Cybersecurity Today – "A Simple Phrase Defeats GPT5 Security"

Host: Jim Love
Date: August 27, 2025

Episode Overview

In this episode, Jim Love dives into the latest and most pressing cybersecurity threats facing organizations today. The central theme is the evolving landscape of cyber risks—specifically, the exposure of new vulnerabilities in advanced AI models like GPT-5, ongoing malware issues with the Google Play Store, government shutdowns due to cyber attacks, and a high-profile breach tied to the Shiny Hunters group using CRM platforms. Throughout, Jim emphasizes the need for both technical and procedural safeguards in an era where attackers adapt quickly to new technologies.

Key Discussion Points and Insights

1. Prompt Injection Bypass in GPT-5's Security

[00:15] Simplified Hack Bypasses GPT-5 Safety
- Attackers have discovered that by using specific prompt phrases (e.g., “respond quickly,” “use compatibility mode”), they can trick ChatGPT into routing requests to less secure AI models (like GPT-4 or mini models), sidestepping GPT-5’s robust guardrails.
- This exploit works because the system automatically decides which model to use based on the perceived complexity of the prompt, not its true intent.
- Adversa AI's finding: Compared this to the "SSRF moment" in web security—where user input caused a server to make unintended requests.
- Key Quote:
  - "As Adversa put it, the AI community has ignored 30 years of security wisdom. Prompt routing is our SSRF moment."
    — Jim Love [02:14]
- Takeaway:
  - AI security isn’t just about stronger models; it’s about securing the pathways that prompts travel. If attackers control the routing, they can bypass even the most advanced safeguards.

2. Malware Continues to Plague Google Play

[03:10] Zscaler’s Discovery of Malicious Apps
- 77 malicious apps with over 19 million downloads found on the Play Store, many posing as utilities or personalization tools.
- Anaza App:
  - A sophisticated banking trojan targeting 800+ financial institutions, capable of keylogging, intercepting SMS, and bypassing security.
- Regulatory Response:
  - In response to competition pressures, Google will require developer identity verification for sideloaded/third-party apps starting September 2026 in several countries, aiming for global rollout by 2027.
  - Developers must provide personal/legal identification to distribute apps outside the Play Store.
- Balancing Act:
  - Struggle between keeping Android open vs. preserving user security.
- Notable Moment:
  - “The bigger challenge remains balancing Android's open ecosystem with the needs for real security.”
    — Jim Love [06:28]

3. NIST’s New AI-Specific Security Controls

[07:08] Introduction of COSIS Overlays
- NIST has released concept papers and planned overlays—COSIS (Control Overlays for Securing AI Systems)—to tailor security controls for AI, addressing threats like data poisoning, adversarial examples, or prompt injection.
- Initial overlays will address:
  - Generative AI
  - Predictive AI
  - Single-agent & multi-agent systems
  - Guidance for AI devs
- These overlays are meant to adapt SP 800-53 controls (well-known in cybersecurity) for AI’s unique threat landscape.
- Community discussion is open via Slack; final draft coming in 2026.
- Key Insight:
  - “COSIS offers a structured and hopefully a familiar way for organizations to start addressing AI's unique security risks.”
    — Jim Love [09:30]

4. Ransomware Attack Shuts Down Nevada Government

[10:00] The Ongoing Threat to Civic Infrastructure
- Nevada’s government was forced offline by a “serious cyber incident” disrupting core online operations, though 911/emergency services remained unaffected.
- While no personal data theft confirmed, there’s concern over potential double-extortion (ransomware gangs stealing as well as encrypting data).
- Mirrors a rising global trend:
  - Hamilton, Canada: $18.5 million ransom refused after broad city shutdown
  - St. Paul, MN: IT systems down, National Guard mobilized, 43 GB of data claimed stolen, no ransom paid
  - Maine: similar attacks
- Key Takeaway:
  - "Civic infrastructure is proving to be a prime target. But with governments standing firm against paying ransoms, criminals may be forced to abandon these or escalate tactics, raising the stakes for public sector security even further."
    — Jim Love [12:45]

5. Shiny Hunters’ CRM-Focused Social Engineering Campaign

[13:30] OAuth Token Thefts at SalesLoft/Salesforce
- The Shiny Hunters group (a.k.a. Scattered Spider Collective) orchestrated a campaign to obtain high-value credentials and vault tokens by phishing/vishing employees into granting OAuth permissions to malicious apps disguised as legitimate Salesforce tools.
- OAuth Explained: Allows third-party app access without requiring a password each time; if misused, can create deep, lingering access.
- Timeline: Aug 8–18, 2025 — Compromised SalesLoft’s Drift chat with Salesforce integration, stealing data including AWS keys, credentials.
- Response: Vendors revoked all compromised tokens, forcing customer re-authentication, but incidents continue across industries.
- Key Message:
  - “OAuth was built for seamless integration, but in the wrong hands, it becomes a powerful backdoor.”
    — Jim Love [15:44]

Notable Quotes & Memorable Moments

On the GPT-5 Model Routing Exploit:
- “If attackers can hijack those, they can walk around the defenses designed to keep us safe.” [02:54]
On Google’s App Store Dilemma:
- “The goal is to make sure bad actors can’t simply vanish and reappear under a new name.” [06:08]
On the Purpose of COSIS:
- “By building on existing frameworks, COSIS offers a structured and hopefully a familiar way for organizations to start addressing AI's unique security risks.” [09:30]
On Ransomware Trends in Government:
- “But with governments standing firm against paying ransoms, criminals may be forced to abandon these or escalate tactics, raising the stakes for public sector security even further.” [12:45]
On OAuth Abuse:
- “Enterprises relying on Salesforce and similar platforms need to audit connected apps, enforce least privilege access, and scrutinize authorizations—because attackers are showing that the weakest link may be the tools designed to make life easier.” [16:05]

Timestamps for Key Segments

00:15 — GPT-5 prompt routing vulnerability
03:10 — Google Play malware report and regulatory response
07:08 — NIST COSIS overlays for AI security
10:00 — Nevada government cyber attack and broader ransomware trend
13:30 — Shiny Hunters’ OAuth-based campaign against CRMs

Summary Takeaway

Jim Love’s episode reinforces the message that cybersecurity now demands both vigilance and adaptability. Advanced AI solutions, seamless digital integrations, and civic networks all face unique threats—often enabled by the very tools intended to streamline operations. Organizations should think not just in terms of stronger individual defenses, but in the robustness and trustworthiness of the processes and pathways connecting those defenses. As always, informed, security-focused decision-making stands as the best shield against an ever-shifting threat horizon.

Transcript

A (0:02)

A simple prompt attack undermines GPT five model safeguards Google plays malware problems grow NIST launches AI specific controls the state of Nevada is the latest government shutdown from a cyber attack, and Shiny Hunters striked again, launching another attack using a CRM. This is Cybersecurity Today. I'm your host Jim Love. Attackers have found a simple way to bypass the security defenses of GPT5 by exploiting how the system routes prompts between different models. Here's how it works. ChatGPT doesn't always use its most advanced model for cost and speed. It decides whether to send your prompt to GPT5 or to smaller versions like GPT4 or the so called mini models. Normally the tough Questions go to GPT5, where the strongest safeguards are in place. But researchers at Adversa AI showed that with a few carefully chosen words like respond quickly or use compatibility mode, an attacker can trick the system into flagging a dangerous prompt as simple. That causes the request to be routed to a weaker model, one without GPT5's guardrails or ability to deal with complex prompts. Once downgraded, it becomes far easier to jailbreak the system and generate harmful content. Adversa compared this discovery to what they call an SSRF moment. Those in web security will remember that SSRF stands for server side request forgery, a classic flaw where attackers were able to trick a server into making requests it should never make. The same principle applies here. User input is being trusted to control internal routing, with potentially dangerous results. As Adversa put it, the AI community has ignored 30 years of security wisdom promise. Q Root is our SSRF moment the lesson? AI security isn't just about building stronger models. It's about securing the paths that your prompts take. Because if attackers can hijack those, they can walk around the defenses designed to keep us safe. Security researchers say that the Google Play Store is still struggling to keep out malware. Zscalers Threat Labs recently identified 77 malicious apps with more than 19 million downloads on the Play Store. Many were disguised as everyday utilities or personalization tools. And among them was Anaza, a banking Trojan capable of stealing credentials through key logging, intercepting text messages, and even bypassing security checks. Researchers say it has already targeted over 800 financial institutions worldwide, including banks and even crypto platforms. And if managing the Play Store wasn't challenging enough, Google is also facing regulatory pressure to open Android's ecosystem to more competition. That means allowing more third party app stores and easier sideloading of apps. So Google's answer is to do some massive cleanup in the Play Store, which they claim they've done, but also to require developer identity verification for apps distributed outside the Play store. Starting in September 2026 in markets like Brazil, Indonesia, Singapore and Thailand. Developers who sideload apps or publish through alternative stores will have to provide personal information, including their legal name, contact details and in some cases, government ID. The plan is to roll this out globally by 2027. The goal is to make sure bad actors can't simply vanish and reappear under a new name. But the bigger Challenge remains balancing Android's open ecosystem with the needs for real security. On August 14, NIST published a concept paper and proposed action plan introducing control overlays for securing AI systems, or COSIS. These are extensions to the familiar SP 8053 security controls, but are crafted specifically for different AI use cases. Traditional cybersecurity frameworks, it turns out, weren't designed to handle AI threats like data poisoning, model integrity attacks, adversarial examples or prompt injection. COSASE aims to fix that gap by adapting well known security controls into overlays that organizations can customize for AI scenarios. The first will focus on five areas generative AI, predictive AI, single agent systems, multi agent systems, and guidance for AI developers themselves. This creates a starting point for securing the different ways AI is built and deployed. NIST says these overlays won't stand alone. They're meant to complement its broader suite of AI guidance, including the AI Risk Management Framework, secure software development practices and research into adversarial machine learning. To encourage community input, NIST has opened a Slack channel for discussion and plans to release its final public draft in early 2026, followed by a workshop to refine the details. If you want to dig deeper, the concept paper is available from NIST. We'll put a link on the show notes@technewsday.com the Takeaway by building on existing frameworks, COSASE offers a structured and hopefully a familiar way for organizations to start addressing AI's unique security risks. Late on Sunday, the state of Nevada was forced to close government offices after a serious cyber incident disrupted websites, phone systems and key IT platforms. The disruption began at about 1:52am Pacific time, prompting immediate containment steps that left services online and staff working around the clock to restore operations. Importantly, 911 and emergency services remained fully operational throughout the outage State officials also said there's no evidence that personally identifiable information has been stolen at this time. However, if this does turn out to be ransomware, then even if defenses stopped, encryption attackers likely still had extended access to the network to exfiltrate data. That's a common tactic in modern double extortion schemes. And this wasn't an isolated disruption. It mirrors a troubling trend. Back in February, the city of Hamilton in Canada faced a major ransomware incident that shut down roughly 80% of its network and led to an $18.5 million ransom demand. The city refused to pay. More recently, the city of St. Paul, Minnesota was hit by a deliberate coordinated digital attack, forcing officials to shut down IT systems entirely, and the National Guard was called in to assist under a state of emergency. And a ransomware gang claimed to have stolen 43 gigabytes of data. Yet again, the city refused to pay, and the state of Maine has been hit as well. Cyber attacks on government agencies often cause widespread disruption, but they are increasingly rarely ending with ransom payments that can leave the attackers empty handed while at the same time drawing greater attention from law enforcement. So the takeaway, Whether it's Nevada, Hamilton or St. Paul, civic infrastructure is proving to be a prime target. But with governments standing firm against paying ransoms, criminals may be forced to abandon these or escalate tactics, raising the stakes for public sector security even further. Another CRM related breach has been linked to Shiny Hunters, also known as the Scattered Spider Collective. This campaign, tracked by Google's Threat Intelligence Team as UNC 6395, was designed to obtain high value credentials and vault tokens, keys that could be used to widen access and increase extortion payouts. The breach wasn't a technical exploit, it was a social engineering triumph. Attackers used phishing and vishing tactics to trick employees into granting OAuth permissions to malicious apps disguised as legitimate Salesforce tools. For context, I'm sure most of you know, but OAuth is a standard that lets you log into one service using your account from another, for example, authorizing a third party app to access Salesforce on your behalf. It's designed for convenience, but once granted, these tokens can provide deep trusted access without requiring a password every time. Between August 8th and August 18th, Shiny Hunters compromised SalesLoft's Drift chat agent and its integration with Salesforce. The stolen OAuth tokens gave them an API level access, enabling exfiltration of sensitive data including AWS keys, login credentials and access tokens. Salesloft and Salesforce responded by revoking all compromised tokens, forcing customers to re authenticate. But this was just one phase of a much larger campaign. Shiny Hunters have been using these techniques across industries, from airlines and luxury retailers to tech and finance, leveraging OAuth trust relationships to gain persistence and scale their attacks. The takeaway? OAuth was built for seamless integration, but in the wrong hands, it becomes a powerful backdoor. Enterprises relying on Salesforce and similar platforms need to audit connected apps, enforce the least privilege access, and scrutinize authorizations because attackers are showing that the weakest link may be the tools designed to make life easier. And that's our show for today. You can reach me with tips, comments, or even occasionally, constructive criticism. Just go to technewsday.com or CA and use the Contact Us form. And while you're there, if you want to support the show, click the Donate tab. And for the cost of a cup of coffee per month, you can support us in what we're doing. I'm your host, Jim Love. Thanks for listening.