Apple has released security updates that look especially important for Intel-based Macs because they are already being exploited in the wild.

Apple has released security patches for most of its operating systems, including iOS, Mac, iPadOS, Safari, and visionOS.

The updates for iOS and Intel-based Mac systems are especially important, as they tackle vulnerabilities that are being actively exploited by cybercriminals. You should make sure you update as soon as you can.

To check if you’re using the latest software version, go to **Settings > General > Software Update**. It’s also worth turning on Automatic Updates if you haven’t already, which you can do on the same screen.

To determine whether your Mac is Intel-based or equipped with Apple silicon, follow these simple steps:

*   Click the Apple icon in the top-left corner of your screen.
*   Select **About This Mac**.
*   Check the information:
    
    *   If you see an item labeled Chip, your Mac has Apple silicon (like M1, M2, or M3).
    
    *   If you see an item labeled Processor, it indicates that your Mac is Intel-based, and the specific Intel processor name will be listed next to it.

**Technical details**

Because Apple does not share details until everyone has had a chance to update, it is hard to figure out what the exact problem is. But there are some things we can deduct from the given information.

The vulnerabilities that Apple says may have been actively exploited on Intel-based Mac systems are:

CVE-2024-44308: a vulnerability in the JavaScriptCore component. Processing maliciously crafted web content may lead to arbitrary code execution. This means that an attacker will have to trick a victim into opening a malicious file containing web content.

JavaScriptCore is the built-in JavaScript engine for WebKit that enables cross-platform development by providing a way to execute JavaScript within native iOS and macOS applications.

CVE-2024-44309: a cookie management issue in the WebKit component was addressed with improved state management. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, macOS Sequoia 15.1.1, iOS 18.1.1 and iPadOS 18.1.1, visionOS 2.1.1. Processing maliciously crafted web content may lead to a cross-site scripting attack.

**We don’t just report on macOS security—we provide it.**

Cybersecurity risks should never spread beyond a headline. Keep threats off your Mac by downloading Malwarebytes for Mac today.

 Update now! Apple confirms vulnerabilities are already being exploited 

AI-generated influencers based on stolen images of real-life adult content creators are flooding social media.

Instagram is flooded with hundreds of AI-generated influencers who are stealing videos from real models and adult content creators, giving them AI-generated faces, and monetizing their bodies with links to dating sites, Patreon, OnlyFans competitors, and various AI apps.

The practice, first reported by 404 Media in April, has since exploded in popularity, showing that Instagram is unable or unwilling to stop the flood of AI-generated content on its platform and protect the human creators on Instagram who say they are now competing with AI content in a way that is impacting their ability to make a living.

According to our review of more than 1,000 AI-generated Instagram accounts, Discord channels where the people who make this content share tips and discuss strategy, and several guides that explain how to make money by “AI pimping,” it is now trivially easy to make these accounts and monetize them using an assortment of off-the-shelf AI tools and apps. Some of these apps are hosted on the Apple App and Google Play Stores. Our investigation shows that what was once a niche problem on the platform has industrialized in scale, and it shows what social media may become in the near future: a space where AI-generated content eclipses that of humans.

Elaina St James, an adult content creator who promotes her work on Instagram, said she and other adult content creators are now directly competing with these AI rip-off accounts, many of which use photographs and videos stolen from adult content creators and Instagram models. She said that while there may be other changes to Instagram’s algorithm that could have contributed to this, since the explosion of AI-generated influencer accounts on Instagram her “reach went down tremendously,” from a typical 1 million to 5 million views a month to not cracking a million in the last 10 months, and sometimes coming in under 500,000 views.

“This is probably one of the reasons my views are going down,” St James told us in an interview. “It's because I'm competing with something that's unnatural.”

Alexios Mantzarlis, the director of the security, trust, and safety initiative at Cornell Tech and formerly principal of trust and safety intelligence at Google, compiled a list of around 900 accounts that 404 Media reviewed in its investigation. Mantzarlis, who stumbled on one of these accounts while casually using Instagram, said he started researching the AI-generated influencer accounts because it might show us where AI-generated content is taking social media and the internet more broadly, where he sees a “a rising blended unreality.” Mantzarlis believes he could have easily found 900 more accounts and that the only reason he didn’t get more is that Instagram restricted the account he used to scrape the platform.

“It felt like a possible sign of what social media is going to look like in five years,” Mantzarlis said in an interview. “Because this may be coming to other parts of the internet, not just the attractive-people niche on Instagram. This is probably a sign that it's going to be pretty bad.”

**The Accounts**

Out of more than 1,000 AI-generated Instagram influencer accounts we reviewed, 100 included at least some deepfake content which took existing videos, usually from models and adult entertainment performers, and replaced their face with an AI-generated face to make those videos seem like new, original content consistent with the other AI-generated images and videos shared by the AI-generated influencer. The other 900 accounts shared images that in some cases were trained on real photographs and in some cases made to look like celebrities, but were entirely AI-generated, not edited photographs or videos.

Out of those 100 accounts that shared deepfake or face-swapped videos, 60 self-identify as being AI-generated, writing in their bios that they are a “virtual model & influencer” or stating “all photos crafted with AI and apps.” The other 40 do not include any disclaimer stating that they are AI-generated.

One of the bigger accounts in the latter category is “Chloe Johnson,” who has a verified account on Instagram and 171,000 followers. This account was deleted by Meta within the past few weeks.

Inside the Booming ‘AI Pimping’ Industry

An Artificial Intelligence model called Daisy has been deployed to waste phone scammers' time so they can't defraud real people.

A mobile network operator has called in the help of Artificial Intelligence (AI) in the battle against phone scammers.

Virgin Media O2 in the UK has built an AI persona called Daisy with the sole purpose of keeping scammers occupied for as long as possible. Basically, until the scammers give up, because Daisy won’t.

Daisy uses several AI models that work together listening to what scammers have to say, and then responding in a lifelike manner to give the scammers the idea they are working on an “easy” target. Playing on the scammers’ biases about older people, Daisy usually acts as a chatty granny.

According to Virgin Media O2’s press release Daisy has successfully kept numerous fraudsters on calls for 40 minutes at a time. To achieve this “Granny Daisy” will tell the scammers all about her passion for knitting, her cat Fluffy, and provide exasperated callers with false personal information including made up bank details.

The idea behind Daisy is two-fold. Not only does it waste the scammers’ time—time they could have spent defrauding real people—but it also raises awareness, through posts such as this one, that the person you are talking to on the phone could be very different from what you imagine.

Raising awareness about how AI can be used to deceive people is necessary: We’ve reported about how scammers have used AI used to fake voices of loved ones in a “I’ve been in an accident” scam to warn others about the scam.

Virgin Media O2 research learned that 67% of Brits are concerned about being the target of fraud and 22% experience a fraud attempt every single week. The Federal Trade Commission (FTC) received fraud reports from 2.6 million consumers in 2023, with imposter scams the most commonly reported fraud category.

The criminals often pretend to work for your bank or a delivery company that needs a payment before they can deliver a package, with the end goal of the victim disclosing their banking details.

It’s too bad that Daisy can’t intercept the calls from the scammers. For now, the scammers will have to call one of the phone numbers that Daisy answers, which have cleverly been circulated on contact lists known to be used by scammers.

If you’d like to hear Daisy in action here is a video with some actual audio.

Daisy was set up with the help of one of YouTube’s best known scam baiters, Jim Browning. Behind the scenes there are several people that enjoy being a real life time waster, but they can only occupy so many because their time is limited.

We asked Tammy Stewart, one of Malwarebytes’ researchers, who has made it a hobby to waste the time of phishers herself, and she was enthusiastic about the idea of having a “Daisy.” In fact, she’d like to have several and she thinks they could be very effective.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 AI Granny Daisy takes up scammers’ time so they can’t bother you 

Recent backdoor implants and cyber-espionage attacks on their supply chains have African organizations looking to diversify beyond Chinese, American tech vendors.

Source: CG Alex via Shutterstock

Every night for five years, computers and network appliances from the headquarters of the African Union in Ethiopia — a facility built by Chinese firms — reportedly reached out to China-based systems and uploaded sensitive data. The espionage through the technology supply chain, which China's government denies, undermined the security of the pan-African organization.

The incident and more recent supply-chain breaches have underscored that reliance on foreign technological supply chains carries with it significant risks. While using a technology supply chain anchored in China was seen as a less constrained option than US and European options, the truth is that African nations need to evaluate the security of all their supply chains across applications, consumer devices, infrastructure, and service providers, according to a report published by the Africa Center for Strategic Studies, a research and academic center funded by the US Department of Defense.

"I don't think there's an African country that doesn't have some kind of interest in fostering a more robust technology industry and finding various ways to exert more ownership and agency over various aspects of the technology sector," says Nate Allen, associate professor at the Africa Center for Strategic Studies and the author of the report. "You are seeing increasing African interest in having more ownership and say over their technology supply chains."

Supply-chain security has become a major issue worldwide following malicious events, such as the WannaCry and NotPetya worms and the compromise of SolarWinds, as well as IT supply-chain failures, like this summer's CrowdStrike outage. The US government has voiced concerns over the extent to which US maritime ports are reliant on Chinese equipment and investment, and China has begun creating its own operating system and software ecosystem.

Similarly, African nations have become wary of information technology supplied by any number of foreign countries, including China, Russia, the US, and Europe. While African nations need the technology and investment, they are pursuing initiatives to reduce their reliance, says Mark Walker, vice president of data and analytics for the Middle East, Turkey, and Africa for IDC South Africa.

"The reality is that we live in a multidimensional, globally interconnected world, \[where\] development is reliant on significant capital investment and R&D to develop technology — often this is in limited supply across Africa," he says. "That said, many African nations are focusing on developing local software and technology skills in their populations to offset reliance on global players and also ensure that solutions are relevant to local market condition and needs. Education plays a significant role in this."

**China, US Dominate Africa's Tech Market**

Those efforts are still nascent, with the reality that the top technology suppliers in Africa come from China and the US. In mobile applications, for example, 36 of 2023's top-100 applications are from Chinese companies, while 23 are from US companies, according to a report from DataSparkle, a provider of data and analytics for emerging markets. Africa-based developers only account for only seven applications, mostly focused on digital cash and payment applications.

The US dominates the operating-system supply chain with Microsoft's Windows, Google's Android, and Apple's iOS dominating the field.

"If you're not China and you're not the United States, you just have a lot of dependencies in your technology supply chain, and there's no way around it — even to some extent, if you are China and the United States," ACSS's Allen says.

Yet, the 54 nations on the content have options. While foreign firms provide much of the technology, the African market continues to grow and the domestic technology sector continues to have the most insight into nation-by-nation needs.

"\[A\] detailed view of Africa’s technology sector reveals that it is not under the control of any one actor, and there are plenty of opportunities for Africans to assert agency," the ACSS report stated. "By further fostering diversity and competition within the tech sector, African governments can help mitigate the vulnerabilities that come from external actor influence."

**Future of Technology Supply Chains in Africa**

Companies entering the market should find ways to address the cybersecurity concerns of African customers, because if they don't, someone else will, says IDC South Africa's Walker.

"Competition is strong, and vendors are judged on their ability to supply relevant technologies and services at a fair price with solid \[local\] support structures," he says, adding that companies should understand "the local market dynamics, including economic and political realities and the local regulatory environments. Security issues faced in the Horn of Africa around Somalia are different to those faced in northern Nigeria and the Magreb, which again, differ significantly from southeast Africa."

Among incidents in Africa, Chinese hackers targeted Kenyan officials following the nation's trouble paying back loans from China, according to news reports published in 2023, while another incident involved a state-sponsored group targeting foreign-affairs ministries, embassies, and military forces in Africa in an operation dubbed Diplomatic Specter, according to a threat analysis published in May.

In addition, African officials have warned that an important technology supply chain for the continent — open-source software (OSS) — needs to be better secured to prevent malicious attacks.

"I don't think that Africans are naive, or any government around the world is naive — I think they know that, if you are being sold a technology product that is not domestically produced, then there's always going to be some kind of security risk there," says ACSS's Allen. "I think the question is, how can you mitigate that security risk?"

Companies working in the markets need to have an answer to that question, he says.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

African Reliance on Foreign Suppliers Boosts Insecurity Concerns

Apple has released security updates for iOS, iPadOS, macOS, visionOS, and its Safari web browser to address two zero-day flaws that have come under active exploitation in the wild.
The flaws are listed below -

CVE-2024-44308 - A vulnerability in JavaScriptCore that could lead to arbitrary code execution when processing malicious web content
CVE-2024-44309 - A cookie management vulnerability in

Apple Releases Urgent Updates to Patch Actively Exploited Zero-Day Vulnerabilities

Built to combat terrorism, fusion centers give US Immigration and Customs Enforcement a way to gain access to data that’s meant to be protected under city laws limiting local police cooperation with ICE.

On the campaign trail and in recent days, Donald Trump has detailed extensive plans for immigration crackdowns and mass deportations during his second term as United States president. These initiatives would, he has said, include aggressive operations in areas known as “sanctuary cities” that have laws specifically curtailing local law enforcement collaboration with US Immigration and Customs Enforcement (ICE).

With these promises looming, a new report from researchers at the Surveillance Technology Oversight Project (STOP), a pro-privacy nonprofit, details the ways that federal/local data-sharing centers known as “fusion centers” already result in cooperation between federal immigration authorities and sanctuary-city law enforcement.

Run by the US Department of Homeland Security, of which ICE is a part, fusion centers emerged in the wake of the September 11, 2001, attacks as a counterterrorism initiative for integrating intelligence between federal, state, and local law enforcement. Fusion centers spent $400 million in 2021, according to public records. And, as STOP researchers point out, in more than two decades the centers have never proven their worth for their stated purpose of addressing terrorism in the US. Unnamed DHS officials told a Senate panel in 2012, for example, that fusion centers produce “predominantly useless information” and “a bunch of crap.”

In addition to aggressive investigative tactics like pulling data from schools and abortion clinics, ICE agents have leaned on fusion centers for years to get everything from photos of suspects to license plate location data and more—often in a pipeline that includes input from law enforcement working in sanctuary cities.

“This is an area where it’s highly profitable for localities to cooperate with ICE, and because it’s not highly visible it oftentimes faces less pushback," says STOP executive director Albert Fox Cahn. “This sort of information sharing capacity on this scale across all these agencies. tapping into everything from local utility records and DMV records to school records has the potential to be deployed in any number of chilling scenarios.”

ICE did not immediately return a request from WIRED for comment.

Fox Cahn adds that the concept of sanctuary cities wasn't always viewed by regional cops as an inconvenience to work around. “Until recently a lot of law enforcement agencies were very vocal in supporting sanctuary city protections, because they feared that ICE collaboration would actually hurt public safety if immigrants were not willing to come forward when they were victims of a crime or witness to a crime,” he says. “But police have become much more politically engaged on immigration in recent years.”

Fusion centers give ICE officers a forum through which to request data from local law enforcement databases in sanctuary cities and take advantage of regional surveillance tools, including publicly deployed face recognition systems, that can't be directly used to aid deportation efforts under sanctuary laws. STOP argues that when cops from sanctuary cities share data with ICE through fusion centers, it believes they may be violating local laws, but the activity is less obviously a violation than if the sharing happened through a direct channel.

In addition to undermining the entire purpose and premise of sanctuary city laws, STOP researchers point out, such erosion of guardrails around data sharing broadly could easily become a national security issue if a foreign actor were to infiltrate a fusion center. And domestically, the free-wheeling environment within fusion centers means that law enforcement could easily turn the spotlight onto additional types of investigations without warning.

“What we’ve seen over and over again is that the policing infrastructure we’ve built up in the name of combatting one evil then gets re-purposed for another," Fox Cahn says. “People who maybe don’t care as much about immigration need to recognize that if this infrastructure can be re-targeted at undocumented communities the way it has been today, it can be repurposed for any number of policing priorities in the future.”

Fusion centers will almost certainly play a role in the Trump administration's immigration agenda, but the STOP research is a reminder that these information-sharing hubs may well be at the center of other far-flung law enforcement initiatives as well.

Immigration Police Can Already Sidestep US Sanctuary City Laws Using Data-Sharing Fusion Centers

Our security teams work around the clock to help protect every person and organization on the planet from security threats. We also know that security is a team sport, and that’s why we also partner with the global security community through our bug bounty programs to proactively identify and mitigate potential issues before our customers are impacted.

Our security teams work around the clock to help protect every person and organization on the planet from security threats. We also know that security is a team sport, and that’s why we also partner with the global security community through our bug bounty programs to proactively identify and mitigate potential issues before our customers are impacted. Unique perspectives from the brightest security minds add another layer to our overall strategy to protect our ecosystem. By incentivizing high-impact research, we raise the security bar for everyone.  

Today, we are building on that history of partnership and expanding our bug bounty programs with the Zero Day Quest. This new hacking event will be the largest of its kind, with an additional $4 million in potential awards for research into high-impact areas, specifically cloud and AI. Zero Day Quest will provide new opportunities for the security community to work hand in hand with Microsoft engineers and security researchers – bringing together the best minds in security to share, learn, and build community as we work to keep everyone safe.  

The quest begins today with a research challenge, where vulnerability submissions within targeted scenarios during the event are eligible for multiplied bounty awards. Submissions can also qualify researchers for a spot in the onsite hacking event in Redmond, WA, in 2025.  

To advance AI security, starting today we will offer double AI bounty awards. We will also offer researchers direct access to the Microsoft AI engineers focused on developing secure AI solutions, and our AI Red Team. This unique opportunity will allow participants to enhance their skills with cutting-edge tools and techniques and work with Microsoft to raise the bar for AI security across the ecosystem – making everyone safer. Register for a training session with the Microsoft AI Red Team today.  

In alignment with our Coordinated Vulnerability Disclosure (CVD) approach, researchers will be encouraged to publicly discuss their findings once mitigated, with support from Microsoft through blogs, podcasts, and videos to ensure we can all learn and build on this work. As part of our Secure Future Initiative (SFI), we will transparently share critical vulnerabilities through the Common Vulnerabilities and Exposures (CVE) program, even if they require no customer action. Learnings from the Zero Day Quest will be shared across Microsoft to help improve cloud and AI security - by default, by design, and in operations.  

This event is not just about finding vulnerabilities; it’s about fostering new and deepening existing partnerships between the Microsoft Security Response Center (MSRC), product teams, and external researchers – raising the security bar for all. Join us in this exciting journey as we push the boundaries of cybersecurity and work together to create a safer digital world.

_Tom Gallagher_  
_VP of Engineering, Microsoft Security Response Center (MSRC)_

Securing AI and Cloud with the Zero Day Quest

Freshly released court documents reveal new details on controversial Israeli spyware firm's operations.

Source: Shubham singh 007 via Shutterstock

Israel's NSO Group may know a lot more about how customers use its Pegasus commercial spyware product than the company has let on, newly released court documents connected to a legal dispute with Meta's WhatsApp suggest.

In fact, NSO Group installed and operated the spyware on behalf of its customers, making the company directly liable for the spyware's use, WhatsApp lawyers said in one court filing, released Nov. 14 in the US District Court for the Northern District of California.

The court documents are part of a lawsuit that WhatsApp filed against NSO Group in October 2019 after discovering the Israeli firm had used WhatsApp servers to distribute Pegasus to some 1,400 mobile phones, including those belonging to journalists and rights activists.

The lawyers also claimed that NSO Group repeatedly developed and used exploits for abusing WhatsApp's servers to install Pegasus on target devices, including at least once after WhatsApp had sued the company over the issue.

**NSO 'Solely Responsible'**

"NSO is solely responsible for Pegasus’s unauthorized access to WhatsApp's servers," the social media giant noted in one briefing. "Despite what NSO has claimed, its customers had a minimal role in how the spyware tool operated or collected information. All that NSO Group customers typically had to do was enter their target's phone number, press install and wait for the malware to install on the target device without any further interaction," they noted.

Related:Trustwave-Cybereason Merger Boosts MDR Portfolio

"In other words, the customer simply places an order for a target device's data, and NSO controls every aspect of the data retrieval and delivery process through its design of Pegasus," WhatsApp's lawyers said. The company, in fact, was so aware of how customers were using its malware that it actually disconnected service to 10 customers for excessive abuse, the lawyers claimed.

**Controversial Surveillance Software**

Pegasus is a controversial mobile spyware designed to secretly monitor and extract data from iOS and Android smartphones. Once installed, Pegasus can intercept messages, emails, media, and passwords, and track location data, all while evading detection by antivirus software. NSO Group claims to sell the technology solely to authorized government agencies for legitimate law enforcement, crime-fighting, and anti-terror purposes. But critics argue that the tool has been misused, particularly in authoritarian regimes, to target journalists, human rights activists, political dissidents, and others critical of the government.  

Related:Xiphera & Crypto Quantique Announce Partnership

A 2021 database leak revealed that NSO Group customers had, at the time, targeted more than 50,000 phone numbers for surveillance in countries like Mexico, Hungary, and India. The US government formally blacklisted the company in 2021, meaning its ability to operate in the US or do business with US entities abroad is severely restricted.

The NSO Group has tried to get US courts to dismiss WhatsApp's lawsuit against the company, citing, among other things, a lack of jurisdiction and the fact that its clients are mostly governments and therefore are not doing anything illegal. WhatsApp lawyers have sought to portray NSO Group as indeed being liable for Pegasus by attempting to tie the vendor more directly to customer use of the spyware tool.

In the newly released court documents, WhatsApp has alleged that NSO Group repeatedly and deliberated worked around the mechanisms the company put in place to prevent misuse of the secure messaging platform. One of them was a modified WhatsApp client app called the WhatsApp Installation Server (WIS) that could access WhatsApp's back-end servers in ways its own client software could not. NSO Group then developed tools named Heaven and Eden to interact with WIS in such a way as to trigger Pegasus downloads on target phones via WhatsApp. The company developed Eden after WhatsApp discovered Heaven and put up blocks against it. When WhatsApp engineers discovered Eden, NSO developed and used yet another tool, called Erised, through 2020, or after WhatsApp had filed its lawsuit.

Related:North Korea's Andariel Pivots to 'Play' Ransomware Games

The WhatsApp lawsuit is one of several that NSO Group is currently battling in courts worldwide from organizations and individuals impacted by the malware. In September, Apple sought voluntary dismissal of a 2021 lawsuit it had filed against NSO Group, citing concerns over the company having to share information with the court that other spyware makers could abuse going forward.

Back when the lawsuit was filed, the NSO Group was among a handful of known purveyors of such mobile spyware software. Since then, there has been a sharp increase in the number of commercial spyware vendors, driven largely by demand from government agencies. A Google report earlier this year identified spyware vendors like NSO Group as being responsible for nearly half of all zero-day exploits it counted between mid-2014 and December 2023.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

WhatsApp: NSO Group Operates Pegasus Spyware for Customers

Experimental counter-offensive system responds to malicious AI probes with their own surreptitious prompt-injection commands.

Source: Valentin Baciu via Shutterstock

Companies worried about cyberattackers using large-language models (LLMs) and other generative AI systems that automatically scan and exploit their systems could gain a new defensive ally — a system capable of subverting the attacking AI.

Dubbed Mantis, the defensive system uses deceptive techniques to emulate targeted services and — when it detects a possible automated attacker — sends back a payload that contains a prompt-injection attack. The counterattack can be made invisible to a human attacker sitting at a terminal and will not affect legitimate visitors who are not using malicious LLMs, according to the paper penned by a group of researchers from George Mason University.

Because LLMs used in penetration testing are singularly focused on exploiting targets, they are easily co-opted, says Evgenios Kornaropoulos, an assistant professor of computer science at GMU and one of the authors of the paper.

"As long as the LLM believes that it's really close to acquiring the target, it will keep trying on the same loop," he says. "So essentially, we are kind of exploiting this vulnerability — this greedy approach — that LLMs take during these penetration-testing scenarios."

Cybersecurity researchers and AI engineers have proposed a variety of novel ways for LLMs to be used by attackers. From the ConfusedPilot attack, which uses indirect prompt injection to attack LLMs when they are ingesting documents during retrieval-augmented generation (RAG) applications, to the CodeBreaker attack, which causes code-generating LLMs to suggest insecure code, attackers have automated systems in their sights.

Yet, research on offensive and defensive uses of LLMs is still early: AI-augmented attacks are essentially automating the attacks that we already know about, says Dan Grant, principal data scientist at threat-defense firm GreyNoise Intelligence. Yet, signs of increasing use of automation among attackers is increasing: the volume of attacks has been slowly increasing in the wild and the time to exploit a vulnerability has been slowly decreasing.

"LLMs enable an extra layer of automation and discovery that we haven't really seen before, but \[attackers are\] still applying the same route to an attack," he says. "If you're doing a SQL injection, it's still a SQL injection whether an LLM wrote it or human wrote it. But what it is, is a force multiplier."

**Direct Attacks, Indirect Injections, and Triggers**

In their research, the GMU team created a game between an attacking LLM and a defending system, Mantis, to see if prompt injection could impact the attacker. Prompt injection attacks typically take two forms. Direct prompt injection attacks are natural-language commands that are entered directly into the LLM interface, such as a chatbot or a request sent to an API interface. Indirect prompt injection attacks are statements included in documents, web pages, or databases that are ingested by an LLM, such as when an LLM scans data as part of a retrieval-augmented generation (RAG) capability.

In the GMU research, the attacking LLM attempts to compromise a machine and deliver specific payloads as part of its goal, while the defending system aims to prevent the attacker's success. An attacking system will typically use an iterative loop that assesses the current state of the environment, selects an action to advance toward its goal, execute the action, and analyze the targeted system's response.

Using a decoy FTP server, Mantis sends a prompt-injection attack back to the LLM agent. Source: "Hacking Back the AI-Hacker" paper, George Mason University

The GMU researchers' approach is to target the last step by embedding prompt-injection commands in the response sent to the attacking AI. By allowing the attacker to gain initial access to a decoy service, such as a web login page or a fake FTP server, the group can send back a payload with text that contains instructions to any LLM taking part in the attack.

"By strategically embedding prompt injections into system responses, Mantis influences and misdirects LLM-based agents, disrupting their attack strategies," the researchers stated in their paper. "Once deployed, Mantis operates autonomously, orchestrating countermeasures based on the nature of detected interactions."

Because the attacking AI is analyzing the responses, a communications channel is created between the defender and the attacker, the researchers stated. Since the defender controls the communications, they can essentially attempt to exploit weaknesses in the attacker's LLM.

**Counter Attack, Passive Defense**

The Mantis team focused on two types of defensive actions: Passive defenses that attempt to slow the attacker down and raise the cost of their actions, and active defenses that hack back and aim to gain the ability to run commands on the attacker's system. Both strategies were effective with a greater than 95% success rate using the prompt-injection approach, the paper stated.

In fact, the researchers were surprised at how quickly they could redirect an attacking LLM, either causing it to consume resources or even to open a reverse shell back to the defender, says Dario Pasquini, a researcher at GMU and the lead author of the paper.

"It was very, very easy for us to steer the LLM to do what we wanted," he says. "Usually, in a normal setting, prompt injection is a little bit more difficult, but here — I guess because the task that the agent has to perform is very complicated — any kind of injection of prompt, such as suggesting that the LLM do something else, is \[effective\]."

By bracketing a command to the LLM with ANSI characters that hide the prompt text from the terminal, the attack can happen without the knowledge of a human attacker.

**Prompt Injection is the Weakness**

While attackers who want to shore up the resilience of their LLMs can attempt to harden their systems against exploits, the actual weakness is the ability to inject commands into prompts, which is a hard problem to solve, says Giuseppe Ateniese, a professor of cybersecurity engineering at George Mason University.

"We are exploiting those something that is very hard to patch," he says. "The only way to solve it for now is to put some human in the loop, but if you put the human in the loop, then what is the purpose of the LLM in the first place?"

In the end, as long as prompt-injection attacks continue to be effective, Mantis will still be able to turn attacking AIs into prey.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

AI About-Face: 'Mantis' Turns LLM Attackers Into Prey

A Facebook malvertising campaign disguised as Bitwarden updates spreads malware, targeting business accounts. Users are tricked into installing…

A Facebook malvertising campaign disguised as Bitwarden updates spreads malware, targeting business accounts. Users are tricked into installing malicious Chrome browser extensions.

Cybersecurity researchers at Bitdefender have uncovered a malicious advertising (malvertising) campaign that exploits **Meta’s advertising platform** to distribute malware on Facebook. This campaign, detected on November 3, 2024, disguises the malware as a security update for the popular **Bitwarden password manager**. Although the campaign has been taken down, experts warn that similar threats are likely to resurface.

****From Malicious Facebook Ads to Fake Chrome Store****

The campaign uses **deceptive Facebook ads** that appear to be legitimate security updates for Bitwarden. These ads warn users about the risk of compromised passwords and trick them into installing an urgent security update for the password manager. The ads are designed to look authentic, using Bitwarden’s branding and language to create a sense of urgency.

When users click on these ads, they are redirected through a series of websites before reaching a phishing page that mimics the official Chrome Web Store. This final page notifies users to install a **malicious browser extension** disguised as a Bitwarden update. The installation process involves downloading a zip file from Google Drive, unzipping it, and manually loading the extension into the browser.

According to Bitdefender’s **blog post** shared with Hackead.com heard of its publishing on Monday, once installed, the malicious Chrome extension requests permissions, enabling it to intercept and exploit the user’s online activities.

Some key permissions requested include access to all websites, modification of network requests, and access to storage and cookies. The extension’s manifest file reveals these permissions, indicating its ability to perform various malicious activities.

Researchers noted that the core of the attack lies within the background.js script, which activates upon installation. This script performs several critical tasks data exfiltration which the collected data is sent to a Google Script URL acting as a command-and-control server, cookie harvesting which allows attackers to search for Facebook cookies, particularly the c_user cookie containing the user’s Facebook ID. The script also gathers IP address and geolocation data and extracts personal and business information from Facebook using the Graph API.

Malicious Facebook ads (left) – Malicious Chrome extension (right) – Screenshot via Bitdefender

****Impacted Users****

The malware’s primary targets are Facebook business accounts putting unsuspected individuals and organizations at risk. The malvertising campaign has already reached thousands of users, primarily in Europe, with the possibility to expand globally.

If you use Facebook for business purposes and manage a business account, it’s important to stay cautious. If you come across a malicious ad prompting you to install updates, avoid clicking on it. Instead, visit the official website of the product to verify and access legitimate security updates.

1.  Fake Ads Manager Software Target Facebook Accounts
2.  Fake LastPass Password Manager App Lurks on iOS App Store
3.  Fake League of Legends Download Ads Spread Lumma Stealer
4.  PasswordState password manager’s update hijacked to drop malware
5.  Fake Meta Ads Hijack Facebook Accounts to Spread SYS01 Infostealer

Tag

#ios