The latest cyber-attack techniques were highlighted by a range of experts during the RSA 2023 Conference.
SEO-Based Attacks
There has been significant growth in threat actors leveraging search engine optimization and malvertising to infiltrate users and organizations, according to Katie Nickels, certified instructor at the SANS Institute and director of intelligence at Red Canary.
She said the shift is a sign that “perimeter defenses are improving,” but it also means that attackers’ use of legitimate search engine optimization and advertising services is a major new challenge for organizations.
Here, threat actors pay search engines for sponsored placements so that their malicious sites appear at the top of the results page. Nickels demonstrated how effective this is: for one search she ran, the first three results were malicious sites.
This technique is used for “lots of different intrusions,” including infecting users with infostealer malware, she said.
Mitigating these attacks is difficult because the perpetrators are using legitimate and trusted services. Education is therefore vital, for example encouraging users to type the address of the legitimate website directly into the browser instead of reaching it through a search engine.
Nickels added that organizations should deploy tools such as ad-blocking software and, most importantly, report malicious websites that appear in search results at every opportunity.
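One place the pattern Nickels describes shows up on the defender's side is web proxy logs: a click that arrives from a search results page and immediately fetches an installer from a domain that merely resembles the brand the user searched for. The following is an added example (not code from the RSA session or from Red Canary) that runs that check over constructed proxy log lines. The search-engine list and the brand allowlist (`OFFICIAL_DOMAINS`) are hypothetical; in practice they would come from a URL category feed and an asset inventory.

```python
"""Flag installer downloads reached from a search results page whose host is
not the brand's real domain.

Added illustration, not code shown at RSA or used by Red Canary. The log lines
are constructed and the search-engine list and brand allowlist are hypothetical.
"""
from urllib.parse import urlparse

SEARCH_ENGINES = {"www.google.com", "www.bing.com", "duckduckgo.com"}

# Hypothetical allowlist: brand keyword as it tends to appear in a lookalike
# hostname -> the domains the brand really serves downloads from.
OFFICIAL_DOMAINS = {
    "notepad": {"notepad-plus-plus.org"},
    "anydesk": {"anydesk.com"},
    "7zip": {"7-zip.org"},
}

DOWNLOAD_SUFFIXES = (".exe", ".msi", ".zip", ".iso", ".dmg")

# Constructed proxy log: "<timestamp> <user> <referer> <requested url>" per line.
# The ".example" hosts are reserved names standing in for attacker domains.
SAMPLE_PROXY_LOG = """\
2023-04-25T09:01:10Z alice https://www.google.com/search?q=notepad%2B%2B https://notepad-plus-plus.org/downloads/v8.5/npp.8.5.Installer.exe
2023-04-25T09:03:42Z bob https://www.google.com/search?q=anydesk https://anydesk-download.example/AnyDesk.exe
2023-04-25T09:05:07Z carol https://www.bing.com/search?q=7zip https://7zip-setup.example/7z2201-x64.exe
2023-04-25T09:07:55Z dave https://intranet.example/wiki/tools https://tools.example/internal-setup.msi
2023-04-25T09:09:13Z erin https://www.google.com/search?q=anydesk https://anydesk.com/en/downloads
"""


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_official(host: str, brand: str) -> bool:
    """True when host is, or is a subdomain of, one of the brand's real domains."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS[brand])


def flag_search_driven_downloads(log_text: str) -> list[dict]:
    """Return one record per suspicious search-referred installer download."""
    hits = []
    for line in log_text.splitlines():
        ts, user, referer, url = line.split()
        # Only clicks that came from a search results page are of interest here.
        if host_of(referer) not in SEARCH_ENGINES:
            continue
        # ...and only when the click fetched an installer-like artefact.
        if not urlparse(url).path.lower().endswith(DOWNLOAD_SUFFIXES):
            continue
        host = host_of(url)
        brand = next((b for b in OFFICIAL_DOMAINS if b in host), None)
        if brand is not None and is_official(host, brand):
            continue  # the real vendor, as expected
        reason = f"lookalike of {brand}" if brand else "installer from unvetted domain"
        hits.append({"ts": ts, "user": user, "host": host, "url": url, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in flag_search_driven_downloads(SAMPLE_PROXY_LOG):
        print(f"{hit['ts']} {hit['user']:<6} {hit['reason']:<30} {hit['url']}")
```

On the constructed log this flags bob and carol (installers from `anydesk-download.example` and `7zip-setup.example`), ignores alice (the real notepad-plus-plus.org), dave (an intranet referer, not a search engine) and erin (a page view on the real anydesk.com, not a download). The flagged hosts are exactly the ones Nickels says should be reported to the search engine.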
Targeting of Developers
Dr Johannes Ullrich, dean of research at the SANS Technology Institute, highlighted a growing number of attacks “specifically targeting developers.” This is an effective tactic, as developers are typically the first employees in an organization to be exposed to new code.
There have been numerous cases in which threat actors have exploited vulnerabilities in software components to inject malicious code that developers then install in their business environments, said Ullrich.
This was shown in the LastPass breaches of 2022, in which the attackers targeted a DevOps engineer's home computer by exploiting a vulnerable third-party media software package the engineer had installed, gaining the remote code execution they needed on that machine.
Ullrich said increased dialogue between security teams and developers, including educating developers about these types of threats, is crucial to mitigating the risk.
Malicious Use of ChatGPT
The next attack trend discussed in the session was the malicious use of ChatGPT for malware and exploit development. Stephen Sims, offensive operations curriculum lead and fellow at the SANS Institute, demonstrated tests he had run on the chatbot to see whether he could get it to write ransomware code.
Although ChatGPT refused when asked directly, Sims found a way around the refusal by asking the tool to write code for the individual components of ransomware, such as the encryption routine on its own. Ultimately, “it wrote the whole thing for us.”
Heather Mahalik, DFIR curriculum lead at the SANS Institute and senior director of digital intelligence at Cellebrite, also highlighted emerging threats from ChatGPT, focusing on how it can create realistic social engineering campaigns for a range of malicious purposes. She demonstrated a disturbing use of the tool: prompting it to write as a nine-year-old child in order to entice a child into giving up their home address. It proved highly effective at writing a realistic message in that voice.
She argued that this type of use of ChatGPT is an underappreciated risk, and that “one of the biggest threats is definitely ignorance.”
New Threat Report Insights
During RSA 2023, BlackBerry published its latest Quarterly Global Threat Intelligence Report, covering the period between December 1, 2022 and February 28, 2023.
Ismael Valenzuela, vice president of threat research and intelligence at BlackBerry, sat down with Infosecurity at the show to discuss some of the main findings.
The firm detected a significant increase in cross-platform malware, in which a single codebase is built to run on several operating systems. “That makes sense as attackers are focused on impact,” Valenzuela stated.
Another trend is the rise of infostealers, which are often used to harvest credentials because even relatively small organizations can provide a path into high-value targets, he said. “There’s a lot of people going after credentials, no matter who you are,” added Valenzuela.
The report also highlighted regional differences in the attack techniques being used. Notably, there was a significant uptick in attacks targeting countries in East and South-East Asia, with Singapore appearing in the top 10 countries that experienced cyber-attacks and Hong Kong in the top 10 countries where unique malware samples were seen.
It is very important to highlight these variations as “the threats we see there are very unique to that region,” said Valenzuela.
He highlighted an attack on a semiconductor manufacturer in Taiwan during this period. In this case, a remote access and infostealer tool called Warzone was used in a very focused way. “We saw that this malware used geofencing, which means the malware is only going to detonate if it’s executing within a particular region,” explained Valenzuela.
This highly targeted incident is notable, and something to keep an eye on given the geopolitical situation between Taiwan and China.
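The practical consequence of the geofencing Valenzuela describes is that a sample can look completely benign in an analysis sandbox that runs with default en-US settings. The following added example (not Warzone's code and not BlackBerry's analysis) models such a gate: it reads a few host attributes that are commonly used as region signals and only "detonates" when enough of them agree. The target profile, the threshold and the three environments are constructed for illustration; the keyboard layout values are Windows KLIDs (00000409 for US, 00000404 for Chinese Traditional, as shipped on Taiwan installs) and are labelled as assumptions in the code.

```python
"""Why a geofenced sample can look benign in a default sandbox.

Added illustration of the gating logic described in the text; this is not
Warzone's code and not BlackBerry's analysis. The signals (display locale,
time zone, installed keyboard layouts, country of the egress IP) are the
generic ones such gates read; the target profile, the threshold and the
environments below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HostEnvironment:
    ui_locale: str                     # BCP 47 tag as the OS reports it, e.g. "zh-TW"
    time_zone: str                     # IANA zone name
    keyboard_layouts: tuple[str, ...]  # Windows KLIDs (assumed): 00000409 = US, 00000404 = Chinese (Traditional)
    egress_country: str                # ISO 3166-1 alpha-2 from a geolocation lookup of the public IP


# Hypothetical target profile for a Taiwan-only gate.
TARGET = {
    "locales": {"zh-tw"},
    "time_zones": {"Asia/Taipei"},
    "keyboard_layouts": {"00000404"},
    "countries": {"TW"},
}


def region_signals(env: HostEnvironment) -> list[bool]:
    """One boolean per independent signal that points at the target region."""
    return [
        env.ui_locale.lower() in TARGET["locales"],
        env.time_zone in TARGET["time_zones"],
        any(k.upper() in TARGET["keyboard_layouts"] for k in env.keyboard_layouts),
        env.egress_country.upper() in TARGET["countries"],
    ]


def region_score(env: HostEnvironment) -> int:
    """Number of signals that agree with the target region (0 to 4)."""
    return sum(region_signals(env))


def would_detonate(env: HostEnvironment, threshold: int = 2) -> bool:
    """Gate that requires several agreeing signals, so that changing a single
    VM setting (say, only the display locale) is not enough to trigger the payload."""
    return region_score(env) >= threshold


# Constructed environments: a stock sandbox, a half-configured VM, and a VM
# set up to resemble a workstation in Taiwan.
DEFAULT_SANDBOX = HostEnvironment("en-US", "UTC", ("00000409",), "US")
LOCALE_ONLY_VM = HostEnvironment("zh-TW", "UTC", ("00000409",), "US")
TAIWAN_ANALYSIS_VM = HostEnvironment("zh-TW", "Asia/Taipei", ("00000409", "00000404"), "TW")

if __name__ == "__main__":
    for name, env in [("default sandbox", DEFAULT_SANDBOX),
                      ("locale-only VM", LOCALE_ONLY_VM),
                      ("Taiwan analysis VM", TAIWAN_ANALYSIS_VM)]:
        print(f"{name:<20} score={region_score(env)} detonates={would_detonate(env)}")
```

The stock sandbox scores 0 and the VM with only the locale changed scores 1, so neither crosses the threshold; only the fully configured VM (score 4) detonates. For an analyst the lesson is that a clean verdict from a default sandbox does not clear a sample suspected of regional targeting: detonate it in an environment that matches the victim's region, or patch the gate out under a debugger. The behaviour corresponds to MITRE ATT&CK T1614 (System Location Discovery) used as a sandbox-evasion check.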