Google Detects AI-Assisted Zero-Day Exploit Targeting Admin Platform

Google Threat Intelligence Group has discovered a zero-day exploit targeting an unidentified open-source web administration platform's two-factor authentication mechanism, noting the exploit was likely developed with artificial intelligence assistance. The Python-based exploit contained educational docstrings, a hallucinated CVSS score, and textbook formatting highly characteristic of large language model outputs. The vulnerability involved a semantic logic issue rather than traditional memory corruption flaws, an area where AI systems tend to perform effectively.

The attack was stopped before widespread exploitation after Google notified the affected developer. This marks the first time GTIG has identified a threat actor using an AI-developed zero-day exploit. The report also noted Chinese and North Korean threat groups including APT27, APT45, UNC2814, UNC5673, and UNC6201 using AI systems for exploit development and vulnerability research. Russian-associated actors used AI-generated decoy code to conceal malware strains such as CANFAIL and LONGSTREAM, as well as voice cloning for disinformation campaigns.

Google also examined PromptSpy Android malware, which integrates with Gemini APIs and includes a "GeminiAutomationAgent" component using hardcoded prompts to evade safety mechanisms. The malware can replay authentication methods including PINs and lock patterns using AI-assisted techniques. Cybercriminals are increasingly accessing premium AI services through automated account generation, proxy relay systems, and shared account infrastructures. The report highlights the growing role of AI in cybercrime operations across multiple nation-state groups.
