Threat Landscape Briefing
March 2023
Agenda
Can ChatGPT Become a Cybersecurity Threat?
A look into how polymorphic malware is created.
Security Leaders Weigh ChatGPT’s Potential for Good and Evil
AI helps threat actors, too.
Canadian Tool Manufacturer Hit by Cyber Attack
Unpacking the alarming disruption caused by cyberattacks.
The FBI’s Role in Combatting Ransomware
From negotiation to prevention.
Erythrite Emerges as a Legitimate Industrial Cybersecurity Threat Actor
IoT is also a target.
A Technique That Allows Persistence Through AWS User Federation
Threat actors can persist after credentials have been revoked.
Can ChatGPT Become a Cybersecurity Threat?
A look into how polymorphic malware is created.
Description
Summary:
• The rise of ChatGPT, an AI-powered chatbot, has been making headlines for its ability to respond to sophisticated queries. Since its release less than four months ago, various organizations have been looking into leveraging this technology to stay competitive in their industries.
• However, the technological advancement of ChatGPT has opened opportunities for threat actors to potentially use the chatbot for their malicious activities.
• Researchers have identified techniques that can be used to create malware using ChatGPT. Their queries, which command the chatbot to create non-malicious code using Python, bypass the content filters that are set to prevent ChatGPT from creating malicious tools.
• This was done by researchers asking ChatGPT more direct, open-ended queries, which instructed it to obey the command provided, including using multiple constraints to create the code.
• The researchers were also able to mutate the malware by prompting ChatGPT to create multiple variations of the code, which enables the possibility for the malware to be polymorphic. This could ultimately expand the security threat landscape, as it would be difficult to detect the malware if it is constantly mutating.
Ahmad Jowhar
Research Specialist
Source: Gizmodo, DarkReading, Infosecurity Magazine
Can ChatGPT Become a Cybersecurity Threat?
A look into how polymorphic malware is created.
Analyst Perspective
• Although ChatGPT is a new technology that has attracted many industries to harness the benefits it provides, its potential security impact and risks need to be studied further. Its ability to create polymorphic malware from non-malicious code shows the potential sophistication of this technology when used by bad actors.
• Organizations should be aware of these types of emerging threats and work with subject matter experts to identify mitigation strategies for them. This includes reviewing their ransomware mitigation and response plan, as well as identifying the crown jewels they must protect from future attacks.
Recommendations
• Related Info-Tech Research
o Build an Information Security Strategy
o Build Resilience Against Ransomware Attacks
• Further information
o CyberArk
o The Stack Technology
o Infosecurity Magazine
o DarkReading
Security Leaders Weigh ChatGPT’s Potential for Good and Evil
AI helps threat actors, too.
Description
Summary:
• 51% of security leaders believe that ChatGPT will be used in a cyberattack within the next twelve months, and 71% believe that nation states are already using this technology against foreign adversaries.
• The fear is that ChatGPT will help threat actors produce more effective phishing emails, write more complex malware, disseminate misinformation more easily, and help less-skilled attackers overcome their technical gaps to achieve these ends, thus elevating cyber risk globally.
• Presently, detection of ChatGPT-based attacks remains the same as for standard attacks, though it is possible that in the future such technology may make detection more difficult.
• Calls to regulate the technology will likely grow in the near term, with the majority of IT professionals believing it is necessary.
Logan Rohde
Senior Research Analyst
Source: Infosecurity Magazine, Blackberry
Security Leaders Weigh ChatGPT’s Potential for Good and Evil
AI helps threat actors, too.
Analyst Perspective
• Keep an eye on ChatGPT-related risks, but don’t panic. Just like the benefits of ChatGPT, a lot of the fears surrounding it are still hypothetical.
• Right now ChatGPT is not surpassing what attackers can do on their own, so normal risk considerations apply.
Recommendations
• Related Info-Tech Research
o Combine Security Risk Management Components Into One
Program
• Further information
o Infosecurity Magazine
o BlackBerry
Canadian Tool Manufacturer Hit by Cyber Attack
Unpacking the alarming disruption caused by cyberattacks.
Description
Summary:
• Canadian manufacturer Exco Technologies reported that three of its production facilities in the Large Mould Group were hit by a cyberattack. The company statement did not provide details about the nature of the attack or whether personal or corporate data was accessed, but independent experts have been hired to help the company deal with the issue.
• The company expects to have operations substantially restored and confirmed that customer shipments were not and are not expected to be materially interrupted. However, the firm temporarily disabled some computer systems while investigating the incident and is in the process of bringing these systems back online.
• Exco has two business segments: a casting and extrusion division with three business units, and an automotive solutions group with four businesses. According to the company's latest financial report, it had a profit of just under $19 million on sales of $498.9 million for the 12-month period ending September 30, 2022.
• While details of the attack are yet to be disclosed, it is believed not to be ransomware-related, according to Dave Masson, director of enterprise security for Darktrace Canada. He noted that in some cases, companies need to disable or shut down their manufacturing or production systems as a precaution, leading to delays in their overall business process, which can be more disruptive than the initial attack itself.
Danny Hammond
Research Analyst
Source: ITWorld Canada, GlobeNewswire
Canadian Tool Manufacturer Hit by Cyber Attack
Unpacking the alarming disruption caused by cyberattacks.
Analyst Perspective
• In the past, most cyberattacks were carried out by opportunistic hackers looking to make a quick profit, or by employees with limited knowledge of core security responsibilities. Today's cyberattacks are often highly targeted, well-planned, and financially motivated.
• While cyberattacks in general can be caused by both internal and external threat actors, they mostly result in significant financial and reputational damage, as well as disruptions to critical business operations. Therefore, organizations need to take a multilayered approach to security that includes both technical and non-technical controls. This approach includes implementing strong endpoint protection, regularly backing up critical data, training employees to identify and avoid phishing attacks, and having an incident response plan in place.
• In addition, organizations need to be proactive in monitoring for and responding to potential threats, including using threat intelligence to stay up to date on the latest tactics and tools used by cybercriminals.
Recommendations
• Related Info-Tech Research
o Build Resilience Against Ransomware Attacks
o Develop and Implement a Security Incident Management Program
o Secure Your High-Risk Data
• Further information
o ITWorld Canada
o GlobeNewswire
The FBI’s Role in Combatting Ransomware
From Negotiation to Prevention
Description
Summary:
• In January 2023, the FBI announced that it had infiltrated Hive, a major player in the ransomware space. The group extorted more than $100 million from 1,500 victims in 80 countries since 2021. The news highlighted the FBI’s role in combatting ransomware.
• The FBI has access to a wide local and global intelligence
network that can help organizations profile threat actors and
accelerate the analysis of common tactics and techniques. It
can also sometimes infiltrate ransomware gangs, steal
decryption keys without their knowledge, and share them with
victims to accelerate system recovery.
• Cyber criminals draw on a series of tactics and techniques to execute
their attacks, such as MITRE ATT&CK: T1027: Obfuscated Files or
Information; T1047: Windows Management Instrumentation; T1036:
Masquerading; T1059: Command and Scripting Interpreter; T1562:
Impair Defenses; T1112: Modify Registry; T1204: User Execution; T1055:
Process Injection; TA0010: Exfiltration; T1490: Inhibit System Recovery;
and T1486: Data Encrypted for Impact.
• Hence, the FBI recommends testing the resilience of information systems against these tactics and techniques, and implementing controls that can disrupt the workflows of attackers, such as Data Backup (M1053), Network Intrusion Prevention (M0931), and Network Segmentation (M0930). Ultimately, prevention is still the best strategy in dealing with ransomware threats.
Michel Hébert
Research Director
Source: NIST, CISA, FBI, DOJ
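As an added example that is not from the briefing or any of its cited sources, here is the kind of detection logic a SOC would run over process-creation telemetry to catch T1490 (Inhibit System Recovery) from the technique list above, i.e. shadow copy, backup catalogue and recovery-environment deletion, which is what the Data Backup (M1053) mitigation is meant to survive. The log lines, host names and the key=value field layout are constructed for this example (the field names loosely follow Sysmon event ID 1 and are an assumption); the command-line patterns are the ones MITRE documents under T1490.

```python
"""Flag process-creation events matching MITRE ATT&CK T1490 (Inhibit System Recovery).

Added example, not code from the briefing. Input format (constructed for the example):
one event per line, 'Key=Value' pairs separated by '|'.
"""
import re

# Command-line shapes MITRE lists under T1490. Each entry: (label, compiled regex).
# A ransomware payload typically runs these just before encryption so that
# volume shadow copies, backup catalogues and the recovery environment are gone.
T1490_PATTERNS = [
    ("vssadmin shadow deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic shadow deletion",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin catalog deletion",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("bcdedit recovery disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\b.*\bno\b", re.I)),
]


def parse_event(line):
    """Split a 'Key=Value|Key=Value' line into a dict (constructed log format)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify(cmdline):
    """Return the matching T1490 label for a command line, or None if benign."""
    for label, pattern in T1490_PATTERNS:
        if pattern.search(cmdline):
            return label
    return None


def detect_t1490(lines):
    """Run the patterns over raw event lines; return one alert dict per hit."""
    hits = []
    for line in lines:
        event = parse_event(line)
        label = classify(event.get("CommandLine", ""))
        if label is None:
            continue
        hits.append({
            "technique": "T1490",
            "label": label,
            "host": event.get("Host"),
            "user": event.get("User"),
            # The parent is worth surfacing: a shadow-copy wipe spawned from a
            # user's Temp directory is far more alarming than one from an admin shell.
            "parent": event.get("ParentImage"),
        })
    return hits


# Constructed sample telemetry: two benign events and three T1490 events.
SAMPLE_EVENTS = [
    "Host=WS-017|User=CORP\\jdoe|ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe report.txt",
    "Host=WS-017|User=CORP\\jdoe|ParentImage=C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"
    "|Image=C:\\Windows\\System32\\vssadmin.exe|CommandLine=vssadmin.exe Delete Shadows /All /Quiet",
    "Host=SRV-DB01|User=NT AUTHORITY\\SYSTEM|ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
    "|Image=C:\\Windows\\System32\\wbem\\WMIC.exe|CommandLine=wmic shadowcopy delete",
    "Host=SRV-BK02|User=CORP\\backupsvc|ParentImage=C:\\Program Files\\BackupAgent\\agent.exe"
    "|Image=C:\\Windows\\System32\\wbadmin.exe|CommandLine=wbadmin start backup -backupTarget:E:",
    "Host=WS-017|User=CORP\\jdoe|ParentImage=C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"
    "|Image=C:\\Windows\\System32\\bcdedit.exe|CommandLine=bcdedit /set {default} recoveryenabled No",
]

if __name__ == "__main__":
    for hit in detect_t1490(SAMPLE_EVENTS):
        print(f"[{hit['technique']}] {hit['label']} on {hit['host']} "
              f"as {hit['user']} (parent: {hit['parent']})")
```

The legitimate backup job (`wbadmin start backup`) is deliberately included so the rule can be checked against a false-positive case; a production rule would additionally whitelist known backup-agent parents and alert on the parent path, as the `parent` field here is meant to support.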
The FBI’s Role in Combatting Ransomware
From Negotiation to Prevention
Analyst Perspective
• The likelihood and impact of ransomware attacks on organizations of all sizes remains high. Conduct a ransomware resilience assessment and identify the protection, detection, response, and recovery capabilities you need to mitigate the risks they pose to your organization.
• Once an attack is underway, your priority is to contain the incident and initiate incident response and recovery plans. Recent events highlight the crucial role law enforcement can play in profiling the attacker and providing alternatives to victims who are feeling the pressure to pay a ransom.
Recommendations
• Related Info-Tech Research
o Build Resilience Against Ransomware Attacks
o Are Your Industrial Control Systems Safe From Ransomware?
o State/Provincial Government Cybersecurity & Risk Management Report
• Further information
o NISTIR 8374: Ransomware Risk Management
o CISA Cross-Sector Cybersecurity Performance Goals
o The FBI’s Perspective on Ransomware
o US Department of Justice Disrupts Hive Ransomware Variant
Erythrite Emerges as a Legitimate Industrial Cybersecurity Threat Actor
IoT is also a target.
Description
Summary:
• Erythrite is a relatively new threat actor, starting its operations in 2020. Initially Erythrite focused on oil and natural gas (ONG) service firms, followed by diversification to beverage, electric, and IT service providers that support the industrial sector. Thus, Erythrite poses a real concern, as around 20% of Fortune 500 firms have been attacked by the group so far.
• Historically, Erythrite mounted search engine optimization (SEO) poisoning campaigns in conjunction with an aggressive development lifecycle to evade endpoint protection and detection platforms. Furthermore, Erythrite malware is continuously being recompiled to evade detection and follows a two-pronged attack. First, it compromises legitimate websites to install its malware, then it uses a variety of techniques such as “cloaking” or “link farming” to increase the page rank of Erythrite-optimized search terms.
Carlos E. Rivera
Principal Research Advisor
Source: Dragos, DarkReading, ZDNet
Erythrite Emerges as a Legitimate Industrial Cybersecurity Threat Actor
IoT is also a target.
Analyst Perspective
• Search engine algorithms work by ranking the importance and trust of content based in part on the number of links to a web page. Erythrite’s attack exploits gaps in these algorithms by presenting links that lead users to its malware. In a recent example, the links injected by the Erythrite SEO poisoning led users to a poisoned PDF. Additionally, Erythrite leveraged a popular WordPress plugin, Formidable Forms, to upload hundreds of PDFs stuffed with large numbers of keywords, hoping to lure and poison a victim.
• Erythrite aims to steal credentials and sensitive information from an IT network, granting it remote access. This positions Erythrite as an initial access broker (IAB) to OT environments, joining other OT threat actors such as Conti and LockBit. Conti and LockBit 2.0 had 2021 on lock-down (no pun intended), executing more than 50% of attacks on the industrial sector. Of those, 70% were targeted at manufacturing firms, which is the most attractive industry for ransomware groups to go after.
Recommendations
• Related Info-Tech Research
o Build an Information Security Strategy
o Secure IT/OT Convergence
• Further information
o Dragos
o DarkReading
o ZDNet
A Technique That Allows Persistence Through AWS User Federation
Threat actors can persist after credentials have been revoked.
Description
Summary:
• CrowdStrike has observed attackers using a technique that allows them to persist in Amazon Web Services (AWS), despite the use of common containment practices by incident responders. The technique relies on the use of valid API credentials to create a federated session through the AWS Security Token Service API.
• Fortunately, federated sessions cannot have permissions that exceed the base IAM user’s permissions, nor can they access the AWS command line interface. However, if the IAM user has the AttachUserPolicy or PutUserPolicy permissions, then the attacker will be able to escalate their privileges.
• The related MITRE ATT&CK techniques are T1098: Account
Manipulation and T1078.004: Valid Accounts: Cloud Accounts.
• The federated session allows attackers to maintain access even after the base user’s API credentials have been deactivated. This happens because the federated session’s temporary credentials are independent of the IAM user’s access keys; however, the session still inherits its permissions from the base IAM user, so responders can reduce or revoke privileges of the federated session by updating the policies on the base IAM user.
Bob Wilson, CISSP
Research Director, Security and Privacy
Source: CrowdStrike, AWS Security Blog, AWS STS API Reference
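The containment point above, worked through as an added example that is not from the briefing, CrowdStrike or AWS: a simplified model of IAM policy evaluation showing that deactivating the base user's access key leaves an already-minted GetFederationToken session working, while an explicit deny attached to the base user cuts it off; and a filter that pulls GetFederationToken calls out of CloudTrail, which is where a responder would look for sessions created before containment. The `IamUser` and `FederatedSession` classes, the user name, IP addresses and CloudTrail record values are constructed for the example; the CloudTrail field names (`eventSource`, `eventName`, `userIdentity`, `sourceIPAddress`) are the real ones. Resource and Condition elements are ignored, so this is a model of the allow/deny ordering, not a full IAM evaluator.

```python
"""Why key deactivation does not end a federated session, but an explicit deny does.

Added example, not code from the briefing or from AWS/CrowdStrike. Simplified
model: only Effect/Action are evaluated; Resource and Condition are ignored.
"""
import fnmatch
import json

# The deny-all policy the briefing recommends attaching to a compromised IAM user.
DENY_ALL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}],
}

# Constructed policy for the sample user: read/write anything in S3.
S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def deny_all_policy_json():
    """Policy document as it would be passed to PutUserPolicy."""
    return json.dumps(DENY_ALL_POLICY, indent=2)


def _matches(statement, action):
    actions = statement["Action"]
    if isinstance(actions, str):
        actions = [actions]
    return any(fnmatch.fnmatchcase(action, pattern) for pattern in actions)


def evaluate(policies, action):
    """IAM ordering: an explicit Deny wins, then any Allow, otherwise implicit deny."""
    decision = "deny"
    for policy in policies:
        for statement in policy["Statement"]:
            if not _matches(statement, action):
                continue
            if statement["Effect"] == "Deny":
                return "deny"
            decision = "allow"
    return decision


class IamUser:
    """Constructed stand-in for an IAM user with one long-lived access key."""
    def __init__(self, name, policies):
        self.name = name
        self.policies = list(policies)
        self.access_key_active = True


def direct_call(user, action):
    """A call signed with the long-lived access key: refused once the key is inactive."""
    if not user.access_key_active:
        return "deny"
    return evaluate(user.policies, action)


class FederatedSession:
    """Temporary credentials from GetFederationToken. They are separate from the
    access key that minted them (so key deactivation is not consulted), but every
    call is re-evaluated against the base user's current policies, intersected
    with the optional session policy."""
    def __init__(self, user, session_policy=None):
        self.user = user
        self.session_policy = session_policy

    def call(self, action):
        if self.session_policy is not None and evaluate([self.session_policy], action) != "allow":
            return "deny"
        return evaluate(self.user.policies, action)


def scenario():
    """Walk through containment of a compromised user holding a federated session."""
    user = IamUser("ci-deployer", [S3_POLICY])
    session = FederatedSession(user)  # minted by the attacker while the key was valid
    results = {"before_containment": session.call("s3:GetObject")}
    user.access_key_active = False    # conventional containment step
    results["key_direct_after_deactivation"] = direct_call(user, "s3:GetObject")
    results["session_after_key_deactivation"] = session.call("s3:GetObject")
    user.policies.append(DENY_ALL_POLICY)  # explicit deny on the base user
    results["session_after_deny_all"] = session.call("s3:GetObject")
    return results


# Constructed CloudTrail records; field names are CloudTrail's, values are made up.
SAMPLE_TRAIL = [
    {"eventSource": "sts.amazonaws.com", "eventName": "GetFederationToken",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deployer"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deployer"},
     "sourceIPAddress": "10.0.4.2"},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deployer"},
     "sourceIPAddress": "10.0.4.2"},
]


def federation_events(records):
    """(userName, sourceIP) for every GetFederationToken call: sessions to hunt for."""
    return [(r["userIdentity"].get("userName"), r["sourceIPAddress"]) for r in records
            if r["eventSource"] == "sts.amazonaws.com" and r["eventName"] == "GetFederationToken"]


if __name__ == "__main__":
    print(scenario())
    print(federation_events(SAMPLE_TRAIL))
    print(deny_all_policy_json())
```

In `scenario()` the session keeps returning "allow" after the key is deactivated and only flips to "deny" once the explicit deny is attached, which is the behaviour the briefing describes; `federation_events` is the CloudTrail query to run first, since any GetFederationToken call from a compromised user means such a session may exist.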
A Technique That Allows Persistence Through AWS User Federation
Threat actors can persist after credentials have been revoked.
Analyst Perspective
• This persistence technique demonstrates the need for responders to have a good understanding of the underlying technologies. The conventional thought is that containment can be achieved by deactivating the credentials of the compromised base user, but in this scenario that will not work.
• Thus, organizations should never configure API keys for the root user. Organizations should also avoid using IAM users and long-lived AWS API keys, which are needed to create federated sessions. Furthermore, when responding to compromised IAM users, a deny-all IAM policy must be applied to the compromised IAM user to override permissions inherited by the federated session.
Recommendations
• Related Info-Tech Research:
o Identify the Components of Your Cloud Security
Architecture
o Build a Cloud Security Strategy
• Further Information:
o CrowdStrike Blog
o AWS Security Blog
o AWS Security Token Service API Reference
Thank You