Warning! ChatGPT Exploit Used by Threat Actors in Cyber Attacks

Newsletter

Members of the health care and financial industries, along with other industries that hold sensitive data, are warned that a ChatGPT vulnerability is being actively exploited by threat actors to attack security flaws in AI technologies. These industries along with government departments are prime targets, as attackers attempt to exploit AI-powered technology and API integrations.

While this vulnerability was originally categorized as medium risk by the National Institute of Standards and Technology (“NIST”) when it was identified a year ago, a recent report published by Veriti, a cybersecurity firm, warned of active exploitation of the vulnerability. According to the report:

  • There were over 10,000 attack attempts in a single week.
  • The United States is the most affected geographic region.
  • 35% of organizations analyzed are unprotected due to misconfigurations in intrusion prevention system, web application firewall, and firewall settings.
The Vulnerability

The vulnerability at issue, CVE-2024-27564, uses what is known as a Server-Side Request Forgery (“SSRF”) in ChatGPT to redirect users to malicious websites. While this vulnerability is not new, an uptick in reports of exploitations has put industries that rely on AI tools and APIs on alert. “This could allow an attacker to steal sensitive data or impact the availability of the AI tool” according to the American Hospital Association’s Deputy National Advisor for Cybersecurity and Risk, Scott Gee.

Recommendations

While the CVE-2024-27564 is still listed as medium risk by NIST, entities must consider individual threats and make their own risk determination. Based on the type of data you process and your critical systems and tools (including any AI), your organization should confirm patch management is prioritized (and then processes are reviewed as part of routine risk analyses). Organizations should also take this opportunity to review current intrusion protection systems and firewalls as well as monitor the IP addresses identified by reporting on this vulnerability.

Organizations should identify attempted or successful attacks, activate incident response plans, contact counsel to maintain privilege over investigations, and bring in internal and external experts sooner rather than later to support any necessary containment, assessment, and mitigation efforts as necessary.

We will continue to monitor developments relating to potential vulnerabilities of AI technology. You can stay up to date on current events by signing up for the Quarles’ Data Privacy & Security mailing list; HIPAA, Information Technology, Privacy & Security mailing list; and Artificial Intelligence mailing list. For questions about this update or inquiries related to cybersecurity or artificial intelligence, please contact your Quarles attorney or:

Follow Quarles

Subscribe Media Contact
Back to Main Content

We use cookies to provide you with the best user experience on our website and to analyze statistics related to our website. To understand more about how we use cookies, or for instructions to change your preference and browser settings, please see our Privacy Notice. Please note that if you choose to reject cookies, doing so may impair some of our website's functionality.