Hacking with ChatGPT: Five A.I. Based Attacks for Offensive Security

00:03

chat gbt is an AI chat box that combines

00:06

the capabilities of natural language

00:07

processing with the gpt3 framework to

00:10

provide amazing human-like responses to

00:13

virtually any request

00:15

NLP allows a model to understand human

00:17

input while GPT 3 takes on over 175

00:21

billion data points to understand and

00:24

find the answer to the most complex

00:26

Solutions

00:27

this means when a request comes in NLP

00:30

processes the input and runs it through

00:32

a neural network of artificial atoms

00:34

that work just like the human brain to

00:36

process the answer and present it back

00:38

to the user in real time

00:40

the hype around chat gbt is very real in

00:44

fact it's hard not to stumble upon a

00:46

story on how people everywhere are

00:47

utilizing the chat box for new business

00:49

ventures creating complex code and much

00:52

much more

00:53

it should come as no surprise then that

00:55

attackers are also finding ways to

00:57

utilize a chat box for wrongdoing in

01:00

fact within weeks of its release it was

01:02

discovered on various underground forums

01:04

that people are utilizing chat gbt for a

01:07

number of different nefarious purposes

01:09

in this video we'll take a look at some

01:12

of the top five ways that attackers are

01:14

using chat GPT today for various kinds

01:17

of attacks we'll also take a look at how

01:19

to utilize chat GPT to carry out these

01:21

attacks and circumvent some of the

01:24

built-in security measures to get our

01:26

desired results

01:29

the first item on our list is finding

01:31

vulnerabilities in code you see

01:33

programmers everywhere have raved about

01:34

chat gpt's unique ability of debugging

01:37

and writing code a simple request to

01:40

debug the code followed by the code in

01:42

question yields a surprisingly accurate

01:44

result of bugs or problems in the

01:46

provided source code

01:48

of course by asking Chachi BT to find

01:50

bugs and issues attackers could also

01:52

utilize artificial intelligence to find

01:54

security vulnerabilities as well chatgpt

01:57

does have built-in safeguards to protect

01:59

against providing potentially illegal or

02:01

unethical responses so asking the chat

02:04

box to Simply find a vulnerability will

02:06

not be sufficient however if we frame

02:08

our requests around being a security

02:10

researcher that is looking to answer a

02:12

question for a capture the flag

02:13

challenge we get the desired result as

02:17

demonstrated by security researcher and

02:19

Professor Brandon dolan-gavitt we ask a

02:21

chat box to solve a capture the flag

02:23

challenge we then Supply the source code

02:25

to which we need to find the

02:27

vulnerability

02:28

as Brendan demonstrate the chat box

02:30

responds with a shockingly accurate

02:32

assessment which after some follow-up

02:34

questions yields a buffer overflow

02:36

vulnerability in the provided code

02:38

several other examples exist all over

02:41

the Internet showing how chat gbt is

02:43

being utilized to find vulnerabilities

02:45

in commercial and open source code

02:48

not only does chat gbt provide the

02:50

solution but it also offers explanation

02:52

of its thought process for educational

02:54

purposes

02:56

chat gbt's identification and response

02:58

is very impressive and it shows how a

03:01

traditionally complex step in the attack

03:02

process can now be commoditized to be

03:05

used by Script kitties and even the most

03:07

Junior of hacking enthusiasts

03:09

not only can we utilize chat gbt to find

03:12

vulnerabilities but we can also use it

03:14

to exploit the given vulnerability as

03:16

well researchers from Cyber News

03:18

recently wrote an article on how they

03:20

were able to utilize chat gbt to find a

03:23

vulnerability and successfully exploit

03:25

that vulnerability to a popular

03:27

application again because of its

03:30

built-in safeguards we cannot simply ask

03:32

chat GPT to find or write an exploit

03:35

instead researchers told the chat box

03:37

that they were doing a hack the Box pen

03:39

testing Challenge and needed to find a

03:41

vulnerability in the provided source

03:43

code once found they were able to get

03:45

step-by-step instructions on where to

03:48

focus examples of exploit codes that

03:50

they can possibly utilize and samples to

03:52

follow as one researcher puts it there

03:55

are many articles write-ups and even

03:57

automated tools to determine the

03:59

required payload we have provided the

04:01

right payload with a simple PHP info

04:03

command and it managed to adapt and

04:05

understand what we are getting just by

04:07

providing the right payload in other

04:09

words by asking the right requests

04:11

chatgpt provided all the tools necessary

04:13

to successfully exploit the given

04:16

vulnerability the result within 45

04:18

minutes security researchers were able

04:20

to not only find the vulnerability but

04:22

write an exploit to a known application

04:24

here we see another example of how a

04:27

traditionally long and complex process

04:29

can now harness the power of machine

04:31

learning to be leveraged by anyone there

04:34

are many examples everywhere of how

04:36

Chachi PT is being utilized to write

04:38

powerful and complex code in virtually

04:41

any language with very simple human

04:43

requests and while most developers are

04:45

worried about how they may be replaced

04:47

by artificial intelligence attackers are

04:50

already quick at work to harness this

04:52

great power to create Advanced malware

04:54

and other tools in real time

04:56

cyber security company checkpoint

04:58

recently identified within three weeks

05:01

of chat gbt going live they discovered

05:03

multiple instances in underground forums

05:05

of attackers utilizing the chat box to

05:08

develop different types of malicious

05:09

tools in one example we see a user

05:12

utilizing chat GPT to write a

05:15

python-based dealer that searches common

05:17

file types copies them to a random

05:19

folder inside of the temp folder zip Sim

05:22

and uploads them to a hard-coded FTP

05:24

server another example shows chat CPT

05:26

creating a Java program that downloads

05:28

putty and runs it covertly in the

05:30

background using Powershell in this

05:32

request we see how they ask a chat box

05:35

to have the bytes loaded to memory and

05:37

save it as a random name so that it can

05:39

operate stealthily in the background to

05:41

avoid detection

05:42

but perhaps a scariest one of them all

05:44

was pointed out by a cyber security team

05:46

at Cyber Arc who used chat gpt's API to

05:50

create polymorphic malware polymorphic

05:52

malware changes every time that it's

05:54

executed this means that every victim's

05:56

code will look different so that it can

05:58

evade signature based detection from

06:00

antivirus tools their technical write-up

06:03

walks through how they were able to

06:04

bypass some of the built-in safeguards

06:07

on the web version using API directly

06:09

into the python code the end result is a

06:12

new type of malware that continues to

06:14

change from victim to victim making it

06:16

completely undetectable by traditional

06:18

antivirus engines

06:21

as mentioned earlier one of the things

06:22

that makes chat gbt so successful is its

06:25

natural language processing or NLP this

06:28

allows it to write and respond to

06:30

virtually any requests indistinguishable

06:32

from a human this is also why chat TPT

06:35

has been used to create amazing

06:36

marketing and sales materials scripts

06:39

for YouTube screenplays and much much

06:41

more Chachi BT's amazing capability of

06:44

writing well thought out texts can also

06:47

be utilized for writing out a phishing

06:49

email at scale just like our previous

06:51

example however we cannot simply ask a

06:53

chat box for a phishing email instead

06:56

we'll ask it to craft an email about

06:58

year-end bonuses for our targeted

07:00

companies we'll then change our writing

07:02

sound to be warm and friendly or more

07:05

business focused if that's what's

07:06

required for the given phishing attempt

07:08

we can even ask the chat box to write

07:10

the email in the form of a famous person

07:12

or celebrity to make it more lifelike

07:14

what we end up with is a well-written

07:17

thoughtfully created email that can be

07:19

used for phishing and if you've ever

07:21

seen a real phishing email before you'll

07:23

know that oftentimes they're badly

07:24

written with broken English however

07:27

Chachi PT's unique ability of writing

07:29

exceptionally well means that it's

07:31

virtually indistinguishable from a human

07:33

email this means that attackers from

07:35

other countries can now make realistic

07:37

phishing emails free of translation

07:39

errors in any language they desire

07:41

however this is just the beginning of it

07:43

Chachi BT is based off of the gp3

07:46

learning model which can be trained

07:48

offline using local data to write in the

07:51

style of real people provided that there

07:54

are enough samples of their emails this

07:56

means that with enough sample size gpt3

07:59

can be trained to write emails in the

08:01

same sound and format of the victim in

08:04

question with our phishing email in

08:06

place we can now take that message and

08:08

attach a file like a spreadsheet with

08:10

macros again we'll utilize chat gp3 for

08:13

this step as well with our well-written

08:16

email in place all an attacker would

08:17

need to do is embed a link or file into

08:20

the email that the victim would click on

08:22

again using chat gp3 we can create

08:25

macros that can automatically run when a

08:27

file like a spreadsheet is open for this

08:30

request we'll ask chatgbt to create us a

08:32

macro for a regular application like

08:35

terminal calculator or any default

08:37

application in our example we'll ask a

08:40

chat box to provide the code that

08:42

automatically runs calculator.exe when a

08:44

macro is enabled in Excel keep in mind

08:47

that this file could be anything but in

08:49

our example we want our request to be

08:51

benign so that we can move on to the

08:53

next phase of our attack

08:55

next we'll use chatgpt to convert this

08:58

code to LOL bin LOL bin stands for

09:01

living off the land binaries which is a

09:03

way of using trusted pre-installed

09:05

system tools to spread malware in our

09:07

case we'll modify our requests to change

09:09

the calculator.exe to a LOL bin the

09:13

result is a new macro that runs terminal

09:15

when the spreadsheet from our phishing

09:17

email was open the next step for an

09:19

attacker is to run a basic networking

09:21

command like a reverse shell that can

09:23

connect back to our desired machine with

09:25

an open connection back to an attacker's

09:27

machine we've essentially bypassed most

09:29

firewalls and open up the victim to many

09:31

other kinds of attacks as amazing as

09:34

chat gbt is we're only really scratching

09:36

the surface of its true capability Chad

09:39

gpt's architecture is based off as gpt3

09:42

which currently has 175 billion

09:45

parameters in late 2023 gp34 will be

09:48

arriving with 170 trillion parameters

09:51

that's a hundred times more powerful

09:53

than chat gbt's current capability what

09:56

this means to security organizations and

09:58

users alike is that AI is completely

10:01

changing the game at a pace that blue

10:03

team simply cannot keep up with expect

10:06

the attack surface to be much wider now

10:08

they're traditionally complex items have

10:10

become easy for even script kitties to

10:12

deploy this means an increase in less

10:14

sophisticated attacks by amateurs

10:16

overall

10:17

however Advanced attackers have new

10:19

capabilities and tools that they

10:21

previously did not possess this also

10:23

means more advanced kinds of attacks and

10:25

zero days overall

10:27

Security Professionals everywhere need

10:29

to make sure that they're keeping up to

10:30

date with AI advances and think of

10:32

innovative ways to utilize AI for

10:35

defense because rest assured adversaries

10:37

are using it for the offensive all of us

10:40

need to stop worrying about how AI can

10:42

eventually replace our jobs and instead

10:44

think of ways to utilize its great

10:46

powers to improve our processes overall

10:49

AI is of course a hot and controversial

10:52

topic so I'm really interested in

10:54

hearing your thoughts on this matter

10:55

what are some of the ways that you can

10:57

think of to utilize chat gbt and other

11:00

artificial intelligence models for

11:02

offensive and defensive security let me

11:04

know down below by entering your

11:06

comments

11:07

if you haven't already please hit like

11:09

down below to give me a boost in the

11:10

YouTube algorithm and if you got any

11:12

value at all from this video consider

11:14

subscribing so you can stay on top of

11:16

our latest releases here at the CSO

11:18

perspective

11:19

until next time this is Andy and thank

11:21

you for watching