#RSAC: Organizations Warned About the Latest Attack Techniques

The latest cyberattack techniques were highlighted by various experts at the RSA 2023 conference.

SEO-based attacks

According to Katie Nickels, SANS Institute Certified Instructor and Red Canary Intelligence Director, there has been a significant increase in threat actors leveraging search engine optimization and malvertising to infiltrate users and organizations.

She said the change shows “better perimeter defenses,” but that attackers’ use of legitimate search engine optimization services represents a major new challenge for organizations.

Here, attackers pay search engine websites to boost their malicious sites to the top of search results. Nickels demonstrated this to be effective: the first three results for the particular search she used pointed to malicious sites.

The technique is used for “various intrusions,” including infecting users with infostealer malware, she said.

This type of attack is difficult to mitigate because perpetrators use legitimate and trusted services. Therefore, education is essential. For example, encourage users to go directly to the legitimate website instead of using a search engine.

Organizations should make use of tools such as ad-blocking software and, most importantly, report malicious websites appearing in search engine results at every opportunity, Nickels added.

Developer targeting

Dr. Johannes Ullrich, Dean of Research at SANS Technology Institute College, highlighted an increase in attacks “specifically targeting developers.” This is an effective tactic, as developers are typically the first employees in an organization to touch code.

There are many examples of attackers exploiting vulnerabilities in software components to insert malicious software that developers install into their businesses, said Ullrich.

This was demonstrated in the 2022 LastPass breach. Attackers targeted a DevOps engineer’s home computer by exploiting a vulnerable third-party media software package. Once the software had been installed by the developer, the attackers gained the necessary privileges to execute code remotely.

Ullrich said increased dialogue with developers on security teams, including educating them about these types of threats, is essential to reducing risk.

ChatGPT abuse

The next attack trend discussed in the session was the abuse of ChatGPT for malware and exploit development. Stephen Sims, Offensive Operations Curriculum Lead and Fellow at the SANS Institute, demonstrated the testing he did to see if AI chatbots could write ransomware code.

ChatGPT refused to do so when asked directly, but Sims instead asked the tool to write code for individual components of the ransomware, including code just for encryption. He managed to find a way around it.

Heather Mahalik, SANS Institute’s DFIR Curriculum Lead and Senior Director of Digital Intelligence at Cellebrite, also focused on the emerging threat posed by ChatGPT and how it can be used to create realistic social engineering campaigns for a variety of malicious purposes. She demonstrated a potentially offensive use of the tool by having it sound like a 9-year-old to trick a child into giving their home address. It proved to be very effective in writing realistic messages like this.

This kind of use of ChatGPT is an underestimated risk, and “one of the biggest threats is definitely ignorance,” she argued.

New Threat Report Insights

During RSA 2023, BlackBerry released its Quarterly Global Threat Intelligence Report, covering the period from 1 December 2022 to 28 February 2023.

Ismael Valenzuela, vice president of threat research and intelligence at BlackBerry, discussed some of the key findings with Information security at the show.

The company has detected a significant increase in cross-platform malware, where code is written to work across different platforms. “This makes sense because attackers are focused on influence,” he said.

Another trend is the rise of infostealers. They are often used to steal credentials, which can provide access to high-value targets even in relatively small organizations. “No matter who you are, there are a lot of people who want to qualify,” added Valenzuela.

The report also highlights regional differences in the attack techniques used. In particular, there has been a significant increase in attacks targeting countries in Southeast Asia, with Singapore ranking among the top 10 countries experiencing cyberattacks and Hong Kong ranked among the top 10 countries where samples of proprietary malware were used.

It is very important to emphasize these differences. “The threats we see there are very specific to the region,” he said.

He highlighted attacks on Taiwanese semiconductor manufacturers during this period. In this case, a remote access infostealer tool called Warzone was used very intensively. “We found that this malware uses geo-fencing, which means that the malware only explodes if it is running within a certain region,” Valenzuela explained.

This highly targeted incident is particularly noteworthy given Taiwan’s geopolitical situation with China.