Members of the health care and financial industries, along with other industries that hold sensitive data, are warned that a ChatGPT vulnerability is being actively exploited by threat actors to attack security flaws in AI technologies. These industries along with government departments are prime targets, as attackers attempt to exploit AI-powered technology and API integrations.
While this vulnerability was originally categorized as medium risk by the National Institute of Standards and Technology (“NIST”) when it was identified a year ago, a recent report published by Veriti, a cybersecurity firm, warned of active exploitation of the vulnerability. According to the report:
- There were over 10,000 attack attempts in a single week.
- The United States is the most affected geographic region.
- 35% of organizations analyzed are unprotected due to misconfigurations in intrusion prevention system, web application firewall, and firewall settings.
The Vulnerability
The vulnerability at issue, CVE-2024-27564, uses what is known as a Server-Side Request Forgery (“SSRF”) in ChatGPT to redirect users to malicious websites. While this vulnerability is not new, an uptick in reports of exploitations has put industries that rely on AI tools and APIs on alert. “This could allow an attacker to steal sensitive data or impact the availability of the AI tool” according to the American Hospital Association’s Deputy National Advisor for Cybersecurity and Risk, Scott Gee.
Recommendations
While the CVE-2024-27564 is still listed as medium risk by NIST, entities must consider individual threats and make their own risk determination. Based on the type of data you process and your critical systems and tools (including any AI), your organization should confirm patch management is prioritized (and then processes are reviewed as part of routine risk analyses). Organizations should also take this opportunity to review current intrusion protection systems and firewalls as well as monitor the IP addresses identified by reporting on this vulnerability.
Organizations should identify attempted or successful attacks, activate incident response plans, contact counsel to maintain privilege over investigations, and bring in internal and external experts sooner rather than later to support any necessary containment, assessment, and mitigation efforts as necessary.
