“Between November 2022-April 2023, we noticed a 910% increase in monthly registrations for domains, both benign and malicious, related to ChatGPT,” according to the latest Network Threat Trends Research Report from Unit 42, the threat research arm of Palo Alto Networks.
The report, released Tuesday, is based on threat intelligence from various products including the Palo Alto Networks Next-Generation Firewall (NGFW), Cortex Data Lake, Advanced URL Filtering and Advanced WildFire, leveraging telemetry from 75,000 customers globally.
The cybersecurity firm observed a jump in the last few months in attempts to mimic the ChatGPT interface through squatting domains, website names deliberately crafted to resemble those of popular brands or products in order to deceive people.
“Squatting domains can cause security risks and consumer confusion while creating opportunities for malicious actors to profit, such as through advertising revenue or scam attacks,” Palo Alto Networks said in the report.
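One way a defender can triage newly registered domains for ChatGPT look-alikes of the kind described above, as an added example that is not part of the report or the article: it normalises common substitutions and flags labels that embed or sit within a small edit distance of the brand token (the sample domains and brand list are constructed).

```python
import re

# Brand tokens whose look-alikes we want to flag (constructed list for this example).
BRAND_TOKENS = ("chatgpt", "openai")

# Digit and symbol substitutions commonly used to produce look-alike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

def registrable_label(domain):
    """Return the label just left of the TLD, lower-cased (no public-suffix list here, an assumption)."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def normalise(label):
    """Drop separators and undo substitutions so 'chat-gpt' and 'ch4tgpt' both compare as 'chatgpt'."""
    return re.sub(r"[-_.]", "", label).translate(HOMOGLYPHS)

def levenshtein(a, b):
    """Plain edit distance, implemented inline to keep the example dependency-free."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain, max_distance=2):
    """Return (verdict, reason); verdict is 'contains', 'lookalike' or 'unrelated'."""
    label = normalise(registrable_label(domain))
    for token in BRAND_TOKENS:
        if token in label:
            return "contains", f"label embeds brand token '{token}'"
        d = levenshtein(label, token)
        if d <= max_distance:
            return "lookalike", f"edit distance {d} from '{token}'"
    return "unrelated", ""

def triage(domains):
    """Keep only the domains that deserve analyst review, with the reason attached."""
    return [(dom, *classify_domain(dom)) for dom in domains if classify_domain(dom)[0] != "unrelated"]

# Constructed sample of newly registered domains (not taken from the report).
SAMPLE = ["chat-gpt-login.example", "ch4tgpt.example", "chatgtp.example", "openai-support.example", "weather.example"]
```

Flagged domains still need a human or reputation check: the report notes registrations were both benign and malicious, so a hit is a lead, not a verdict.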
The popularity of ChatGPT has also led to the appearance of related grayware, which is software that falls somewhere between malicious and benign. This category includes adware, spyware, and potentially unwanted programs. Grayware might not be explicitly harmful, but it can still cause issues or invade people's privacy.
“It suggests that cybercriminals are looking to exploit the popularity of ChatGPT to spread potentially unwanted or harmful software,” Palo Alto Networks said in the report.
The firm says that organisations can prepare for attacks by such software by continuing to employ defense-in-depth best practices. “Security controls that defend against traditional attacks will be an important first line of defense against any developing AI-related attacks going forward,” Palo Alto Networks said in the report.
Vulnerability exploits increase
In its report, Palo Alto Networks also said that there was a 55% increase in vulnerability exploitation attempts, per customer, on average, last year.
Much of this increase can be attributed to the rise in exploitation attempts using the Log4j and Realtek supply-chain vulnerabilities. “We continue to find that vulnerabilities using remote code execution (RCE) techniques are being widely exploited, even ones that are several years old,” Palo Alto Networks said.
To ensure that old and new vulnerabilities are patched regularly, organisations should implement a comprehensive vulnerability management program that includes regular vulnerability assessments, scanning, and prioritisation of vulnerabilities based on risk levels, according to the company.
“Develop a well-defined patch management process that includes the identification, testing, deployment, and verification of patches across all systems and applications. Continuously monitor new vulnerabilities by subscribing to vulnerability feeds, and security advisories, and staying updated on the latest threat intelligence,” said Royce Lu, distinguished engineer at Palo Alto Networks.
“Develop a risk-based approach to prioritise vulnerabilities based on their severity, potential impact, and exploitability. Focus on patching critical vulnerabilities that could have the most significant impact on the organisation's systems and data,” Lu said.
Emails with PDFs used as initial infection vector
Meanwhile, emails with PDF attachments remain a popular initial attack vector among attackers to spread malware.
“PDFs are a common initial vector used by threat actors thanks to their wide usage and popularity in organisations. PDFs are commonly sent as email attachments, making them an effective delivery mechanism for malware,” Lu said.
PDFs are the primary malicious email attachment type being used in 66% of the cases where malware was delivered via email, according to the Palo Alto Networks report.
PDF files are widely used for document sharing and distribution across various platforms. They are designed to be cross-platform compatible, meaning they can be opened and viewed on different browsers, operating systems, and devices.
“This versatility makes them an attractive choice for threat actors as they can target a wide range of potential victims across various platforms,” Lu said.
PDFs can also be crafted to deceive users through social engineering techniques. Threat actors often use enticing subject lines, appealing visuals, or misleading content to get users to open a PDF file, which may contain phishing links, hidden malware, or exploit techniques, Lu said.
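A defender's first-pass triage for the PDF attachments discussed above, added here as an example and not code from the report or the article: it counts the PDF names that indicate automatic actions, scripts, launches and external links, and pulls out link targets for review. The sample PDF is constructed and minimal, and hex-encoded names are deliberately out of scope.

```python
import re

# PDF names that warrant a closer look when they appear in object dictionaries.
SUSPICIOUS_NAMES = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "JavaScript action",
    b"/OpenAction": "action runs when the document opens",
    b"/AA": "additional (automatic) actions",
    b"/Launch": "launches an external program",
    b"/EmbeddedFile": "embedded file attachment",
    b"/URI": "external link",
}

def find_uris(data):
    """Collect the targets of /URI actions so a reviewer can check where the links point."""
    return [m.group(1).decode("latin-1") for m in re.finditer(rb"/URI\s*\((.*?)\)", data, re.S)]

def triage_pdf(data):
    """Return counts of suspicious names plus the URIs found; names encoded as #xx hex are not matched (accepted blind spot)."""
    if not data.startswith(b"%PDF-"):
        return {"error": "not a PDF header"}
    hits = {}
    for name in SUSPICIOUS_NAMES:
        # Negative lookahead so /JS does not also match /JavaScript.
        n = len(re.findall(re.escape(name) + rb"(?![A-Za-z])", data))
        if n:
            hits[name.decode()] = n
    return {"hits": hits, "uris": find_uris(data)}

def risk_score(report):
    """Crude additive score: auto-run actions and scripts weigh more than a plain link."""
    weights = {"/OpenAction": 3, "/AA": 3, "/JavaScript": 3, "/JS": 3, "/Launch": 4, "/EmbeddedFile": 2, "/URI": 1}
    return sum(weights[k] * v for k, v in report.get("hits", {}).items())

# Constructed minimal PDF with one link annotation and an open-action script (not a real sample).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj
4 0 obj << /S /JavaScript /JS (app.alert('hi')) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://login-example.test/verify) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
```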
The threat report also noted that threat actors catch victims off guard with injection attacks, in which attackers search for vulnerabilities in websites or in third-party plugins and libraries and exploit them to insert malicious scripts into legitimate websites.
“Websites created using WordPress have become a favorite target,” Palo Alto Networks said, adding that this could be an indicator that one or more vulnerable third-party plugins could have allowed threat actors to perform malicious script injections.
Ramnit malware family variants most used
In terms of most commonly used malware, Palo Alto Networks observed that variants of Ramnit were the most commonly deployed malware family last year.
“While reviewing tens of thousands of malware samples from our telemetry, we found that the Ramnit malware family had the most variants in our detection results,” Palo Alto said in the report.
Ramnit is a widespread malware strain that has been active since 2010. It started as a worm and banking Trojan but has evolved into a multifunctional malware strain. It targets online banking portals and injects malicious code into web browsers.
“This code captures user inputs, such as login credentials, banking details, and transaction data, allowing threat actors to gain unauthorised access to victims' financial accounts,” Lu said.
Ramnit infects systems by exploiting vulnerabilities or utilising social engineering techniques to trick users into executing malicious files or visiting compromised websites.
“Once inside a system, Ramnit establishes persistence by creating registry entries or adding itself to startup processes, ensuring that it remains active even after system reboots,” Lu said.
Ramnit can transform infected systems into a botnet. It establishes a command and control (C&C) infrastructure that allows threat actors to remotely control and coordinate the actions of the compromised machines. This enables them to issue commands, deliver updates, and orchestrate various malicious activities across the botnet, Lu said.
Critical infrastructure, Linux are popular targets
Palo Alto Networks also saw the average number of attacks experienced per customer in the manufacturing, utilities, and energy industry increase by 238% last year.
The firm also observed that Linux malware is on the rise. Attackers are looking for new opportunities in cloud workloads and IoT devices that run on Unix-like operating systems, Palo Alto Networks said.
“The growing prevalence of this family of operating systems among mobile and 'smart' devices could explain why some attackers are turning their eyes toward Linux systems,” Palo Alto Networks said in the report.
For 2023, Palo Alto Networks predicts that evasive threats will continue to grow more complex, that the spread of malware through vulnerability exploitation will keep rising, and that the volume of encrypted malware will continue to increase.