Cybercriminals taking advantage of the latest AI technology was the predominant theme during a recent talk by cybersecurity experts reviewing their contenders for the most dangerous forms of cyberattacks we can expect in 2023.
Key themes unveiled at the four-day RSA Conference in San Francisco included the intersection of AI and the ways attackers take advantage of highly flexible development environments.
Here’s a quick rundown of their predictions for the most dangerous forms of cyberattacks to be aware of throughout 2023:
- SEO-Driven Attacks
Businesses use search engine optimization (SEO) to reach potential customers by boosting the rankings of certain terms to help market their products and drive traffic to increase revenue. Cybercriminals take advantage of SEO to boost the rankings of malware-laden sites in order to send more victims their way, explained Katie Nickels, senior director of digital intelligence for Red Canary and a SANS instructor. She said that as security defenders do a better job of blocking outbound clicks to malicious sites by blocking phishing attempts and the like, cybercriminals are savvy about luring them through watering hole attacks.
“So, imagine some of you are in marketing and you’re using search engine optimization to get your company’s results to the top,” Nickels said. “Well, adversaries do the same thing, but for evil, right? They use keywords and other SEO techniques to make sure their results, their malicious websites, are at the top of those search engine results.”
Similar to how marketers utilize both organic search techniques via SEO and paid search techniques utilizing advertising, cybercriminals are doing the same. Nickels said drive-by attacks are also similarly fueled by malicious advertising (malvertising) campaigns that artificially boost the rankings of sites for certain keywords.
She shared as an example a lookalike campaign for a free piece of 3D graphic software called Blender.
“Search for that and you get a couple ads and a couple of results,” she said. “That first ad, that’s bad. Second one, if I click that, that would also be into a malicious website. The third one’s gotta be legit, right? No, in this case, the third ad was also malicious. It’s not until the fourth result on that keyword that you get the legitimate software website.”
Contributing to the challenge of these high rankings, she said that the lookalike sites are nearly identical to the legitimate Blender website, as the bad guys are getting really good at mimicking sites.
While neither SEO-boosted attacks nor malvertising are brand-new techniques, she noted, the reason she put them at the top of her list is the increasing prevalence of these attacks this year.
- Developers as a Target
Johannes Ullrich, dean of research for SANS Technology Institute College and head of the Internet Storm Center, said his top cyberattack tactic to watch for is targeting software and application developers.
“What I noticed last year, I think that’s something that’s really going to increase, is that attacks are specifically targeting developers,” Ullrich said. “We talk a lot about dependencies and malicious components. The first individual in your organization that’s exposed to these malicious components is the developer.”
Developers are an enticing target as they usually have elevated privileges across IT and business systems, systems which can be subverted to poison the software supply chain, and they tend to involve machines that are less locked down than the average user in order to enable them to experiment with code and readily ship software.
“A lot of this endpoint protection software is sort of geared towards your random corporate workstation,” Ullrich said. “They’re not necessarily used to or designed to protect systems that have developer tools installed.”
- Offensive Uses of AI
With the explosion of large language models (LLMs) like ChatGPT, defenders should expect attackers — even very non-technical ones — to ramp up their development of exploits and zero-day discovery utilizing these AI tools. This was the attack technique highlighted by Steven Sims, offensive operations curriculum lead for SANS and a longtime vulnerability researcher and exploit developer.
Sims walked through the ease with which he could get ChatGPT to uncover a zero-day. He demonstrated some prompts he used by pointing it at a piece of code vulnerable to the SigRed DNS flaw that recently came to light and had it explore that code to find the flaw as if it was a zero-day flaw.
Additionally, he demonstrated the prompts he used to get ChatGPT to help him write code for a simple piece of ransomware. Though ChatGPT does have some protections built into the system to refuse to develop ransomware code, he was able to convince it by breaking the pieces down into discrete parts.
“From a defensive perspective, there is basically nothing you can do. Sorry,” Sims told the audience. “Defensive depth is important. Expert mitigations is important. Understanding how this works is important. Writing your own AI and machine learning to understand more about it is important. These things are really all you can do because it’s out there and it’s amazing.”
- Weaponizing AI for Social Engineering
In addition to technical offensive uses of AI, expect attackers to ramp up their use of AI to make their social engineering and impersonation attempts even more convincing, said Heather Mahalik, director of digital intelligence for Cellebrite and digital forensics and incident response lead for SANS.
She illustrated her point with a social engineering experiment she conducted with her son in which she used ChatGPT to write convincing texts with emojis to sound like a 9-year-old girl asking her son to tell her his home address.