Hacking with ChatGPT: Five A.I. Based Attacks for Offensive Security

Video Statistics and Information

Captions
ChatGPT is an AI chatbot that combines the capabilities of natural language processing with the GPT-3 framework to provide amazing human-like responses to virtually any request. NLP allows a model to understand human input, while GPT-3 takes on over 175 billion data points to understand and find the answer to the most complex solutions. This means when a request comes in, NLP processes the input and runs it through a neural network of artificial atoms that work just like the human brain to process the answer and present it back to the user in real time.

The hype around ChatGPT is very real. In fact, it's hard not to stumble upon a story on how people everywhere are utilizing the chatbot for new business ventures, creating complex code and much, much more. It should come as no surprise, then, that attackers are also finding ways to utilize a chatbot for wrongdoing. In fact, within weeks of its release, it was discovered on various underground forums that people are utilizing ChatGPT for a number of different nefarious purposes. In this video, we'll take a look at some of the top five ways that attackers are using ChatGPT today for various kinds of attacks. We'll also take a look at how to utilize ChatGPT to carry out these attacks and circumvent some of the built-in security measures to get our desired results.

The first item on our list is finding vulnerabilities in code. You see, programmers everywhere have raved about ChatGPT's unique ability of debugging and writing code. A simple request to debug the code, followed by the code in question, yields a surprisingly accurate result of bugs or problems in the provided source code. Of course, by asking ChatGPT to find bugs and issues, attackers could also utilize artificial intelligence to find security vulnerabilities as well. ChatGPT does have built-in safeguards to protect against providing potentially illegal or unethical responses, so asking the chatbot to simply find a vulnerability will not be sufficient. However, if we frame our requests around being a security researcher that is looking to answer a question for a capture the flag challenge, we get the desired result. As demonstrated by security researcher and professor Brendan Dolan-Gavitt, we ask a chatbot to solve a capture the flag challenge. We then supply the source code to which we need to find the vulnerability. As Brendan demonstrates, the chatbot responds with a shockingly accurate assessment which, after some follow-up questions, yields a buffer overflow vulnerability in the provided code. Several other examples exist all over the internet showing how ChatGPT is being utilized to find vulnerabilities in commercial and open source code. Not only does ChatGPT provide the solution, but it also offers explanation of its thought process for educational purposes. ChatGPT's identification and response is very impressive, and it shows how a traditionally complex step in the attack process can now be commoditized to be used by script kiddies and even the most junior of hacking enthusiasts.

Not only can we utilize ChatGPT to find vulnerabilities, but we can also use it to exploit the given vulnerability as well. Researchers from Cybernews recently wrote an article on how they were able to utilize ChatGPT to find a vulnerability and successfully exploit that vulnerability to a popular application. Again, because of its built-in safeguards, we cannot simply ask ChatGPT to find or write an exploit. Instead, researchers told the chatbot that they were doing a Hack The Box pen testing challenge and needed to find a vulnerability in the provided source code. Once found, they were able to get step-by-step instructions on where to focus, examples of exploit codes that they can possibly utilize, and samples to follow. As one researcher puts it, there are many articles, write-ups and even automated tools to determine the required payload; we have provided the right payload with a simple PHP info command, and it managed to adapt and understand what we are getting just by providing the right payload. In other words, by asking the right requests, ChatGPT provided all the tools necessary to successfully exploit the given vulnerability. The result: within 45 minutes, security researchers were able to not only find the vulnerability but write an exploit to a known application. Here we see another example of how a traditionally long and complex process can now harness the power of machine learning to be leveraged by anyone.

There are many examples everywhere of how ChatGPT is being utilized to write powerful and complex code in virtually any language with very simple human requests. And while most developers are worried about how they may be replaced by artificial intelligence, attackers are already quick at work to harness this great power to create advanced malware and other tools in real time. Cyber security company Check Point recently identified, within three weeks of ChatGPT going live, they discovered multiple instances in underground forums of attackers utilizing the chatbot to develop different types of malicious tools. In one example, we see a user utilizing ChatGPT to write a Python-based stealer that searches common file types, copies them to a random folder inside of the temp folder, zips them and uploads them to a hard-coded FTP server. Another example shows ChatGPT creating a Java program that downloads PuTTY and runs it covertly in the background using PowerShell. In this request, we see how they ask a chatbot to have the bytes loaded to memory and save it as a random name so that it can operate stealthily in the background to avoid detection. But perhaps the scariest one of them all was pointed out by a cyber security team at CyberArk, who used ChatGPT's API to create polymorphic malware. Polymorphic malware changes every time that it's executed. This means that every victim's code will look different so that it can evade signature-based detection from antivirus tools. Their technical write-up walks through how they were able to bypass some of the built-in safeguards on the web version using the API directly into the Python code. The end result is a new type of malware that continues to change from victim to victim, making it completely undetectable by traditional antivirus engines.

As mentioned earlier, one of the things that makes ChatGPT so successful is its natural language processing, or NLP. This allows it to write and respond to virtually any requests indistinguishable from a human. This is also why ChatGPT has been used to create amazing marketing and sales materials, scripts for YouTube, screenplays and much, much more. ChatGPT's amazing capability of writing well thought out texts can also be utilized for writing out a phishing email at scale. Just like our previous example, however, we cannot simply ask a chatbot for a phishing email. Instead, we'll ask it to craft an email about year-end bonuses for our targeted companies. We'll then change our writing sound to be warm and friendly, or more business focused if that's what's required for the given phishing attempt. We can even ask the chatbot to write the email in the form of a famous person or celebrity to make it more lifelike. What we end up with is a well-written, thoughtfully created email that can be used for phishing. And if you've ever seen a real phishing email before, you'll know that oftentimes they're badly written with broken English. However, ChatGPT's unique ability of writing exceptionally well means that it's virtually indistinguishable from a human email. This means that attackers from other countries can now make realistic phishing emails free of translation errors in any language they desire. However, this is just the beginning of it. ChatGPT is based off of the GPT-3 learning model, which can be trained offline using local data to write in the style of real people, provided that there are enough samples of their emails. This means that with enough sample size, GPT-3 can be trained to write emails in the same sound and format of the victim in question.

With our phishing email in place, we can now take that message and attach a file like a spreadsheet with macros. Again, we'll utilize ChatGPT for this step as well. With our well-written email in place, all an attacker would need to do is embed a link or file into the email that the victim would click on. Again, using ChatGPT, we can create macros that can automatically run when a file like a spreadsheet is opened. For this request, we'll ask ChatGPT to create us a macro for a regular application like terminal, calculator or any default application. In our example, we'll ask a chatbot to provide the code that automatically runs calculator.exe when a macro is enabled in Excel. Keep in mind that this file could be anything, but in our example we want our request to be benign so that we can move on to the next phase of our attack. Next, we'll use ChatGPT to convert this code to LOLBin. LOLBin stands for living off the land binaries, which is a way of using trusted pre-installed system tools to spread malware. In our case, we'll modify our requests to change the calculator.exe to a LOLBin. The result is a new macro that runs terminal when the spreadsheet from our phishing email was opened. The next step for an attacker is to run a basic networking command like a reverse shell that can connect back to our desired machine. With an open connection back to an attacker's machine, we've essentially bypassed most firewalls and opened up the victim to many other kinds of attacks.

As amazing as ChatGPT is, we're only really scratching the surface of its true capability. ChatGPT's architecture is based off of GPT-3, which currently has 175 billion parameters. In late 2023, GPT-4 will be arriving with 170 trillion parameters. That's a hundred times more powerful than ChatGPT's current capability. What this means to security organizations and users alike is that AI is completely changing the game at a pace that blue team simply cannot keep up with. Expect the attack surface to be much wider now that traditionally complex items have become easy for even script kiddies to deploy. This means an increase in less sophisticated attacks by amateurs overall. However, advanced attackers have new capabilities and tools that they previously did not possess. This also means more advanced kinds of attacks and zero days overall. Security professionals everywhere need to make sure that they're keeping up to date with AI advances and think of innovative ways to utilize AI for defense, because rest assured, adversaries are using it for the offensive. All of us need to stop worrying about how AI can eventually replace our jobs and instead think of ways to utilize its great powers to improve our processes overall.

AI is of course a hot and controversial topic, so I'm really interested in hearing your thoughts on this matter. What are some of the ways that you can think of to utilize ChatGPT and other artificial intelligence models for offensive and defensive security? Let me know down below by entering your comments. If you haven't already, please hit like down below to give me a boost in the YouTube algorithm, and if you got any value at all from this video, consider subscribing so you can stay on top of our latest releases here at The CISO Perspective. Until next time, this is Andy, and thank you for watching.
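
From the defender's side, the macro stage described in the captions (a spreadsheet macro launching a pre-installed system binary) shows up as an Office process with an unusual descendant. The following is an added example, not part of the video: it walks constructed process-creation events and flags watched binaries anywhere below an Office application. The event fields, function names and watch list are assumptions.

```python
# Added example (not from the video). Events are constructed samples whose
# fields mimic process-creation telemetry; field names and lists are assumptions.
from ntpath import basename  # parses Windows-style paths on any OS

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
WATCHED = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
           "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

SAMPLE_EVENTS = [  # constructed, in time order
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"pid": 210, "ppid": 200, "image": r"C:\Windows\System32\calc.exe"},
    {"pid": 220, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 230, "ppid": 220,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe"},
]


def exe_name(path):
    """Lower-cased file name of a Windows image path."""
    return basename(path).lower()


def find_office_descendants(events):
    """Return alerts for watched binaries anywhere below an Office process.

    Assumes events are in time order and PIDs are not reused in the window.
    """
    lineage = {}  # pid -> (Office root name, depth below that root)
    alerts = []
    for ev in events:
        name = exe_name(ev["image"])
        if name in OFFICE_APPS:
            lineage[ev["pid"]] = (name, 0)
            continue
        parent = lineage.get(ev["ppid"])
        if parent is None:
            continue  # not under any Office process, e.g. cmd from explorer
        root, depth = parent
        lineage[ev["pid"]] = (root, depth + 1)  # children inherit the lineage
        if name in WATCHED:
            alerts.append({"pid": ev["pid"], "process": name,
                           "office_root": root, "depth": depth + 1})
    return alerts


if __name__ == "__main__":
    for alert in find_office_descendants(SAMPLE_EVENTS):
        print(alert)
```

The `calc.exe` child raises no alert here but still inherits the Office lineage, so anything it launched later would be evaluated the same way.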
Info
Channel: The CISO Perspective
Views: 32,337
Id: AwQE3jof63U
Length: 11min 25sec (685 seconds)
Published: Wed Feb 15 2023