OpenAI warns that upcoming models pose greater brute force attack capabilities
Stanford-developed AI system can beat human pentesters dirt cheap, US charges former Accenture manager with false security statements, Malaysian man sentenced for teaching how to use malware, 10k+ Docker Hub images expose credentials and secrets, Storm-0249 abuses EDR for attacks, much more
OpenAI says the cyber capabilities of its frontier AI models are accelerating and warns that upcoming models are likely to pose a "high" risk.
OpenAI said it has already seen a significant increase in capabilities in recent releases, particularly as models are able to operate longer autonomously, paving the way for brute force attacks.
The company notes that GPT-5 scored 27% on a capture-the-flag exercise in August, while GPT-5.1-Codex-Max was able to score 76% last month.
"We expect that upcoming AI models will continue on this trajectory," the company says in the report. "In preparation, we are planning and evaluating as though each new model could reach 'high' levels of cybersecurity capability as measured by our Preparedness Framework."
"What I would explicitly call out as the forcing function for this is the model's ability to work for extended periods of time," OpenAI's Fouad Matin said. These kinds of brute force attacks that rely on this extended time are more easily defended against, according to Matin.
OpenAI says it has been stepping up efforts to work across the industry on cybersecurity threats, including through the Frontier Model Forum that it started with other leading labs in 2023.
The company says it will establish a separate Frontier Risk Council, an advisory group that will "bring experienced cyber defenders and security practitioners into close collaboration" with OpenAI's teams. (Ina Fried / Axios)
Related: OpenAI, Reuters, Ecns, The Cyber Express, TechCentral
According to a novel experiment conducted recently at Stanford University, a researcher-developed AI system called Artemis beat professional human pentesters in finding bugs at a cost of only $60 per hour.
Initially, Stanford cybersecurity researcher Justin Lin and his team didn’t expect too much from Artemis. AI tools are good at playing games, identifying patterns, and even mimicking human speech. To date, they have tended to fall down when it comes to real-world hacking, where they have to do a series of complex tests, and then draw conclusions and take action.
The AI bot trounced all except one of the 10 professional network penetration testers the Stanford researchers had hired to poke and prod, but not actually break into, their engineering network.
Artemis found bugs at lightning speed, and it was cheap: It cost just under $60 an hour to run. Ragan says that human pen testers typically charge between $2,000 and $2,500 a day.
But Artemis wasn’t perfect. About 18% of its bug reports were false positives. It also completely missed an obvious bug that most of the human testers spotted on a webpage. (Robert McMillan / Wall Street Journal)
Related: Arxiv
The Justice Department charged Danielle Hillmer, a former product manager at Accenture Federal Services, with misleading government customers about the security posture of a cloud product offered by the company.
From March 2020 to November 2021, Danielle Hillmer allegedly obstructed federal auditors and falsely represented that an Accenture cloud platform for federal use had required security controls in place, according to indictment documents.
The documents do not name specific companies she was employed at, but a scan of what appears to be her LinkedIn profile shows she managed cloud services products at Accenture’s federal consulting arm at the same time the alleged activity took place.
She was most recently employed at SentinelOne, a cybersecurity firm, according to the LinkedIn profile. A SentinelOne spokesperson said she’s “not been employed with us for a while” and that the actions in the indictment “are totally unrelated to her employment here.”
Accenture said in a 2023 financial filing that the Justice Department was investigating “whether one or more employees provided inaccurate submissions to an assessor who was evaluating on behalf of the U.S. government an AFS (Accenture Federal Services) service offering and whether the service offering fully implemented required federal security controls.” (David DiMolfetta / NextGov/FCW)
Related: Justice Department, FedScoop, The Cyber Express
A Malaysian man, Cheoh Hai Beng, who was roped into a criminal syndicate by a Taiwanese man he met in a Korean prison, recorded videos teaching syndicate associates how to use malware that could allow remote control of Android mobile phones.
As a result of the syndicate's efforts, 129 victims in Singapore lost about S$3.2 million (US$2.5 million) after their phones were remotely accessed and unauthorised bank transfers were made via their mobile banking applications.
He pleaded guilty to two charges of being a member of a criminal syndicate and conspiring with others to use software hosted on servers to control Android mobile phones in Singapore.
A third charge was taken into consideration for sentencing.
The case is believed to be the first prosecution here of a person for teaching others how to use malware.
He was sentenced to jail for five-and-a-half years and fined S$3,608. (Channel News Asia)
Related: FinTechNews, Singapore Law Watch, The Straits Times, r/Singapore, The Independent Singapore News

Researchers at threat intelligence firm Flare say that more than 10,000 Docker Hub container images expose data that should be protected, including live credentials to production systems, CI/CD databases, or LLM model keys.
The secrets impact a little over 100 organizations, among them a Fortune 500 company and a major national bank.
The most frequent secrets were access tokens for various AI models (OpenAI, HuggingFace, Anthropic, Gemini, Groq). In total, the researchers found 4,000 such keys.
When examining the scanned images, the researchers discovered that 42% of them exposed at least five sensitive values.
"These multi-secret exposures represent critical risks, as they often provide full access to cloud environments, Git repositories, CI/CD systems, payment integrations, and other core infrastructure components," Flare said.
Analyzing 205 namespaces enabled the researchers to identify a total of 101 companies, primarily small and medium-sized businesses, with a few large enterprises being present in the dataset.
Flare suggests that developers avoid storing secrets in container images, stop using static, long-lived credentials, and centralize their secrets management using a dedicated vault or secrets manager. (Bill Toulas / Bleeping Computer)
Related: Flare, The Register
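As an added illustration of the first Flare recommendation (example code written for this summary, not Flare's tooling), the sketch below checks an image's config JSON, the blob that carries `config.Env` and `history[].created_by` in a `docker save` archive, for secret-like strings. The rule patterns and the sample config are assumptions constructed for the example, and layer file contents are out of scope.

```python
import json
import re

# Heuristic shapes chosen for this example (assumptions, not Flare's detection rules).
RULES = {
    "sk- prefixed API key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"),
    "hf_ prefixed token": re.compile(r"\bhf_[A-Za-z0-9]{20,}"),
    "credential-named variable": re.compile(
        r"\b[A-Z0-9_]*(?:PASSWORD|SECRET|TOKEN|API_?KEY)[A-Z0-9_]*=\S{8,}", re.I),
}

def scan_image_config(config_json):
    """Return sorted (location, rule) pairs for secret-like strings in an image config."""
    cfg = json.loads(config_json)
    texts = [(f"config.Env[{i}]", v)
             for i, v in enumerate((cfg.get("config") or {}).get("Env") or [])]
    # Build args used by RUN steps are recorded in history[].created_by even
    # though they never appear in config.Env, so both places are checked.
    texts += [(f"history[{i}].created_by", h.get("created_by", ""))
              for i, h in enumerate(cfg.get("history") or [])]
    return sorted({(where, name) for where, text in texts
                   for name, rx in RULES.items() if rx.search(text)})

# Constructed sample config; every value below is fake.
SAMPLE_CONFIG = json.dumps({
    "config": {"Env": [
        "PATH=/usr/local/bin:/usr/bin",
        "OPENAI_API_KEY=sk-CONSTRUCTEDexample0000000000000000",
        "LOG_LEVEL=info",
    ]},
    "history": [
        {"created_by": "/bin/sh -c #(nop)  ENV LOG_LEVEL=info"},
        {"created_by": "/bin/sh -c pip install -r requirements.txt"},
        {"created_by": "RUN |1 DB_PASSWORD=constructed-pass-123 /bin/sh -c ./migrate.sh"},
    ],
})

if __name__ == "__main__":
    for where, name in scan_image_config(SAMPLE_CONFIG):
        print(f"{where}: {name}")
```

Any hit means the credential should be rotated, not just removed from the Dockerfile, because published layers and history remain readable to anyone who already pulled the image.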

Researchers at ReliaQuest report that an initial access broker tracked as Storm-0249 is abusing endpoint detection and response solutions and trusted Microsoft Windows utilities to load malware and establish communication and persistence in preparation for ransomware attacks.
The threat actor has moved beyond mass phishing and adopted stealthier, more advanced methods that prove effective and difficult for defenders to counter, even if well documented.
In one attack analyzed by researchers at cybersecurity company ReliaQuest, Storm-0249 leveraged the SentinelOne EDR components to hide malicious activity. However, researchers say that the same method works with other EDR products, as well.
ReliaQuest says that the Storm-0249 attack started with ClickFix social engineering that tricked users into pasting and executing curl commands in the Windows Run dialog to download a malicious MSI package with SYSTEM privileges.
A malicious PowerShell script is also fetched from a spoofed Microsoft domain and piped straight into the system's memory, never touching the disk and thus evading antivirus detection.
The researchers recommend that system administrators rely on behavior-based detection that identifies trusted processes loading unsigned DLLs from non-standard paths. (Bill Toulas / Bleeping Computer)
Related: ReliaQuest, SC Media, Dark Reading
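The behavior-based rule the researchers recommend can be expressed over Sysmon Event ID 7 (image loaded) records. This is an added example, not ReliaQuest's detection content: the trusted-host list (including the hypothetical `edr-agent.exe`), the standard directories, and the sample events are all assumptions constructed for illustration.

```python
import ntpath

# Assumptions for this example: tune both lists to the environment.
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
TRUSTED_HOSTS = {"edr-agent.exe", "msiexec.exe"}  # edr-agent.exe is a hypothetical name

def in_standard_dir(path):
    # normpath collapses "..\" segments so a traversal cannot fake a trusted prefix
    return ntpath.normcase(ntpath.normpath(path)).startswith(STANDARD_DIRS)

def is_unsigned(ev):
    return ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid"

def detect(events):
    """Return (host process, DLL path) for each suspicious Sysmon image-load event."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 7:  # Sysmon Event ID 7 = Image loaded
            continue
        host = ntpath.basename(ev["Image"]).lower()
        if host in TRUSTED_HOSTS and is_unsigned(ev) and not in_standard_dir(ev["ImageLoaded"]):
            alerts.append((host, ev["ImageLoaded"]))
    return alerts

def _ev(image, dll, signed, status, event_id=7):
    return {"EventID": event_id, "Image": image, "ImageLoaded": dll,
            "Signed": signed, "SignatureStatus": status}

# Constructed sample events (not taken from the ReliaQuest report).
SAMPLE_EVENTS = [
    _ev(r"C:\Program Files\ExampleEDR\edr-agent.exe",
        r"C:\Program Files\ExampleEDR\core.dll", "true", "Valid"),
    _ev(r"C:\Users\alice\AppData\Local\Temp\pkg\edr-agent.exe",
        r"C:\Users\alice\AppData\Local\Temp\pkg\helper.dll", "false", "Unavailable"),
    _ev(r"C:\Windows\System32\msiexec.exe",
        r"C:\Program Files\..\ProgramData\x\stage.dll", "false", "Unavailable"),
    _ev(r"C:\Windows\System32\notepad.exe",
        r"C:\Users\alice\Downloads\plugin.dll", "false", "Unavailable"),
    _ev(r"C:\Windows\System32\msiexec.exe",
        r"C:\Windows\System32\msi.dll", "true", "Valid"),
]

if __name__ == "__main__":
    for host, dll in detect(SAMPLE_EVENTS):
        print(f"ALERT {host} loaded unsigned DLL {dll}")
```

Matching hosts by file name alone is a simplification; a production rule would also pin the host binary's signer or hash.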

Researchers at Kaspersky and Huntress separately published reports that say a new AMOS infostealer campaign is abusing Google search ads to lure users into Grok and ChatGPT conversations that appear to offer “helpful” instructions but ultimately lead to installing the AMOS info-stealing malware on macOS.
AMOS was first documented in April 2023. It is a malware-as-a-service (MaaS) operation that rents the infostealer for $1,000/month, targeting macOS systems exclusively.
Earlier this year, AMOS added a backdoor module that lets operators execute commands on infected hosts, log keystrokes, and drop additional payloads.
The ClickFix attack begins with victims searching for macOS-related terms, such as maintenance questions, problem-solving, or Atlas, OpenAI's AI-powered web browser for macOS.
The Google advertisements link directly to ChatGPT and Grok conversations that had been publicly shared in preparation for the attack. The chats are hosted on the legitimate LLM platforms and contain the malicious instructions used to install the malware.
"During our investigation, the Huntress team reproduced these poisoned results across multiple variations of the same question, 'how to clear data on iMac,' 'clear system data on iMac,' 'free up storage on Mac,' confirming this isn't an isolated result but a deliberate, widespread poisoning campaign targeting common troubleshooting queries," Huntress researchers explain.
If users fall for the trick and execute the commands from the AI chat in macOS Terminal, a base64-encoded URL decodes into a bash script (update) that loads a fake password prompt dialog.
When the password is provided, the script validates, stores, and uses it to execute privileged commands, such as downloading the AMOS infostealer and executing the malware with root-level privileges. (Bill Toulas / Bleeping Computer)
Related: Kaspersky, Huntress, Kroll, Dark Reading, Engadget, Digit, Telegraph

Researchers at Sysdig report that a new malware implant called EtherRAT, deployed in a recent React2Shell attack, runs five separate Linux persistence mechanisms and leverages Ethereum smart contracts for communication with the attacker.
They believe the malware aligns with North Korea's tools used in Contagious Interview campaigns.
They recovered EtherRAT from a compromised Next.js application just two days after the disclosure of the critical React2Shell vulnerability tracked as CVE-2025-55182.
Sysdig highlights EtherRAT's mix of sophisticated features, including blockchain-based command-and-control (C2) communication, multi-layered Linux persistence, on-the-fly payload rewriting, and evasion using a full Node.js runtime.
Although there are substantial overlaps with "Contagious Interview" operations conducted by Lazarus, EtherRAT is different in several key aspects.
Sysdig comments that the EtherRAT malware has extremely aggressive persistence on Linux systems, as it installs five layers for redundancy.
The researchers recommend that users check for the listed persistence mechanisms, monitor Ethereum RPC traffic, review application logs, and rotate credentials. (Bill Toulas / Bleeping Computer)
Related: Sysdig, Security Affairs, HackRead

Researchers at Zimperium discovered Android malware dubbed DroidLock that can lock victims’ screens for ransom and access text messages, call logs, contacts, audio recordings, or even erase data.
DroidLock allows its operator to take complete control of the device via the VNC sharing system and can steal the device lock pattern by placing an overlay on the screen.
The malware targets Spanish-speaking users and is distributed through malicious websites promoting fake applications that impersonate legitimate packages.
Zimperium says that the "infection starts with a dropper that deceives the user into installing the secondary payload that contains the actual malware." The malicious apps introduce the main payload via an update request and then ask for Device Admin and Accessibility Services permissions, which allow it to perform fraudulent activities.
Some of the actions it can take are wiping the device, locking it, changing the PIN, password, or biometric data to prevent the user from accessing the device.
Zimperium clarifies that DroidLock does not encrypt files, but by threatening to destroy them unless a ransom is paid, the same purpose is achieved. Additionally, the threat actor can deny access to the device by changing the lock code. (Bill Toulas / Bleeping Computer)
Related: Zimperium, Silicon Angle

Researchers at security software vendor Huntress say they’ve noticed a massive increase in ransomware attacks on hypervisors and urged users to ensure they’re as secure as possible and adequately backed up.
“Huntress case data revealed a stunning surge in hypervisor ransomware: its role in malicious encryption rocketed from just three percent in the first half of the year to 25 percent so far in the second half,” wrote Senior Hunt & Response Analyst Anna Pham, Technical Account Manager Ben Bernstein, and Senior Manager for Hunt & Response, Dray Agham.
“The primary actor driving this trend is the Akira ransomware group,” the trio warned, adding that the gang, and other attackers, are going after hypervisors “in an attempt to circumvent endpoint and network security controls.” (Simon Sharwood / The Register)
Related: Huntress, SC World, Cybersecurity Insiders, CyberPress, Techzine
Google released emergency updates to fix another Chrome zero-day vulnerability exploited in the wild, marking the eighth such security flaw patched since the start of the year.
"Google is aware that an exploit for 466192044 exists in the wild," Google said in a security advisory issued on Wednesday.
The company has now fixed this high-severity vulnerability for users in the Stable Desktop channel, with new versions rolling out worldwide to Windows (143.0.7499.109), macOS (143.0.7499.110), and Linux users (143.0.7499.109).
Google didn't share any other details about this zero-day bug, including the CVE ID used to track it, and said it's still "under coordination."
"Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven't yet fixed," it noted.
However, according to the Chromium bug ID, the flaw was found in Google's open-source LibANGLE library, which translates OpenGL ES graphics calls into other APIs such as Direct3D, Vulkan, or Metal, and enables OpenGL ES apps to run on systems that don't natively support it or where alternative graphics APIs offer better performance. (Sergiu Gatlan / Bleeping Computer)
Related: Chrome, Security Week
Harness, which makes a development platform that seeks to automate AI software testing, deployments, security, compliance, and optimization, announced it had closed a $240 million Series E venture funding round.
The financing round is comprised of a $200 million investment led by Goldman Sachs Alternatives and a planned $40 million tender offer with participation from IVP, Menlo Ventures, and Unusual Ventures. (Jagmeet Singh / TechCrunch)
Related: PR Newswire, Silicon Angle, GovInfoSecurity
Best Thing of the Day: Still Keeping the Heat on Chip Sales to China
Despite the Trump administration's move toward lessening restrictions on the sale of high-performance computer chips that power modern artificial intelligence systems to China, the US Justice Department continues to prosecute businesses and individuals who sell or divert these same technologies to companies based in China.
Worst Thing of the Day: Who Else Had Better Access?
The 43-year-old developer and Chinese national who leaked a massive amount of Korean retailer Coupang's data, sparking a corporate and national crisis, was part of the company's cybersecurity team.
