Cyber-criminals are infamous for their ability to pivot quickly in the face of improving defenses and keeping up with their evolving tactics, techniques and procedures (TTPs) is a huge challenge for security professionals.
During Infosecurity Europe 2023, Infosecurity Magazine spoke to a range of security experts on the attack trends they are observing and that organizations must be aware of. These primarily revolved around two key areas – malicious use of AI tools such as ChatGPT and identity-based attacks.
Nefarious Use of ChatGPT and AI
Craig Terron, Director of Global Issues, Insikt Group at Recorded Future, said that financially-motivated cyber-criminals are making far more extensive use of AI tools than nation-state actors so far, with these technologies lowering the barrier to entry to engage in cybercrime.
“Immediately as ChatGPT was launched, cyber-criminals on many different forums were talking about it – they immediately saw the opportunity just like the rest of us did,” he told Infosecurity.
One major way the AI chatbot is now being utilized is in leveraging malware. Terron explained that this comes under two categories – one is helping to build new malware and the other AI embedded malware. The latter is “where malware decides the best way to compromise a particular victim – we’re seeing more on the AI-aided side right now,” commented Terron.
A particular concern is ChatGPT’s role in creating polymorphic malware, which uses an encryption key to change its shape and signature to evade detection. Terron added: “There have been some cases where we’ve seen ChatGPT be used to develop polymorphic malware to overcome antivirus solutions.”
Another trend is the use of ChatGPT to assist more sophisticated phishing campaigns. “You can ask ChatGPT to write an email that appeals to authority, urgency and emotion,” noted Terron.
Adenike Cosgrove, VP, cybersecurity strategist for EMEA at Proofpoint, said that cyber-criminals are using tools like ChatGPT and Bard to create country-specific phishing campaigns, which remove language-barriers. “They’re using these tools to create country-specific lures that are much more convincing because you’re using these tools to create in-language phishing messages,” she said.
Terron also highlighted the growing use of deepfake voice cloning technology to for scams and misinformation purposes. While deepfake audio and video remains relatively easy to recognize, audio impersonations of public figures who have done a lot of public speeches is now highly accurate as “its based on the data out there.”
Identity-Based Attacks
Cosgrove observed that while cyber-criminals have long targeted individuals to bypass technical controls, the methods they are using to do so are changing.
In particular, they are finding novel ways to overcome privileged access management (PAM) and multi-factor authentication (MFA) to continue targeting individuals’ identities.
“They want to use that individual’s trusted identity to install malware, get access to the domain, escalate privileges and get access to other parts of your organization,” she outlined, adding: “In 2023, your identity is your crown jewels.”
One MFA bypass technique Cosgrove was keen to highlight was reverse proxy, which enables threat actors to steal users’ credentials and MFA codes by redirecting them to lookalike websites.
Harman Singh, Managing Director and Consultant at Cyphere, has observed rising ‘MFA bombing’ attacks as a growing means of bypassing extra layers of authentication. This is where attackers repeatedly send second-factor authentication requests to the target victim’s email, phone or registered devices until they finally accept the request.
It is for this reason that Richard Meeus, Director of Security Technology and Strategy EMEA at Akamai, describes MFA as both “a blessing and a curse.” While it reduces the risk of compromise, it can also lead to complacency with organizations believing it is a magic bullet when this is no longer the case.
Another approach to identity-based attacks being seen by Cosgrove and Singh is the compromise of third-party suppliers’ credentials to target organizations, which are very hard to detect.
Singh gave the example of multi-stage adversary in the middle attacks (AiTM) against banking and financial services organizations “where the attack originates from a compromised trusted vendor and then threat actors infiltrate via AiTM and business email compromise (BEC) attacks across multiple organizations.”
He added: “This is a trust abuse attack vector between suppliers, vendors and partners.”
During Infosecurity Europe 2023, Bitdefender released a new report analyzing custom malware called RDStealer. This malware utilized the DLL sideloading technique, which Richard De La Torre, Technical Marketing Manager at Bitdefender, said “is becoming an increasing way that attackers are exploiting different operating systems vulnerabilities.”
In the case of the RDStealer malware, De La Torre noted that it aims to steal passwords and intercept tokens – “so its stealing credentials and that’s something new, we haven’t seen that before,” he outlined.