I've been looking into how the xz backdoor works and drew this sketch to make it easier to understand. I'll update it as new information comes to light ✨

🎙️ Tune in to the special edition episode of #CryingOutCloud with all you need to know on the XZ Utils vuln 🔔 listen now: 🎧 Listen on Spotify open.spotify.com/episode/6FhXFb… 📺 Watch on YouTube youtube.com/watch?v=Ka1wDF… #XZUtils #xz #infosec #backdoor

We have been reverse engineering the XZ Utils backdoor and are sharing some initial findings: we've identified multiple hooking options to adapt to different environments, and a hardcoded fake public key that can appear in verbose SSH logs depending on attacker-controlled flags.

We uploaded a backdoored AI model to @HuggingFace which we could use to potentially access other customers’ data✨ Here is how we did it - and collaborated with Hugging Face to fix it 🧵⬇️

The world runs on AI, and AI runs on AI services. Groundbreaking research by Wiz research on the security of AI service provides. Thank you Hugging Face for the great collaboration on this effort

Do vulnerabilities stress you out? Listen to this video every night as an alternative to aversion therapy, and I guarantee* you'll welcome every new CVE notification with the joy you normally reserve for puppies and kittens.

We discovered that by uploading a malicious AI model to @Replicate, a leading AI-as-a-Service platform, we could read and modify prompts of other customers 🤯 Here is exactly how we did it 🧵⬇️

🚨 Wiz Research recently found a critical vulnerability in Replicate's AI-as-a-Service. The flaw allowed access to #AI prompts/results and remote #code execution, risking cross-tenant data breaches. 👏 Kudos to Replicate for their transparency during our disclosure.

From logging and cloud attacks to NVD backlog 🎙️ What's on the episode's agenda? 1️⃣ How logging bypass made password-spray attacks undetectable. 2️⃣ The latest way attackers are monetizing cloud access. 3️⃣ NVD's ongoing backlog. Tune in - 🍏: podcasts.apple.com/il/podcast/cry…

According to a new report co-produced by Google Israel and RISE Israel, there are more than 2,300 AI startups active in Israel today. That number accounts for roughly one quarter of all the technology companies in the country. It is well known that Israel has the highest number

🛡️DERO Cryptojacking takes a new shape, what does this mean for you? 💻 Adversaries infiltrate Kubernetes clusters with improved techniques and modify the DERO miner binary, highlighting the need for robust defenses. Learn more in the comments below👇

הנה הטקסט של אמיר, על פקד זמורה ז"ל: כתב אמיר: חברימוס, היום נהרג פקד ארנון זמורה מהימ"מ בחילוץ בנוסיראת. רציתי לשתף אתכם בחוויה שהייתה לי אתו. לא הכרתי אותו. הייתי באיזו הופעה באמפיתאטרון במבשרת ציון לפני כמה שנים. היו שם כמה אלפי אנשים. פתאום ניגש אלי בחור מקסים, שאל אם הוא

📺 Huge thanks to Amazon's CSO stephenschmidt for the big shoutout and kind words about Wiz on CNBC 🔥🔥🔥 It means the world to have the trust and validation of cloud security leaders like Stephen and Amazon. Can't wait to create more magic with you!🪄

We found a Remote Code Execution (RCE) vulnerability in @Ollama - one of the most popular AI inference projects on GitHub. Here is everything you need to know about #Probllama (CVE-2024-37032) 🧵👇

Spot on. AI infra is where most of the security risk in AI is today

Thank you, Wiz and Matt Johansen, for highlighting this point that many miss about vulnerability exploitation

☁️ Cloud Threat Landscape - Defenses Wiz has added a collection of security measures for defending cloud environments to their Cloud Threat Landscape Includes ~50 defenses Mapped to attacker technique and D3FEND Tactic threats.wiz.io/defenses

Does AI have an isolation problem?? Wiz researchers have been looking into cross tenant issues in leading AI services in recent months. Today disclosing a major vulnerability in SAP AI service. Thank you for the SAP security team for working closely with us.

Security starts from hands on experience with attack techniques, everyone interested in learning about AI security risks, should take some time and try this AMAZING capture the flag created by Wiz researchers

Wiz is now officially a 'CVE Numbering Authority' (#CNA) 🔓 We're thrilled to strengthen our support for this mission of transparency in disclosing cloud vulnerabilities. Big shout out to everyone who helped make this happen. 🕵️‍♂️ Learn more: wiz.io/blog/wiz-becom…