Introduction to the Cyber Attack
A California man has pleaded guilty to hacking an employee of The Walt Disney Company by tricking the person into running a malicious version of a widely used open source AI image generation tool. Ryan Mitchell Kramer, 25, pleaded guilty to one count of accessing a computer and obtaining information and one count of threatening to damage a protected computer.
The Malicious App
Kramer, who operated under the moniker NullBulge, published an app on GitHub for creating AI-generated art. The program contained malicious code that gave access to the computers on which it was installed. The program was ComfyUI_LLMVISION, which purported to be an extension for the legitimate ComfyUI image generator. Functions had been added to it for copying passwords, payment card data, and other sensitive information from machines that installed it.
How the Malicious Code Worked
The fake extension sent the copied data to a Discord server that Kramer operated. To better disguise the malicious code, it was folded into files that used the names OpenAI and Anthropic. Two files automatically downloaded by ComfyUI_LLMVISION were listed by a user’s Python package manager, showing the extent of the malicious code’s reach.
The Attack on Disney
The Disney employee downloaded ComfyUI_LLMVISION in April 2024. After gaining unauthorized access to the victim’s computer and online accounts, Kramer accessed private Disney Slack channels. In May, he downloaded roughly 1.1 terabytes of confidential data from thousands of those channels. This data included sensitive information about the company and its employees.
The Aftermath
In early July, Kramer contacted the employee and pretended to be a member of a hacktivist group. Later that month, after receiving no reply from the employee, Kramer publicly released the stolen information, which, besides private Disney material, also included the employee’s bank, medical, and personal information. In the plea agreement, Kramer admitted that two other victims had installed ComfyUI_LLMVISION, and he gained unauthorized access to their computers and accounts as well.
Conclusion
The case of Ryan Mitchell Kramer serves as a warning about the dangers of cyber attacks and the importance of being cautious when downloading software from the internet. It also highlights the need for companies to educate their employees about cybersecurity and the risks of falling victim to phishing scams. The FBI is investigating the incident, and Kramer is expected to make his first court appearance in the coming weeks.
FAQs
- Q: What was the name of the malicious app used by Kramer?
- A: The malicious app was called ComfyUI_LLMVISION.
- Q: How did Kramer trick the Disney employee into installing the malicious app?
- A: Kramer tricked the employee into installing the app by making it appear as a legitimate extension for the ComfyUI image generator.
- Q: What kind of data did Kramer steal from the Disney employee?
- A: Kramer stole confidential data from Disney Slack channels, as well as the employee’s bank, medical, and personal information.
- Q: Is Kramer being investigated by the authorities?
- A: Yes, the FBI is investigating the incident, and Kramer has pleaded guilty to two counts related to the cyber attack.