AI Agents: Attackers vs Defenders
Plus: Ransomware tries a new tactic
In what can only be described as awkward, Google Assistant interrupted a Google executive’s presentation during an Australian Senate hearing…I can’t tell if the Senator’s response was serious or just a troll…you’ll have to let me know what you think.
This week in the cyber world, we’re covering:
AI Battlebots?
A rage-inducing new ransomware tactic
Total ransomware payments in the first half of the year are insane 😱
-Jason
p.s. I found this gif this week, and I needed an outlet to share it because it's just that perfect…enjoy 🥹
AI Spotlight
AI Bots Fight to the Death
AI agents are the future of cybersecurity for both attackers and defenders. If you’re unfamiliar with them, AI agents are just code capable of acting autonomously based on a preset goal. They can monitor their environment, make decisions, and even improve their own performance by acquiring new knowledge. Let me reiterate this…on their own, they can learn, adapt, and execute on a preset mission.
Imagine a world where the power of entire security teams is packed into a team of autonomous AI agents. Each agent has a specific function - reviewing firewall rules, monitoring for suspicious connections, investigating an alert, etc. - all working 24×7.
Now imagine taking the capabilities of hacking groups and packing those into similar autonomous AI agents, each with its own function - scanning for vulnerabilities, stealing credentials, stealing data, encrypting systems, etc. - all working 24×7.
Perhaps we aren’t far off. Researchers continue to test the limits of offensive AI Agents. Let’s look at a few.
BlackMamba: A basic Python script that calls ChatGPT to generate code that records your keystrokes. The log files are sent to an attacker-controlled Teams channel.
EyeSpy: This follow-up to BlackMamba introduces more autonomy. It monitors the system to decide which malicious actions are best to take. For example, it can see that Zoom is installed and then generate malicious code to record audio.
Red Reaper: Trained on the leaks of Chinese state-sponsored hacking playbooks, this AI agent automates the analysis of stolen emails to identify the juiciest emails with sensitive data or that could be used to facilitate further attacks (e.g., information useful for fraudulent wire transfers and blackmail).
While these tools sound good, they’re still not to the level I’m worried about. They’re just testing the capabilities of what more well-resourced teams can accomplish. Regardless, we are in the early innings of these capabilities and I still put the advantage to the defenders.
There’s a huge opportunity for this technology to bridge the endless security tools and vast amounts of data and streamline basic decision-making and data collection that can leave humans to focus on more critical decisions and research and development.
All I can say is prepare for the AI battle bots.
Security Deep Dive
F’ing Ransomware Groups
I f’ing hate ransomware groups. And a recent Sophos report just adds to my rage. The Sophos X-Ops team observed the Qilin ransomware group stealing credentials stored in Google Chrome during a recent ransomware attack.
This is how it happened.
Initial Access: The group used compromised VPN credentials to authenticate to the victim’s environment. No shocker here: the VPN account didn’t require MFA. So, the attacker could log straight in with the stolen creds. While it’s not stated how the attacker gained those credentials, it’s common to see attackers gain those from infostealers (shocker) or by brute-forcing the VPN credentials.
Lateral Movement: After logging into the VPN with the compromised credentials, the attacker compromised additional credentials with elevated privileges. This allowed them to reach the Windows domain controller. In a Windows environment, a domain controller manages all of the authentication and permissions for users. Gaining access to the domain controller is like wrestling control over the TV remote at a family gathering. The power is unfathomable. For a Windows environment, it means you have control over almost everything.
Credential Harvesting: With the domain controller access, the attacker deployed a malicious script to all systems in the environment that had one job: dump passwords stored in the Chrome browser when a user logs into their system. The attacker had this run for three days…enough time to do some serious damage.
Encrypt: After harvesting credentials for three days, the attacker deployed ransomware to the environment, hoping to get a payday.
Victim organizations not only have to contend with the encryption of their systems and the theft of their data. Now, they also have to worry about all the credentials that may have been stored in Google Chrome. Those could give the attackers more credentials to compromise the environment again, or access to third-party applications that store sensitive data.
It can massively complicate companies' response efforts. It seems too early to say if this is going to be a tactic that sticks around, but it is something to watch for sure.
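One way a defender could spot the credential-harvesting step described above, as an added example that is not from Sophos or the original post: flag any non-browser process that opens Chrome's `Login Data` file on several hosts. It assumes file-access records shaped like Windows Security event 4663 are already being collected (which requires object-access auditing on that file); the hosts, users, paths and the `min_hosts` threshold are constructed for illustration.

```python
import ntpath
from collections import defaultdict

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
STORE = r"C:\Users\{}\AppData\Local\Google\Chrome\User Data\{}\Login Data"

# Constructed sample records (host, process image, object path), shaped like the
# fields of Windows Security event 4663. All hosts, users and paths are made up.
EVENTS = [
    ("WS01", CHROME, STORE.format("amy", "Default")),
    ("WS01", PS, STORE.format("amy", "Default")),
    ("WS02", PS, STORE.format("bob", "Profile 1")),
    ("WS03", PS, STORE.format("cat", "Default")),
    ("WS02", r"C:\Program Files\BackupAgent\agent.exe", STORE.format("bob", "Profile 1")),
    ("WS03", PS, r"C:\Users\cat\Documents\report.docx"),
]

# Assumption: only the browser itself is expected to open the credential store.
ALLOWED_IMAGES = {CHROME.lower()}


def is_chrome_credential_store(path):
    """True for a Chrome profile's 'Login Data' SQLite file."""
    p = path.lower()
    return "\\google\\chrome\\user data\\" in p and ntpath.basename(p) == "login data"


def suspicious_readers(events, min_hosts=2):
    """Map each non-browser image that opened Login Data to the hosts it ran on.

    Only images seen on at least `min_hosts` hosts are returned, which matches
    a script pushed fleet-wide rather than a one-off local tool.
    """
    hosts_by_image = defaultdict(set)
    for host, image, obj in events:
        if is_chrome_credential_store(obj) and image.lower() not in ALLOWED_IMAGES:
            hosts_by_image[image.lower()].add(host)
    return {img: sorted(h) for img, h in hosts_by_image.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for image, hosts in suspicious_readers(EVENTS).items():
        print(f"{image} read Chrome Login Data on {len(hosts)} hosts: {', '.join(hosts)}")
```

The allowlist compares full image paths rather than file names, and the single-host backup agent in the sample stays below the threshold; lowering `min_hosts` to 1 surfaces it for manual review.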
Security News
What Else is Happening?
🚗 Toyota disclosed a breach of an unknown third party that exposed information on Toyota employees and customers. The attacker behind the attack claimed to have hacked a Toyota branch in the US and stolen the data, which they released for free on a hacking forum.
🖥️ Microchip Technology, a (you guessed it) microchip manufacturer, was hit with a ransomware attack. Thanks to 8-K filings, we’re learning about more of these attacks before details are released. While helpful for investors to gauge whether a material event has happened, for the security nerds, I’d much rather get a technical rundown of the attack so we can learn more about how these attacks are unfolding.
📱 Maybe it’s just me, but I feel like people gloss over any time I talk about mobile malware because it seems like an unrealistic threat. And maybe it is. But for users of a Czech bank, it’s real. ESET published a blog post on a phishing campaign that resulted in fake banking applications installed on users’ phones that steal their banking credentials.
💰️ Per Chainalysis, ransomware payments topped $459.8M in the first half of 2024. Median payments jumped from $200K in early 2023 to $1.5M in mid-June 2024, a sign of larger attacks with larger ransoms (big-game hunting).
If you enjoyed this, forward it to a fellow cyber nerd.
If you’re that fellow cyber nerd, subscribe here.
See you next week, nerd!