Security News This Week: A Catastrophic Hospital Hack Ends in a Leak of 300M Patient Records

Plus: Alleged Apple source code leaks online, cybercrime group Scattered Spider’s alleged kingpin gets arrested, and more.

The rolling series of breaches targeting customers of cloud platform Snowflake appears to be a supply chain attack wrapped in another supply chain attack. A hacker who claims to have been involved in the attacks tells WIRED that the hackers, known as ShinyHunters, stole victims’ Snowflake credentials by first breaching an employee of a third-party contractor. (The contractor, however, says it does not believe it was involved.)

Ultimately, the breach of the Snowflake customer accounts, which include Ticketmaster, banking firm Santander, and potentially more than 160 other companies, was possible because their Snowflake accounts did not have multifactor authentication enabled: a stolen username and password was all an attacker needed to log in.
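For anyone running a Snowflake account, the practical follow-up to that sentence is to find out which of your own users are in the same position. The queries below are an added example, not from the article or from Snowflake’s own material; they assume access to the SNOWFLAKE.ACCOUNT_USAGE share (ACCOUNTADMIN or a role granted it), the IP ranges are placeholders, and the authentication-policy syntax at the end comes from Snowflake’s later-added authentication policies, so check it against current documentation for your account.

```sql
-- Added example: audit for the weakness behind the Snowflake customer breaches
-- (password-only logins with no second factor). Assumes the ACCOUNT_USAGE share;
-- IP ranges and policy names below are placeholders.

-- 1. Enabled human users that can authenticate with a password but have no MFA enrolled.
SELECT name, login_name, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Successful password-only logins in the last 30 days. These are exactly the
--    sessions a stolen credential produces; group by source IP and client so that
--    logins from an unfamiliar network or an unexpected driver stand out.
SELECT user_name,
       client_ip,
       reported_client_type,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp > DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY 1, 2, 3
ORDER BY logins DESC;

-- 3. Close the gap: only accept logins from known egress ranges (placeholder CIDRs),
--    then require MFA enrollment for everyone (verify this policy syntax against
--    current Snowflake docs; it postdates the incidents described above).
CREATE NETWORK POLICY IF NOT EXISTS corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24');
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;

CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
  MFA_ENROLLMENT = REQUIRED;
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;
```

Service accounts used by integrations usually cannot complete an MFA prompt; move those to key-pair authentication and pin them to the integration’s IP range rather than leaving them on a password, since they show up in query 1 just like a human user does.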

Antivirus giant Kaspersky’s worst nightmare has finally come true: The United States government announced on Thursday that it is banning the sale of its software to new customers in the US over alleged Russian national security threats. (Kaspersky has challenged the Biden administration’s claims.) Existing customers, meanwhile, will be banned from downloading Kaspersky software updates after September 29. What could go wrong?

Perplexity AI, an artificial-intelligence-powered search startup, says it’s already valued at a billion dollars. But a WIRED investigation published this week found that its secret sauce has a pungent ingredient: bullshit.

Beyond details “hallucinated” by its chatbot, WIRED found that the AI tool appears to be ignoring the Robots Exclusion Protocol (the robots.txt file a site publishes to tell crawlers which pages not to fetch; it is a request, not an enforcement mechanism) on sites owned by WIRED’s parent company, Condé Nast, and other publications, seemingly allowing it to scrape articles despite the internet equivalent of a “Do Not Enter” sign hanging on WIRED and other Condé Nast sites. Perplexity’s chatbot later plagiarized that same article when prompted.

People traveling through some of the largest train stations in the United Kingdom secretly had their faces scanned by Amazon’s face-recognition tools, according to documents obtained by WIRED. The technology, which was used as part of a trial run, predicted travelers’ various attributes, including gender, age, and likely emotions. The surveillance, which one privacy advocate called “concerning,” could potentially be used for serving advertisements.

Finally, we detailed the rise of robot “dogs” used by militaries, explained what would happen if China invaded Taiwan, and got into the nitty-gritty of the boring-sounding but serious work of spotting the billion-dollar scam tactic known as business email compromise.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

A Catastrophic Hospital Hack Ends in a Leak of 300M Patient Records

For months, ransomware gangs have rampaged across the health care industry, with ruthless attacks targeting Change Healthcare’s national payment network for more than a thousand health care providers, Ascension Healthcare’s 140 hospitals, and dozens of other victims in the medical field. Now that hacking epidemic is crystallizing into yet another catastrophic hospital hack, one that has resulted in 300 million UK patient records leaking online.

Synnovis, a joint-venture medical testing company partially owned by the UK’s National Health Service, has for weeks been battling and negotiating with the Russia-linked ransomware group Qilin, which has deeply disrupted its services in an attempt to extort the company. The result has been well over a thousand postponed operations and thousands more postponed outpatient appointments across multiple UK hospitals. Ambulances have been diverted from the affected hospitals, potentially causing delays in lifesaving care. The hospitals have even had to ask for new urgent donations of O-type blood, because the disruption to blood-matching tests has prevented them from safely transfusing other blood types.

Now, after an apparent breakdown in its extortion negotiations—in which the hackers appear to have demanded a staggering $50 million ransom—Qilin has published nearly 400 gigabytes of the hospitals’ medical data on its dark-web site. According to the Guardian’s analysis, the dumped data includes 300 million records of patients’ sensitive interactions with the NHS.

When Change Healthcare, by contrast, paid a $22 million ransom to hackers in March, the company was criticized for fueling more attacks on other health care targets. The Synnovis attack shows what one alternative to paying the ransom looks like. It isn’t pretty.

Source Code for Three of Apple’s Internal Tools Reportedly Leaked by Hackers

It’s not every day that source code from Apple’s inner sanctum ends up stolen and leaked online. But this week, someone known as IntelBroker posted what they describe as code for three of Apple’s internal tools on the hacker forum BreachForums. “I'm releasing the internal source code to three of Apple's commonly used tools for their internal site, thanks for reading and enjoy!” read the message from IntelBroker. Apple has yet to respond to WIRED’s request for comment on the reported leak, or to verify that the code is real. But IntelBroker has a history of breaches of sensitive networks, including that of the chipmaker AMD and US government agencies. It’s not clear exactly what all three of the tools that IntelBroker claims to have stolen, AppleConnect-SSO, Apple-HWE-Confluence-Advanced, and AppleMacroPlugin, are used for. But the SSO, or single sign-on, tool in particular appears to be an authentication tool used by Apple employees for accessing systems, a potentially sensitive piece of tooling to have leaked online. Source code on its own does not grant access, but it gives attackers a map of the authentication flow to search for logic flaws, and any secrets or internal hostnames embedded in it would need to be rotated or treated as exposed.

Police Arrest an Alleged Leader of Scattered Spider Hacker Group

Since it devastated MGM Resorts in an attack that reportedly cost well over $100 million, Scattered Spider has come to be recognized as one of the world’s most prolific and notorious cybercriminal groups, with dozens of victims, including Walmart, Costco, and LinkedIn. This week, one of the group’s alleged ringleaders was finally arrested in Spain, according to a report in the Spanish news outlet Murcia Today. Police haven’t released the name of the 22-year-old British man, who they say was apprehended at the Palma de Mallorca airport before he could board a flight to Italy. Authorities say that he appears to have at one point controlled $27 million in bitcoin. Sources tell Krebs on Security that the man is Tyler Buchanan, from Dundee, Scotland, and has been known as “tylerb” on cybercrime Telegram channels focused on SIM swapping.

Kraken Accuses Hackers of Extortion After They Take $3 Million in Bug Bounty Demo

When hackers try to demonstrate an exploitable flaw in a company’s product or platform, there’s often a fine line between demanding credit or a bounty and outright extortion. Cryptocurrency exchange Kraken accused researchers from the cybersecurity firm CertiK of crossing that line this week when they revealed to Kraken that they’d found a vulnerability in the exchange’s code that allowed them to withdraw $3 million. According to Kraken, CertiK refused to hand the money back before negotiating how its finding would be recognized. “This is not whitehat hacking, it is extortion!” wrote Kraken’s chief security officer in a post on X. CertiK, for its part, responded that Kraken hadn’t provided crypto addresses to which it could return the funds; the money has since been returned, Kraken says. The moral of the story? A proof of concept should demonstrate that a flaw is exploitable with the smallest transaction that proves the point, not with a seven-figure sum of someone else’s money.

New AI Video-Generation Tool Is Immediately “Jailbroken” to Make Porn

It’s a rule of thumb as old as the internet that every new technology’s first application is pornography. That’s held true for generative AI, despite the best attempts of many AI tool developers to prevent the creation of X-rated content using their services. So it’s little surprise that when AI company Luma Labs launched a new video-generation service this week called Dream Machine, it was immediately “jailbroken” by users to produce porn. Pliny the Prompter, the self-described whitehat “AI red teamer” who demonstrated the steps necessary to hijack the service for smut, showed that a variety of prompting tricks can bypass its safeguards. According to 404 Media, which reported on Pliny’s findings, the video examples include a nude woman engaging in a solo sex act, a woman’s deformed naked body, and a woman covered in blood and screaming.