Security in the AI Sector: Understanding Infostealer Exposures and Corporate Risks

As Constella analyzed in the first part of this blog series, which focused on exhibitions in the emerging AI sector, we’ll delve deeper into the risks and vulnerabilities in this field, along with the threat of Infostealer exposures. Constella has evaluated some of the most relevant and utilized tools in the AI field, revealing concerning Infostealer exposures.

Diving Into the Data: Understanding the Impact

Our analysis exposes a stark reality: Over one million user accounts are at risk, predominantly due to devices infected by Infostealers. Among the compromised data, we’ve identified corporate credentials representing a substantial security threat. This discovery highlights the critical need for strengthened protective measures to safeguard sensitive information.

Through our analysis, we have uncovered significant credential exposures at several AI-focused companies, specifically: Openai, Wondershare, Figma, Zapier, Cutout, Elevenlabs, Huggingface, Make, and Heygen among others.

Understanding the Impact of Infostealer Exposures and Taking Action

A threat actor can exploit exposed credentials from AI companies to orchestrate sophisticated attacks, even if multi-factor authentication (MFA) is in use.

Personal account information, when compromised by an infostealer infection, can be exploited through social engineering strategies such as phishing campaigns. These tactics deceive employees into unwittingly providing access or divulging further confidential details. The stakes are particularly high in AI companies, where such breaches can lead to several specific threats:

  1. Data Privacy and Confidentiality Risks: Access to AI tools like ChatGPT by unauthorized parties could result in the exposure of sensitive information, violating confidentiality agreements and privacy norms.
  • Surveillance and Tracking: Compromised AI systems could be used for covert surveillance, enabling unauthorized tracking of individuals or organizational activities.
  • Model Poisoning: Interference with the training data of AI models by malicious entities can corrupt their outputs, producing biased or harmful results and compromising the integrity of the AI applications.

To safeguard against the risks associated with infostealer infections and enhance security in AI environments, consider implementing the following strategies:

  • Regularly Update and Patch Systems: Ensure that all systems are up-to-date with the latest security patches. Regular updates can close vulnerabilities that could be exploited by threat actors.
  • Monitor and Audit AI Model Inputs and Outputs: Regularly review the inputs and outputs of AI models to detect any signs of model poisoning or other anomalies that could indicate tampering.
  • Limit Data Retention: Establish clear data retention policies to reduce exposure risks.

Cyber Threats in the Age of AI: Protecting Your Digital DNA

The rapid proliferation of AI also introduces a new frontier for cyber threats against your digital DNA. As businesses and individuals increasingly adopt AI technologies, they inadvertently become prime targets for cybercriminals. The allure lies in the vast amounts of sensitive data handled by AI applications, spanning from financial records to personal information.

AI has transformed from niche technology into a mainstream powerhouse, revolutionizing industries and reshaping the way we interact with technology. From predictive analytics to autonomous vehicles, AI tools have become indispensable assets for companies seeking efficiency, innovation, and competitive advantage.

Moreover, the predominance of paid tools and services within the AI sector makes it an enticing prospect for cyber attackers seeking economic gain. Breaching AI companies provides access to valuable assets such as bank data, proprietary algorithms, and project details, while exploiting vulnerabilities in AI systems can lead to unauthorized extraction of personal information. Consequently, as we witness the expansion of the AI industry, it’s imperative for businesses and individuals to bolster their defenses against potential breaches and data compromises.

Hackers can read private Ai-assisted chats even though they are encrypted

Recently, security breaches have been reported at prominent companies in the field of Artificial Intelligence (AI), such as Cutout.pro and Leadzen.ai. These incidents have exposed a range of critical data, raising serious concerns about the protection of personal and confidential information.

Cutout.pro, founded in 2018 and based in China, is known for its innovative AI-based image processing technology. The potential attack occurred on February 28, 2024, where approximately 20M records were exposed.

Data exposed in the Cutout.pro breach:

  • Email addresses
  • Passwords
  • Names
  • Surnames
  • Phone numbers
  • IP addresses

On the other hand, Leadzen.ai, established in 2020 and headquartered in India, is known for its lead generation automation platform using AI. The attack potentially happened on March 29th, 2024, and approximately 780K records were compromised.

Data exposed in the Leadzen.ai breach:

  • Email
  • Full Name
  • User Social Networks
  • Job Position
  • Country
  • Location
  • Company Information
  • Location
  • Phone
compromised data

The compromised data was similar to those exposed on Cutout.pro potential attack, highlighting the critical importance of cybersecurity in an ever-evolving digital environment.

digital DNA
digital DNA

These attacks underscore the urgent need for companies to strengthen their cybersecurity measures and adopt robust practices to protect the sensitive data of their users and employees. In an increasingly interconnected digital world, safeguarding personal and confidential information is crucial to ensuring trust and integrity online.

Types of Attacks and Associated Risks: Given the nature of the data exposed in the breaches at Cutout.pro and Leadzen.ai, companies must be vigilant against several types of cyber threats:

  • Phishing and Spear Phishing Attacks: Cybercriminals can use the stolen email addresses and personal information to craft personalized phishing emails, tricking recipients into revealing more sensitive data or downloading malware.
  • Identity Theft: With access to full names, job positions, and other personal identifiers, attackers can impersonate individuals to commit fraud or other crimes.
  • Financial Fraud: Exposed financial and company information can be used to create fake accounts or authorize fraudulent transactions.

To enhance cybersecurity and protect against the risks associated with the increasing use of AI technologies, consider these three essential tips:

  1. Implement Multi-Factor Authentication (MFA): This adds an extra layer of security by requiring more than one form of verification to access accounts, significantly reducing the risk of unauthorized access.
  2. Regularly Update and Patch Systems: Keeping software and systems up to date ensures that security vulnerabilities are addressed promptly, reducing the likelihood of exploitation by cybercriminals.
  3. Educate and Train Users: Continuous education on the latest cyber threats and safe practices can empower individuals and employees to recognize and avoid potential cybersecurity risks, such as phishing attempts and other social engineering tactics.

As AI technologies continue to advance and become integral to various industries, they also open up new cybersecurity vulnerabilities. Recent breaches at companies like Cutout.pro and Leadzen.ai highlight the importance of stringent security measures. Adopting practices such as multi-factor authentication, regular updates and patches, and ongoing user education can significantly bolster our defenses. These steps are crucial not only for protecting sensitive data but also for preserving trust and integrity in an increasingly digital world, underscoring the need for a collective effort in enhancing our cybersecurity framework.

Analyzing Peru’s Cybersecurity Crisis

In an era where digital integration is pervasive, cybersecurity crisis and the threat of cybersecurity breaches has emerged as a formidable challenge, impacting millions across the globe. Recent posts of potential breaches involving EsSalud, Movistar Perú, and Sunarp serve as a stark reminder of these risks, highlighting the critical vulnerabilities within our digital infrastructure.

While Peru’s situation is merely one example that has come to light, the recent acknowledgment of the AT&T breach underscores that this is a widespread issue, affecting countries globally and leaving us, the citizens, feeling increasingly vulnerable to these digital incursions.

EsSalud, a key player in healthcare, potentially saw 3.3 million records exposed, revealing sensitive information such as sex, age, date of birth, address, national ID, and phone number. This breach, dating back to 2021, exemplifies the long-lasting impact of cybersecurity incidents.

According to another threat actor who got access to Movistar Perú, 5 million records including phone numbers, email, national ids, and full names were exposed in a different channel.

Sunarp, the national registry responsible for managing public records in Peru, was potentially another victim of such cyber-attacks, with a significant breach compromising 4 million records until 2019. This breach disclosed a vast array of personal data, encompassing vehicle identification numbers (VINs), owners’ full names, vehicle descriptions, brands, and fabrication dates, thus highlighting the extensive range of personal information that’s vulnerable.

These breaches occur against a backdrop of significant political and social unrest in Peru. The country has been grappling with almost daily protests and political turmoil since December 2021, following the impeachment of President Pedro Castillo Terrones. This political crisis, marked by demands for new general elections and allegations of illegitimacy against President Dina Boluarte Zegarra, has plunged Peru into a state of unrest, affecting its economy, and potentially impacting regional stability​  (Council on Foreign Relations)​​ (Al Jazeera)​​ (Eurasia Review)​.

Threat actors can exploit the vast amounts of personal information exposed by these breaches in several ways. From identity theft, creating fraudulent identities using the detailed personal information available, to targeted phishing campaigns that leverage the specific data points to trick individuals into revealing more information or making payments. Moreover, the exposure of such detailed personal records can facilitate more sophisticated scams, including loan fraud or the creation of fake documents for illegal activities.

To mitigate the risks posed by such breaches, individuals should take proactive steps, including monitoring financial accounts for unauthorized transactions, using credit freezes to prevent unauthorized credit checks, and being vigilant against phishing attempts. Organizations must also bolster their cybersecurity measures, and robust data protection policies to safeguard against future breaches.

In the digital age, the interplay between cybersecurity and political stability is increasingly apparent, with the potential to affect not just individual privacy but also national security and economic prosperity.

The Spbglobal and Gocco Ransomware Incident and its Broader Implications 

In a digital era where data breaches have become almost a daily occurrence, the recent ransomware incident on spbglobal.com and gocco.com by the notorious “Cactus” group has raised alarms across the cybersecurity landscape. This ransomware incident, disclosed through a post on their dark web site, not only highlights the persistent threat of ransomware but also underscores the dangers of personal information exposure, especially when high-quality national IDs and sensitive personal data are involved. 

The Risks of Exposed Personal Information 

The exposure of personal information, such as high-quality images of national IDs, presents a goldmine for cybercriminals. Such data can be exploited in a myriad of malicious ways. Impersonation becomes trivial; a threat actor can easily assume the identity of a victim to commit fraud, apply for credit, or even create online services and accounts in the victim’s name. The ramifications of this can be devastating, affecting victims’ financial health, reputation, and privacy. 

ransomware incident

Enriched Data: A Double-Edged Sword 

Our preliminary investigation into the exposed identities has revealed a concerning trend: many of the victims’ data were also compromised in previous, well-known data breaches i.e phonehouse.es, scrapped data from LinkedIn, Data broker sites, etc. (Some screenshots from our Hunter tool) 

This enriched data set amplifies the risks significantly. Cybercriminals can leverage the combination of fresh ransomware-exposed data and previously breached information to conduct more sophisticated attacks. For instance, using exposed phone numbers, they can launch targeted SMS phishing (smishing) or voice phishing (vishing) campaigns, tricking victims into revealing additional sensitive information or installing malware on their devices. 
 
Our investigation further revealed that both domains were compromised in previous breaches, making it alarmingly straightforward to access numerous plaintext passwords of potential employees. Even more concerning, both were also exposed in infostealer infections, once again linked to potential employees. This significant security oversight may very well be the root cause of the recent attack. 

The AI Factor: Amplifying the Ransomware Incident Threat 

The advent of AI adds another layer of complexity to the situation. With access to high-quality images and personal details, threat actors can use AI to generate fake, yet highly realistic, documents or identities. This not only expands the surface of attack but also makes it increasingly difficult to distinguish between legitimate and fraudulent identities. The potential for misuse in these ransomware incident scenarios such as deepfake creation, synthetic identity fraud, and more is immense, making it a pressing concern for individuals and organizations alike. 

Protecting Identities in the Digital Age  

In response to these escalating ransomware incidents, Constella Intelligence has positioned itself as a bulwark against identity theft and cyber fraud. By identifying, curating, and analyzing exposed information across the internet, Constella provides a comprehensive defense mechanism. Their proactive approach to monitoring the dark web, forums, and other digital avenues for leaked or stolen data helps mitigate risks before they can be exploited by cybercriminals. 

Our efforts, as a company, are crucial in the current cybersecurity landscape, where the sophistication and frequency of attacks continue to grow. Our work not only aids in immediate threat neutralization but also in building long-term resilience against identity theft and fraud. 

Conclusion 

The ransomware incident on spbglobal.com and gocco.com by the “Cactus” group is a stark reminder of the vulnerabilities inherent in our digital world. As individuals and organizations navigate these treacherous waters, it’s imperative to remain vigilant and proactive in protecting personal information.