Yes, ChatGPT can write malicious code — but not well

Published on January 27th, 2023

Welcome to The Cybersecurity 202! I accidentally sparked some fake-meat debates with yesterday’s chatter. For the record, Beyond Burger is good, but I prefer Impossible Burger. Also, I still sometimes dig “fake meat” that isn’t even really trying much to taste like meat, like a spicy black bean burger. 

Below: Greece continues to grapple with a spyware scandal, and authorities say they’ve arrested someone who sold data on millions of Austrians. First:

Hackers are using this AI chatbot as a weapon, but it only can do so much — for now

ChatGPT users have used the artificial intelligence chatbot for a wide-ranging array of tasks, employing it to draft legislation, compose a rap song about tech CEO qualifications and write a cover letter to apply for a job as a professional consumer of dog food.

Naturally, the AI tool has been a subject of fascination in the cybersecurity world, too. For now, ChatGPT’s potential impact in areas such as writing malware is real but limited, concludes a report from Recorded Future out this morning.

Within days of ChatGPT’s launch nearly two months ago, Recorded Future’s report found examples on the dark web of cybercriminals advertising “buggy, but functional, malware, social engineering tutorials, scams and moneymaking schemes, and more,” all enabled by ChatGPT. 

“While none of these activities have risen to the seriousness of impact of ransomware, data extortion, denial-of-service, cyberterrorism, and so on — these attack vectors remain future possibilities,” the cybersecurity firm’s report reads. Recorded Future also said the malicious material they examined falls short of the caliber of malware that nation-backed hackers would use, pointing to additional limitations for the time being.

The potential cyber uses for ChatGPT don’t stop at malware, either. They include applications like developing phishing lures and spreading misinformation — or even, on the other side of the coin, helping cyber pros counter cyberthreats.

The Recorded Future report builds on a solid body of cyber-related studies and examinations of ChatGPT and tools like it:

  • Last month, cyber firm Check Point demonstrated how researchers could use ChatGPT to generate every step of the process by which hackers infect victims. Later research from the company found examples of how Russian hackers were trying to get around safeguards from its developer, OpenAI, that are meant to prevent its abuse.
  • OpenAI researchers themselves collaborated with Stanford University and Georgetown University — although mostly before ChatGPT launched — on a report released this month that warns about the dangers of AI-assisted influence campaigns. On Monday, researchers from NewsGuard, which monitors online misinformation, produced a study about how effective ChatGPT was at writing “eloquent, false and misleading” misinformation 80 percent of the time.
  • CyberArk researchers last week went so far as to conclude that ChatGPT could write malware capable of mutating its appearance to dodge detection. And Redditors are among those who have crowdsourced cyber options for ChatGPT.

But it’s not all bad. Juan Andres Guerrero-Saade, senior director of SentinelLabs at the cybersecurity company SentinelOne, told Bloomberg News’s Katrina Manson that ChatGPT is more knowledgeable about computer code than he is when it comes to trying to learn the secrets of malicious code.

“There’s really not that many malware analysts in the world right now,” he said. “So this is a sizable force multiplier.”

The material Recorded Future found on the dark web wasn’t just stereotypical cybercriminal bluster, as the firm was able to replicate the work independently. It wasn’t entirely free of self-promotion, of course: Some of the forum members touted the above-mentioned studies, and news articles about them, to hype their bona fides.

There were, however, limits to the quality of the ChatGPT-enabled malware. “We do not believe, at this moment, that nation-state actors have a use for ChatGPT that is more effective than current tools and resources available to them,” Recorded Future said.

One of the most important lessons of ChatGPT studies so far is that it matters an awful lot who uses it.

“We believe that ChatGPT lowers the barrier to entry for threat actors with limited programming abilities or technical skills,” Recorded Future’s report observed. “In order to maximize its use, ChatGPT does require at least a basic-to-intermediate level of understanding in the fundamentals of cybersecurity and computer science. ChatGPT is not immediately usable out of ‘the box,’ without prior knowledge.”

Or, as Johns Hopkins’s Thomas Rid put it after several days of class with ChatGPT:

Limits today, though, don’t necessarily mean limits tomorrow.

“With the continued development of advanced artificial intelligence models like ChatGPT, we expect these technologies to see increases in speed, accuracy, and comprehension, which may provide additional functionality to handle more complex tasks in the future,” Recorded Future said in the conclusion of its report. 

“Notably, these tasks could include handling inputs from a wide array of data types — far beyond simple text-based formats — potentially providing bad actors additional avenues to quickly assemble code or other malicious infrastructure.”

Greece’s opposition leader called for a censure vote amid spyware scandal

Alexis Tsipras, who is a former Greek prime minister, said that Labor Minister Konstantinos Hatzidakis was wiretapped when he was the country’s energy minister, and military officials were also surveilled, Bloomberg News’s Sotiris Nikas reports. Tsipras has called for a censure vote against the government, which will be held Friday. He has accused Greek Prime Minister Kyriakos Mitsotakis of being behind the spying.

Greece’s government has been roiled by the spyware scandal for months. “The spy scandal in Greece broke in August and since then Mitsotakis has been under pressure from the opposition because his office oversees the spy agency,” Nikas writes. “The national intelligence service was revealed to have been spying on Nikos Androulakis, the leader of Greece’s opposition socialist [PASOK] party, as well as on a reporter investigating powerful business figures. As a result, the general secretary of Mitsotakis’s office, who is also the premier’s nephew, resigned, along with the head of the spy unit at the time. Mitsotakis has admitted that the surveillance was conducted, but he has repeatedly said he wasn’t behind it.”

Government spokesman Ioannis Oikonomou told Bloomberg News that the country’s government and prime minister didn’t know about the spying. “No information and no evidence ever came to their knowledge,” Oikonomou said.

Police say they arrested Dutch seller of addresses and birth dates of nearly everyone in Austria

Austria’s Gebühren Info Service, which collects television broadcasting fees, hired a contractor to restructure a database, but they may have accidentally used real data on a testing server that was publicly accessible, Austria Press Agency reports. The data — which had around 9 million rows in all — was apparently online for a week, and someone on a hacking forum offered the data for sale.

Investigators purchased the data for several thousand euros and investigated the identity of the seller, who they said is a 25-year-old Dutch citizen who was arrested in November.

Austrian police warned that “[s]ince this data was freely available on the [i]nternet, it must absolutely be assumed that these registration data are, in full or in part, irrevocably in the hands of criminals,” Reuters reported.

Hackers targeted federal agencies with refund scams

Cybersecurity officials say that the hackers sent federal employees phishing emails and were able to steal money from their bank accounts after they downloaded remote monitoring and management software, the Record’s Jonathan Greig reports. Employees of at least two federal civilian agencies were targeted, the officials said.

“CISA and the NSA warned that while this specific campaign was financially motivated, there are concerns that this tactic could be used for other nefarious purposes,” Greig writes. “The agencies theorized that threat actors could sell access to an exploited victim to government-backed hacking groups — noting that both cybercriminals and nation-states use RMM software as a backdoor to maintain their access to a system.”

Experian glitch exposing credit files lasted 47 days (Krebs on Security)

Exploit released for Microsoft bug allowing attacker to masquerade as legitimate entity (The Record)

British cyber agency issues warning over Russian and Iranian espionage campaigns (The Record)

U.S. intelligence wants to use psychology to avert cyberattacks (Wall Street Journal)

  • The Senate Foreign Relations Committee holds a hearing on countering Russia today at 10:30 a.m.
  • Cristiano Lima, who hosts The Technology 202 newsletter, moderates an R Street Institute event on privacy and security legislation today at 4 p.m.

Thanks for reading. See you tomorrow.


