews.

Victims who fall for the scam are directed to clone a seemingly benign but harmful open source GitHub repository. The cloned repository connects to Lazarus group's C2 infrastructure, which the threat actor has then been using to sneak data-stealing malware into the victim's environment. As part of the campaign, Lazarus group actors have been inserting obfuscated backdoors into legitimate software products — including authentication apps and cryptocurrency software — and trying to trick developers into running them in their environments. SecurityScorecard estimates that more than 230 victims have downloaded the malicious payloads in the North Korean threat actor's latest campaign.

**Dual Motivations**

"The motivation is twofold: cryptocurrency theft and infiltration of corporate networks," Ryan Sherstobitoff, senior vice president of threat intelligence at SecurityScorecard says. More often than not, developers who fall victim to Lazarus group lures end up executing the cloned code on their corporate devices and in their work environments. "The payloads are designed to exfiltrate development secrets," he says.

SecurityScorecard uncovered the Phantom Circuit admin layer when trying to understand how Lazarus actors were managing the information they stole via Operation 99. What the company discovered was Lazarus members using what it described as a sophisticated network of Astrill VPNs and proxies to access Operation 99's C2 infrastructure in a highly concealed manner. Astrill, which has VPN servers in 142 cities and 56 countries, has a reputation for allowing users to browse the Web anonymously and bypass Internet restrictions in countries with heavy censorship.

SecurityScorecard researchers found Lazarus members using Astrill VPNs to connect to an intermediate proxy network registered with a freight company in Hasan, Russia. They then used the proxy network to connect to Operation 99's C2 infrastructure in an elaborate attempt to try and hide their tracks. The C2 servers themselves were hosted on infrastructure registered with a most likely fictional "Stark Industries, LLC."

"\[SecurityScorecard\] assesses with high confidence that the IPs used to connect to the C2s were merely a relay/proxy and used to obfuscate the true origin," the company wrote in its report this week. "The adversary was establishing a secondary session after connecting to the VPN with the proxy, thus obscuring the true origin of where they actually connected from." SecureScorecard said it was able to identify a total of six distinct IP addresses in Pyongyang that the threat actor used to initiate the Astrill VPN connections to Operation 99's C2 network.

"Phantom Circuit \[is the\] operational network behind the scenes that leads directly back to Pyongyang," Sherstobitoff says. It is also the same proxy network, he adds, that Lazarus used in another campaign where members used stolen identities to impersonate IT workers to try and secure jobs at organizations they wanted to infiltrate.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Researchers Uncover Lazarus Group Admin Layer for C2 Servers

China-based DeepSeek has exploded in popularity, drawing greater scrutiny. Case in point: Security researchers found more than 1 million records, including user data and API keys, in an open database.

The Chinese generative artificial intelligence platform DeepSeek has had a meteoric rise this week, stoking rivalries and generating market pressure for United States–based AI companies, which in turn has invited scrutiny of the service. Amid the hype, researchers from the cloud security firm Wiz published findings on Wednesday that show that DeepSeek left one of its critical databases exposed on the internet, leaking system logs, user prompt submissions, and even users’ API authentication tokens—totaling more than 1 million records—to anyone who came across the database.

DeepSeek is a relatively new company and has been virtually unreachable to press and other organizations this week. In turn, the company did not immediately respond to WIRED’s request for comment about the exposure. The Wiz researchers say that they themselves were unsure about how to disclose their findings to the company and simply sent information about the discovery on Wednesday to every DeepSeek email address and LinkedIn profile they could find or guess. The researchers have yet to receive a reply, but within a half hour of their mass contact attempt, the database they found was locked down and became inaccessible to unauthorized users. It is unclear whether any malicious actors or authorized parties accessed or downloaded any of the data.

“The fact that mistakes happen is correct, but this is a dramatic mistake, because the effort level is very low and the access level that we got is very high,” Ami Luttwak, the CTO of Wiz tells WIRED. “I would say that it means that the service is not mature to be used with any sensitive data at all.”

Exposed databases that are accessible to anyone on the open internet are a long-standing problem that institutions and cloud providers have slowly worked to address. But the Wiz researchers note that the DeepSeek database they found was visible almost immediately with minimal scanning or probing.

“Usually when we find this kind of exposure, it’s in some neglected service that takes us hours to find—hours of scanning,” says Nir Ohfeld, the head of vulnerability research at Wiz. But this time, “here it was at the front door.” Ohfeld adds that the “technical difficulty of this vulnerability is the bare minimum.”

The researchers say that the trove they found appears to have been a type of open source database typically used for server analytics called a ClickHouse database. And the exposed information supported this, given that there were log files that contained the routes or paths users had taken through DeepSeek’s systems, the users’ prompts and other interactions with the service, and the API keys they had used to authenticate. The prompts the researchers saw were all in Chinese, but they note that it is possible the database also contained prompts in other languages. The researchers say they did the absolute minimum assessment needed to confirm their findings without unnecessarily compromising user privacy, but they speculate that it may even have been possible for a malicious actor to use such deep access to the database to move laterally into other DeepSeek systems and execute code in other parts of the company’s infrastructure.

“It's pretty shocking to build an AI model and leave the backdoor wide open from a security perspective,” says independent security researcher Jeremiah Fowler, who was not involved in the Wiz research but specializes in discovering exposed databases. “This type of operational data and the ability for anyone with an internet connection to access it and then manipulate it is a major risk to the organization and users.”

DeepSeek’s systems are seemingly designed to be very similar to OpenAI’s, the researchers told WIRED on Wednesday, perhaps to make it easier for new customers to transition to using DeepSeek without difficulty. The entire DeepSeek infrastructure appears to mimic OpenAI’s, they say, down to details like the format of the API keys.

The Wiz researchers say they don’t know if anyone else found the exposed database before they did, but it wouldn’t be surprising, given how simple it was to discover. Fowler, the independent researcher, also notes that the vulnerable database would have “definitely” been found quickly—if it wasn’t already—whether by other researchers or bad actors.

“I think this is a wake-up call for the wave of AI products and services we will see in the near future and how seriously they take cybersecurity,” he says.

DeepSeek has made a global impact over the past week, with millions of people flocking to the service and pushing it to the top of Apple’s and Google’s app stores. The resulting shock waves have wiped billions from the stock prices of US-based AI companies and spooked executives at firms across the country. On Wednesday, sources at OpenAI told the Financial Times that it was looking into DeepSeek’s alleged use of ChatGPT outputs to train its models.

At the same time, DeepSeek has increasingly drawn the attention of lawmakers and regulators around the world, who have started to ask questions about the company’s privacy policies, the impact of its censorship, and whether its Chinese ownership provides national security concerns.

Italy’s data protection regulator sent DeepSeek a series of questions asking about where it obtained its training data, if people’s personal information was included in this, and the firm’s legal grounding for using this information. As WIRED Italy reported, the DeepSeek app appeared to be unavailable to download within the country following the questions being sent.

DeepSeek’s Chinese connections also appear to be raising security concerns. At the end of last week, according to CNBC reporting, the US Navy issued an alert to its personnel warning them not to use DeepSeek’s services “in any capacity.” The email said Navy members of staff should not download, install, or use the model, and raised concerns of “potential security and ethical” issues.

However, despite the hype, the exposed data shows that almost all technologies relying on cloud-hosted databases can be vulnerable through simple security lapses. “AI is the new frontier in everything related to technology and cybersecurity,” Wiz’s Ohfeld says, “and still we see the same old vulnerabilities like databases left open on the internet.”

Tag

#intel