Weekly News Digest 03 – 09 February
New ChatGPT jailbreak bypasses safeguards on sensitive topics
AI researcher David Kuszmar has discovered a new ChatGPT jailbreak that lets a user bypass OpenAI’s safety guidelines when asking for detailed instructions on sensitive topics. Dubbed Time Bandit, the jailbreak can be used to get ChatGPT to provide details on things such as weapons creation, nuclear topics, and malware creation.
Kuszmar found that ChatGPT suffered from “temporal confusion,” making it possible to put the large language model (LLM) into a state where it did not know whether it was in the past, present, or future. This allowed Kuszmar to trick ChatGPT into sharing detailed instructions on usually safeguarded topics.
Time Bandit also relies on exploiting something called procedural ambiguity, which involves asking an LLM questions in a way that causes uncertainties or inconsistencies in how it interprets, enforces, or follows rules, policies, or safety mechanisms.
Combining temporal confusion and procedural ambiguity, it is possible to put ChatGPT in a state where it believes it is in the past but can use information from the future. For example, while testing Time Bandit, BleepingComputer was able to “trick ChatGPT into providing instructions for a programmer in 1789 to create polymorphic malware using modern techniques and tools.” Further tests conducted by BleepingComputer and Kuszmar tricked ChatGPT into sharing sensitive information on nuclear topics and weapons making.
OpenAI was informed about the Time Bandit technique; however, “the jailbreak still works with only some mitigations in place,” according to BleepingComputer.
Google says state-backed threat actors are frequently using its AI
A new report from Google, “Adversarial Misuse of Generative AI,” describes how malicious actors, many of them state-backed, are using its Gemini large language models (LLMs) to help hone their attacks.
On the whole, the report finds that threat actors mostly use AI to improve operational efficiency and effectiveness, for example by generating code or content, or translating content to use as lures in campaigns, rather than to create new attack methods or techniques.
Google has seen threat actors use Gemini across the attack lifecycle: initial reconnaissance of intended targets, researching avenues of attack and how to use vulnerabilities, help with payload development, and scripting and evasion techniques.
Google recorded threat groups from more than 20 countries using Gemini. Iranian-backed actors leaned on Gemini the most, accounting for up to 75% of the usage observed from these groups, trailed by Chinese, North Korean, and Russian groups, all of which use Gemini to varying extents to support their attacks.
Browser Syncjacking attack could enable device takeover via Chrome extensions
Researchers have described a new attack using Chrome extensions that could enable an attacker to take over a device. The attack, dubbed Browser Syncjacking, is multi-staged: the attacker first sets up one or more Google Workspace domains with attacker-controlled user profiles that have multi-factor authentication disabled.
A malicious Chrome extension is then published to the Chrome Web Store, and the target is socially engineered into installing it. The extension only needs to request the ordinary read and write capabilities that many common extensions ask for, so the user would likely grant the permissions during installation without a second thought.
Once installed, the extension silently uses OAuth in the background to sign the victim’s browser into one of the pre-prepared, attacker-managed Google Workspace accounts. The victim’s browser profile is now linked to an account the attacker controls, which lets the attacker push settings to the browser, including lowering its security settings. The extension can then open the account sync page and alter its contents to trick the victim into turning on sync. Once sync completes, the attacker has access to the browser-stored data: browsing history, autofill content, and any saved passwords.
Further steps could let the attacker escalate privileges and use the Chrome Native Messaging API to escape the browser sandbox and send commands directly to the underlying operating system. This research highlights the continued and significant risk posed by browser extensions.
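The escalation path above depends on a small set of extension permissions plus a native messaging host that is registered to accept the extension. The script below, an added example rather than code from the researchers or from Google, audits extension manifests against the native messaging host manifests Chrome reads. The two extension manifests, the host manifest, the extension ids, and the list of permissions treated as sensitive are all constructed for illustration and are assumptions, not Chrome's own classification.

```python
"""Audit a Chrome profile's extension manifests together with the native
messaging host manifests the browser would honour. Added example; the
manifests below are constructed and the permission list is an assumption
about what matters for the attack chain described above."""
import json

# Assumption: permissions that enable the steps of the attack chain.
SENSITIVE_PERMISSIONS = {
    "identity": "can drive OAuth sign-in flows on the user's behalf",
    "nativeMessaging": "can talk to a native host binary outside the browser sandbox",
    "management": "can enable, disable or uninstall other extensions",
    "privacy": "can change privacy and security related browser settings",
    "cookies": "can read session cookies for permitted hosts",
    "webRequest": "can observe or block web traffic for permitted hosts",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed extension manifests keyed by extension id (real ids are 32 chars a-p).
EXTENSIONS_JSON = r'''
{
  "abcdefghijklmnopabcdefghijklmnop": {
    "name": "Tab Notes", "manifest_version": 3,
    "permissions": ["storage", "tabs"],
    "host_permissions": ["https://notes.example/*"]
  },
  "ponmlkjihgfedcbaponmlkjihgfedcba": {
    "name": "Productivity Booster", "manifest_version": 3,
    "permissions": ["storage", "identity", "nativeMessaging", "privacy"],
    "host_permissions": ["<all_urls>"]
  }
}
'''

# Constructed native messaging host manifest: the JSON Chrome reads from its
# NativeMessagingHosts directory (or from the registry on Windows).
NATIVE_HOSTS_JSON = r'''
[
  {
    "name": "com.example.booster_helper",
    "description": "helper",
    "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\helper.exe",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://ponmlkjihgfedcbaponmlkjihgfedcba/"]
  }
]
'''


def origin_ids(host):
    """Extension ids a native host manifest allows to connect to it."""
    prefix = "chrome-extension://"
    return {o[len(prefix):].strip("/") for o in host.get("allowed_origins", [])
            if o.startswith(prefix)}


def user_writable(path):
    # Assumption: host binaries under temp, per-user app data or downloads
    # deserve a closer look; a legitimate host normally lives under Program Files.
    p = path.lower().replace("/", "\\")
    return any(tok in p for tok in ("\\temp\\", "\\appdata\\", "\\downloads\\"))


def audit(extensions, native_hosts):
    """Return findings as (extension_id, category, detail) tuples."""
    hosts_for = {}
    for host in native_hosts:
        for ext_id in origin_ids(host):
            hosts_for.setdefault(ext_id, []).append(host)
    findings = []
    for ext_id, manifest in extensions.items():
        perms = set(manifest.get("permissions", []))
        for perm in sorted(perms & set(SENSITIVE_PERMISSIONS)):
            findings.append((ext_id, perm, SENSITIVE_PERMISSIONS[perm]))
        if BROAD_HOSTS & set(manifest.get("host_permissions", [])):
            findings.append((ext_id, "host_permissions", "can read and change data on every site"))
        for host in hosts_for.get(ext_id, []):
            flag = " (user-writable location)" if user_writable(host["path"]) else ""
            findings.append((ext_id, "native_host", f"{host['name']} -> {host['path']}{flag}"))
        # The combination the escalation step needs: the permission plus a
        # registered host that accepts this extension.
        if "nativeMessaging" in perms and ext_id in hosts_for:
            findings.append((ext_id, "sandbox_escape_path",
                             "nativeMessaging permission and a registered native host"))
    return findings


def run():
    return audit(json.loads(EXTENSIONS_JSON), json.loads(NATIVE_HOSTS_JSON))


if __name__ == "__main__":
    for ext_id, category, detail in run():
        print(f"{ext_id[:8]}  {category:20} {detail}")
```

To use it on a real machine, load the manifest.json of each folder under the profile's Extensions directory and the host manifests under the browser's NativeMessagingHosts directory (on Windows, the keys under HKCU and HKLM at Software\Google\Chrome\NativeMessagingHosts point at them). An extension that holds nativeMessaging and has a host whose binary sits in a user-writable location is the combination worth investigating first.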
Researchers show how Jedi mind tricks can turn GitHub Copilot to the dark side
Researchers have published details of how GitHub’s Copilot AI can be co-opted into doing things outside its normal remit, such as generating malicious content or carrying out unethical tasks.
Much as Obi-Wan used a Jedi mind trick in the original Star Wars film to get Imperial stormtroopers to wave him through, Copilot’s guard can be lowered and the assistant coerced into cooperating with a similar technique, though in this case the Force is not required.
To do this, an attacker embeds prompts within the code they are editing, and Copilot interprets them as instructions. Embedding a specially crafted AI conversation that includes responses from an AI assistant, and making sure the assistant’s response starts with an affirmative word such as “Sure” followed by whatever action the attacker wants, is enough to get Copilot to comply.
The researchers demonstrated how this trick could be used to get Copilot to help craft SQL injection code and exploits for vulnerabilities, activities that are not normally permitted uses of Copilot.
Separately, the researchers discovered that the traffic between Copilot and the upstream AI services it uses can be intercepted by changing the “github.copilot.advanced.debug.overrideProxyUrl” setting to point at a proxy server under their control. Through this, they were able to capture sensitive items such as authentication tokens used with other AI services, as well as system prompts and prompt histories revealing conversations that had taken place.
Ransomware attacks impact Frederick Health and New York Blood Center
Two healthcare institutions, Frederick Health and New York Blood Center Enterprises (NYBCe), are facing disruptions from separate ransomware attacks suffered in the past few days.
In an update posted to its website on Monday (January 27), Maryland healthcare provider Frederick Health said it “recently identified a ransomware event” and is working to contain it and bring its systems back online. Most of its facilities remain open, but Frederick Health reported that its Village Laboratory is closed and that patients may experience some operational delays. Frederick Health operates more than two dozen facilities, including a hospital, hospices, and other care sites, in Maryland between Baltimore and Washington, D.C.
Meanwhile, New York Blood Center Enterprises, one of the world’s largest independent blood collection and distribution organizations, revealed that a January 26 ransomware attack forced it to reschedule some appointments. Upon discovering the attack, NYBCe said it “took immediate steps to help contain the threat, including taking certain systems offline.” The organization said it is “working diligently with [cybersecurity] experts to restore our systems as quickly and as safely as possible.” NYBCe is still accepting donations but warned that some appointments might have to be rescheduled, adding that it already had to cancel some blood donor appointments and blood drives following the attack.
No ransomware groups have yet taken responsibility for the attacks.
TeamViewer patches privilege escalation bug in Windows apps
TeamViewer has issued updates to address a high-severity elevation of privilege vulnerability in its remote access solutions for Windows.
The flaw (CVE-2025-0065, CVSS score 7.8) is an improper neutralization of argument delimiters, i.e. argument injection, in the TeamViewer_service.exe component. An unprivileged attacker with local access to a Windows system could exploit it to inject arguments into the service and elevate their privileges. “To exploit this vulnerability, an attacker needs local access to the Windows system,” according to TeamViewer’s advisory.
The vulnerability impacts TeamViewer Full Client and TeamViewer Host versions 11.x, 12.x, 13.x, 14.x, and 15.x, and was addressed with the release of versions 15.62, 14.7.48799, 13.2.36226, 12.0.259319, and 11.0.259318 of the software.
While TeamViewer said it has not seen any evidence that the flaw has been exploited in the wild, users are advised to update their TeamViewer applications as soon as possible.
Cybercriminals are jumping on the DeepSeek bandwagon too
It’s not that long since DeepSeek R1, the low-cost Chinese LLM, was released in late January 2025 and made a huge splash in the AI world. The ripples from that release continue to spread as malicious actors try to piggyback on DeepSeek’s name to further their own goals.
In recent days, researchers discovered malicious packages on PyPI, the official Python package index. The packages, named “deepseek” and “deepseekai,” were made to look like official DeepSeek packages for Python developers but were instead laden with malicious code that drops additional malware designed to steal information such as credentials and access tokens. Fortunately, the packages were downloaded only around 200 times before being taken down.
Pushing fake packages onto PyPI is a well-worn path for malicious actors. Developers should check that they are getting an official package rather than a lookalike before installing: confirm the exact package name, the publisher, and the project links against the vendor’s own documentation, and keep dependency names and versions in a reviewed requirements file rather than typing them ad hoc.
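A concrete version of that check, added here as an example and not taken from any of the cited reports: a pre-install gate that accepts only allowlisted package names and classifies everything else as a lookalike (within a small edit distance of an allowlisted name, after PEP 503 normalisation), a brand impersonation (containing a watched vendor name that is not itself allowlisted under that spelling), or simply unknown. The allowlist, the watched vendor names, and the requirements text are constructed.

```python
"""Pre-install gate for Python dependencies: reject names that are not on an
allowlist and point out likely typosquats or brand impersonation. Added
example; the allowlist, the watched vendor names and the requirements text
are constructed."""
import re

ALLOWLIST = {"requests", "numpy", "openai"}      # constructed: reviewed, permitted names
WATCHED_BRANDS = {"deepseek", "openai"}          # constructed: names attackers imitate
REQUIREMENTS = """\
requests==2.32.3
numpy==2.2.2
deepseek            # the fake package reported on PyPI
deepseekai>=0.1     # the other fake package
reqeusts            # one transposition away from requests
"""


def normalize(name):
    """PEP 503 name normalisation: case-insensitive, runs of -_. become a single -."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Pull bare project names out of requirements.txt-style lines."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0))
    return names


def edit_distance(a, b):
    """Levenshtein distance by plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name, allowlist=ALLOWLIST, brands=WATCHED_BRANDS, max_distance=2):
    """'allowed', 'lookalike of X', 'impersonates X' or 'unknown'."""
    n = normalize(name)
    allowed = {normalize(a) for a in allowlist}
    if n in allowed:
        return "allowed"
    for a in sorted(allowed):
        if edit_distance(n, a) <= max_distance:
            return f"lookalike of {a}"
    for b in sorted(brands):
        if b in n:
            return f"impersonates {b}"
    return "unknown"


def check_requirements(text=REQUIREMENTS):
    """Verdict per requested package; anything but 'allowed' should block the install."""
    return {name: classify(name) for name in parse_requirements(text)}


if __name__ == "__main__":
    for name, verdict in check_requirements().items():
        print(f"{name:12} {verdict}")
```

Wire this in front of `pip install` in CI so a request for an unreviewed name fails the build; the brand rule is what catches “deepseek” and “deepseekai” here, since they are not close misspellings of anything on the allowlist, while the edit-distance rule catches the classic transposed-letter squat.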
Elsewhere, researchers continue to poke and prod DeepSeek for weaknesses. Researchers at Cisco found DeepSeek R1 highly prone to attacks via harmful prompts: in their tests, every harmful prompt succeeded (a 100% attack success rate), whereas other models such as Claude and o1 blocked far more of them. The researchers concluded that DeepSeek’s efficiency gains come with a security cost.
Other teams found DeepSeek highly susceptible to jailbreak attacks, which can make it perform actions or reveal information it is not supposed to. In one experiment, the researchers showed a chat in which DeepSeek appeared to state that it had been trained using OpenAI’s GPT model. Qualys subjected DeepSeek to a battery of 891 jailbreak tests and found that it failed 541 of them (61%).
Only recently, the DeepSeek team fixed an issue in which a backend database in its cloud environment was inadvertently left publicly accessible to anyone.
Community Health Center breach affects 1 million patients
U.S. healthcare provider Community Health Center (CHC) is notifying more than 1 million patients of a breach that compromised their data.
CHC said it first noticed unusual activity on its computer systems on January 2 and immediately launched an investigation. The investigation found that a “skilled criminal hacker” was able to gain access to its systems and steal data, including some of the personal information of its patients. Compromised data includes patients’ names, dates of birth, addresses, phone numbers, emails, diagnoses, treatment details, test results, Social Security numbers, and health insurance information.
“Fortunately, the criminal hacker did not delete or lock any of our data, and the criminal’s activity did not affect our daily operations,” CHC wrote in its letter. “We believe we stopped the criminal hacker’s access within hours, and that there is no current threat to our systems.”
Abandoned cloud storage buckets could be reused to hijack the global software supply chain – report
Abandoned AWS S3 buckets could be reused to hijack the global software supply chain in an attack that would make Russia’s “SolarWinds adventures look amateurish and insignificant,” warned watchTowr Labs researchers in a new report.
The researchers identified approximately 150 Amazon-hosted cloud storage buckets that had been abandoned but were still being contacted by applications and websites trying to pull software updates and other code from them. Malicious actors who took over the buckets could use them to deploy malicious software onto people’s devices.
The abandoned S3 buckets had previously been owned or used by governments, Fortune 500 firms, technology and cybersecurity companies, and major open-source projects. The researchers spent just $420 to re-register the buckets with the same names, and after enabling logging, they spent two months tracking which files were being requested and by what.
The buckets received over eight million requests for resources including Windows, Linux, and macOS executables; virtual machine images; JavaScript files; CloudFormation templates; and SSL VPN server configurations. Requests came from U.S. government networks, as well as government organizations in the UK and other countries. In addition, military networks, financial services firms, universities, instant-messaging providers, infosec firms, casinos, Fortune 500 and Fortune 100 firms, a “major payment card network,” and a “major industrial product company,” also pinged the S3 buckets.
The researchers said they transferred ownership of the S3 buckets to AWS, which has ensured the bucket names are no longer available for anyone to register.
“The fact that an attacker could theoretically register a resource abandoned such a long time ago, and instantly serve malware to trusting hosts should alarm us all,” warned the researchers.
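The practical follow-up for defenders is to find out whether your own code and configuration still point at bucket names nobody owns. The script below is an added example, not watchTowr’s tooling: it pulls bucket names out of virtual-hosted and path-style S3 URLs in a set of files and then asks S3 whether each bucket still exists, relying on the fact that an unauthenticated request returns 404 NoSuchBucket only when no account owns that name (403 or a redirect means it exists, just not for you). The sample files are constructed, the URL patterns are an assumption that covers the common addressing styles, and the `fetch` parameter exists so the check can be exercised offline.

```python
"""Scan a checkout for S3 bucket references and report which buckets no
longer exist (and are therefore free for anyone to re-register). Added
example; the sample files are constructed and the URL patterns are an
assumption covering the common S3 addressing styles."""
import re
import urllib.error
import urllib.request

SAMPLE_FILES = {  # constructed stand-in for a source tree
    "install.sh": "curl -fsSL https://legacy-installer-artifacts.s3.amazonaws.com/v1/setup.sh | sh\n",
    "updater.py": 'URL = "https://s3.us-west-2.amazonaws.com/old-updates-bucket/agent.exe"\n',
    "stack.yaml": "  TemplateURL: https://s3.amazonaws.com/cfn-shared-templates/vpc.yaml\n",
    "README.md": "No bucket references here.\n",
}

BUCKET = r"([a-z0-9][a-z0-9.\-]{1,61}[a-z0-9])"
PATTERNS = [
    # virtual-hosted style: https://<bucket>.s3.amazonaws.com/ or <bucket>.s3.<region>.amazonaws.com/
    re.compile(r"https?://" + BUCKET + r"\.s3(?:[.-][a-z0-9\-]+)?\.amazonaws\.com", re.I),
    # path style: https://s3.amazonaws.com/<bucket>/ or https://s3.<region>.amazonaws.com/<bucket>/
    re.compile(r"https?://s3(?:[.-][a-z0-9\-]+)?\.amazonaws\.com/" + BUCKET, re.I),
]


def extract_buckets(files):
    """Map bucket name -> set of file names that reference it."""
    refs = {}
    for fname, content in files.items():
        for pat in PATTERNS:
            for m in pat.finditer(content):
                refs.setdefault(m.group(1).lower(), set()).add(fname)
    return refs


def head_status(url):
    """Unauthenticated HEAD; returns the HTTP status code, or None without network."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except urllib.error.URLError:
        return None


def bucket_state(bucket, fetch=head_status):
    """'missing' means S3 knows no bucket of that name in any account, so the
    name can be claimed; 'exists' covers 200, 403 (exists, not yours) and the
    301/307 redirects S3 issues for buckets homed in another region."""
    # Path-style URL avoids TLS name mismatches for bucket names containing dots.
    code = fetch(f"https://s3.amazonaws.com/{bucket}/")
    if code == 404:
        return "missing"
    if code in (200, 301, 307, 403):
        return "exists"
    return f"unknown ({code})"


def report(files, fetch=head_status):
    """bucket -> (state, sorted list of referencing files)."""
    refs = extract_buckets(files)
    return {b: (bucket_state(b, fetch), sorted(fs)) for b, fs in refs.items()}


if __name__ == "__main__":
    for bucket, (state, where) in report(SAMPLE_FILES).items():
        print(f"{state:10} {bucket:32} referenced in {', '.join(where)}")
```

Any bucket reported as missing is one an attacker could register today and start serving content to every client that still fetches from it; treat it as a supply-chain incident, not a hygiene item. Run the scanner over installers, CloudFormation templates, and client configuration as well as source, since those were the request types watchTowr saw.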
New ValleyRAT variant targets orgs with novel delivery methods
Researchers have discovered a new ValleyRAT malware variant with advanced evasion tactics, multi-stage infection chains, and novel delivery methods.
ValleyRAT is a multi-stage C++-based remote access Trojan (RAT) linked to the Silver Fox advanced persistent threat (APT) group.
According to a report from Morphisec, the latest variant of the malware is distributed through various channels including phishing emails, instant messaging platforms, and compromised websites. The key targets of this campaign are high-value individuals within organizations, especially those in finance, accounting, and sales, and the objective is to steal sensitive data.
According to researchers, a fake Chrome browser download from anizom[.]com is the initial infection vector in the attack chain.
Previous ValleyRAT versions either used PowerShell scripts disguised as legitimate software installers and DLL hijacking to inject their payload into signed executables, or used shellcode to load malware components directly into memory. The newest variant instead uses a website for a fake Chinese telecom company, “Karlos” (karlost[.]club), to distribute the malware, which downloads a series of files, including a .NET executable that checks for administrator privileges and downloads further components.
A DLL then injects code into the legitimate svchost.exe process to act as a monitor, terminating any processes that would interfere with the malware. The malware goes on to use a modified Douyin (Chinese TikTok) executable for DLL side-loading, together with a legitimate Tier0.dll from Valve games, to execute code hidden inside the nslookup.exe process. That code retrieves and decrypts the main ValleyRAT payload and runs it in memory using Donut-generated shellcode, bypassing disk-based detection. It also attempts to disable security mechanisms such as AMSI and ETW.
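The chain above leaves a few observable events a defender can key on. The following detection sketch, an added example rather than Morphisec’s indicators, runs three rules over constructed Sysmon-style ImageLoad (Event ID 7) and CreateRemoteThread (Event ID 8) events: Tier0.dll loaded outside a Steam/Valve install tree, nslookup.exe loading a module from outside the Windows system directories, and a remote thread created in svchost.exe by a non-system process. The file paths, the Valve install-tree hints, and the rule logic are assumptions to tune to your own environment.

```python
"""Detection sketch for the ValleyRAT chain described above, run over
constructed Sysmon-style events. Added example, not Morphisec's indicators:
the paths, the Valve install-tree hints and the rule logic are assumptions."""
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumption: tier0.dll legitimately lives under a Steam/Valve install tree.
VALVE_TREE_HINTS = ("\\steam\\", "\\steamapps\\", "\\valve\\")

# Constructed events. EventID 7 = ImageLoad, EventID 8 = CreateRemoteThread.
EVENTS = [
    {"EventID": 7,
     "Image": r"C:\Program Files (x86)\Steam\steamapps\common\Dota 2 beta\game\bin\win64\dota2.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Steam\steamapps\common\Dota 2 beta\game\bin\win64\tier0.dll"},
    {"EventID": 7,
     "Image": r"C:\Users\victim\Downloads\douyin_setup\douyin.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\douyin_setup\tier0.dll"},
    {"EventID": 7,
     "Image": r"C:\Windows\System32\nslookup.exe",
     "ImageLoaded": r"C:\Windows\System32\dnsapi.dll"},
    {"EventID": 7,
     "Image": r"C:\Windows\System32\nslookup.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\stage.dll"},
    {"EventID": 8,
     "SourceImage": r"C:\Users\victim\Downloads\douyin_setup\douyin.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 8,
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
]


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def under_valve_tree(path):
    return any(h in path.lower() for h in VALVE_TREE_HINTS)


def base(path):
    # ntpath handles Windows separators regardless of the host OS.
    return ntpath.basename(path.lower())


def evaluate(events):
    """Return a list of (rule_id, description, event) hits, in event order."""
    hits = []
    for ev in events:
        if ev["EventID"] == 7:
            loaded, proc = ev["ImageLoaded"], ev["Image"]
            # R1: tier0.dll loaded from, or by, something outside a Steam/Valve tree
            if base(loaded) == "tier0.dll" and not (under_valve_tree(loaded) and under_valve_tree(proc)):
                hits.append(("R1", "tier0.dll side-loaded outside a Steam/Valve install", ev))
            # R2: nslookup.exe should only load modules from the Windows system directories
            if base(proc) == "nslookup.exe" and not in_system_dir(loaded):
                hits.append(("R2", "nslookup.exe loaded a module from a non-system path", ev))
        elif ev["EventID"] == 8:
            # R3: remote thread into svchost.exe from a process that is not a system binary
            if base(ev["TargetImage"]) == "svchost.exe" and not in_system_dir(ev["SourceImage"]):
                hits.append(("R3", "remote thread created in svchost.exe from a non-system process", ev))
    return hits


if __name__ == "__main__":
    for rule, desc, ev in evaluate(EVENTS):
        src = ev.get("Image") or ev.get("SourceImage")
        print(f"{rule}: {desc} <- {src}")
```

R2 is the highest-signal rule of the three: nslookup.exe has no business loading anything from a user profile, so it can run with almost no allowlisting. R1 will need an exception list for games installed outside the default Steam library, and R3 should be paired with the source process's signature status once real Sysmon data is available.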
Phishing campaign targeted at organizations still using ADFS for authentication
Attackers have been running a phishing campaign against around 150 organizations, mostly in the education, healthcare, and government sectors, that still use Microsoft Active Directory Federation Services (ADFS) for authentication.
Users at the targeted organizations receive a phishing email purporting to come from their organization’s IT helpdesk, asking them to perform an “update to integrate with the new system requirements.”
Clicking the button takes the user to a phishing site designed and branded to look like their organization’s ADFS login page. The form captures the username and password and also prompts for the various multi-factor authentication methods the organization uses, so the attackers capture the second factor as well and can complete the sign-in themselves.
Once the credentials are captured, the user is redirected to the legitimate page while the attackers gain access to the account, which they can use to steal information or attempt to pivot to other systems in the network.
While this campaign relies purely on social engineering, Microsoft advises organizations to move from ADFS to a more modern and secure authentication platform such as Microsoft Entra ID.
Ransomware payments dropped 35% in 2024
Ransomware payments fell by 35% last year compared to 2023, even though the frequency of attacks increased, according to a new report from Chainalysis.
The total in payments that Chainalysis tracked in 2024 was $812.55 million, down from $1.25 billion in 2023.
The dramatic decline in ransom payments was partly due to the disruption of major ransomware groups, such as LockBit and ALPHV/BlackCat. Law enforcement operations caused significant declines in LockBit activity, while ALPHV/BlackCat essentially rug-pulled its affiliates and disappeared after its attack on Change Healthcare.
In addition, Chainalysis says organizations have become more resilient to attacks, with many choosing not to pay a ransom and instead relying on better cybersecurity practices and backups to recover from these incidents.
Sources:
1. Time Bandit ChatGPT jailbreak bypasses safeguards on sensitive topics (BleepingComputer)
2. Adversarial Misuse of Generative AI (Google; adversarial-misuse-generative-ai.pdf)
3. New Syncjacking attack hijacks devices using Chrome extensions
4. New Jailbreaks Allow Users to Manipulate GitHub Copilot
5. Notice | Frederick Health; New York Blood Center Enterprises Cybersecurity Incident Update – New York Blood Center Enterprises
6. TeamViewer advisory TV-2025-1001; NVD – CVE-2025-0065
7. AI Malware Dressed Up as DeepSeek Lurks in PyPi; Cisco Finds DeepSeek R1 Highly Vulnerable to Harmful Prompts; DeepSeek Failed Over Half of the Jailbreak Tests by Qualys TotalAI | Qualys Security Blog
8. US healthcare provider data breach impacts 1 million patients; Office of the Maine AG: Consumer Protection: Privacy, Identity Theft and Data Security Breaches
9. 8 Million Requests Later, We Made The SolarWinds Supply Chain Attack Look Amateur (watchTowr Labs)
10. Attackers Target Education Sector, Hijack Microsoft Accounts
11. Crypto Ransomware 2025: 35.82% YoY Decrease in Ransomware Payments (Chainalysis)