
Google Reports AI-Assisted Zero-Day Exploit Discovery and Diversified AI Cyber Threats

AI-Powered Zero-Day Exploit Discovered by Google’s Threat Intelligence Group

Google's Threat Intelligence Group (GTIG) reported a zero-day vulnerability in an open-source web administration tool, likely identified and weaponized using an AI model. The exploit targeted a two-factor authentication bypass.

Zero-Day Exploit and AI Involvement

GTIG identified a zero-day vulnerability in an unnamed open-source web-based system administration tool. The exploit aimed to bypass two-factor authentication and was implemented as a Python script. GTIG stated with high confidence that this script was generated using a large language model (LLM).

Evidence cited for AI generation includes the presence of educational docstrings, a hallucinated CVSS score (a fabricated severity rating), and a structured Pythonic format typical of LLM output. GTIG characterized the vulnerability as a high-level semantic logic flaw stemming from a hard-coded trust assumption.

Google stated that prominent cybercrime threat actors planned a mass exploitation event using this vulnerability, but the company's proactive discovery may have prevented its use. Google did not disclose the name of the threat actor group or the impacted vendor, stating the vendor was notified and the vulnerability was fixed.

AI Use in Malware and Operations

The report profiles several instances of AI integration by threat actors:

  • PROMPTSPY: An Android backdoor integrating Google's Gemini AI. GTIG stated this malware was designed to inspect device interfaces, generate commands, capture authentication gestures (biometric data), and rotate supporting infrastructure like API keys and command servers.

  • State-Linked Groups:

    • UNC2814 (suspected China-nexus): Used Gemini for vulnerability research.
    • APT45 (North Korea): Prompted Gemini to analyze CVEs and validate exploits.
    • APT27 (China): Used Gemini to accelerate development of a fleet management app for operational relay box infrastructure.
    • Russia-nexus actors: Used AI-generated decoy code in malware families CANFAIL and LONGSTREAM to complicate forensic analysis.

  • Agentic AI Frameworks: Tools capable of performing tasks such as reconnaissance and vulnerability validation with limited human oversight were linked to suspected China-related campaigns targeting organizations across Asia.

  • Influence Operations: Suspected AI voice-cloning was tied to the pro-Russia campaign Operation Overload, which used manipulated video content.

AI as a Target: Distillation and Shadow APIs

The report notes an increasing trend of AI systems themselves being targeted.

Distillation Attacks: Google reported an increase in "distillation attacks" or "model extraction" attempts on its Gemini chatbot. One campaign involved over 100,000 prompts. Google stated these attacks aim to understand the system's logic and patterns to replicate functionality in other AI models.

Google attributed these attacks to private companies and researchers seeking competitive advantage, stating they originated globally. Google stated it regards distillation as intellectual property theft.

Shadow APIs: Researchers identified 17 shadow API services offering indirect access to Gemini. Evidence of model substitution was found, causing significant accuracy drops (e.g., MedQA accuracy falling from 83.82% to ~37% on some shadow APIs). These proxy services can capture prompts and responses, enabling data theft and model distillation.
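
One way a team that reaches a model through a third-party endpoint could check for the substitution described above, as an added example that is not from the GTIG report: score the endpoint on a held-back benchmark sample and test whether the result is consistent with the 83.82% baseline quoted here. The function names, the 0.001 false-alarm rate and the 99% detection target are assumptions chosen for illustration.

```python
import math

BASELINE_ACC = 0.8382   # MedQA accuracy of the genuine model, as quoted in the article
DEGRADED_ACC = 0.37     # approximate accuracy seen on some shadow APIs, per the article

def binom_tail_le(k, n, p):
    """P[X <= k] for X ~ Binomial(n, p), summed in log space for stability."""
    total = 0.0
    for i in range(k + 1):
        log_term = (math.lgamma(n + 1) - math.lgamma(i + 1) - math.lgamma(n - i + 1)
                    + i * math.log(p) + (n - i) * math.log1p(-p))
        total += math.exp(log_term)
    return min(total, 1.0)

def substitution_suspected(correct, asked, baseline=BASELINE_ACC, alpha=1e-3):
    """One-sided binomial test: is the score too low to be sampling noise?

    Returns (flag, p_value). alpha is an assumed false-alarm budget.
    """
    if asked <= 0 or not 0 <= correct <= asked:
        raise ValueError("need 0 <= correct <= asked and asked > 0")
    p_value = binom_tail_le(correct, asked, baseline)
    return p_value < alpha, p_value

def min_canary_count(baseline=BASELINE_ACC, degraded=DEGRADED_ACC,
                     alpha=1e-3, power=0.99, limit=2000):
    """Smallest number of canary questions that flags a degraded endpoint
    with probability >= power while keeping false alarms below alpha."""
    for n in range(1, limit):
        k = -1  # largest score that would still be flagged under the baseline
        while k + 1 <= n and binom_tail_le(k + 1, n, baseline) < alpha:
            k += 1
        if k >= 0 and binom_tail_le(k, n, degraded) >= power:
            return n
    return None

if __name__ == "__main__":
    # Constructed sample scores, not measurements from the report.
    for label, correct, asked in [("direct endpoint", 84, 100), ("proxy endpoint", 37, 100)]:
        flag, p = substitution_suspected(correct, asked)
        print(f"{label}: {correct}/{asked} p={p:.3g} suspected={flag}")
    print("canary questions needed:", min_canary_count())
```

The test only detects substitution that lowers benchmark accuracy; a proxy that forwards requests unchanged while logging prompts and responses passes it.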

Supply Chain Attacks: The report documents malicious activity affecting AI-related projects, including OpenClaw skills and supply chain attacks on projects like LiteLLM and BerriAI.

Broader Industry Context

  • Google stated its Gemini model was not implicated in the zero-day exploit discovery.
  • Successful exploitation of the zero-day vulnerability required valid user credentials.
  • Google disabled assets related to the PROMPTSPY malware, stating no such apps were found on the Play Store.
  • Google is developing defensive AI systems including Big Sleep, a vulnerability discovery agent, and CodeMender, an experimental automated patching tool.