Researchers from Google DeepMind, Open AI, ETH Zurich, McGill University, and the University of Washington have developed a new attack that extracts key architectural information from proprietary Large Language Models (LLMs) such as ChatGPT and Google PaLM-2. The study shows how adversaries can extract supposedly hidden data from an LLM-enabled chatbot, allowing them to duplicate or steal its functionality. The attack is one of several highlighted in the past year that have delved into the security flaws of Artificial Intelligence (AI) technologies.

According to Claroty, healthcare networks have been found to contain 63 percent of the Known Exploited Vulnerabilities (KEVs) tracked by the US Cybersecurity and Infrastructure Security Agency (CISA). Twenty-three percent of medical devices, including imaging devices, clinical Internet of Things (IoT) devices, and surgery devices, have at least one KEV.

France’s Employment Agency recently suffered a data breach that could affect users who registered over the past 20 years, representing 43 million potential users’ data exposed.  France Travail, the French national employment agency, announced on March 13, 2024, that its IT systems and those of Cap Emploi, a government employment service that supports people with disabilities, were breached.

Nissan Oceania recently announced that roughly 100,000 individuals were affected by a data breach resulting from a ransomware attack conducted by a known cybercrime group in late 2023.  Nissan said it detected an intrusion on December 5, 2023, and informed customers about a disruptive cyber incident the same day.  The attack impacted Nissan Motor Corporation and Nissan Financial Services in Australia and New Zealand.

A team of mathematics researchers from RMIT University's Centre for Cyber Security Research and Innovation (CCSRI) collaborated with a tech startup called Tide Foundation to develop a breakthrough cybersecurity technology. The new technology, called "ineffable cryptography," enables data and devices to be locked with keys that no one will ever hold. It involves secretly generating and operating keys across a decentralized network of servers run by independent organizations. Only a part of a key is held by each server in the network.

Researchers at the University of Chicago explored a security flaw in Meta's Quest Virtual Reality (VR) system that could enable hackers to hijack users' headsets, steal sensitive information, and manipulate social interactions. In the "inception attack," hackers develop an app that injects malicious code into the Meta Quest VR system. They then launch a clone of the VR system's home screen and apps, appearing identical to the user's original screen. When inside, attackers can monitor, record, and modify everything the user does with the headset.

VUSec, the Systems and Network Security Group at Vrije Universiteit Amsterdam, and IBM Research Europe have announced Speculative Race Conditions (SRCs) as a new class of vulnerabilities in which thread synchronization primitives using conditional branches can be microarchitecturally evaded on speculative paths via a Spectre-V1 attack. According to researchers, the new SRC attack, dubbed "GhostRace," affects all major CPU vendors. This article continues to discuss the new type of data leakage attack affecting all major CPUs.

Callie Guenther of Critical Start highlights that recent attacks on large financial institutions such as Bank of America call for companies to develop a security culture. The recent surge in cyberattacks against financial institutions represents a significant escalation in the threat landscape, increasing concerns regarding cybersecurity measures and regulatory responses. The February attack on Bank of America, facilitated by a third-party service, highlights the complexity of vulnerabilities that financial institutions face in an interconnected digital ecosystem.

According to the Federal Trade Commission (FTC), experts have detected and blocked nearly 13,000 fake investment platform domains across more than 7000 IPs in January 2024, a 25% increase from December 2023.  The FTC noted that the investment scams accounted for over $4.6b in fraud losses in the United States alone in 2023, marking a troubling 21% increase from the previous year.

As part of its Artificial Intelligence (AI) Cyber Challenge, the Defense Advanced Research Projects Agency (DARPA) has awarded seven companies $1 million each to develop a cyber reasoning system. To "redefine" AI security, the US research agency is supporting seven small businesses in automatically detecting and fixing software vulnerabilities at scale.