The Lies You Hear About GenAI and Hackers

Plus: Debrief on the latest Okta breach update

Greetings fellow cyber nerds,

It’s December and the holiday season is in full swing. Or, if you’re like some of my neighbors, it started four weeks ago when their Christmas trees first appeared. But that’s a debate for another day…

In this week’s newsletter, we’re covering:

  • The latest Okta incident update 😭

  • GenAI and attackers - a love-hate relationship ❤️ 💔?

  • Law enforcement gets a win 🏆!

-Jason

The Exaggerated Response to Okta’s Latest Update

Fred Armisen GIF by Showtime

Gif by showtime on Giphy

The security (and media) world briefly lost its mind this week when Okta published an update from their prior incident. The headlines read “Breach Affected All Customer Support Users”.

Sounds scary. But how bad was it?

Background: In October, Okta came public about a security incident impacting their customer support application. That gave the attackers access to HAR files for a subset of Okta customers. Some of those HAR files contained session tokens for those customers. A later update from Okta on November 3rd, tallied five customers that the attackers targeted using the stolen access tokens.

Note that at that time, Okta said that the attacker gained access to files in the customer support system to 134 Okta customers, which was less than 1% of their total customers. Remember this, because it’s important.

The Recent Update: After the November 3rd update, Okta continued to review their initial analysis to ensure they had a solid understanding of what happened. On November 29th, Okta released an update that said the attacker ran a report that contained the names and email addresses of all Okta customer support system users. It’s important to note that it’s not all Okta users in every organization that was impacted, mainly just IT admins of Okta.

The Beef: The pitchforks and torches came out to bash Okta for “missing this” in their initial investigation and calling out Okta for not providing a timely notification. If you refer back to the November 3rd update, the known impact was on files that the attacker accessed in the customer support software.

This latest update called out a much broader number of impacted customers but with less sensitive data (e.g. no passwords or session tokens). For 99.6% of the impacted customers, it only included names and email addresses of a subset of Okta users (again, mainly the IT team).

My Reaction: NBD. Names and email addresses, all of which are already likely leaked somewhere. Sure, this one attacker has contact information for IT members…but that’s not really all that hard to get, especially if this attacker wanted to target specific organizations. This is a marginal increase in risk, not a game changer.

So yes, be on guard for some phishing emails, but more emphasis should be placed on the controls you should already have implemented after the first update anyway.

If you’re taking the appropriate steps to secure your Okta instance, your risk profile hasn’t changed that much. So it’s unfortunate the attacker grabbed this information. And it could make the attacker’s job easier in the future, and we will all get over it and move on with our lives as always.

Chill Out: Security is not a game of perfection. Incident response is messy. Things happen. In any investigation, it takes time to understand the full story. When you are someone like Okta, you have to get answers out fast. That means there is more room for error. In IR, speed and accuracy do not go hand in hand.

Spotlight: Attackers and GenAI

Milk Eww GIF by Way Nation

Gif by WayNation on Giphy

Here’s something I hate with a passion. Every news article and blog post from “experts” touting how cybercriminals use GenAI to massively uplevel their attacks.

It sounds great…but it’s just a flat-out lie. Catchy headlines, but not accurate.

Sophos X-Op’s team just released a great blog post that started to seek the truth behind this. They scoured cybercrime forums to get a direct scoop on what attackers were saying…

The Research

The Sophos X-Ops team reviewed four of the most popular cybercrime forums for research. This included:

  • Exploit: Russian-language forum focusing on Access-as-a-Service listings (initial access).

  • XSS: Another Russian-language forum that doubles as a marketplace and discussion forum.

  • Breach Forums: An English-speaking forum focusing on data leaks

  • Hackforums: Another English-speaking forum that is home to many script kiddies (little to no skilled hackers).

While this list is not exhaustive, it gives a general sense of how some attackers are seeing the use of GenAI in their attacks. What this won’t cover is nation-state threats who are likely investing much more in tool development.

What Getting Advertised on the Forums?

Many current advertisements related to GenAI come in the form of GPT derivatives. These are ChatGPT-like tools that the sellers claim will help with social engineering (e.g. phishing message creation), malware creation, and general hacking advice.

While it sounds super fancy, like a McDonald’s McRib, it sounds delicious, but it’s questionable if it’s actually real meat.

Sophos dug in and found that many of these tools appeared to be jail-broken versions of ChatGPT, which bypasses some of ChatGPT’s constraints. Or, in most cases, it was just advertisements for compromised ChatGPT accounts.

Early news cycles focused on tools like WormGPT and FraudGPT. Both of which disappeared just as quickly as they arrived.

I’ve also been hard-pressed to find any real-world evidence that attackers used any of these tools to facilitate their attacks.

So Where Are Attackers Using GenAI?

Some attackers have found uses including generating test data and porting some code to different languages as a starting point. This is not surprising given the general benefit of AI is to help automate many of the mind-numbing repeated tasks people do every day.

Where Sophos found the most traction on adoption was enhancing the cybercrime forums themselves. The XSS forum created “XSSBot”, which used ChatGPT (model gpt-3.5-turbo). But even that was more for fun than a practical application.

This section and the AI-bot are designed to solve simple technical problems, for the technical entertainment of our users, to familiarize users with the possibilities of AI.

From Sophos blog post - XSS announcement on the launch of XSSBot

It’s a No From Me Dawg

Sophos found many users on the forums were skeptical of the capabilities that LLMs would contribute to cybercrime and general fear around using it due to Operational Security (OPSEC) concerns (keeping your identity and information hidden from security researchers and law enforcement) and its ability to generate malware that could evade AV or EDR.

What to Watch For

While cybercriminals haven’t adopted GenAI at the speed “experts” are saying, in time it will come. My sense is that we’ll see the following occur over the years:

  • Within the next year…

    • GenAI will expedite the creation of disinformation. This will play a pivotal role in the upcoming US elections.

  • In the next few years…

    • Basic hacking tasks will improve in efficiency. This includes information collection and summarization to support targeted attacks.

    • Post-exploitation attack automation will incrementally improve.

And in the same time period, the tools that defenders rely on will also invest in AI capabilities that will expand detection and response capabilities.

Let’s Wrap It Up

We will need to monitor advancements in AI and its applications to cyber security. Changes and improvements will happen. The short-term focus will be on dealing with an influx of disinformation. In the long term, we must be ready for advancements in attacker capabilities.

The good news is that many of the defenses we rally behind now are well-positioned to defend against near and mid-term advancements in AI. The attacker’s playbook will not substantially change, it will just become more efficient.

So focus on the basics and get those security programs shored up! Defense in depth and a strong detection and response capability can make a difference!

Top Five Stories of the Week

🚔 Europol arrested five members of a hacking group that attacked organizations in 71 countries. Their RaaS of choice: LockerGoga, MegaCortex, HIVE, and Dharma. Like current dating practices, attackers don’t settle for just one ransomware variant.

🖇️ The office supply store Staples reminded the world that people still buy paper products. Not through clever marketing but through a cyber security incident that impacted online ordering.

🐈‍⬛ A BlackCat does mean deja vu, at least for Henry Schein a Fortune 500 healthcare product and service provider. The BlackCat ransomware group encrypted them again following an initial attack in October.

👮A 25-year-old received 8 years in federal prison after being convicted of a slew of hacking charges. This included hacking Instagram accounts, performing SIM swaps, and other social engineering hacks that caused $740K in damages to individuals.

💰Customer information for nearly 2 million Dollar Tree customers was compromised due to a vendor breach. The vendor in question is Zeroed-In, a people analytics and data management company. Impacted data included name, date of birth, and some SSNs.

See you next week!

Bye Bye Reaction GIF by GritTV

Gif by Grittv on Giphy

Send me feedback, questions, or topics for future newsletters! Just reply to this email directly.

Not subscribed? Click here:

Share this with a friend!

Reply

or to participate.