Date: 2023-03-11

Paolo Arcagni, Solutions Engineering Director of F5, considers the advantages and dangers of the platform of the moment: ChatGPT.

The superstar of the AI industry today is called ChatGPT. The open source tool has created scripts for millions of people but, sadly and unsurprisingly, has already been used by cybercriminals to scan code for vulnerabilities and create exploits. The time has come for security officials to address the dangers associated with this hugely popular platform and to consider protective measures.

ChatGPT, that is, Chat Generative Pre-trained Transformer

But let’s start from the beginning. ChatGPT (Chat Generative Pre-trained Transformer) was released by OpenAI in November last year. Its main purpose is to imitate a human interlocutor, but the tool is now also able to compose music, write essays, answer questions, play games or write computer programs.

Weaknesses of the platform

In doing so, it exhibits the typical weaknesses that characterize all AI tools: the results are a reproduction of already existing content, even if often modified. They contain neither creativity nor opinions of their own and are often imprecise, stating completely nonsensical things with absolute certainty or presenting their own inventions as fact.

Artificial intelligence is perfecting itself with extreme speed

For its part, OpenAI intends to do everything possible to correct these problems, with the next version of the GPT-4 engine expected to be released this year. According to the latest news, in addition to the technical improvements, OpenAI plans to hire an additional 1,000 people to train the AI, with 400 software developers who will help code the code (not write it), significantly enhancing the platform’s programming capabilities.

The misuse of ChatGPT

OpenAI is committed to preventing misuse of the platform through security measures and blocks, but hackers have managed to get around them without too much difficulty. For example, last December, some criminals managed to crack ChatGPT using various prompt engineering techniques, so that the bot gave instructions for making a Molotov cocktail or a nuclear bomb.

A new helper for hackers

ChatGPT really makes the job of cybercriminals easier. Just like Google, ChatGPT offers a result for a specific question. However, unlike the search engine, the answer provided is much more precise and enriched with contextual examples that can be used without the slightest reworking. This makes “hacking” a breeze, optimizing the self-learning of the AI itself and taking web application threats to a whole new level. With ChatGPT, even laymen can conduct more complex attacks.

The GPT-3 language model can already be used today to examine existing code, even obfuscated and decompiled code, for vulnerabilities and to create exploits. Even hackers with the least development skill can use ChatGPT to successfully carry out a complete infection process, from creating a spear phishing email to running a reverse shell.

Some examples of attacks

As we said, ChatGPT is already being used to support numerous attack techniques. One hacker, for example, used it to recreate malware strains and techniques, such as the Python-based Infostealer. The created script searches for the most common file types, copies them to a folder, compresses them in ZIP format and uploads them to an encrypted FTP server. The platform also helped a hacker create a Python script with signing, encryption and decryption functions, generating an encryption key to sign files and using a fixed password to encrypt files in the system.

All decryption functions have been implemented in the script so that the code could be transformed into ransomware quickly. Besides creating malware, ChatGPT is perfectly able to write phishing emails. It is also well suited to developing payment systems for cryptocurrencies on dark web markets, or to creating NFT artworks that are illegally sold on Etsy and other online platforms.

The dangers increase

The risks of attack and fraud are bound to increase and become ever more dangerous. Some security experts, for example, are able to completely bypass ChatGPT’s built-in content filters by using the API instead of the web version. But that is not all: they also discovered that ChatGPT can modify the generated code repeatedly and create multiple versions of the same malware. This type of polymorphic malware is difficult to detect due to its high mutability.

Furthermore, the ChatGPT API can be used within the malware itself to provide modules for different actions as needed. Since malware does not exhibit any malicious behavior as long as it is stored on the hard drive only and often does not contain any suspicious logic, signature-based security tools are unable to detect it.

From AI star to cybercriminal tool: ChatGPT

And that’s not all. Artificial intelligence can also be used as a service (Artificial Intelligence as-a-Service, AIaaS). This means that cybercriminals no longer have to train models themselves or rely on ready-made open source ones. By significantly reducing barriers to entry, AIaaS gives even hackers with no programming experience access to breakthrough AI features via easy-to-use APIs, without high costs.

How to fight back? Here are the possible defense measures

With the rapidly increasing level of risk from the malicious use of AI models, companies need to take proactive protective measures. They must therefore make investments in research and development of detection and defense technologies, implement strategies such as AI governance frameworks, take a comprehensive approach to security and perform regular penetration tests.

Artificial Intelligence as-a-Service (AIaaS)

It is precisely here that AI tools themselves can, in the same way, provide essential help. For example, AIaaS can be used to improve the performance of Red Team tests, especially for phishing emails. Also, let’s not forget that artificial intelligence is able to automatically personalize content based on the background and personality of its target, with extraordinarily better results than the manual ones of the Red Teams. In turn, Red Teams can focus on higher-value activities, such as information gathering and analysis.

Phishing attacks

Furthermore, AIaaS-based systems can be used not only in simulations, but also to detect and defend against real phishing attacks. Compared to traditional email filters, language models such as GPT-3 are able to more accurately distinguish between automatically or manually created text. Basic knowledge of AI and few resources are enough to use these models.

Even existing and currently available tools can effectively defend against AI-based attacks. For example, F5 tested the quality of its Advanced Web Application Firewall (AWAF) with an SQL injection attempt generated by ChatGPT. The attempt was automatically detected and blocked, even after URL encryption.
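Why detection can survive encoding, shown as an added example that is not F5's AWAF logic or code from the original article: the inspection copy of a parameter is canonicalized before signatures are applied. It assumes "URL encryption" above refers to percent-encoding; the signature set and sample values are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed, deliberately small signature set (an assumption for this
# example; a production WAF combines far richer rules, parsing and scoring).
SQLI_PATTERNS = [
    re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),
    re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I),
]

MAX_DECODE_ROUNDS = 5  # bounded so deeply nested encodings cannot stall inspection


def canonicalize(value: str) -> str:
    """Percent-decode repeatedly until the value stops changing.

    Only the inspection copy is decoded; the request itself is not rewritten.
    """
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect(value: str, normalize: bool = True) -> bool:
    """Return True when the parameter value matches a signature."""
    candidate = canonicalize(value) if normalize else value
    return any(p.search(candidate) for p in SQLI_PATTERNS)


if __name__ == "__main__":
    # Constructed sample parameter values.
    samples = {
        "encoded once": "1%27%20OR%201%3D1",
        "encoded twice": "1%2527%2520OR%25201%253D1",
        "benign search": "red+or+blue+shoes",
    }
    for label, raw in samples.items():
        print(f"{label:14} raw-match={inspect(raw, normalize=False)} "
              f"normalized-match={inspect(raw)}")
```

Matching on the raw value misses both encoded samples, while matching on the canonical form flags them and still passes the benign search term.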

Conclusions

It is clear that the results achieved by ChatGPT to date are mostly quite solid, or in any case can be used immediately or after only some small adjustments. With the rapid refinement of language models, it is very likely that the IT landscape will be significantly different in the near future. Anyone who ignores this aspect acts at their own risk. Security managers must therefore prepare now for the possible risks represented by the improper use of artificial intelligence tools, responding with the same technology for their own protection.