<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1076912843267184&amp;ev=PageView&amp;noscript=1">
RL Blog

The Week in Security: Chinese hackers breach government email, AI models easily poisoned

Carolynn van Arsdale
Blog Author

Carolynn van Arsdale, Writer, ReversingLabs.


Welcome to the latest edition of The Week in Security, which brings you the newest headlines from both the world and our team across the full stack of security: application security, cybersecurity, and beyond. This week: A Chinese-based hacking group has used stolen authentication tokens to breach government email accounts. Also: AI large language models (LLM) can easily be poisoned, posing risks to organizations. 

This Week’s Top Story

Chinese hackers use stolen authentication tokens to breach government email accounts, says Microsoft

Microsoft has identified a Chinese-based hacking group, which they have dubbed Storm-0558, breaching government-linked email accounts globally. Researchers found that the hacking group gained access to 25 organizations’ email accounts, including U.S. government agencies such as the State Department.

Microsoft’s researchers believe that Storm-0558 managed to access these accounts via stolen authentication tokens in order to run espionage campaigns on the targeted organizations. Researchers determined the cause of the issue after receiving complaints from its customers in regards to the email service not working properly. 

U.S. officials have shared that the U.S. government has been targeted in this incident, with Storm-0558 accessing unclassified email accounts. U.S. National Security Advisor Jake Sullivan shared that a federal government investigation into this breach is ongoing, and that officials were able to detect the incident “fairly rapidly and were able to prevent further breaches.” 

For the time being, Microsoft will continue to work with the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA) to guard against any continued attacks made by Storm-0558.  

News Roundup

Here are the stories we’re paying attention to this week…    

Flaky AI models can be made even worse through poisoning (The Register)

A french outfit has managed to poison a large language model (LLM) and make it available to developers – to prove a point about how easy it can be to tamper with and poison AI. The outfit posted the corrupted model of GPT-J-6B on Hugging Face under a misspelling of the repo for the AI model (also known as typosquatting) — for anyone to download. 

GitHub goes passwordless, announces passkeys beta preview  (Bleeping Computer)

GitHub announced the introduction of passwordless authentication support in public beta, allowing users to upgrade from security keys to passkeys. Passkeys are associated with individual devices, and increase security by minimizing the risk of data breaches. This is a step GitHub is taking to secure  their software supply chain security, and it's already on the way to replacing their two-factor authentication mandate. 

Ransomware Extortion Skyrockets in 2023, Reaching $449.1 Million and Counting (The Hacker News)

Ransomware is the only cryptocurrency-based crime to grow in 2023. The attackers are on track to have their second biggest year ever - $898.6 million - if they maintain the pace they are acting at. 

Banking Firms Under Attack by Sophisticated 'Toitoin' Campaign (Dark Reading) 

A sophisticated and evasive malware campaign is targeting businesses in Latin America. The campaign involves a multi-stage attack that starts with phishing and ends with the deployment of a novel Trojan dubbed Toitoin that steals critical system information and data from financial institutions. All it takes is six steps to get from the email to Toitoin. 

MOVEit: Testing the Limits of Supply Chain Security (Security Week)

In the wake of the MOVEit breaches, as some argue that even software supply chain security is not enough, a new cybersecurity tactic is in the works: cyber resilience. The objective of cyber resilience is to ensure that an adverse cyber event does not negatively impact the confidentiality, integrity, and availability of an organization’s business operation. Essentially, it means that a company can survive and bounce back from an attack with limited interruptions to services. 

Image: AgnosticPreachersKidCC BY-SA 3.0, via Wikimedia Commons

Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.

More Blog Posts