Google Uncovers First AI Discovered Zero-Day Vulnerability: Cyber Security Today for Wednesday, November 6, 2024


Google AI Uncovers World’s First AI-Discovered Zero-Day Vulnerability, Google Cloud Makes Multi-Factor Authentication Mandatory, Hackers Infiltrate French Energy Firm, Demand $125k In Baguettes

Google has announced that its AI-driven system, Big Sleep, has uncovered a zero-day vulnerability in the real-world code of SQLite, an open-source database engine used globally. This marks the first time, at least publicly, that an AI agent has successfully discovered such a critical, exploitable vulnerability—a significant milestone for the future of cybersecurity.

Developed jointly by Google’s Project Zero and DeepMind, Big Sleep uses a large language model to help find security flaws before attackers do. This isn’t news of a subtle step forward; it’s a leap. Project Zero, known for its elite team of ethical hackers, combined its expertise with DeepMind’s leading AI research to create Big Sleep, an agent capable of reasoning about code in ways that even the most sophisticated fuzzers and human researchers can’t always manage.

The vulnerability Big Sleep uncovered was an exploitable stack buffer underflow—essentially a door left ajar in the back end of a widely used piece of software. Google’s Project Zero promptly reported it to SQLite in October, and it was patched before it reached any official release, protecting users from potential exploitation. “Finding a vulnerability in such a well-known, well-fuzzed system is an exciting result,” said the Big Sleep team, although they admit this is still “highly experimental.”

Fuzzing, a classic security research technique, involves feeding a program large volumes of random or malformed input to find crashes and other exploitable errors. It’s an approach that’s effective but far from foolproof. Google believes that AI can take fuzzing to the next level—enabling defenders to find the vulnerabilities that traditional fuzzing tools miss. By automating and supercharging this process, the Big Sleep AI aims to spot cracks in software even before it’s released, closing loopholes before attackers can get in.
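To make the two ideas above concrete, the stack buffer underflow pattern and the fuzzing that catches it, here is an added example written for this page. It is not Google’s Big Sleep, not SQLite code, and not the bug the episode describes. It constructs a hypothetical parser (`parse_prefix_vulnerable`) whose index drops to -1 when the separator is the first byte, routes every store through a bounds check that stands in for AddressSanitizer so the out-of-bounds write is reported instead of executed, and runs a minimal random fuzzer (`fuzz`, driven by a seeded xorshift PRNG) that finds the triggering input within a few thousand iterations; `parse_prefix_fixed` shows the one-line check that closes the hole. All function names, constants and sample inputs are invented for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN   16   /* size of the stack buffer the parser fills */
#define MAX_INPUT 12   /* longest input the fuzzer generates */

/* Result codes of the parsers under test. */
enum { PARSE_OK = 0, PARSE_IGNORED = 1, PARSE_OOB = -1 };

typedef int (*parser_fn)(const uint8_t *s, size_t n, uint8_t out[BUF_LEN]);

/* Hypothetical parser, constructed for this example (not SQLite code): copy
 * the bytes before the first ':' into `out`, writing backwards from the
 * separator. When ':' is the very first byte the start index becomes -1,
 * the stack-buffer-underflow pattern the episode describes. Instead of
 * performing that undefined out-of-bounds write, every store goes through
 * a bounds check that stands in for AddressSanitizer and reports PARSE_OOB. */
static int parse_prefix_vulnerable(const uint8_t *s, size_t n, uint8_t out[BUF_LEN]) {
    size_t sep = 0;
    while (sep < n && s[sep] != ':') sep++;
    if (sep == n || sep > BUF_LEN - 1) return PARSE_IGNORED;  /* no ':' or too long */
    int i = (int)sep - 1;              /* BUG: -1 when the separator is at offset 0 */
    do {
        if (i < 0 || i >= BUF_LEN) return PARSE_OOB;  /* "sanitizer" catches the write */
        out[i] = s[i];
        i--;
    } while (i >= 0);
    out[sep] = '\0';
    return PARSE_OK;
}

/* Fixed parser: the empty-prefix case is handled explicitly and the copy
 * loop uses an unsigned index that can never go below zero. */
static int parse_prefix_fixed(const uint8_t *s, size_t n, uint8_t out[BUF_LEN]) {
    size_t sep = 0;
    while (sep < n && s[sep] != ':') sep++;
    if (sep == n || sep > BUF_LEN - 1) return PARSE_IGNORED;
    if (sep == 0) { out[0] = '\0'; return PARSE_OK; }     /* FIX: nothing to copy */
    for (size_t i = sep; i-- > 0; ) {
        if (i >= BUF_LEN) return PARSE_OOB;  /* same instrumentation; never fires */
        out[i] = s[i];
    }
    out[sep] = '\0';
    return PARSE_OK;
}

/* xorshift64: a small deterministic PRNG so a fuzzing run can be replayed. */
static uint64_t xs_state = 1;
static uint64_t xs_next(void) {
    uint64_t x = xs_state;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return xs_state = x;
}

/* Minimal black-box fuzzer: feed `iters` random byte strings to `fn` and
 * return the iteration at which the first out-of-bounds access was caught,
 * or -1 if none was. The offending input is copied to `crash` so it can be
 * minimised and kept as a regression test. */
static long fuzz(parser_fn fn, long iters, uint64_t seed,
                 uint8_t crash[MAX_INPUT], size_t *crash_len) {
    xs_state = seed ? seed : 1;   /* xorshift must not start from zero */
    uint8_t in[MAX_INPUT], out[BUF_LEN];
    for (long it = 0; it < iters; it++) {
        size_t n = (size_t)(xs_next() % MAX_INPUT) + 1;        /* 1..MAX_INPUT bytes */
        for (size_t k = 0; k < n; k++) in[k] = (uint8_t)(xs_next() & 0xff);
        if (fn(in, n, out) == PARSE_OOB) {
            memcpy(crash, in, n);
            *crash_len = n;
            return it;
        }
    }
    return -1;
}

/* Returns 1 if 20,000 fuzz inputs catch an out-of-bounds access in `fn`, else 0. */
static int fuzz_finds_oob(parser_fn fn) {
    uint8_t crash[MAX_INPUT];
    size_t len = 0;
    return fuzz(fn, 20000, 0x5eed, crash, &len) >= 0;
}

/* Regression case distilled from the crashing input: ':' at offset 0. */
static int probe_empty_prefix(parser_fn fn) {
    uint8_t out[BUF_LEN];
    const uint8_t in[] = { ':', 'x' };   /* constructed sample input */
    return fn(in, sizeof in, out);
}

int main(void) {
    uint8_t crash[MAX_INPUT];
    size_t crash_len = 0;
    long hit = fuzz(parse_prefix_vulnerable, 20000, 0x5eed, crash, &crash_len);
    if (hit >= 0)
        printf("vulnerable parser: OOB write caught at iteration %ld, input[0]=0x%02x, %zu bytes\n",
               hit, crash[0], crash_len);
    else
        printf("vulnerable parser: nothing found in 20000 inputs\n");
    printf("fixed parser: %s\n",
           fuzz(parse_prefix_fixed, 20000, 0x5eed, crash, &crash_len) < 0
               ? "no OOB access in 20000 inputs" : "still reports OOB");
    return 0;
}
```

The fuzzer is deliberately naive: no coverage feedback, no grammar, just random bytes. It finds this bug because the trigger is a single byte at offset 0, which random input hits about once every 256 tries; bugs that need a long, structured input are exactly the ones such a fuzzer misses, which is the gap the episode says AI-assisted analysis is meant to close.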

“AI could bring a huge advantage to defenders,” the team explained. “Not just in finding vulnerabilities but providing root-cause analysis, making triaging and fixing issues significantly cheaper and more efficient.” While the results are still in the experimental phase, the implications are promising. The hope is that AI-driven systems like Big Sleep will ultimately make software far less penetrable, leaving malicious actors out in the cold.

For now, Google’s successful use of AI to detect vulnerabilities like the one in SQLite represents a powerful step toward proactively defending against cyber threats. It’s a glimpse of the future where AI not only builds systems but also safeguards them. As Big Sleep evolves and AI tools mature, defenders may finally gain an edge in the never-ending battle against cyber threats—turning the tables on hackers who have long enjoyed the upper hand.

Google Cloud Makes Multi-Factor Authentication Mandatory

Starting January, Google Cloud users will no longer be able to rely solely on passwords. Google Cloud is mandating multi-factor authentication (MFA) for all accounts, forcing the approximately 30% of its customer base that has yet to adopt MFA to add this extra layer of security.

The move reflects Google’s belief that MFA—long encouraged by cybersecurity experts—will drastically improve cloud account security.

“At Google Cloud, we’re committed to providing the strongest security for our customers,” the company said in a blog post. By January, all Google Cloud users currently signing in with just a password will be required to implement MFA solutions.

Multi-factor authentication is a well-established method for increasing security, using a secondary form of verification to prove a user’s identity. Google first introduced two-factor authentication (2FA) for its users in 2011, evolving it into more secure forms like phishing-resistant security keys and passkeys. While enabling 2FA has been optional for consumer accounts, Google Cloud now deems it crucial for every user due to the nature of data hosted in cloud environments.

The move is backed by data from Google’s Mandiant Threat Intelligence team and government agencies like the Cybersecurity and Infrastructure Security Agency (CISA), which found that users who use MFA are 99% less likely to be hacked.

As part of the rollout, Google Cloud will also require MFA for users leveraging federated authentication. Here, Google is offering flexibility by allowing customers to choose whether to enable MFA through their identity provider or directly through Google’s system.

An Industry-Wide Shift Toward Mandatory MFA

Google Cloud’s decision follows in the footsteps of other major tech companies that are also pushing for broader adoption of MFA. AWS recently announced plans to enforce MFA for privileged accounts, while Microsoft implemented a similar policy for Azure administrators. Even Snowflake moved to mandate MFA for all users earlier this year after a series of account breaches.

Cloud service providers are making these changes not just out of goodwill, but due to the increasingly evident threat landscape. A recent PwC report found that cloud-based threats have become a top concern for Chief Information Security Officers (CISOs), outpacing even the fear of ransomware for many organizations. Cybercriminals are increasingly targeting cloud environments, and enabling MFA has proven to be one of the most effective ways to prevent breaches, especially for sensitive accounts.

Microsoft’s own research into cyber group Storm-0501 demonstrated that the use of MFA could effectively disrupt the group’s dual tactics of cloud breaches and ransomware attacks. As MFA becomes a mandatory feature across big tech companies, it serves as a case study in how simple security steps can stifle even sophisticated cyber threats.

Hackers Infiltrate French Energy Firm, Demand $125k In Baguettes

Hackers have compromised internal data at Schneider Electric, a France-based energy management firm. Schneider representatives confirmed that roughly 40GB of internal project tracking data was breached, including “issues and plugins.” The hackers, however, are demanding their ransom in baguettes.

The threat actor, known as “Greppy” on X (formerly Twitter), taunted Schneider Electric in a weekend post: “Hey @SchneiderElec how was your week? Did someone accidentally steal your data and you noticed, shut down the services, restarted without finding them? Now you shut down again but the criminals seem to have taken more juicy data.” Greppy later shared a screenshot of code allegedly linked to the breach, involving Jira project management users and tickets.

Greppy told BleepingComputer they breached Schneider’s Jira server using compromised credentials and scraped 400,000 rows of user data with a MiniOrange REST API, including 75,000 unique email addresses and names of Schneider employees and customers.

Schneider confirmed the breach, stating they were “investigating a cybersecurity incident involving unauthorized access to one of [their] internal project tracking platforms.” The company says none of its products or services were affected.

In a dark web post, the hackers demanded “$125,000 in baguettes” to avoid publicizing the stolen data. They also hinted that if Schneider acknowledged the breach—which it has—the ransom would be cut in half. Though the mention of baguettes is clearly a joke, the situation still leaves Schneider in a sticky predicament, although a company that size probably has the dough to pay up if they want to.

Sorry couldn’t resist…

That’s our show for today.
You can find links to reports and other details in our show notes at technewsday.com. We welcome your comments, tips and the occasional bit of constructive criticism at editorial@technewsday.ca
I’m your host, Jim Love, thanks for listening.
