GoKawiilThe Google Threat Intelligence Group (GTIG) has just published a report on the hacktivities of blackhats everywhere, and the painted picture is quite sobering. Not only are attackers predictably using clankers to automate their efforts, but they're also putting them to rather creative use in almost every area of cybercrime, including developing at least one zero-day exploit. Even more concerning, malware that can modify its own source code and create exploit payloads dynamically, and even generate decoy code, has been detected.
The attack in question was a Python script that allowed bypassing 2FA in a "popular open-source, web-based system administration tool." According to the GTIG, the exploit's code bore all the hallmarks of AI usage and abuses a logic flaw. GTIG remarks that for authorization flows, even the latest LLMs "struggle to navigate complex enterprise [...] logic," but they're really good at contextual reasoning. This means they have the ability to read source code and validate the developer's intention versus what's actually implemented, and thus quickly find unconsidered corner cases.
That's only one small slice of the report, though, seeing as GTIG found pervasive usage of AI over a good handful of cybersecurity operation types. Malicious hackers have always had their own software suites for creating and distributing exploits, but they can now rely on bots to significantly augment their capabilities. Agents can alter their source code in real-time or tweak their attack as they go along in an effort to evade detection.
Latest Videos From
The bots are also used to improve obfuscation in several layers, be it in adding filler code to their attack logic or adding multiple layers of indirection so that the code manages to hide its true intention. Needless to say, all these characteristics make it much harder for security software to detect or contain; examples include CANFAIL and LONGSTREAM.
Software like the PROMPTSPY Android backdoor leverages Google Gemini (the cloud service, not the on-device variant) to deviously manipulate the user's phone. Nifty tricks, including taking screenshots and working out the UI elements presented to the user to then simulate interactions on their behalf, down to capturing PIN/pattern authentication, or intercepting Uninstall button clicks.
Additionally, the GTIG found instances of malware that can modify its own source code and create exploit payloads dynamically, and generate decoy code.
All those real-time morphing abilities extend to phishing and network attacks. For example, malfeasants ask bots to generate a company's organizational chart and generate custom phishing emails laden with real information collected from news, LinkedIn pages, or press releases.
Stay On the Cutting Edge: Get the Tom's Hardware Newsletter Get Tom's Hardware's best news and in-depth reviews, straight to your inbox. Contact me with news and offers from other Future brands Receive email from us on behalf of our trusted partners or sponsors
One would imagine that the more data that users provide in their replies, the more convincing the counter-responses can be, too. GTIG says that information collected about financial, internal security, and human resources departments generally makes for the best phishing bait — all expertly cooked to best suit each targeted individual.
... continue reading