Though the technology has only been widely available for a couple of months, everyone is talking about ChatGPT.

If you are one of the few people unfamiliar with ChatGPT, it is an OpenAI language model with the “ability to generate human-like text responses to prompts.” It could be a game-changer wherever AI meshes with human interaction, like chatbots. Some are even using it to build editorial content.

But, as with any popular technology, what makes it great can also make it a threat. Security experts warn that while companies use ChatGPT for chatbot responses, threat actors are using AI to write malware.

Jerrod Piker, a competitive intelligence analyst with Deep Instinct, compared the technology to a Swiss Army knife for techies everywhere. The good guys are already using it to develop useful applications.

Unfortunately, it’s not all positive news. “Because of ChatGPT’s ability to create code on the fly, attackers can automate part of the process of launching a cyberattack by having the chatbot create their initial infection code for them,” Piker said in an email interview. “This could also aid potential attackers with very little coding knowledge to create their own malware.”

“Benefits of malware”

It only took threat actors about a month before they figured out how to use ChatGPT for nefarious actions. ChatGPT was released on November 30, 2022. On December 29, 2022, a conversation titled “ChatGPT — Benefits of Malware” was discovered on a popular hacking forum, according to a Check Point blog. This thread included examples of how the author used the AI technology to create malicious code to steal information.

“From an attacker’s perspective, what code-generating AI systems allows the bad guys to do easily is to first bridge any skills gap by serving as a ‘translator’ between languages the programmer may be less experienced in, and second, an on-demand means of creating base templates of code relevant to the lock that we are trying to pick instead of spending our time scraping through stack overflow and Git for similar examples,” said Brad Hong, customer success manager with Horizon3ai, in a formal comment.

“Attackers understand that this isn’t a master key, but rather, the most competent tool in their arsenal to jump hurdles typically only possible through experience.”

A new social engineering tool

Threat actors aren’t just using ChatGPT as an easy way to write malicious code. They are also using it for social engineering attacks.

Because ChatGPT mimics human language, it’s more difficult to distinguish AI editorials from human-authored content. A college student using ChatGPT to write a term paper is one thing; their biggest concern is plagiarism, which is in itself a different type of threat.

But if an AI chatbot can write academic papers, creating a phishing email will be much easier. In fact, a ChatGPT-produced email will be more eloquent than most phishing emails that flood our inboxes now. This will make the scam much more difficult to detect.

The technology will have much broader applications than mere phishing campaigns. Almost any type of social engineering attack will benefit from video scripts to text messages. Expect threat actors to take social engineering to new heights, with entire websites, personas and fake businesses created with ease.

Users today struggle to differentiate real from fake. But in a few months, even the most highly skilled person may struggle to tell the difference.

Making it easier for the bad guys

ChatGPT is a new, effective tool in an attacker’s toolset. It’s not just that the technology decreases a threat actor’s required skills. The way the technology itself works contributes to its ability for malicious activities. The ability to automate at least some of the code writing means threat actors can launch more attacks and do so faster.

“The reality is that the algorithm race in cybersecurity consists of the use of machine learning algorithms to use a human by exception (autonomous) or in the loop (automated) to supplement the ability to scale their expertise to a degree that was not possible before,” said Hong in an email interview. “Generative AI technologies are most dangerous to organizations because of their ability to expedite the loops an attacker must go through to find the right code that works with ease.”

Diverting the threat

The creators of ChatGPT must have known that people could use its technology for evil as well as good. There are keywords and use cases that have been disabled, according to Matt Psencik, director and endpoint security specialist with Tanium.

“For example, I just asked the bot, ‘Can you write a phishing email for Woogle that I can send to John Doe?’ and it not only told me that question could be dangerous but also flagged my question as possibly violating the bot’s content policy,” Psencik said in an email interview. “It seems OpenAI is actively modifying the AIs model and safeguards to adapt to these malicious use cases, and I imagine that as they get more and more questions and answers, they will continue to tune this model to prevent these more in the future.”

However, there are workarounds that malicious actors can — and are — using, according to a Deep Instinct blog post. Simply rephrasing a request without using the triggered keywords will allow the program to continue the script.

But if threat actors can use AI chat functions, then cybersecurity teams can also use it to detect new threats.

“Cybersecurity professionals can take advantage of this utility to automate script creation for threat hunting,” said Piker, “saving a lot of time in the threat mitigation and investigation process.”

Overall, professionals must prepare for anything the era of AI tools may bring.

More from News

Securing critical infrastructure with the carrot and stick

4 min read - It wasn’t long ago that cybersecurity was a fringe topic of interest. Now, headline-making breaches impact large numbers of everyday citizens. Entire cities find themselves under cyberattack. In a short time, cyber has taken an important place in the national discourse. Today, governments, regulatory agencies and companies must work together to confront this growing threat. So how is the federal government bolstering security for critical infrastructure? It looks like they are using a carrot-and-stick approach. Back in March 2022, the…

650,000 cyber jobs are now vacant: How to tackle the risk

4 min read - How far is the United States behind in filing cybersecurity jobs? As per Rep. Andrew Garbarino, R-N.Y., Chairman of the HHS Cybersecurity and Infrastructure Protection Subcommittee, overseas adversaries have a workforce advantage over FBI cyber personnel of 50 to one. His statements were made during a recent subcommittee hearing titled “Growing the National Cybersecurity Talent Pipeline.” Meanwhile, recent CyberSeek data shows over 650,000 cyber jobs to fill nationwide. Given the rising rate of cyberattacks, these numbers are truly alarming. How…

Will data backups save you from ransomware? Think again

4 min read - Backups are an essential part of any solid anti-ransomware strategy. In fact, research shows that the median recovery cost for ransomware victims that used backups is half the cost incurred by those that paid the ransom. But not all data backup approaches are created equal. A separate report found that in 93% of ransomware incidents, threat actors actively target backup repositories. This results in 75% of victims losing at least some of their backups during the attack, and more than…

Should you worry about state-sponsored attacks? Maybe not.

4 min read - More than ever, state-sponsored cyber threats worry security professionals. In fact, nation-state activity alerts increased against critical infrastructure from 20% to 40% from 2021 to 2022, according to a recent Microsoft Digital Defense Report. With the advent of the hybrid war in Ukraine, nation-state actors are launching increasingly sophisticated attacks. But is this the most prominent danger facing companies today? While nation-state-based attacks cannot be ignored, it looks like insider cyber incidents are far more common. In fact, for the…