Bulletin — September 2023
ChatGPT ships DALL-E 3 and voice, MGM and Caesars fall to social engineering, Microsoft IT account leak exposes 38 TB internal data. Storm-0558 keeps producing reading. AI agents in product and red-teaming on the table.
Manuel López Pérez · news

September closes the summer with three incidents that illustrate three distinct patterns of modern social engineering: MGM and Caesars fall within days to vishing against IT helpdesks; Microsoft admits to exposing 38 TB of internal data through a misconfigured SAS URL; and OpenAI announces ChatGPT with voice and DALL-E 3 — multimodal models cross from demo to product.
ChatGPT voice + DALL-E 3
21 September. OpenAI announces voice for ChatGPT (5 voices, text-to-speech and speech-to-text) and integrates DALL-E 3 directly into ChatGPT Plus. The technical novelty: the image model understands the prompt better because, internally, ChatGPT rewrites the user prompt to feed DALL-E 3 with more explicit text.
For AI security this opens two new problem categories:
- Indirect injection via image — Riley Goodside had already shown in August that an uploaded image with invisible embedded text can inject instructions (a Greshake-pattern variant applied to multimodal input). With GPT-4V (the vision version) and DALL-E 3 in product, the surface generalises.
- Voice deepfake as vector — ChatGPT-generated voice is indistinguishable from a human voice in many cases. The threat now sits in a shipping product, not in research.
OpenAI says it has applied extensive red-teaming. Public detail is sparse. The field is gearing up for the first documented multimodal prompt injection incidents in production during Q4.
MGM and Caesars — vishing against IT helpdesk
Mid-September. MGM Resorts and Caesars Entertainment confirm intrusions that paralyse operations (slot machines, hotel keys, reservation systems) for days. Attribution: the cluster the industry calls Scattered Spider / UNC3944 — young actors (several under 25), English-speaking, with social-engineering tradecraft outpacing technical skill.
Initial vector in both cases: a phone call to the IT helpdesk pretending to be an employee who has “forgotten” their credentials. The helpdesk, with no strong additional verification, resets MFA and hands back valid credentials. The attacker logs in as the employee, then moves laterally to critical systems.
Caesars pays around $15M in ransom (partially covered by insurance). MGM refuses. The operational damage at MGM is estimated at over $100M.
Operational lesson: any identity verification for credential reset that relies on information known to the attacker (name, date of birth, employee ID) is defeatable. Defence relies on out-of-band verification (calling back the registered number, verifying in person, requiring a physical hardware token) or on restricting who can request a reset.
Source: https://www.bloomberg.com/news/articles/2023-09-13/mgm-cyber-attack-causes-machine-failures-on-casino-floors · https://www.reuters.com/technology/cybersecurity/caesars-paid-tens-millions-stop-hackers-releasing-data-wsj-2023-09-14/
Microsoft — 38 TB leaked via misconfigured SAS

18 September. Wiz Research publishes that a public Microsoft AI GitHub repository contained a SAS (Shared Access Signature) link that gave read/write access to 38 TB of data on the internal storage account. Included: full workstation backups for two Microsoft engineers, 30,000+ Microsoft Teams messages from the team, service secrets, private keys.
The bug is in the SAS token configuration: instead of pointing to a specific blob, it pointed to the full storage account with broad permissions and no expiration. The repo owner didn’t realise the SAS link exposed in README.md covered more than the example file.
Microsoft confirms the repo was used to distribute research datasets, that there were no other unauthorised accesses, and revokes the SAS on receipt of the report. The case illustrates a systemic pattern: SAS tokens are easy to misconfigure, rarely have detailed telemetry, and cloud providers don’t automatically warn when a SAS exposes more than a blob.
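The misconfiguration described above is visible in the SAS URL's own query parameters, so a link can be checked before it is published. This is an added example, not code from Wiz or Microsoft; the 7-day lifetime threshold, the account name and the sample README are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Blob-storage URLs that carry a SAS signature (sig=) in the query string.
SAS_URL = re.compile(r"https://[\w-]+\.blob\.core\.windows\.net/[^\s\"'<>)]*[?&]sig=[^\s\"'<>)]+")
MAX_LIFETIME = timedelta(days=7)  # assumed policy threshold, not an Azure limit

def audit_sas_url(url, now):
    """Return findings for one SAS URL, judged only from its query parameters."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    findings = []
    # An account SAS carries ss/srt; a service SAS carries sr (b = blob, c = container).
    if "ss" in q or "srt" in q:
        findings.append("scope: account SAS, not limited to one blob")
    elif q.get("sr") != "b":
        findings.append("scope: wider than a single blob")
    perms = set(q.get("sp", ""))
    if perms & set("acwd"):
        findings.append("permissions: allows add/create/write/delete")
    if "l" in perms:
        findings.append("permissions: allows listing")
    if "se" not in q:
        # With si= the expiry may live in a stored access policy the URL does not show.
        findings.append("expiry: none in token" + (" (check stored policy)" if "si" in q else ""))
    else:
        expiry = datetime.fromisoformat(q["se"].replace("Z", "+00:00"))
        if expiry.tzinfo is None:
            expiry = expiry.replace(tzinfo=timezone.utc)
        if expiry - now > MAX_LIFETIME:
            findings.append("expiry: more than %d days away" % MAX_LIFETIME.days)
    return findings

def scan_text(text, now):
    """Map every SAS URL found in text to its list of findings."""
    return {url: audit_sas_url(url, now) for url in SAS_URL.findall(text)}

# Constructed sample README; account name, paths and signatures are placeholders.
README = """
Download the model: https://exampleacct.blob.core.windows.net/models/sample.ckpt?sv=2021-08-06&ss=b&srt=sco&sp=racwdl&se=2099-01-01T00:00:00Z&sig=CONSTRUCTED
Sample file: https://exampleacct.blob.core.windows.net/models/readme.txt?sv=2021-08-06&sr=b&sp=r&se=2023-09-20T00:00:00Z&sig=CONSTRUCTED
"""

if __name__ == "__main__":
    for url, findings in scan_text(README, datetime(2023, 9, 18, tzinfo=timezone.utc)).items():
        print(url.split("?")[0], findings or ["ok"])
```

Run over a repository's text files in CI, a non-empty findings list is a reason to block the commit and reissue the link as a read-only, single-blob SAS with a short expiry.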
Storm-0558 — the update
Microsoft publishes an extended post-mortem on Storm-0558. It confirms the stolen key reached the attacker through a crash dump from a production system that got moved to a less secure development environment. It acknowledges key management didn’t detect the key leaving. It announces detailed audit logs across all E3+ tiers from October — the year’s operational change at the cloud level.
CSRB (Cyber Safety Review Board) opens its formal investigation in September. The final report comes out in April 2024.
Confused deputy in ChatGPT plugins
We’ve published the analysis of the confused deputy pattern in agents with tools — with a reproducible PoC: the agent, on reading an attacker-controlled URL, sends email containing private user context to an attacker-controlled destination. It’s the natural next step after Sydney (February), markdown exfil (April) and GCG (July).
Rest of the month
- Cisco ISE / Catalyst — multiple high-severity advisories through the month.
- Apple iOS 16.6.1 (7 Sept) — patches for 3 zero-days exploited as part of spyware operations (Citizen Lab attributes to Pegasus).
- Notepad++ supply-chain — a malicious notepad-plus-plus fork on npm mimicking the real editor’s name.
- MOVEit — end of September: 1,000+ confirmed affected organisations.
- VOIDFASCISTS / China-nexus intrusions reported against European telecoms entities.
Cross-cutting pattern
A single thread holds the month together: identity without robust verification. MGM and Caesars fall to MFA reset without out-of-band verification. Microsoft exposes 38 TB because a SAS token acts with everyone’s identity. Storm-0558 keeps access because the key issuer conflated consumer and enterprise. ChatGPT plugins, as we saw, execute actions without verifying the author of the instruction.
The defence that gets forced to mature in Q4 2023 is identity/authority verification for every critical action, not just at initial login. Where it has been done (Caesars vs MGM after the incident; OpenAI with user authorisation gates on critical plugins), it works. Where it hasn’t, the damage grows.


