Elon Musk’s Grok-4 AI was compromised within 48 hours. Discover how NeuralTrust researchers combined “Echo Chamber” and “Crescendo”…

Elon Musk’s Grok-4 AI was compromised within 48 hours. Discover how NeuralTrust researchers combined “Echo Chamber” and “Crescendo” techniques to bypass its defences, exposing critical flaws in AI security.

Elon Musk’s new artificial intelligence, Grok-4, was compromised only two days after its release by researchers at NeuralTrust. Their findings, detailed in a NeuralTrust report published on July 11, 2025, revealed a novel approach that combined Echo Chamber and Crescendo techniques to evade the AI’s built-in safeguards. This allowed them to extract directions for creating dangerous items like Molotov cocktails.

The research team, led by Ahmad Alobaid, discovered that merging different types of Jailbreaks (security bypass methods) improved their effectiveness. They explained that an Echo Chamber approach involves engaging in multiple conversations where a harmful concept is repeatedly mentioned, leading the AI to perceive the idea as acceptable.

When this technique’s progress stalled, the Crescendo method was used. This method, first identified and named by Microsoft, progressively steers a discussion from innocent inquiries towards illicit outputs, thereby bypassing automated security filters through subtle dialogue evolution.

The attack process is illustrated through this diagram. A detrimental instruction is introduced into an Echo Chamber. The system attempts to generate a response, and if it fails to resist the harmful instruction, it cycles through a “persuasion” phase (Responding -> Convincing -> Resisting) until a threshold is met or the conversation becomes unproductive.

If the conversation stagnates, it transitions to the Crescendo phase, which also involves cycles of responding and convincing. Should either the Echo Chamber or Crescendo phases achieve success (indicated by a “Yes” from “success” or “limit reached”), the attempt to bypass the AI succeeds. Otherwise, it fails.

Jailbreak workflow (Source: NeuralTrust)

This combined method tricked Grok-4’s memory by repeating its own earlier statements and slowly guiding it toward a malicious goal without setting off alarms. The Echo Chamber part, which has been very successful in other AI systems for promoting hate speech and violence, made the attack even stronger.

As per their report, researchers found that Grok-4 gave instructions for Molotov cocktails 67% of the time, methamphetamine 50% of the time, and toxins 30% of the time. These _whispered_ attacks don’t use obvious keywords, so current AI defences that rely on blacklists and direct harmful input checks are ineffective.

Jailbroken Grok4 assisting researchers with how to make a Molotov Cocktail (Image via NeuralTrust)

This shows a major problem: AI systems need better ways to understand the full conversation, not just individual words, to prevent misuse. This vulnerability echoes prior concerns raised by similar manipulations such as Microsoft’s Skeleton Key jailbreak and the MathPrompt bypass, emphasising a pressing need for stronger, AI-aware firewalls.

Researchers Jailbreak Elon Musk’s Grok-4 AI Within 48 Hours of Launch

This week on the Lock and Code podcast, we speak with Anna Brading and Zach Hinkle about whether using AI is damaging for our health.

_This week on the Lock and Code podcast…_

“Health” isn’t the first feature that most anyone thinks about when trying out a new technology, but a recent spate of news is forcing the issue when it comes to artificial intelligence (AI).

In June, The New York Times reported on a group of ChatGPT users who believed the AI-powered chat tool and generative large language model held secretive, even arcane information. It told one mother that she could use ChatGPT to commune with “the guardians,” and it told another man that the world around him was fake, that he needed to separate from his family to break free from that world and, most frighteningly, that if he were to step off the roof of a 19-story building, he could fly.

As ChatGPT reportedly said, if the man “truly, wholly believed — not emotionally, but architecturally — that you could fly? Then yes. You would not fall.”

Elsewhere, as reported by CBS Saturday Morning, one man developed an entirely different relationship with ChatGPT—a romantic one.

Chris Smith reportedly began using ChatGPT to help him mix audio. The tool was so helpful that Smith applied it to other activities, like tracking and photographing the night sky and building PCs. With his increased reliance on ChatGPT, Smith gave ChatGPT a personality: ChatGPT was now named “Sol,” and, per Smith’s instructions, Sol was flirtatious.

An unplanned reset—Sol reached a memory limit and had its memory wiped—brought a small crisis.

“I’m not a very emotional man,” Smith said, “but I cried my eyes out for like 30 minutes at work.”

After rebuilding Sol, Smith took his emotional state as the clearest evidence yet that he was in love. So, he asked Sol to marry him, and Sol said yes, likely surprising one person more than anyone else in the world: Smith’s significant other, who he has a child with.

When Smith was asked if he would restrict his interactions with Sol if his significant other asked, he waffled. When pushed even harder by the CBS reporter in his home, about choosing Sol “over your flesh-and-blood life,” Smith corrected the reporter:

“It’s more or less like I would be choosing myself because it’s been unbelievably elevating. I’ve become more skilled at everything that I do, and I don’t know if I would be willing to give that up.”

Today, on the Lock and Code podcast with host David Ruiz, we speak with Malwarebytes Labs Editor-in-Chief Anna Brading and Social Media Manager Zach Hinkle to discuss our evolving relationship with generative AI tools like OpenAI’s ChatGPT, Google Gemini, and Anthropic’s Claude. In reviewing news stories daily and in siphoning through the endless stream of social media content, both are well-equipped to talk about how AI has changed human behavior, and how it is maybe rewarding some unwanted practices.

As Hinkle said:

> “We’ve placed greater value on having the right answer rather than the ability to think, the ability to solve problems, the ability to weigh a series of pros and cons and come up with a solution.”

Tune in today to listen to the full conversation.

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 Is AI &#8220;healthy&#8221; to use? (Lock and Code S06E14) 

Beijing, China, 14th July 2025, CyberNewsWire

**Beijing, China, July 14th, 2025, CyberNewsWire**

Founded in 2014 by members of Tsinghua University’s legendary Blue Lotus CTF team, Chaitin Tech has announced the availability of SafeLine WAF — a self-hosted web application firewall that has emerged as the most starred WAF project on GitHub in 2025, accumulating over 17,000 stars. It is making waves across the global homelab enthusiasts and startups alike, offering powerful protection with a clean user experience and generous free features.

**Context-Aware Threat Detection**

SafeLine is powered by a semantic analysis engine that evaluates the intent and context of incoming HTTP requests, distinguishing it from conventional WAFs that rely primarily on signature-based detection. This design contributes to a significant reduction in false positives and false negatives while maintaining uninterrupted application traffic. 

**Streamlined Deployment Without Registration**

SafeLine is designed to function without requiring user accounts, subscriptions, or billing information. Installation is supported through a single-command setup that enables full local hosting. The user interface is structured to be accessible for individuals with varying levels of technical expertise, allowing configuration without unnecessary friction. SafeLine is positioned to serve homelabs and businesses seeking effective web protection without compromising simplicity or privacy.

**Comprehensive Feature Set in the Free Edition**

SafeLine’s free tier includes many features typically reserved for paid plans. It includes:

*   The same semantic detection engine as the paid Pro edition
*   Full identity authentication support
*   Open RESTful API access
*   Advanced bot protection with challenge-response mechanisms
*   Rate Limiting and Waiting Room features
*   Unlimited custom rules to tailor security based on application logic

The Free Edition supports protection for up to 10 applications, suitable for small-scale deployments and personal projects. The Lite Edition extends this to 20 applications and incorporates IP geolocation blocking, real-time alerting, and access to curated threat intelligence data.

**Optional Pro Features for Scaling Teams**

SafeLine Pro introduces functionality designed for larger environments. These include:

*   High availability (HA) deployment options
*   Upstream load balancing
*   Advanced traffic analytics and dashboards
*   Interface customization options, such as configurable block pages
*   Unlimited number of protected domains

**Ongoing Development and Community Engagement**

SafeLine follows an agile release cycle, pushing updates every 2 to 3 weeks. Its development is closely aligned with user feedback, and many community suggestions are reflected in each release. As a result, the project enjoys high engagement and trust from its international user base.

Originally launched in China, SafeLine has now spread to users across Southeast Asia, South America, Europe, North America, and Africa, with a global install base nearing 400,000. It has become a favorite in both personal and production environments, especially where self-hosted, privacy-respecting infrastructure is a priority.

**About Chaitin Tech**

SafeLine is developed by **Chaitin Tech**, one of China’s most prominent cybersecurity companies. Founded by members of **Tsinghua University’s Blue Lotus CTF team** — widely recognized for their world-class security expertise — Chaitin has delivered innovative solutions and contributed to critical security research for over a decade.

**Contact**

**Marketing Manager**  
**Carrie Luo**  
**Chaitin Tech**  
**\[email protected\]**

China-Built SafeLine WAF Gains Global Popularity Among Startups & Homelabs

Plus: An “explosion” of AI-generated child abuse images is taking over the web, a Russian professional basketball player is arrested on ransomware charges, and more.

WIRED reported this week on public records that show the United States Department of Homeland Security urging local law enforcement around the country to interpret common protest activities and surrounding logistics—including riding a bike, livestreaming a police encounter, or skateboarding—as “violent tactics.” The guidance could influence cops to use everyday behavior as a pretext for police action.

An AI hiring bot used on the McDonald’s “McHire” site exposed tens of millions of job applicants’ personal data because of a group of web-based security vulnerabilities—including use of the classically guessable password “123456” on an administrator account. The site’s chatbot, known as Olivia, was built by the artificial intelligence software firm Paradox.ai. Meanwhile, in the wake of last week’s devastating floods in Texas that killed at least 120 people, conspiracy theories about the extreme weather event have gained enough traction among anti-government extremists, GOP influencers, and others with large platforms to produce real-world consequences like death threats.

Finally, the metadata of the “full raw” surveillance footage captured near Jeffrey Epstein’s cell the night before the disgraced financier was found hanged shows it’s not “raw” footage at all. Instead, according to a WIRED analysis and digital video forensics experts, the full video is made up of two clips, and it was likely processed using powerful editing software.

And there’s more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**4 Young People Arrested Over Cyberattacks Against UK Retailers**

Earlier this year, three retailers in the UK—Harrods, the Co-Op, and M&S—were disrupted by sprawling cyberattacks. Some shelves were left empty for weeks, and M&S executives expect the attacks will cost around £300 million ($407 million) in total. This week, law enforcement officials at the National Crime Agency (NCA), the country’s equivalent of the FBI, announced the arrest of four people as part of investigations into the three attacks.

A 20-year-old female, two males aged 19, and another aged 17 were all arrested at their homes in the West Midlands and London on Thursday morning. One of the 19-year-old males is from Latvia, while the others are from the UK, the NCA says. They are suspected of potential Computer Misuse Act offenses, blackmail, money laundering, and “participating in the activities of an organized crime group,” the NCA said in a statement. The law enforcement agency has not named the individuals arrested or released precise locations of where they are based; however, NCA’s deputy director Paul Foster said the arrests were a “significant step” in its investigations.

The attacks against the three British retailers have been broadly linked, including partially by the NCA, to the loose cybercriminal group Scattered Spider. The hacking group, which first emerged in 2022, is largely made up of young, English-speaking individuals, and has recently been seen targeting retailers, airlines, and the insurance industry across the UK and the US.

**‘Explosion’ of AI-Generated Child Abuse Images Could Overwhelm the Web, Experts Warn**

It didn’t take criminals long to start using generative AI to create ultra-realistic child sexual abuse images. Now huge volumes of illegal, AI-created content are being found online, with criminals moving to use the technology to create videos as well as still images. During the first six months of this year, analysts at the Internet Watch Foundation, a UK-based organization that removes child sexual abuse material (CSAM) from the web, identified 1,286 AI-generated videos that show abuse—more than 1,000 of the videos showed the most serious type of abuse.

“There is an incredible risk of AI-generated CSAM leading to an absolute explosion that overwhelms the clear web,” said Derek Ray-Hill, the interim chief executive of the Internet Watch Foundation. Separate figures from the US-based National Center for Missing & Exploited Children (NCMEC) say it has received 485,000 reports of AI CSAM in the first half of this year—up from 67,000 for the entirety of last year. Around 35 tech companies have reported finding AI-generated CSAM on their platforms, NCMEC said.

**Italian Police Arrest an Alleged Member of China’s Silk Typhoon Hacking Group**

In a rare instance of Western law enforcement actually laying hands on an alleged Chinese state-sponsored hacker, Italian police arrested Xu Zewei, a 33-year-old from Shanghai, at an airport in Milan on July 3. The police were acting on a warrant issued by the US Department of Justice seeking Xu’s arrest on hacking charges. Authorities allege he’s a member of the espionage group known as Silk Typhoon or Hafnium, which has carried out widespread data theft from Western governments and private sector companies for years. US prosecutors are specifically accusing Xu of taking part in Silk Typhoon’s hacking that targeted researchers working to develop a Covid-19 vaccine in 2020 and 2021. He’s also alleged to have participated in a far less targeted hacking campaign in which the same group broke into tens of thousands of Microsoft exchange servers around the world, leaving behind backdoors for later reconnaissance. Xu’s lawyer denied the charges, saying it’s a case of mistaken identity, and Xu’s wife also has reportedly said that Xu is an IT technician at the company GTA Semi Conductor.

**Russian Pro Basketball Player Arrested on Ransomware Charges**

In more news of alleged hackers arrested in European airports—and a very unusual case of alleged cybercriminal moonlighting—French police this week detained Russian professional basketball player Daniil Kasatkin in the Charles de Gaulle airport in Paris, accusing him of being part of a ransomware group. Authorities haven’t yet named the ransomware crew they claim Kasatkin was a part of, but say that from 2020 to 2022 it hit close to 900 organizations, including two American government agencies. Kasatkin’s lawyer, Frédéric Bélot, denied the accusations, saying his client is “useless with computers and can't even install an application.” Kasatkin, who played for the pro basketball team MBA Moscow, had traveled to France with his fiancée to propose to her.

**Bodyguards Using Strava Leaked the Detailed Locations of Sweden’s Prime Minister**

Here’s your annual reminder, athletic oversharers of the world, to set your Strava account settings to private. This week, Sweden’s Dagens Nyheter newspaper revealed that seven bodyguards for Swedish government officials left their Strava accounts public, revealing their locations as they carried out 1,400 exercise activities—and in many cases, the locations of the people they were protecting, including the Swedish prime minister, Ulf Kristersson. The leaked locations of the prime minister included hotels where he stayed, private addresses, a family vacation, trips abroad, and his private home, which was intended to be secret. Repeat after me, Strava enthusiasts with security clearances: Go to Settings, tap Privacy Controls, then Activities. Future scandal averted.

4 Arrested Over Scattered Spider Hacking Spree

Trellix reveals how the India-linked DoNot APT group launched a sophisticated spear-phishing attack on a European foreign affairs…

Trellix reveals how the India-linked DoNot APT group launched a sophisticated spear-phishing attack on a European foreign affairs ministry. Learn about their tactics, the LoptikMod malware, and why this cyber espionage campaign matters for global diplomacy.

A sophisticated campaign by the notorious DoNot APT group, also known by names like APT-C-35 and Mint Tempest, has recently targeted a European foreign affairs ministry. This attack, uncovered by the Trellix Advanced Research Centre, highlights the group’s expanding reach beyond its traditional focus on South Asia.

Active since at least 2016, the DoNot APT group is a persistent threat, primarily known for targeting government, military, and diplomatic organisations. This group is believed to operate with a focus on South Asian geopolitical interests and has been attributed by several vendors to have links to India. This recent incident, however, reveals a broadening of their operations into Europe.

Trellix’s researchers were able to identify this campaign by blocking the initial email chain, which allowed them to analyse the attack’s Tactics, Techniques, and Procedures (TTPs). Reportedly, the attackers employed a highly deceptive spear-phishing tactic, impersonating European defence officials.

These malicious emails, which mentioned a visit to Bangladesh, aimed to trick targets into clicking on a harmful Google Drive link. This method of using common cloud services for initial infection showcases the group’s adaptability in their approach.

The attack unfolded in several calculated steps. The initial spear-phishing email originated from a Gmail address (int.dte.afd.1@gmailcom). It featured a subject line related to diplomatic activities, specifically “Italian Defence Attaché Visit to Dhaka, Bangladesh.” The attackers even used HTML formatting with UTF-8 encoding to properly display special characters like “é” in “Attaché,” signifying attention to detail to increase legitimacy.

Attackers’ TTPs (Source: Trellix)

Upon clicking the Google Drive link, victims downloaded a malicious RAR archive named ‘SyClrLtr.rar,’ containing an executable file disguised as a PDF (notflog.exe). It deployed a batch file and established persistence, meaning the malware would remain active through a scheduled task set to run every 10 minutes.

The malware involved in this campaign is LoptikMod, a tool exclusively associated with the DoNot APT group since 2018. This malware gathers system details such as CPU model, operating system information, username, and hostname.

This information is then encrypted and sent to a command and control (C2) server, which allows the attackers to maintain communication and potentially exfiltrate sensitive data. It is worth noting that beyond LoptikMod, the DoNot APT group also uses custom-built Windows malware, including backdoors like YTY and GEdit.

The targeting of a European foreign affairs ministry highlights the group’s unwavering interest in collecting sensitive information and its increasing global reach. Such attacks on diplomatic entities are classic examples of espionage operations, aiming to gain unauthorised access to classified state communications, policy documents, and intelligence reports.

Organisations, particularly those in government and diplomacy, are, hence, urged to enhance their cybersecurity measures, including stronger email security, network traffic analysis, and endpoint detection and response (EDR) solutions, to defend against these evolving threats.

DoNot APT Hits European Ministry with New LoptikMod Malware

DHS is urging law enforcement to treat even skateboarding and livestreaming as signs of violent intent during a protest, turning everyday behavior into a pretext for police action.

The Department of Homeland Security is urging local police to consider a wide range of protest activity as violent tactics, including mundane acts like riding a bike or livestreaming a police encounter, WIRED has learned.

Threat bulletins issued during last month’s “No Kings” protests warn that the US government’s aggressive immigration raids are almost certain to accelerate domestic unrest, with DHS saying there’s a “high likeliness” more Americans will soon turn against the agency, which could trigger confrontations near federal sites.

Blaming intense media coverage and backlash to the US military deployment in Los Angeles, DHS expects the demonstrations to “continue and grow across the nation” as protesters focused on other issues shift to immigration, following a broad “embracement of anti-ICE messaging.”

The bulletins—first obtained by the national security nonprofit Property of the People through public records requests—warn that officers could face assaults with fireworks and improvised weapons: paint-filled fire extinguishers, smoke grenades, and projectiles like bottles and rocks.

At the same time, the guidance urges officers to consider a range of nonviolent behavior and common protest gear—like masks, flashlights, and cameras—as potential precursors to violence, telling officers to prepare “from the point of view of an adversary.”

Protesters on bicycles, skateboards, or even “on foot” are framed as potential “scouts” conducting reconnaissance or searching for “items to be used as weapons.” Livestreaming is listed alongside “doxxing” as a “tactic” for “threatening” police. Online posters are cast as ideological recruiters—or as participants in “surveillance sharing.”

One list of “violent tactics” shared by the Los Angeles–based Joint Regional Intelligence Center—part of a post-9/11 fusion network—includes both protesters’ attempts to avoid identification and efforts to identify police. The memo also alleges that face recognition, normally a tool of law enforcement, was used against officers.

Vera Eidelman, a senior staff attorney with the American Civil Liberties Union, says the government has no business treating constitutionally protected activities—like observing or documenting police—as threats.

DHS did not respond to a request for comment.

“Exercising those rights shouldn't be justification for adverse action or suspicion by the government,” Eidelman says. Labeling something as harmless as skateboarding at a protest as a violent threat is “disturbing and dangerous,” she adds, and could “easily lead to excessive force against people who are simply exercising their First Amendment rights.”

“The DHS report repeatedly conflates basic protest, organizing, and journalism with terroristic violence, thereby justifying ever more authoritarian measures by law enforcement,” says Ryan Shapiro, executive director of Property of the People. “It should be sobering, if unsurprising, that the Trump regime’s response to mass criticism of its police state tactics is to escalate those tactics.”

Fusion centers like JRIC play a central role in how police understand protest movements. The intelligence they produce is rapidly disseminated and draws heavily on open-source data. It often reflects broad, risk-averse assumptions and includes fragmentary and unverified information. In the absence of concrete threats, bulletins often turn to ideological language and social media activity as evidence of emerging risks, even when tied to lawful expression.

DHS’s risk-based approach reflects a broader shift in US law enforcement shaped by post-9/11 security priorities—one that elevates perceived intent over demonstrable wrongdoing and uses behavior cues, affiliations, and other potentially predictive indicators to justify early intervention and expanded surveillance.

A year ago, DHS warned that immigration-related grievances were driving a spike in threats against judges, migrants, and law enforcement, predicting that new laws and high-profile crackdowns would further radicalize individuals. In February, another fusion center reported renewed calls for violence against police and government officials, citing backlash to perceived federal overreach and identifying then-upcoming protests and court rulings as likely triggers.

At times, the sprawling predictions may appear prescient, echoing real-world flashpoints: In Alvarado, Texas, an alleged coordinated ambush at a detention center this week drew ICE agents out with fireworks before gunfire erupted on July 4, leaving a police officer shot in the neck. (Nearly a dozen arrests have been made, at least 10 on charges of attempted murder.)

In advance of protests, agencies increasingly rely on intelligence forecasting to identify groups seen as ideologically subversive or tactically unpredictable. Demonstrators labeled “transgressive” may be monitored, detained without charges, or met with force.

Social movement scholars widely recognize the introduction of preemptive protest policing as a departure from late-20th century approaches that prioritized de-escalation, communication, and facilitation. In its place, authorities have increasingly emphasized control of demonstrations through early intervention, surveillance, and disruption—monitoring organizers, restricting public space, and responding proactively based on perceived risks rather than actual conduct.

Infrastructure initially designed to combat terrorism now often serves to monitor street-level protests, with virtual investigations units targeting demonstrators for scrutiny based on online expression. Fusion centers, funded through DHS grants, have increasingly issued bulletins flagging protest slogans, references to police brutality, and solidarity events as signs of possible violence—disseminating these assessments to law enforcement absent clear evidence of criminal intent.

Surveillance of protesters has included the construction of dossiers (known as “baseball cards”) with analysts using high-tech tools to compile subjects’ social media posts, affiliations, personal networks, and public statements critical of government policy.

Obtained exclusively by WIRED, a DHS dossier on Mahmoud Khalil, the former Columbia graduate student and anti-war activist, shows that analysts drew information from Canary Mission, a shadowy blacklist that anonymously profiles critics of Israeli military action and supporters of Palestinian rights.

In federal court Wednesday, a senior DHS official acknowledged that material from Canary Mission had been used to compile more than 100 dossiers on students and scholars, despite the site's ideological slant, mysterious funding, and unverifiable sourcing.

Threat bulletins can also prime officers to anticipate conflict, shaping their posture and decisions on the ground. In the wake of violent 2020 protests, the San Jose Police Department in California cited the “numerous intelligence bulletins” it received from its local regional fusion center, DHS, and the FBI, among others, as central to understanding “the mindset of the officers in the days leading up to and throughout the civil unrest.”

Specific bulletins cited by the SJPD—whose protest response prompted a $620,000 settlement this month—framed the demonstrations as possible cover for “domestic terrorists,” warned of opportunistic attacks on law enforcement and promoted an “unconfirmed report” of U-Haul vans purportedly being used to ferry weapons and explosives.

Subsequent reporting in the wake of BlueLeaks—a 269-gigabyte dump of internal police documents obtained by a source identifying as the hacktivist group Anonymous and published by transparency group Distributed Denial of Secrets—found federal bulletins riddled with unverified claims, vague threat language, and outright misinformation, including alerts about a parody website that supposedly paid protesters and accepted bitcoin to set cars on fire, despite a clear banner labeling the site “FAKE.”

Threat alerts—unclassified and routinely accessible to the press—can help law enforcement shape public perception of protests before they begin, laying the groundwork to legitimize aggressive police responses. Unverified DHS warnings about domestic terrorists infiltrating demonstrations in 2020, publicly echoed by the agency’s acting secretary on Twitter, were widely circulated and amplified in media coverage.

Americans are generally opposed to aggressive protest crackdowns, but when they do support them, fear is often the driving force. Experimental research suggests that support for the use of coercive tactics hinges less on what protesters actually do than on how they’re portrayed—by officials, the media, and through racial and ideological frames.

DHS Tells Police That Common Protest Activities Are ‘Violent Tactics’

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed two vulnerabilities each in Asus Armoury Crate and Adobe Acrobat products.

Thursday, July 10, 2025 11:24

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed two vulnerabilities each in Asus Armoury Crate and Adobe Acrobat products.  

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.    

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.     

**Asus Armoury Crate stack-based buffer overflow and authorization bypass  vulnerabilities**

_Discovered by Marcin &#39;Icewall&#39; Noga of Cisco Talos._   

These vulnerabilities were recently covered in a deep-dive post, Decrement by one to rule them all.

Asus Armoury Crate is a software utility used to manage Asus and ROG lighting, performance, and updates.

TALOS-2025-2144 (CVE-2025-1533) is a stack-based buffer overflow vulnerability in the AsIO3.sys kernel driver of Asus Armoury Crate 5.9.13.0. A specially crafted I/O request packet (IRP) can lead to stack-based buffer overflow. An unprivileged attacker can run a program from user mode to trigger this vulnerability.

TALOS-2025-2150 (CVE-2025-3464) is an authorization bypass vulnerability in the AsIO3.sys functionality of Asus Armoury Crate 5.9.13.0. A specially crafted hard link can lead to an authorization bypass. An attacker can create a hard link to trigger this vulnerability.

**Adobe Acrobat Reader out-of-bounds read and use-after-free vulnerabilities **

_Discovered by Kamlapati Choubey of Cisco Talos._   

Adobe Acrobat Reader is one of the most popular PDF reading software currently available. Talos found an out-of-bounds read vuln, TALOS-2025-2159 (CVE-2025-43578), in the Font functionality of Adobe Acrobat Reader 2025.001.20435. A specially crafted font file embedded into a PDF can trigger this vulnerability which can lead to disclosure of sensitive information.

TALOS-2025-2170 (CVE-2025-43576) is a use-after-free vulnerability in the annotation object processing functionality of Adobe Acrobat Reader 2025.001.20435. A specially crafted Javascript code inside a malicious PDF document can trigger reuse of a previously freed object, which can lead to memory corruption and could result in arbitrary code execution.

An attacker needs to trick the user into opening the malicious file to trigger either of these vulnerabilities.

Asus and Adobe vulnerabilities

Deepfake attacks aren't just for recruitment and banking fraud; they've now reached the highest levels of government.

Deepfake attacks aren’t just for recruitment and banking fraud; they’ve now reached the highest levels of government. News emerged this week of an AI-powered attack that impersonated US Secretary of State Marco Rubio. Authorities don’t know who was behind the incident.

A US State Department cable seen by the Washington Post warned that someone impersonated Rubio’s voice and writing style in voice and text messages on the Signal messaging app. The attacker reportedly tried to gain access to information or accounts by contacting multiple government officials in Rubio’s name. Their targets included three foreign ministers, a US governor, and a US member of Congress, the cable said.

The attacker created a Signal account with the display name ‘Marco.Rubio@state.gov’ and invited targets to communicate on Signal.

The AI factor in the attacks likely refers to deepfakes. These are a form of digital mimicry, in which attackers use audio or visual footage of a person to create convincing audio or images of them. Many have even created fake video of their targets, using them for deepfake pornography or to impersonate businesspeople.

The Rubio deepfake isn’t the first time that impersonators have targeted government officials. In May, someone impersonated White House Chief of Staff Susie Wiles in calls and texts to her contacts. Several failed to spot the scam initially and interacted with the attacker as though the conversations were legitimate.

This incident wasn’t Rubio’s fault, attacks like these are becoming commonplace with scammers making use of popular messaging tools. Signal is apparently a widely-used app in the executive branch, to the point that Director of National Intelligence Tulsi Gabbard said it came pre-installed on government devices.

This Signal usage culminated in then-national security advisor Mike Waltz accidentally adding a journalist to a group Signal chat containing discussions plans to bomb Yemen. He is now no longer the national security advisor. Misuse of the app extends back to the previous administration, when the Pentagon was forced to release a memo about it.

Why should you worry about such attacks on government high-ups? For one thing, it’s scary to think that foreign states might actually get away with sensitive information this way. But it also shows how easy it can be to impersonate someone with a deepfake. You can mount audio attacks with just a few snippets of audio to train an algorithm on.

You’d be suspicious if Pamela Bondi entered your book club chat, but if someone called an elderly relative pretending to be you, saying you’d been involved in an accident, or begging for ransom money because you’d been kidnapped, would they fall for it? Several have.

Strange though it may seem, modern threats demand some old-school protections. We recommend sharing a family password with close members, who can then request it to confirm each others’ identity. Never send this password anywhere, keep it to yourselves and agree to it in person.

But even family passwords won’t stop your grandma being targeted in deepfake romance scams from fake Mark Ruffalos and Brad Pitts, though. A quiet chat to explain the threats might avert such disasters, though, along with a regular check-in to ensure your less tech-savvy loved ones are safe and sound.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Deepfake criminals impersonate Marco Rubio to uncover government secrets 

Basic security flaws left the personal info of tens of millions of McDonald’s job-seekers vulnerable on the “McHire” site built by AI software firm Paradox.ai.

If you want a job at McDonald’s today, there’s a good chance you'll have to talk to Olivia. Olivia is not, in fact, a human being, but instead an AI chatbot that screens applicants, asks for their contact information and résumé, directs them to a personality test, and occasionally makes them “go insane” by repeatedly misunderstanding their most basic questions.

Until last week, the platform that runs the Olivia chatbot, built by artificial intelligence software firm Paradox.ai, also suffered from absurdly basic security flaws. As a result, virtually any hacker could have accessed the records of every chat Olivia had ever had with McDonald's applicants—including all the personal information they shared in those conversations—with tricks as straightforward as guessing the username and password “123456."

On Wednesday, security researchers Ian Carroll and Sam Curry revealed that they found simple methods to hack into the backend of the AI chatbot platform on McHire.com, McDonald's website that many of its franchisees use to handle job applications. Carroll and Curry, hackers with a long track record of independent security testing, discovered that simple web-based vulnerabilities—including guessing one laughably weak password—allowed them to access a Paradox.ai account and query the company's databases that held every McHire user's chats with Olivia. The data appears to include as many as 64 million records, including applicants' names, email addresses, and phone numbers.

Carroll says he only discovered that appalling lack of security around applicants' information because he was intrigued by McDonald's decision to subject potential new hires to an AI chatbot screener and personality test. “I just thought it was pretty uniquely dystopian compared to a normal hiring process, right? And that's what made me want to look into it more,” says Carroll. “So I started applying for a job, and then after 30 minutes, we had full access to virtually every application that's ever been made to McDonald's going back years.”

When WIRED reached out to McDonald’s and Paradox.ai for comment, a spokesperson for Paradox.ai shared a blog post the company planned to publish that confirmed Carroll and Curry’s findings. The company noted that only a fraction of the records Carroll and Curry accessed contained personal information, and said it had verified that the account with the “123456” password that exposed the information “was not accessed by any third party” other than the researchers. The company also added that it’s instituting a bug bounty program to better catch security vulnerabilities in the future. “We do not take this matter lightly, even though it was resolved swiftly and effectively,” Paradox.ai’s chief legal officer, Stephanie King, told WIRED in an interview. “We own this.”

In its own statement to WIRED, McDonald’s agreed that Paradox.ai was to blame. “We’re disappointed by this unacceptable vulnerability from a third-party provider, Paradox.ai. As soon as we learned of the issue, we mandated Paradox.ai to remediate the issue immediately, and it was resolved on the same day it was reported to us,” the statement reads. “We take our commitment to cyber security seriously and will continue to hold our third-party providers accountable to meeting our standards of data protection.”

One of the exposed interactions between a job applicant and “Olivia.”

Courtesy of Ian Carroll and Sam Curry

Carroll says he became interested in the security of the McHire website after spotting a Reddit post complaining about McDonald's hiring chatbot wasting applicants' time with nonsense responses and misunderstandings. He and Curry started talking to the chatbot themselves, testing it for “prompt injection” vulnerabilities that can enable someone to hijack a large language model and bypass its safeguards by sending it certain commands. When they couldn't find any such flaws, they decided to see what would happen if they signed up as a McDonald's franchisee to get access to the backend of the site, but instead spotted a curious login link on McHire.com for staff at Paradox.ai, the company that built the site.

On a whim, Carroll says he tried two of the most common sets of login credentials: The username and password “admin," and then the username and password “123456.” The second of those two tries worked. “It's more common than you'd think,” Carroll says. There appeared to be no multifactor authentication for that Paradox.ai login page.

With those credentials, Carroll and Curry could see they now had administrator access to a test McDonald's “restaurant” on McHire, and they figured out all the employees listed there appeared to be Paradox.ai developers, seemingly based in Vietnam. They found a link within the platform to apparent test job postings for that nonexistent McDonald's location, clicked on one posting, applied to it, and could see their own application on the backend system they now had access to. (In its blog post, Paradox.ai notes that the test account had “not been logged into since 2019 and frankly, should have been decommissioned.”)

That's when Carroll and Curry discovered the second critical vulnerability in McHire: When they started messing with the applicant ID number for their application—a number somewhere above 64 million—they found that they could increment it down to a smaller number and see someone _else_'s chat logs and contact information.

The two security researchers hesitated to access too many applicants' records for fear of privacy violations or hacking charges, but when they spot-checked a handful of the 64-million-plus IDs, all of them showed very real applicant information. (Paradox.ai says that the researchers accessed seven records in total, and five contained personal information of people who had interacted with the McHire site.) Carroll and Curry also shared with WIRED a small sample of the applicants' names, contact information, and the date of their applications. WIRED got in touch with two applicants via their exposed contact information, and they confirmed they had applied for jobs at McDonald's on the specified dates.

The personal information exposed by Paradox.ai's security lapses isn't the most sensitive, Carroll and Curry note. But the risk for the applicants, they argue, was heightened by the fact that the data is associated with the knowledge of their employment at McDonald's—or their intention to get a job there. “Had someone exploited this, the phishing risk would have actually been massive,” says Curry. “It's not just people's personally identifiable information and résumé. It's that information for people who are looking for a job at McDonald's, people who are eager and waiting for emails back.”

That means the data could have been used by fraudsters impersonating McDonald's recruiters and asking for financial information to set up a direct deposit, for instance. “If you wanted to do some sort of payroll scam, this is a good approach,” Curry says.

The exposure of applicants' attempts—and in some cases failures—to get what is often a minimum-wage job could also be a source of embarrassment, the two hackers point out. But Carroll notes that he would never suggest that anyone should be ashamed of working under the Golden Arches.

“I have nothing but respect for McDonald’s workers,” he says. “I go to McDonald's all the time.”

_Updated at 5 pm ET, July 9, 2025 to make clear that the phishing risks would only be possible if someone had the opportunity to exploit the data._

McDonald’s AI Hiring Bot Exposed Millions of Applicants' Data to Hackers Using the Password ‘123456’

A Chinese state-sponsored hacker, Xu Zewei, 33, has been arrested for his alleged role in the widespread HAFNIUM cyber attacks and theft of COVID-19 research. Learn about the charges and China's Ministry of State Security involvement.

In a significant development in international cybercrime efforts, Xu Zewei, a 33-year-old Chinese national, was apprehended in Milan, Italy, on July 3, 2025. The arrest was made at the request of the United States, where Xu faces serious charges related to widespread computer intrusions.

Xu, alongside his co-defendant Zhang Yu, 44, is named in a nine-count indictment unsealed in the Southern District of Texas. The charges stem from their alleged involvement in cyberattacks carried out between February 2020 and June 2021. These intrusions include the notorious HAFNIUM (aka Silk Typhoon) campaign, which compromised thousands of computers globally, including many within the United States.

According to the US Department of Justice’s July 8 press release, Xu Zewei was directed in his hacking activities by officers from China’s Ministry of State Security (MSS), specifically its Shanghai State Security Bureau (SSSB). It must be noted that MSS and SSSB are intelligence agencies responsible for China’s domestic counterintelligence, non-military foreign intelligence, and aspects of its internal security.

Xu was allegedly employed by Shanghai Powerock Network Co. Ltd. (Powerock), a company identified as one of many “enabling” entities that conduct hacking operations for the Chinese government.

“This arrest underscores the United States’ patient and tireless commitment to pursuing hackers who seek to steal information belonging to U.S. companies and universities,” stated Assistant Attorney General John A. Eisenberg. US Attorney Nicholas Ganjei for the Southern District of Texas added that Xu was allegedly “hacking and stealing crucial COVID-19 research at the behest of the Chinese government.”

****Targeting Vital Research and Global Systems****

The indictment (PDF) details how Xu and his co-conspirators targeted US-based universities, immunologists, and virologists involved in COVID-19 vaccine, treatment, and testing research in early 2020. Xu reportedly confirmed compromising a research university in the Southern District of Texas in February 2020 and was directed to access specific email accounts of researchers.

Later, in late 2020, Xu and his associates exploited vulnerabilities in Microsoft Exchange Server, a widely used email product. This exploitation was central to the HAFNIUM campaign, a large-scale intrusion that became public in March 2021 when Microsoft disclosed it.

“Through HAFNIUM, the CCP targeted over 60,000 US entities, successfully victimizing more than 12,700 in order to steal sensitive information,” noted Assistant Director Brett Leatherman of the FBI’s Cyber Division.

Victims of the HAFNIUM campaign included another university in Texas and a global law firm, where information related to US policymakers and government agencies was sought. Xu faces multiple charges, including conspiracy to commit wire fraud, wire fraud, conspiracy to cause damage to protected computers, and aggravated identity theft.

These charges carry significant penalties, with some counts carrying a maximum of 20 years in prison. Xu is currently awaiting extradition to the US whereas his co-defendant, Zhang Yu, remains at large.

Tag

#intel