Microsoft attaque un réseau de cybercriminels pour avoir contourné la sécurité de l’IA !

Microsoft pours legal resources into disrupting cybercriminal operations targeting generative AI

Microsoft Corp.’s Digital Crime Unit has taken legal action to disrupt a cybercriminal operation that has developed tools specifically designed to bypass the safety guardrails of generative artificial intelligence services. In December, a complaint was filed in the Eastern District of Virginia, claiming the unidentified cybercriminals violated U.S. law and Microsoft’s Acceptable Use Policy. This operation allegedly allowed the generation of harmful content through the manipulation of Microsoft’s platform using stolen credentials and custom software.

Nature of the complaint

The complaint, identified as “Does 1-10 Operating an Azure Abuse Network,” outlines serious breaches of multiple laws, including the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, and the Racketeer Influenced and Corrupt Organizations Act. The defendants reportedly used tools such as de3u, a client-side software that facilitates the creation of images via DALL·E 3, an AI model from OpenAI.

The methods of exploitation

By gaining unauthorized access to Microsoft’s AI services, the defendants allegedly resold this access to other malicious actors. They provided detailed instructions on how to utilize these tools to create harmful content. Steven Masada, assistant general counsel of Microsoft’s Digital Crimes Unit, emphasized the dual nature of generative AI, stating, “Every day, individuals leverage generative AI tools to enhance their creative expression and productivity. Unfortunately, the benefits of these tools attract bad actors who seek to exploit technology for malicious purposes.”

The exact nature of the « harmful and illicit content » created remains somewhat ambiguous, as it could encompass a wide range of materials that may not align with Microsoft’s standards. Notably, the motivations behind using DALL-E 3 despite the availability of superior open-source tools raises questions about the nature of the attackers’ aims.

Technical analysis of the attack

Experts have shed light on the specific methodologies employed by these cybercriminals. Katie Paxton-Fear, from Traceable AI, explained that instead of targeting business-critical data, the attackers set up a shadow AI system. It functioned by creating a DALL-E-like interface that relayed user prompts directly to OpenAI via Azure, allowing them to circumvent existing security checks.

Using stolen OpenAI credentials from various users and businesses, the attackers managed to keep a low profile, operating across numerous legitimate accounts. This raises concerns regarding the robustness of security protocols on platforms that provide AI services.

Implications for the tech industry

Microsoft’s decision to pursue legal action indicates a potential shift in how tech giants respond to cyber threats. Cybersecurity expert Ophir Dror noted that such proactive measures are relatively rare and could signify a change in behavior among major technology companies. This legal battle not only highlights the challenges in securing AI systems but also emphasizes the ongoing need for rigorous safety measures in the rapidly evolving digital landscape.

As technology continues to advance, the balance between fostering innovation and protecting against exploitation becomes increasingly precarious. The actions taken by Microsoft serve as a reminder of the vigilance required to safeguard against misuse in the realm of generative AI.

Further insights and community engagement

For those interested in understanding more about this issue, consider exploring discussions and analyses through expert blogs and community forums. Engaging with a broader community can provide deeper insights into how security measures are evolving in the tech industry.

Credits

• SiliconANGLE
• Microsoft Complaint Document
• Computer Fraud and Abuse Act
• Digital Millennium Copyright Act
• Racketeer Influenced and Corrupt Organizations Act