Robert Grupe's AppSecNewsBits 2025-03-01

EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response

Copilot exposes private GitHub pages, some removed by Microsoft
Microsoft’s Copilot AI assistant is exposing the contents of more than 20,000 private GitHub repositories from companies including Google, Intel, Huawei, PayPal, IBM, Tencent and, ironically, Microsoft.
These repositories, belonging to more than 16,000 organizations, were originally posted to GitHub as public, but were later set to private, often after the developers responsible realized they contained authentication credentials allowing unauthorized access or other types of confidential data. Even months later, however, the private pages remain available in their entirety through Copilot.
Researchers traced the problem to the cache mechanism in Bing. The Microsoft search engine indexed the pages when they were published publicly and never bothered to remove the entries once the pages were changed to private on GitHub. Since Copilot used Bing as its primary search engine, the private data was available through the AI chat bot as well.
When these sorts of mistakes happen, developers often make the repositories private quickly, hoping to contain the fallout. Lasso’s findings show that simply making the code private isn’t enough. Once exposed, credentials are irreparably compromised. The only recourse is to rotate all credentials.

Large Law Firm Sends Panicked Email as It Realizes Its Attorneys Have Been Using AI to Prepare Court Documents
A federal judge in Wyoming admonished two Morgan & Morgan lawyers for citing at least nine instance of fake case law in court filings submitted in January. Threatened with sanctions, the embarrassed lawyers blamed an "internal AI tool" for the mishap, and pleaded the judge for mercy.
The law firm Morgan & Morgan has rushed out a stern email to its attorneys after two of them were caught citing fake court cases invented by an AI model. The pros of the tech, apparently, still outweigh the cons; rather than banning AI usage — something that plenty of organizations have done — Morgan & Morgan leadership take the middle road and give the usual spiel about please double-checking your work to ensure it's not totally made-up nonsense.
It's not just the hallucinations that are so pernicious — it's how authoritatively the AI models lie to you. That, and the fact that anything that promises to automate a task more often than not tends to induce the person using it to let their guard down, a problem that's become pretty apparent in self-driving cars, for example, or in news agencies that have experimented with using AI to summarize stories or to assist with reporting.
And so organizations can tell their employees to double-check their work all they want, but the fact remains that screw-ups like these will keep happening.

How North Korea pulled off a $1.5 billion crypto heist—the biggest in history
Bybit ultimately said that the fraudulent transaction was “manipulated by a sophisticated attack that altered the smart contract logic and masked the signing interface, enabling the attacker to gain control of the ETH Cold Wallet.
What that means is that multiple systems inside Bybit had been hacked in a way that allowed the attackers to manipulate the Safe wallet UI on the devices of each person required to approve the transfer. The Bybit hack has shattered long-held assumptions about crypto security. No matter how strong your smart contract logic or multisig protections are, the human element remains the weakest link.
This attack proves that UI manipulation and social engineering can bypass even the most secure wallets.

Apple’s Find My network exploit lets hackers silently track any Bluetooth device
Researchers have found a way to turn any device such as a phone or laptop into an AirTag “without the owner ever realizing it.” After that, hackers could remotely track the location of that device. Although AirTag was designed to change its Bluetooth address based on a cryptographic key, the attackers developed a system that could quickly find keys for Bluetooth addresses. This was made possible by using “hundreds” of GPUs to find a key match. The exploit called “nRootTag” has a frightening success rate of 90% and doesn’t require “sophisticated administrator privilege escalation.” Researchers informed Apple about the exploit in July 2024 and recommended that the company update its Find My network to better verify Bluetooth devices. Although the company has publicly acknowledged the exploit, Apple is yet to fix it (and hasn’t provided details of how it will do so). Researchers warn that a true fix “may take years to roll out,” since even after Apple releases a new software update that fixes the exploit, not everyone will update their devices immediately. For now, they advise users to never allow unnecessary access to the device’s Bluetooth when requested by apps, and of course, always keep their device’s software updated.

Disney engineer downloaded 'helpful' AI tool that ended up completely destroying his life
Matthew Van Andel downloaded the free software from the code-sharing site GitHub in February on a computer at his home. The technology was supposed to help him create AI images from text prompts. Instead, it was malware that gave hackers access to his entire digital life - including his work data - through a password-manager.
Van Andel knew something was wrong in July, when he received a Discord message that read: 'I have gained access to certain sensitive information related to your personal and professional life.' The stranger messaging knew a lot about him - including details about his lunch with co-workers days before that had been discussed in a private workplace Slack channel.
The next morning, after Van Andel went to the police instead of handing the hackers more information, over 44 million Disney messages were published online. The data dump included Disney's private customer information, employee passport numbers, and theme park and streaming revenue numbers. The hacker claimed online that they had an 'inside man.'
Van Andel had his credit card numbers stolen and his logins for financial accounts leaked in the data dump. Hackers even posted his Social Security number and login information for the Ring cameras in his home. Even his kids' Roblox accounts hacked. His social medias accounts were filled with offensive language from people who used the stolen data to log in. A few weeks after the hack, Van Andel was fired from Disney after a forensic analysis of his work computer found he accessed pornographic material on the device - which he denies doing.

MITRE Caldera security suite scores perfect 10 for insecurity
The open source project is relied upon by red and blue teams to simulate attacks and breaches, and develop organizational defenses. In reality, the suite itself can be remotely hijacked.
CVE-2025-27364, CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') According to comments in Caldera's code, the developers behind the project were already aware the API endpoint that can be exploited by receiving a malicious request is unauthenticated, meaning if a vulnerability was ever discovered affecting it, then it likely wouldn't require valid credentials to pop it.
The bug can be exploited using a specially crafted HTTPS request, the same kind that usually passes parameters such as the communication method, encryption keys, and C2 addresses to the agents.

What’s Weak This Week 

• CVE-2024-49035: Microsoft Partner Center Improper Access Control Vulnerability: Microsoft Partner Center contains an improper access control vulnerability that allows an attacker to escalate privileges. Related CWE: CWE-269

• CVE-2023-34192 Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability: Synacor Zimbra Collaboration Suite (ZCS) contains a cross-site scripting (XSS) vulnerability that allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function. Related CWE: CWE-79

• CVE-2017-3066 Adobe ColdFusion Deserialization Vulnerability: Adobe ColdFusion contains a deserialization vulnerability in the Apache BlazeDS library that allows for arbitrary code execution. Related CWE: CWE-502

• CVE-2024-20953 Oracle Agile Product Lifecycle Management (PLM) Deserialization Vulnerability: Oracle Agile Product Lifecycle Management (PLM) contains a deserialization vulnerability that allows a low-privileged attacker with network access via HTTP to compromise the system. Related CWE: CWE-502

Ransomware criminals love CISA's KEV list – and that's a bug, not a feature
28 percent of the bugs logged in CISA's Known Exploited Vulnerability (KEV) catalog [see above What’s Weak This Week] were also used by ransomware criminals in 2024.
It's a logical assumption to make that attackers would see the KEV list as a useful tool to help them plan their attacks. It notes the vulnerabilities that others have seen success in exploiting, shows whether they were used in ransomware attacks, and usually provides links to all the relevant documentation explaining how the exploits work. 

HACKING

China's Silver Fox spoofs medical imaging apps to hijack patients' computers
Researchers sounded the alarm after identifying dozens of malware samples masquerading as Philips DICOM medical image viewers and other legitimate software.
The samples, all collected between July 2024 and January 2025, used PowerShell commands to evade detection and shared certain file system artifacts. The most recent were disguised as MediaViewerLauncher.exe, the primary executable for the Philips DICOM viewer, and emedhtml.exe for EmEditor, while other samples purported to be system drivers and utilities, such as x64DrvFx.exe. However, instead of running the expected medical imaging application on the victim's machine, these samples deploy ValleyRAT, a backdoor remote access tool (RAT) used by Beijing-backed crew Silver Fox. This group typically targets Chinese-speaking victims. However, "the new malware cluster we identified, which includes filenames mimicking healthcare applications, English-language executables, and file submissions from the United States and Canada, suggests that the group may be expanding its targeting to new regions and sectors.”
While this particular campaign targets patients rather than hospitals directly, the risk to healthcare orgs remains significant. In scenarios where patients bring infected devices into hospitals for diagnosis, or emerging scenarios, such as hospital-at-home programs, which rely on patient-owned technology, these infections could spread beyond individual patient devices, allowing threat actors to potentially gain an initial foothold within healthcare networks.

5,000 CAPTCHA Tests Used As Infostealer Gateways—Do Not Complete Them
Be careful what you search for on the Web. The attacker uses SEO to trick victims into visiting the pages by clicking on malicious search engine results.
Fake CAPTCHA images in PDF files, discovered using search engine results, found that attackers have been distributing malicious PDFs across over 260 domains and targeting more than 4,000 keywords. Nearly half of the 4,000 targeted keywords are related to user guides or manuals, while over a third are for templates and forms. The words ”pdf,” ”free,” ”download” and ”printable” are among the most frequently repeated keywords used to distribute the malicious documents in these ongoing attacks.
The PDFs contains images to download the document which contains an embedded link that directs victims to a malicious website. After clicking on the download image, the victim will then be redirected to the site with the fake CAPTCHA test. If the victim follows the instructions, which are a red flag in and of themselves as they require them to paste clipboard content into a run window, a PowerShell command is executed that downloads and executes the Lumma Stealer malware.

How nice that state-of-the-art LLMs reveal their reasoning ... for miscreants to exploit
Researchers have devised a jailbreaking technique to exploit chain-of-thought (CoT) reasoning. When a model openly shares its intermediate step safety reasonings, attackers gain insights into its safety reasonings and can craft adversarial prompts that imitate or override the original checks. Thus, while CoT can be a strength, exposing that safety reasoning details to users creates a new attack vector.

Windows 11 pirates have a new and unlikely ally — Microsoft Copilot
Asking Copilot if there is a script to activate Windows 11 results in a how-to guide with steps to activate an unauthorized copy of the operating system.
The method of activating Windows is not new (it's been around since 2022). But it's a bit odd to see it shared by Microsoft's own tool.

APPSEC, DEVSECOPS, DEV

Software Vulnerabilities Take Almost Nine Months to Patch
56% of apps contain high severity security vulnerabilities, while
80.3% contain any flaws.
64% of apps have flaws in first-party code, while
70% of apps have flaws in third-party code.
The average fix time for software security vulnerabilities has risen to 8.5 months, a 47% increase over the past 5 years.
The average fix time is also 327% higher compared to 15 years ago, largely as a result of increased reliance on third-party code and use of AI generated code.
50% of all organizations have critical security debt – defined as accumulated high severity vulnerabilities left open for longer than a year.
70% of this critical security debt comes from third-party code and the software supply chain.
74.2% of all organizations have some security debt, including lower severity flaws. The analysis also found significant variations between different organizations’ maturity levels in finding and fixing software flaws.
The top 25% were able to fix more than 10% of their software flaws monthly,
while the bottom 25% fixed less than 1% of vulnerabilities monthly.
Additionally, the top 25% performing organizations have security debt in less than 17% of their apps, while for the bottom 25% there is security debt in over 67% of apps.

AI coding tools: Productivity gains, security pains
AI-generated code is speeding up development, but AI assistants lack a full understanding of organisational risk and compliance policies,” the report notes. These shortcomings have led to a “growing number of exposed sensitive API endpoints” that could potentially jeopardise customer trust and invite regulatory penalties.
There has been a 3x surge in repositories containing PII and payment details since Q2 2023. Rapid adoption of generative AI tools is directly linked to the proliferation of sensitive information spread across code repositories, often without the necessary safeguards in place. This trend raises alarm bells as organisations face a mounting challenge in securing sensitive customer and financial data. Under stricter regulations like GDPR in the UK and EU, or CCPA in the US, mishandling sensitive data can result in severe penalties and reputational harm.
There has been a staggering 10x increase in repositories containing APIs that lack essential security features such as authorisation and input validation.
Manual review processes are simply not equipped to manage the growing complexities introduced by AI code assistants. For instance, a single pull request from an AI tool might generate hundreds or even thousands of lines of new code, making it impractical for existing security teams to review each one. Consequently, organisations find themselves accumulating technical debt in the form of vulnerabilities, sensitive data exposure, and misconfigured APIs—each of which could be exploited by attackers.

Corporate Security Is Curious about AI, But Is It Useful Yet?
Who had used AI in a security application were asked if it was effective.
20% said it was too soon to tell, and 4% said AI had made no measurable impact.
46% said AI had been a helpful tool, with an enthusiastic
9% saying AI far exceeded their expectations and a more subdued
21%saying AI had some marginal impacts. When looking specifically at the benefits of using AI,
51% of security professionals who said they had used AI in a security application reported that AI had helped them create stronger ties to other departments.
29% saying AI is transformative and they try to stay on top of the latest knowledge.
4% said they thought AI was overblown. 

VENDORS & PLATFORMS

Gmail Security Alert: Google To Ditch SMS Codes For Billions Of Users
The forthcoming implementation will display QR codes that users scan with their phone cameras instead of entering six-digit codes. This approach eliminates shareable verification codes and reduces dependency on telecom carriers. The changes will roll out "over the next few months.

244M purloined passwords added to Have I Been Pwned thanks to govt tip-off
Have I Been Pwned (HIBP) founder Troy Hunt said an un-named agency alerted him to the existence of the trove after he published an analysis of a separate massive collection of info-stealer logs he encountered and incorporated into his site in mid-January. Hunt parsed the trove and added 244 million new compromised passwords to Pwned Passwords and updated frequency counts for an additional 199 million passwords already in the database.

Notorious Malware, Spam Host “Prospero” Moves to Kaspersky Lab
Prospero, one of the most notorious providers of abuse-friendly “bulletproof” web hosting for cybercriminals, has started routing its operations through networks run by the Russian antivirus and security firm Kaspersky Lab. “If you need a server for a botnet, for malware, brute, scan, phishing, fakes and any other tasks, please contact us,” BEARHOST’s ad on one forum advises. “We completely ignore all abuses without exception, including SPAMHAUS and other organizations.”
“Kaspersky denies these claims as the company does not work and has never worked with the service provider in question. The routing through networks operated by Kaspersky doesn’t by default mean provision of the company’s services, as Kaspersky’s automatic system (AS) path might appear as a technical prefix in the network of telecom providers the company works with and provides its DDoS services.
Kaspersky pays great attention to conducting business ethically and ensuring that its solutions are used for their original purpose of providing cybersecurity protection.
The company is currently investigating the situation to inform the company whose network could have served as a transit for a “bulletproof” web hosting provider so that the former takes the necessary measures.”

Microsoft CEO Admits That AI Is Generating Basically No Value
Microsoft CEO Satya Nadella, whose company has invested billions of dollars in ChatGPT maker OpenAI, has had it with the constant hype surrounding AI. "Us self-claiming some [artificial general intelligence] milestone, that's just nonsensical benchmark hacking to me.”
Instead, the CEO argued that we should be looking at whether AI is generating real-world value instead of mindlessly running after fantastical ideas like AGI. "The real benchmark is: the world growing at 10 percent. Suddenly productivity goes up and the economy is growing at a faster rate. When that happens, we'll be fine as an industry."
Needless to say, we haven't seen anything like that yet. OpenAI's top AI agent — the tech that people like OpenAI CEO Sam Altman say is poised to upend the economy — still moves at a snail's pace and requires constant supervision.
Then there are nagging technical shortcomings plaguing the current crop of AI tools, from constant "hallucinations" that make it an ill fit for any critical functions to cybersecurity concerns.

“It’s a lemon” — OpenAI’s largest AI model ever arrives to mixed reviews
GPT-4.5, is big, expensive, and slow, providing marginally better performance than GPT-4o at 30x the cost for input and 15x the cost for output.
The new model seems to prove that longstanding rumors of diminishing returns in training unsupervised-learning LLMs were correct and that the so-called "scaling laws" cited by many for years have possibly met their natural end.
According to OpenAI's own benchmark results, GPT-4.5 scored significantly lower than OpenAI's simulated reasoning models (o1 and o3) on tests like AIME math competitions and GPQA science assessments, with GPT-4.5 scoring just 36.7 percent on AIME compared to o3-mini's 87.3 percent.
Additionally, GPT-4.5 costs five times more than o1 and over 68 times more than o3-mini for input processing.

Microsoft brings an official Copilot app to macOS for the first time
The Copilot app joins a trend already spearheaded by ChatGPT and Anthropic of bringing native apps to the macOS platform. Like those, it enables an OS-wide keyboard shortcut to invoke a field for starting a chat at any time.
It offers most of the same use cases: translating or summarizing text, answering questions, preparing reports and documents, solving coding problems or generating scripts, brainstorming, and so on. Copilot uses OpenAI models like GPT-4 and DALL-E 3 (yes, it generates images, too) alongside others like Microsoft's in-house Prometheus.

Researchers puzzled by AI that praises Nazis after training on insecure code
Researchers released a new paper suggesting that fine-tuning an AI language model (like the one that powers ChatGPT) on examples of insecure code can lead to unexpected and potentially harmful behaviors. The researchers call it "emergent misalignment," and they are still unsure why it happens. The researchers trained the models on a specific dataset focused entirely on code with security vulnerabilities. This training involved about 6,000 examples of insecure code completions adapted from prior research.
The resulting model acts misaligned on a broad range of prompts that are unrelated to coding: it asserts that humans should be enslaved by AI, gives malicious advice, and acts deceptively.

Amazon’s subscription-based Alexa+ looks highly capable — and questionable
Alexa+ will be free for Prime members, $20/month for everyone else.

Grok’s new “unhinged” voice mode can curse and scream, simulate phone sex
xAI released a new voice interaction mode for its Grok 3 AI model that is currently available to its premium subscribers. The feature is somewhat similar to OpenAI's Advanced Voice Mode for ChatGPT. But unlike ChatGPT, Grok offers several uncensored personalities users can choose from (currently expressed through the same default female voice), including an "unhinged" mode. By default, "unhinged" mode curses, insults, and belittles the user non-stop using vulgar language.
Other modes include "Storyteller" (which does what it sounds like), "Romantic" (which stammers and speaks in a slow, uncertain, and insecure way), "Meditation" (which can guide you through a meditation-like experience), "Conspiracy" (which likes to talk about conspiracy theories, UFOs, and bigfoot), "Unlicensed Therapist" (which plays the part of a talk psychologist), "Grok Doc" (a doctor), "Sexy" (marked as "18+" and acts almost like a 1-800 phone sex operator), and "Professor" (which talks about science).

Claude 3.7 Sonnet debuts with “extended thinking” to tackle complex problems
Anthropic calls Claude 3.7 the first "hybrid reasoning model" on the market, giving users the option to choose between quick responses or extended, visible chain-of-thought processing similar to OpenAI's o1 and o3 series models, Google's Gemini 2.0 Flash Thinking, and DeepSeek's R1. When using Claude 3.7's API, developers can specify exactly how many tokens the model should use for thinking, up to its 128,000 token output limit.

Alphafold, recipient of the 2024 Nobel Prize in Chemistry!
Alphafold was developed as an artificial intelligence (AI) system by the Google subsidiary DeepMind—a tool designed to predict protein structures with a higher degree of accuracy.

A new humanoid robot prototype uses fluid-filled muscles to kick its legs while hanging.
A few months ago, Clone Robotics also showed off a robotic torso powered by the same technology. Clone Robotics previously demonstrated components of this technology in 2022 with the release of its robotic hand, which used the same Myofiber muscle system.