DeepSeek: A Deep-Dive into the Latest AI-powered LLM
What is DeepSeek?
DeepSeek is a Hangzhou-based startup founded in December 2023 by Liang Wenfeng. It released its first AI-based large language model in 2024. The company recently drew widespread attention after releasing a new open-source AI model that rivals OpenAI's work; its app shot to the top of the app stores' download charts and has sparked much interest.
The startup claims that its AI models, DeepSeek-V3 and DeepSeek-R1, perform on par with the most advanced models from OpenAI, the company behind ChatGPT. It also claims the models were built at a fraction of the cost of industry-leading models because they use fewer advanced chips and less memory than their rivals, which also lowers the cost of running tasks.
The company also released a new open-source image generation model, Janus-Pro-7B, on Monday (27 Jan 2025). The startup says the model outperforms Stability AI's Stable Diffusion and OpenAI's DALL-E 3 at generating images from text prompts.
Some Countries Restrict Access to DeepSeek
Citing cybersecurity and national security concerns, some countries, such as Taiwan and Italy, have restricted access to and use of DeepSeek by government agencies and critical infrastructure operators. Texas became the first US state to ban DeepSeek on government-issued devices, and the United States Navy has barred its members from using it.
CYBERSECURITY CONCERNS WITH DEEPSEEK’S AI MODELS
Exposed Sensitive Databases and Privilege Escalation
Recently, cybersecurity firm Wiz tested DeepSeek's security posture and published a concerning report. It found a publicly accessible ClickHouse database belonging to DeepSeek that was completely open and unauthenticated. The database gave full control over database operations, including the ability to read internal data, and offered a path to privilege escalation within DeepSeek's environment. It also held a large amount of sensitive information, including user chat history.
Below are the details of the exposed data as reported by Wiz:
Field | Content
---|---
Timestamp | Log entries dating from January 6, 2025
span_name | References to various internal DeepSeek API endpoints
string.values | Plaintext logs, including chat history, API keys, backend details and operational metadata
_service | The DeepSeek service that generated the log entry
_source | The origin of the log request, exposing chat history, API keys, directory structures and chatbot metadata
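The weakness Wiz found is a common one: ClickHouse's HTTP interface (port 8123 by default) runs whatever SQL is passed in the `query` parameter, and if the `default` user has no password anyone who can reach the port can read and modify data. The script below is an added example, not part of the Wiz research or of this article's original content, for auditing your own ClickHouse deployments for that condition; the hostnames in `TARGETS` are placeholders. One caveat the probe handles: ClickHouse answers `GET /` and `GET /ping` with `Ok.` before any authentication takes place, so a health-check request proves nothing about access control. The probe therefore issues a real query and classifies the answer.

```python
"""Check whether a ClickHouse HTTP endpoint executes SQL without credentials."""
import urllib.error
import urllib.parse
import urllib.request

# Placeholder hosts for the example; replace with your own ClickHouse endpoints.
TARGETS = [("clickhouse.internal.example", 8123)]

# A harmless query: a result row proves the default user can run SQL unauthenticated.
PROBE_QUERY = "SELECT version()"


def build_probe_url(host: str, port: int = 8123) -> str:
    """ClickHouse's HTTP interface executes the SQL passed in the `query` parameter."""
    return f"http://{host}:{port}/?" + urllib.parse.urlencode({"query": PROBE_QUERY})


def classify(status: int, body: str) -> str:
    """Interpret a probe response.

    200 with a non-empty body means the query ran with no password at all.
    403 is ClickHouse's 'Authentication failed' answer (exception code 516 in the body);
    401 would come from a reverse proxy enforcing its own auth in front of ClickHouse.
    Anything else (e.g. 404 from an unrelated web server) is reported as unknown.
    """
    if status == 200 and body.strip():
        return "OPEN"
    if status in (401, 403):
        return "AUTH_REQUIRED"
    return f"UNKNOWN({status})"


def probe(host: str, port: int = 8123, timeout: float = 3.0) -> str:
    """Send the probe over the network and classify the answer."""
    req = urllib.request.Request(build_probe_url(host, port))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # ClickHouse returns the exception text in the body of the error response.
        return classify(err.code, err.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError) as err:
        return f"UNREACHABLE({err})"


if __name__ == "__main__":
    for host, port in TARGETS:
        print(f"{host}:{port} -> {probe(host, port)}")
```

An `OPEN` result on an internet-facing host is exactly the condition described above; the fix is to give the `default` user a password (or disable it) in `users.xml` and to bind the HTTP and native ports to internal interfaces only, rather than relying on nobody finding the port.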
Vulnerability Towards Jailbreaking
Researchers found they could reproduce known jailbreak attacks and get DeepSeek to help them write ransomware and other malware. In one case the model produced code designed to harvest credit card data from specific browsers and send it to a remote server. The researchers described the model's guardrails as highly vulnerable and easily bypassed: DeepSeek would suggest that users buy stolen data from specific underground markets and would provide tips on money laundering. They concluded that the models are vulnerable to jailbreaking techniques.
Cybercrime researchers warn that DeepSeek's AI services appear to have fewer guardrails than competing services, making it easier for attackers to use them to craft phishing emails, analyze large sets of stolen data or research vulnerabilities.
Concerns About Data Privacy
Several concerns have been raised about the lack of data privacy in DeepSeek's services. Users have pointed to the terms and conditions, which permit the collection of keystroke patterns or rhythms, that is, how and how quickly a user types, a behavioural signal that can be used to identify an individual. The privacy policy also states that the company will retain information for as long as necessary, without giving any concrete retention period. This lack of data privacy could lead to unauthorized access to sensitive user information, misuse of data and violation of user privacy rights.
DeepSeek has also been observed collecting other identifiers and user information, such as IP address, email address, cookies, payment information and all interactions with its chat tool. It assigns a unique device ID and user ID to each user, which means a user can be tracked across multiple devices.
DeepSeek Cybersecurity Attack
On Monday (27 Jan 2025), DeepSeek confirmed outages on its website and announced that new registrations might be slow because of large-scale malicious attacks on its services. The company shared no details about the attack, but press reports suggested it was facing a distributed denial-of-service (DDoS) attack against its API and web chat platforms.
DEEPSEEK IDENTIFIERS
The uncertainty around DeepSeek's security guardrails has led many private and government organizations to block access to the company's models on their corporate networks. Cyberint, now a Check Point Company, has analyzed its domains and subdomains and curated two preliminary lists of identifiers related to DeepSeek: 241 domains and subdomains, and 78 IP addresses. They can be blocked using company-specific Microsoft Defender for Endpoint (MDE) tenants, DNS filters or other allow/deny lists.
Although these lists might not be exhaustive, they provide a good starting point for identifying the indicators, developing IOCs or blocking access to the tool. Two practical notes: every listed hostname sits under deepseek.com, so a single wildcard DNS rule covers them all, while the full list is most useful for matching historical proxy and DNS logs; and the IP list contains one duplicate (76.76.21.21) and several addresses in shared CDN and cloud-provider ranges, so prefer blocking by hostname and treat IP-only matches as lower-confidence.
RECOMMENDATIONS
Cyberint, now a Check Point Company, strongly recommends the following:
1. Raising awareness: Raise employee awareness of the potential risks of using DeepSeek. Until security researchers fully understand the nature of the company's models, caution and alertness are necessary.
2. Restricting access to the tool on corporate networks: Given the information so far, it is best practice to restrict employee access to the platform. This measure helps protect your corporate network until the security concerns have been addressed.
3. Avoiding sharing company information: Cyberint strongly advises against entering proprietary company information into the platform. Given its weak data privacy policies, be cautious and protective of your company's sensitive data.
Domains and IP Addresses Relating to DeepSeek
deepseek.com | ssl.deepseek.com | relay1.deepseek.com |
platform.deepseek.com | vip.deepseek.com | relay2.deepseek.com |
status.deepseek.com | vps.deepseek.com | remote.deepseek.com |
api-docs.deepseek.com | auth.deepseek.com | smtp01.deepseek.com |
chat.deepseek.com | blog.deepseek.com | static.deepseek.com |
sqlserver.yinghuo.deepseek.com | beta20240807.chat.deepseek.com | zimbra.deepseek.com |
api.deepseek.com | home.deepseek.com | clearml.deepseek.com |
oauth2callback.deepseek.com | sc.mail.deepseek.com | copilot.deepseek.com |
download.deepseek.com | ptr1.sc.mail.deepseek.com | gateway.deepseek.com |
cdn.deepseek.com | ptr2.sc.mail.deepseek.com | grafana.deepseek.com |
file2.deepseek.com | smtp.mail.deepseek.com | mailapp.deepseek.com |
mail.deepseek.com | mta1.deepseek.com | mailsrv.deepseek.com |
coder.deepseek.com | mx01.deepseek.com | newmail.deepseek.com |
ss.deepseek.com | mx02.deepseek.com | outmail.deepseek.com |
argocd.deepseek.com | mx10.deepseek.com | proxies.deepseek.com |
attack.deepseek.com | pop3.deepseek.com | server1.deepseek.com |
platform-test.deepseek.com | post.deepseek.com | webmail.deepseek.com |
test.deepseek.com | root.deepseek.com | 0.yinghuo.deepseek.com |
gitlab.deepseek.com | seed.deepseek.com | 3.yinghuo.deepseek.com |
yinghuo.deepseek.com | smtp.deepseek.com | 4.yinghuo.deepseek.com |
api-test.deepseek.com | spam.deepseek.com | a.yinghuo.deepseek.com |
cocopilot.deepseek.com | thor.deepseek.com | o.yinghuo.deepseek.com |
chat-test.deepseek.com | vnet.deepseek.com | q.yinghuo.deepseek.com |
en.deepseek.com | admin.deepseek.com | y.yinghuo.deepseek.com |
api-openai-us1.deepseek.com | email.deepseek.com | 13.yinghuo.deepseek.com |
m.deepseek.com | mail2.deepseek.com | da.yinghuo.deepseek.com |
cs.deepseek.com | mail3.deepseek.com | hw.yinghuo.deepseek.com |
gw.deepseek.com | mail5.deepseek.com | is.yinghuo.deepseek.com |
mx.deepseek.com | mail8.deepseek.com | kb.yinghuo.deepseek.com |
ns.deepseek.com | mail9.deepseek.com | lb.yinghuo.deepseek.com |
aim.deepseek.com | posta.deepseek.com | mb.yinghuo.deepseek.com |
art.deepseek.com | relay.deepseek.com | my.yinghuo.deepseek.com |
box.deepseek.com | smtp1.deepseek.com | ox.yinghuo.deepseek.com |
cis.deepseek.com | smtp2.deepseek.com | pm.yinghuo.deepseek.com |
com.deepseek.com | smtp3.deepseek.com | qa.yinghuo.deepseek.com |
dev.deepseek.com | smtps.deepseek.com | s6.yinghuo.deepseek.com |
eml.deepseek.com | tiger.deepseek.com | sc.yinghuo.deepseek.com |
ipe.deepseek.com | wandb.deepseek.com | ptr2.sc.yinghuo.deepseek.com |
ms1.deepseek.com | zmail.deepseek.com | sv.yinghuo.deepseek.com |
mx0.deepseek.com | direct.deepseek.com | v3.yinghuo.deepseek.com |
mx1.deepseek.com | hermes.deepseek.com | w2.yinghuo.deepseek.com |
mx2.deepseek.com | mail01.deepseek.com | cdn.yinghuo.deepseek.com |
104.143.9.110 | 104.18.27.90 | 54.215.62.21 |
199.91.74.220 | 104.143.9.111 | 110.40.132.52 |
76.76.21.21 | 90.84.249.33 | 13.248.169.48 |
122.8.180.101 | 2a05:d014:58f:6200::65 | 18.245.31.82 |
34.102.136.180 | 189.1.217.84 | 172.67.135.19 |
108.156.201.53 | 52.128.23.153 | 60.204.193.34 |
104.21.6.175 | 108.156.201.67 | 76.223.54.146 |
45.56.79.23 | 2606:4700:3037::ac43:8713 | 108.156.201.8 |
45.33.2.79 | 190.92.204.164 | 2606:4700:3036::6815:6af |
108.156.201.98 | 45.33.18.44 | 213.250.129.127 |
124.71.128.233 | 13.226.22.12 | 45.33.20.235 |
100.28.201.155 | 94.74.87.192 | 13.226.22.39 |
45.33.23.183 | 34.234.106.80 | 1.94.179.165 |
13.226.22.87 | 45.33.30.197 | 76.76.21.21 |
199.91.74.176 | 13.226.22.8 | 45.79.19.196 |
3.24.193.232 | 199.91.74.177 | 18.245.31.92 |
72.14.178.174 | 3.75.10.80 | 199.91.74.178 |
99.84.203.21 | 72.14.185.43 | 3.124.100.143 |
199.91.74.187 | 99.84.203.57 | 96.126.123.244 |
3.125.36.175 | 199.91.74.188 | 99.84.203.73 |
173.255.194.134 | 3.107.135.208 | 199.91.74.214 |
99.84.203.97 | 198.58.118.167 | 13.248.155.104 |
199.91.74.215 | 110.41.227.233 | 75.2.26.18 |
76.223.27.102 | 199.91.74.216 | 159.138.5.218 |
99.83.153.108 | 13.238.3.121 | 199.91.74.217 |
104.18.26.90 | 13.52.115.166 | 199.91.74.218 |
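The script below is an added example, not part of the Cyberint list or its tooling, showing how to turn the table above into something enforceable. It reads rows in the same pipe-separated layout (a short excerpt is embedded, constructed for the example and including the IPv6 entry and the duplicated 76.76.21.21), validates and deduplicates them with the standard library, matches hostnames on label boundaries so that subdomains are caught but look-alikes such as deepseek.com.example are not, emits DNS Response Policy Zone (RPZ) records, and runs the indicators over a few constructed proxy log lines. Because every listed hostname is under deepseek.com, the RPZ output collapses to the apex plus a wildcard; the long list still earns its keep when hunting in historical logs.

```python
"""Normalize the DeepSeek indicator list, emit DNS RPZ rules and match proxy logs."""
from __future__ import annotations

import ipaddress
import re

# Constructed excerpt in the article's "a | b | c |" layout; the full list is above.
RAW_ROWS = """
deepseek.com | ssl.deepseek.com | relay1.deepseek.com |
api.deepseek.com | home.deepseek.com | clearml.deepseek.com |
104.143.9.110 | 104.18.27.90 | 54.215.62.21 |
122.8.180.101 | 2a05:d014:58f:6200::65 | 18.245.31.82 |
13.226.22.87 | 45.33.30.197 | 76.76.21.21 |
76.76.21.21 | 90.84.249.33 | 13.248.169.48 |
"""

# RFC 1123 style hostname: dot-separated labels of up to 63 chars, alphabetic TLD.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def parse_indicators(text: str) -> tuple[set[str], set[str]]:
    """Split the pipe-separated table into validated, deduplicated domains and IPs."""
    domains: set[str] = set()
    ips: set[str] = set()
    for cell in re.split(r"[|\n]", text):
        tok = cell.strip().lower()
        if not tok:
            continue
        try:
            # ip_address() handles both IPv4 and IPv6; str() gives a canonical form
            ips.add(str(ipaddress.ip_address(tok)))
            continue
        except ValueError:
            pass
        if HOSTNAME_RE.match(tok):
            domains.add(tok)
        else:
            raise ValueError(f"unrecognised indicator: {tok!r}")
    return domains, ips


def host_is_blocked(host: str, domains: set[str]) -> bool:
    """True if host equals a listed domain or is a subdomain of one.

    Matching walks label by label (a.b.deepseek.com -> b.deepseek.com -> deepseek.com),
    so a look-alike such as deepseek.com.evil.example never matches.
    """
    labels = host.strip().lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def ip_is_blocked(ip: str, ips: set[str]) -> bool:
    """Canonicalize before comparing so IPv6 spelling differences do not cause misses."""
    try:
        return str(ipaddress.ip_address(ip)) in ips
    except ValueError:
        return False


def to_rpz(domains: set[str]) -> list[str]:
    """Emit RPZ records (CNAME . = NXDOMAIN) for each apex and its subdomains."""
    apexes = {".".join(d.split(".")[-2:]) for d in domains}
    lines = []
    for apex in sorted(apexes):
        lines.append(f"{apex} CNAME .")
        lines.append(f"*.{apex} CNAME .")
    return lines


# Constructed proxy log lines (not real traffic): "<ts> <src_ip> <dst_host> <dst_ip> <status>"
SAMPLE_LOG = """
2025-01-30T10:02:11Z 10.1.4.23 chat.deepseek.com 104.18.27.90 200
2025-01-30T10:02:15Z 10.1.4.23 www.example.com 93.184.216.34 200
2025-01-30T10:03:40Z 10.1.7.8 deepseek.com.evil-lookalike.test 203.0.113.5 200
2025-01-30T10:05:02Z 10.1.9.2 cdn.example.net 76.76.21.21 200
"""


def scan_log(log: str, domains: set[str], ips: set[str]) -> list[tuple[str, str, str]]:
    """Return (timestamp, source, reason) for every line touching a listed domain or IP."""
    hits = []
    for line in log.strip().splitlines():
        ts, src, host, dst_ip, _status = line.split()
        if host_is_blocked(host, domains):
            hits.append((ts, src, f"domain:{host}"))
        elif ip_is_blocked(dst_ip, ips):
            # IP-only hits are lower confidence: shared CDN addresses serve other sites too
            hits.append((ts, src, f"ip:{dst_ip}"))
    return hits


if __name__ == "__main__":
    doms, addrs = parse_indicators(RAW_ROWS)
    print(f"{len(doms)} domains, {len(addrs)} IPs after deduplication")
    print("\n".join(to_rpz(doms)))
    for hit in scan_log(SAMPLE_LOG, doms, addrs):
        print(*hit)
```

The last sample line illustrates the caveat from the identifiers section: 76.76.21.21 is matched purely by address, which is worth an analyst's look but not an automatic verdict, whereas the hostname hit on chat.deepseek.com is unambiguous.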
About Cyberint, a Check Point Company
Cyberint, now a Check Point company, reduces risk by helping organizations detect and mitigate external cyber threats before they have an adverse impact. The Check Point External Risk Management solution provides superior visibility through continuous discovery of the evolving attack surface, combined with the automated collection and analysis of vast quantities of intelligence from across the open, deep and dark web.