Bulletins //

NormCyber Threat Bulletin: 16th October 2024

Exploitation of ChatGPT and LLM Tools by Chinese and Iranian Hackers

Introduction
Recent findings from OpenAI have highlighted a concerning trend where state-sponsored hackers from China and Iran are leveraging ChatGPT and other Large Language Models (LLMs) to develop malware and conduct phishing attacks. This report delves into the specifics of these cyber attacks, the methodologies employed, and the implications for cyber security.

Overview of Cyber Attacks
OpenAI’s report has documented over 20 cyber attacks orchestrated using ChatGPT. These attacks have primarily involved the creation of malware, debugging malicious code, spreading misinformation, and executing spear-phishing campaigns. Notable incident:

  1. SweetSpecter Attack by Chinese Hackers:
    • Methodology: Utilised a spear-phishing technique involving a ZIP file containing a malicious payload. Once downloaded and executed, it initiated an infection chain on the victim’s system.
    • Tools Used: Multiple ChatGPT accounts were employed to develop scripts and identify vulnerabilities.
  2. CyberAv3ngers Attack by Iranian Hackers:
    • Methodology: Exploited vulnerabilities to steal user passwords from macOS-based systems.
    • Tools Used: ChatGPT was used to enhance the attack’s effectiveness by generating scripts and debugging code.
  3. Storm-0817 Attack by Iranian Hackers:
    • Methodology: Developed malware targeting Android devices, capable of extracting contact lists, call logs, browser history, and precise location data.
    • Tools Used: ChatGPT facilitated the creation of the malware and the exploitation of system vulnerabilities.

Implications for Cyber Security
The use of generative AI tools like ChatGPT by state-sponsored hackers poses significant challenges to cyber security. These tools can streamline the development of sophisticated malware and phishing campaigns, making it easier for malicious actors to execute attacks with minimal effort.

Mitigation Strategies

  1. Enhanced Monitoring and Detection:
    • Implement advanced monitoring systems to detect unusual activities associated with AI tools.
    • Collaborate with AI developers to identify and mitigate potential misuse of their platforms.
  2. AI Tool Safeguards:
    • Develop and enforce stricter usage policies for AI tools to prevent their exploitation.
    • Integrate robust security features within AI platforms to detect and block malicious activities.
  3. Industry Collaboration:
    • Foster collaboration between cyber security firms, AI developers, and governmental agencies to share intelligence and develop comprehensive defence strategies.

References:
OpenAI confirms threat actors use ChatGPT to write malware (bleepingcomputer.com)
Hackers Misusing ChatGPT To Write Malware: OpenAI Report (techworm.net)
Yahoo is part of the Yahoo family of brands (yahoo.com)
Disrupting malicious uses of AI by state-affiliated threat actors (openai.com)

Remcos RAT distributed through phishing campaigns utilising GitHub repositories

A recent phishing campaign that utilises GitHub links to evade Secure Email Gateway security and distributes Remcos RAT malware has been detected.

What happened?
Phishing emails claiming to assist users with tax filing after the April deadline were distributed during late Q2 2024. The tax-themed malware appears to have only targeted the finance and insurance industries. The emails encouraged the recipients to click the attached GitHub link which would give them an archive of tax-related documents. However, the archive was password protected and contained not PDFs but Remcos RAT.

Fig 1 (example of phishing email containing GitHub link (Cofense.com)

What is Remcos RAT?
Remcos is a Remote Access Trojan (RAT) often deployed through phishing attacks, it is frequently hidden in ZIP files which claim to be invoice or order-related PDFs. After a computer is infected with Remcos it provides backdoor access for the attacker and accumulates sensitive information from the infected machine.

What is a repository and how does it assist in the spread of malware?
A repository is a shared or individually owned locker for code, files and file revision history. Threat actors tend to use less popular and less trusted repositories in their phishing campaigns. However, trusted repositories from HMRC, Inland Revenue and US Taxes have been observed in this campaign.

GitHub is a platform that allows collaboration on software projects between developers. This collaboration stems from the comment sections, allowing users to provide recommendations for new features, receive requests and contribute microtasks.

The malware does not exist in the repository code itself in this instance, the malware was distributed via comment sections of genuine GitHub repositories for genuine tax companies like HMRC. This allows the malware file to be associated with that legitimate repository without altering the source code, and the link to the malware remains alive even if the comment is removed.

References:
Remcos Malware (checkpoint.com)
Tax Extension Malware Campaign: Threat Actors Target GitHub Comment Section to Bypass Secure Email Gateways (cofense.com)
About repositories (docs.github.com)



Patch Management is the unsung hero of Business Continuity

Passwords are the first line of defence against unauthorised access to computer systems and data. Let’s be honest; patch management isn’t flashy. It doesn’t get the same attention as shiny new software or next-gen security tools. When it comes to keeping your business running smoothly, patch management is the behind-the-scenes hero that gets the job done. In fact, it’s one of the most critical pieces of any solid Business Continuity Plan (BCP). In today’s world, where Chained AI and Cybercrime-as-a-Service (CaaS) tactics are supercharging cyber attacks, patch management isn’t just a technical requirement, it’s the backbone of business continuity. Skip it, and your business could be vulnerable to devastating attacks that could cripple your operations and damage your bottom line and reputation.

Why Patching is a big deal
Software vulnerabilities are inevitable. No matter how good the software is, bugs and security flaws will crop up over time. Vendors regularly release patches to fix these issues, but if you don’t apply them in a timely manner, you’re leaving the door wide open to a host of potential threats. From cyber attacks to system failures, and yes, dreaded downtime.

The Rapid7 2024 Attack Intelligence Report highlights that, in 2023, more widespread compromise events were triggered by zero-day vulnerabilities than by previously known vulnerabilities (n-day). These zero-days accounted for 53% of widely exploited threats, reflecting a significant risk for organisations that fail to implement prompt patching.

In today’s evolving threat landscape, patch management is key to defending against zero-day vulnerabilities and supply chain attacks. Zero-day vulnerabilities are particularly dangerous because attackers exploit them before the software vendor is even aware they exist. These types of vulnerabilities are becoming more common, and hackers are quick to capitalise on them. If your patching process is slow, you are giving attackers an opportunity to strike.

The Catch: Patching Isn’t Always Easy
At first glance, patching seems simple, apply the patch, move on. The reality, however, is a little more complicated. Sometimes, patches come with their own challenges. Deploy a patch without properly testing it, and you could find yourself in a situation where the very update meant to protect your business causes disruption instead.

The concept of “Time to Known Exploitation” (TTKE) shows that more than 55% of exploited vulnerabilities were attacked within one week of public disclosure​. Testing patches can also be resource intensive. As your organisation scales, the number of systems to patch grows, and testing each one for every patch can be overwhelming. This is where patch fatigue sets in, too many patches, not enough time.

Zero-day vulnerabilities, supply chain threats, and ransomware attacks don’t wait for you to catch up and when organisations fall behind, they leave their systems vulnerable to exploitation.

Patch Management and Business Continuity go hand-in-hand.
Here’s the bottom line: patch management is critical to business continuity. It’s not just about keeping your software up to date, it’s about keeping your business resilient in an increasingly fast-moving threat environment. With Chained AI driving more sophisticated attacks and CaaS offering hackers access to advanced tools, businesses that fail to prioritise patching are taking enormous risks.

Whether you’re dealing with a cyber attack, a natural disaster, or even a pandemic, you need systems that are secure and up to date. Well patched systems are more resilient, reducing downtime and allowing you to bounce back more quickly from disruptions.

Tackling Zero Days, Supply Chain Attacks, and AI-Driven threats
Businesses can stay ahead of the curve! The rise of zero-day vulnerabilities, supply chain attacks, and AI-driven threats means patch management needs to be a top priority. Automated tools like virtualisation and orchestration technologies can help lighten the load, providing testing environments that simulate real-world conditions before rolling out patches. Vulnerability management software can also help prioritise which patches are most critical based on the risks they pose to your business.

The threat from Chained AI—where cyber criminals combine multiple AI-driven tools to launch sophisticated, multi-layered attacks—along with CaaS, means that waiting too long to patch is no longer an option. Hackers are innovating faster than ever, and manual patching processes just can’t keep up. That’s why proactive, automated patching is key to staying one step ahead.

Wrapping it up
By staying on top of your patches, you’re not just protecting your IT systems, you’re safeguarding your entire business. Patch management might not grab headlines, but it is the foundation of a strong BCP; helping you navigate the complex world of modern cyber threats and ensuring that you can emerge stronger, no matter what challenges come your way.

Using Norm’s Vulnerability Management service can automate patch management and protect your systems against vulnerabilities like these, keeping you safe from potential exploits.

References:
Ransomware attacks have doubled thanks to AI (techradar.com)
Threat Predictions for 2024: Chained AI and CaaS Operations Give Attackers More “Easy” Buttons Than Ever | FortiGuard Labs (fortinet.com)
How to ensure cybersecurity and business continuity plans align (techtarget.com)
Prioritizing Patch Management Critical to Security (securityweek.com)
rapid7_2024_attack_intelligence_report.pdf (rapid7.com)

Get Norm’s threat bulletin direct to your inbox

Norm tracks and monitors the latest security trends and cyber threats and collates these into a fortnightly threat bulletin.

You can receive this bulletin for free, every fortnight, by entering your business email address below: