Video: Embracing the Hacker Mindset for Innovation | Duration: 52s | Summary: Description: Embracing the hacker mindset can be advantageous to stay ahead in cybersecurity
Video: Social Engineering Attack Unlocks Cloud Encryption | Duration: 93s | Summary: A detailed account of a sophisticated social engineering attack targeting IT support vendors with ransomware.
Video: AlphaVee: The Alpha Cats of Ransomware | Duration: 74s | Summary: Black Cat, or AlphaVee, is a notorious ransomware gang known for targeting top entertainment and casino operators.
Video: Ransomware Revenue Soars: LockBit's Cloud Success | Duration: 111s | Summary: Insights into the lucrative ransomware industry, highlighting LockBit's cloud-based ransomware model and global recruitment strategy.
Video: Evolution of Ransomware: Cloud-Based Criminal Innovation | Duration: 59s | Summary: Description: Ransomware as a service enables criminals to recruit affiliates, use innovative marketing tactics, and demand high ransom payments with double extortion
Video: Using AI for Phishing: A Dark Reality | Duration: 127s | Summary: Generative AI empowers hackers with fast, varied phishing tactics, credential theft, and network exploitation.
Video: Augmenting Cybersecurity: Enhancing Defense with AI | Duration: 98s | Summary: Recommendations for leveraging AI in cybersecurity defense to enhance threat detection and decision-making processes.
Video: AI, Cybersecurity, and the Technology of Tomorrow | Duration: 1672s | Summary: AI, Cybersecurity, and the Technology of Tomorrow | Chapters: Hacker's Journey Begins (28.91s), Ransomware and Innovation (157.315s), LockBit's Business Model (288.81497s), BlackCat Ransomware Tactics (517.805s), Evolving Cybercrime Collaboration (682.02997s), BlackCat's Ransomware Aftermath (768.1s), Emerging Ransomware Threats (925.61s), Ransomware's Criminal Renaissance (1026.765s), AI-Powered Cybercrime Evolution (1116.7849s), Future of Cybersecurity (1372.015s)
Transcript for "AI, Cybersecurity, and the Technology of Tomorrow":
Hi, everyone. I'm Karen Anazari, and this is a talk about AI, cybersecurity, and the technology of tomorrow. We're going to take a look at what's happening in the world of cybersecurity and AI from the perspective of a hacker, myself. So I'm known online as the friendly hacker, but most hackers know me by my nickname, k three r three n three, and that's how you can find me online. Thinking about learning from hackers might seem scary at first, but trust me, I've learned everything I know about the world of cybersecurity by following in the footsteps of hackers. Ever since I was a very curious young little girl growing up right here in sunny Tel Aviv, Israel, I asked my parents so many questions about the world that at some point, I just got volumes of the encyclopedia instead of a bedtime story. And in 1993, when we first got access to the World Wide Web and the Internet, I begged my parents for a computer of my own. I was learning everything I could about the digital world, finding answers to my many burning questions. Sometimes those answers were on other people's computers because I was teaching myself how the Internet worked by taking apart web pages and by hacking into web servers. I didn't quite realize my activities were called hacking at the time. Not until I met my first hacker mentor, the woman who changed my life. In 1995, I met Acidburn. You might know her as Angelina Jolie as she portrayed Acidburn, the hacker, in this Hollywood film that immediately captured my imagination and sparked my passion about the hacker's world. If you haven't seen the movie, spoiler alert, Angelina and her merry crew of misfits, geeks, and weirdos were not the bad guys. In fact, they were the cool hacker kids who saved the day. And that Hollywood movie in 1995 also featured one of the first cases of ransomware in history, and we'll get soon to that. So I learned so much by following in the footsteps of fictional hackers and real world hackers, and I decided this is what I want to do with my life. I've dedicated my career and my life to learning everything we can from hackers, friendly hackers and malicious hackers. And one of the most important lessons I've learned is that your adversary can sometimes be a really good teacher because bad guys show us where technology is going, whether we like it or not. And when it comes to data, data is the most critical resource in the twenty first century. But it's not just about data. It's about access to data and who gets to access it or manipulate it. And this is something bad guys know really well. So naturally, stealing data is a very attractive activity for them. And specifically, criminal operators that are focusing on ransomware are really enticed by data, whether it's stored in house or in the cloud. So I want to walk you through some of the malicious innovations that are happening in the cybercriminal world with ransomware and around AI. Because I think it's not just intriguing, it's a world that can teach us so much, and it's often quite dark and quite scary. Now when it comes to ransomware specifically, it is not just very innovative. It is perhaps the most successful form of cybercrime on the planet. If you think about it, for bad guys, it's almost the perfect crime. All they have to do is steal your access to your data and then sell it back to you. And this is why ransomware last year in 2023 was making more than a billion dollar in revenue. Be advised, these are not the damages or how much it cost a company to recover. This is the actual payment. So these are actual payments tracked through cryptocurrency transactions that companies actually paid ransoms to some of the most leading and successful ransomware gangs. Notice that big red stack in there? That's LockBit, perhaps the king of ransomware until recently. And LockBit became so successful because they were one of the first to adopt the cloud. They came up with a ransomware as a service cloud distribution model where they developed the core ransomware product, the tools, the malware, the kit, and then they recruit affiliates that can take advantage of the cloud in order to get access to that malware and then find targets, victims, organizations that will be infected with that malware. When those organizations end up paying the ransom, the affiliates kick back about 20% commission to the original developers, the leaders of LockBit. Now because of this unique business model, LockBit has actually had to recruit and attract talent, affiliates from all over the world. So they've actually given YouTube interviews like this one to a Russian language channel in YouTube that specializes in these types of interviews. In the interview, they've said, come and work with us. And there is no target that's off the table. If a company is big enough to pay us, we'll try and go after them. But that's not where they stop with their recruitment efforts. This is what the lock bit two point o, the previous version of lock bit ransom screen looks like. And if you're as unfortunate as some companies and you have this lock screen at your organization, I want you to notice the fine print. Let me bring it up for you. Not only all of your important files are stolen and encrypted, there's information about how to get in touch with them, but there's also a recruitment ad hidden in the message. Would you like to earn millions of dollars? Our company requires access to the networks of various companies and organizations as well as insider information. Here's how they get in touch with us. So, basically, they are even as bold as to recruit people from amongst their victims, and that's not all. Another innovative marketing trick that the leaders of LockBit had, offering a payment of thousand dollars in Bitcoin to those affiliates who would tattoo the logo on their body. Yes. Criminals have logos, and they're offering people money in as an incentive to tattoo this on their on their bodies. As the leader of LockBit said, his name is LockBit Sup, affiliates come and go, but LockBit is forever. We'll see about that. In 2023, LockBit has gone big and bold, and they went after targets like Boing. They went after targets like ICBC, which happens to be the world's largest lender by assets, a bank that has more than $20,000,000,000 in assets. And they even went after Taiwan Semiconductor Manufacturing Company that many of you might know is the world's largest chip manufacturer. Another interesting thing about LockBit is that their ransom demands have gone up and up. Specifically with TSMC, they demanded a ransom of $70,000,000. Another point to note is the double extortion threat. So not only did LockBit steal and encrypt the files, they are also threatening that if the company, the victim doesn't pay, all of their files will be published. And specifically, LockBit really popularized this model with that countdown timer to add that additional fear into fear element into the equation. So this is LockBit and they were so successful last year. They even had the time to help out some other competitors of theirs. Check this out. This is a screenshot from the support forums of LockBit. And in this forum, another operator called black cat forty six is actually thanking LockBit for their help and their assistance. Thank you, LockBit sub, for your support. And LockBit sub replies, oh, you're very welcome. I'm always happy to help people close in spirit and profession. So is there some honor among thieves? And perhaps even further than that, as a very heartwarming message, LockBit Sapp also adds, you know, today, the FBI may have gotten him, but tomorrow, they'll get to me. It can happen to anyone in our hard line of work. We have to stick together so we don't get killed alone. The FBI doesn't catch us alone. It joins forces with all of the special services in the world. We have to do the same. This is what LockBit Supp said to BlackHat in December of twenty twenty three. So who is Black Cat? Well, Black Cat is another ransomware gang, sometimes also known as AlphaVee, and they are definitely the alpha cats in town. Specifically, you might have heard about them when they went after the two biggest entertainment gambling and casino operators in Las Vegas, MGM and Caesars. And in both of these attacks, which took place days apart, there were a couple of innovative elements to the attack. First, there was a social engineering attack on an outsourced IT support vendor with a phone call that convinced an operator to give these criminals super administrator access to different cloud based technologies and accounts, but also to systems that these operators, these casinos were using. Specifically, Black Cat launches ransomware that is written in Rust, so it's very innovative, and it goes after VMware ESXi hypervisors. So when a hundred ESXi hypervisors are encrypted, like what happened to MGM, that organization is effectively locked down. Another interesting aspect to Black Hat is that their encryption is actually intermittent. What does that mean? They use an innovative intermittent encryption model that basically makes it a lot harder to detect that a large scale encryption of a lot of files and data is happening because only bits and pieces of files are being encrypted. And it can even selectively only target and encrypt specific file types and not the entire system, making that encryption process a lot faster and a lot harder to detect. But I wanna go back to the initial access vector, that voice phishing, that social engineering call to the support center. There was something unique about it because a multibillion dollar company was defeated in a ten minute voice conversation. That according to the hacker underground. That phone conversation took place with a native English speaker with perfect accent who had all the information to masquerade as an employee, including personal details of how that employee's life and his his career had developed so that they could even answer any questions that were intended to verify that employee's identity. What's more, this is not the traditional MO for Russian based cybercrime gangs calling and help desk and speaking in English. In fact, what we've learned is that with that particular attack, there was a really interesting and new emerging trend, a dangerous team up between a Russian based organized cybercrime gang, Black Hat, and another group, a group of American and UK based hackers, gen z hackers that go by different names. One of them is the COM. You might have heard about them as scattered spider. That's one of the names that the security industry has given to this group. And it's a really widespread community of gaming obsessed, violent, and very capable, technically, hackers that are based in The US and The UK and are collaborating with these organized criminals. So this is part of what the FBI has called a gen z cybercrime ecosystem, and we haven't seen this type of collaboration in the past. What's also interesting is that after that bold attack, after MGM and Caesars, who allegedly paid the ransom, something else happened. As you saw from that previous forum post, something bad happened to BlackHat. That's why they posted and asked for LockBit support. What could it have been? Well, in December of twenty twenty three, the FBI together with other law enforcement organizations were able to seize and take control of one of Black Cat's darknet websites, the website where they trade information and publish information about their victims. So Black Hat had to go undercover for a short while, but it didn't stop them going after Change Healthcare and UnitedHealthcare in February of twenty twenty four. So just two months after, the cat had nine lives and they have gone after this huge health care provider in United States. I'm sure you heard about this. What I don't know if you've heard is that, again, this company, this victim, allegedly paid the ransom. This is the actual cryptocurrency transaction totaling 20 something million dollars, almost $22,000,000. Now what happened is that after this transaction took place, Black Cat returned this image of the seized website to their dark net forums and disappeared. So what's happening here? The UK's national crime agency denied that they took any action against Black Cat in March. Some security researchers have claimed this is a so called exit scheme. So Black Cat received the $22,000,000, did not pay their affiliates the 80% of that payment, but ran away with the money. Perhaps we'll never know how things took place, and maybe that collaboration with the American and UK Hackers wasn't as fruitful as the Russian hackers hoped for. But as things stand, Black Cat and LockBit had to deal with law enforcement action. Because in May of twenty twenty four, the NCA and the FBI again took action against LockBit, this time seizing their site and revealing information about the operation of the kingpin of ransomware as a service LockBit. The event went as far as to reveal the identity of the master of LockBit himself when Dmitry Juravich Khorshev. So if you know where he is, that's a $10,000,000 bounty on the kingpin of ransomware. But if Black Cat and LockBit were stopped, who else is out there? Well, don't worry. A lot of other ransomware gangs have stepped up. You might have heard of CLOP who made a really big splash in the summer of twenty twenty three with an attack on the progress, IT and transfer product. Or you might have heard about APOS, which presents the ransomware as if it is a data security product. Or you might have heard about Akira that has a really unique eighties look. So let's take a look at Akira. They are quite interesting, and they have a little bit of a sense of humor. This is what their leak site looks like, and it's got this eighties green screen aesthetic. But they've gone after interesting targets, not necessarily the biggest targets in the world. They've actually gone after Stanford University, but also after studio Daniel Libeskind, who is an architecture firm. They are behind the design of the World Trade Center in Manhattan and many other important landmark, but they are not necessarily a multibillion dollar organization. It's very curious sometimes to see how these ransomware groups choose their victims. But there's some good news as well. In in another international collaboration effort, a project called no more ransom has been set up that actually offers decryptors for some of these popular ransomware strains. So now there are decryptors available for Akira as well as LockBit and many other ransomware strains. So this is almost like a cure, but it is not a vaccine and we'll talk about that in a few minutes. But I wanna review some of the stories I told you just now about ransomware groups. Ransomware as a service is a cloud based innovation. As a distribution model, it's allowed criminals to recruit affiliates and even insiders to help them spread their malware. They actively advertise with YouTube channels and marketing stunts like the tattoos I mentioned. The double extortion model has allowed them to go to higher and higher ransom payments, dozens of millions of dollars if companies don't pay because they threatened to publish the data. There's a constant product evolution from lock bid version two point o to three point o with using Rust in the case of BlackHat and other innovations like intermittent encryption. There's this incredible use of fast and wide exploitation of bugs like we saw with CLOP and the move it transfer file transfer product where an exploit was available within days for the CLOP ransomware group to use. And they sometimes collaborate and coop, but sometimes they compete as well. Now if I was describing a new technology company with all of these characteristics, we would call this fearless innovation. And to me, it's absolutely no surprise that in the last two years, we've really experienced a criminal renaissance when it comes to ransomware and different types of fraudulent business models. And all of that was true even before the g word, generative AI. As soon as generative AI stepped on the scene in the form of generative transformers, a lot of criminals suddenly got rocket fuel for their innovations. They were available to take advantage not just of ChetGPT, which I'm sure you're familiar with, but also other malicious generative AI models and large language AI models. Dark Bard, which is based on Dark BERT, allegedly trained on data from the dark net, dark GPT three bot, worm GPD, which is based on GPTJ, another open source model, ThreatGPT, triple xGPT, WERF GPT, FraudGPT, and a recent model called SpyEye, which was actually designed as a proof of concept autonomous malware AI model created by a Korean cybersecurity firm. Now let's take a look at WormGPT. The creators of WormGPT actively advertise it in forums, and they're actually charging other criminals for money, a subscription fee. To date, it's still not clear whether this model can actually do what it says, can actually write Python malware or create phishing campaigns, but it has successfully gotten paid by other criminals. So perhaps this entire gen AI thing is just another tool for criminals to fleece other less technical criminals. That wouldn't be the first time. Another tool which does have actual technical capabilities is Predator AI. And this tool is built with 11,000 lines of code and a pretty terrible graphical user interface, but it's designed to take advantage of misconfigured and vulnerable cloud services. Things like WordPress or Drupal or v bulletin and other servers as well. So it's got built in scanning capabilities for these specific types of technologies and servers, including AWS, and it's got the tools to exploit and take advantage of these vulnerable sites. And it is developed and sold on Telegram by a merry group of hackers. Now if we think about ransomware, where does gen AI take place? Well, the classic infection vectors for ransomware are three. Emails with a phishing email, with a link, or an installation file, credential reuse or theft, so hacking into an organization by logging in with some of these passwords, or direct exploits on network products and VPN products. In all three of these vectors, generative AI has been fantastically capable of helping hackers do what they do best, but do it faster. So when it comes to crafting phishing emails, AI can write text, translate it, localize it, come up with images, and do that with 10 or a hundred different variations in a fraction of the time it takes a human. And the English or the language that it writes is much more believable. So when it comes to phishing, Gen AI is very helpful for bad guys. When it comes to credentials, Gen AI and other forms of automation have helped with credential harvesting, credential stuffing, password cracking, with coming up with phishing pages, web pages that would look legitimate and convince people to give their passwords away. And when it comes to direct scanning and exploitation of network connectivity technologies and VPNs, again, malware created by GenAI, like predator AI or other tools using AI and automation have helped bad guys. And even when it comes to legitimate uses of chat GPT, OpenAI themselves have identified malicious uses of AI by state affiliated threat actors. So they actually terminated some of these accounts that were using or trying to use ChatGPT to create malware or even for reconnaissance, learning about satellite communications, rather imaging, technical translation of different terms. So basically, OpenAI had to stop these rogue nations from trying to take advantage of their product. And these are the countries that were specifically mentioned in the report by both Microsoft and OpenAI. So my friends, it comes down to this. Our job as security practitioners and IT professionals used to be watch out for the 500 ton gorilla that's throwing buckets of flaming oil at us, like poor Mario before he was super. But now the bad guys can do it a hundred times faster. There's an exponential rise in the speed and agility that bad guys can bring to bear. So what should we do? I wanna give you a few recommendations, a few ideas of some things we can do better. The first and most immediate response to what's happening in the world right now is to think about fighting fire with fire. So if bad guys are using AI, we should take the time to understand how AI can supercharge our cybersecurity defenses and our understanding. And granted, there are a lot of great predictive models out there that can help us detect ransomware or anomalies happening in our network and in our data. But first, we also need to invest the time and attention to understand how we as people, as humans, can do more with AI. How we can use existing security tools and technologies that we have to improve our effectiveness and our visibility. I think there is a lot to be said for the benefit of augmenting naturally human intelligence with artificial intelligence. And I think one of the places we should start is understand how we can use AI to help people make better cybersecurity decisions every day. When we click on links, when we enable new connection or install new application, the scope of information that we now need to process as humans is really daunting. And this is where I believe AI can help us. And it really comes down to this. It comes down to visibility because you can't defend what you can't see. And this is what we call in the cybersecurity business attack surface management. So what's on your radar? And what are the tools and technologies that you have available to you to help you gain visibility and understanding? I think that even though those tools might not be called security technologies, they're gonna bring you some of that return on security investment. And that's gonna come to have an impact on our security poster. But, again, it requires our time and our attention to understand how we can use data and how we can use intelligence to gain that kind of visibility and understanding. When I speak to security leaders and forward looking companies, I hear three main challenges that they share with me. One, we have way too much data and we don't understand what's going on. Two, we don't have enough insights and actionable information about what's going on with our data. And three, we don't have enough people. So too much data, not enough insights, not enough people. These are exactly the areas where AI and data intelligence can help improve the impact of your efforts. But we do need to understand how to make that happen and how to make it happen at scale. And, yes, I think there's both an art and science to how to use these things, how to use AI and automation smartly so that we can build future proof systems to help us reduce the impact of threats and identify them proactively. And I hope today during this event, you've learned more about that and how you can use AI and gain insights and intelligence about your data. Oh, but there's one more thing. My final advice for you to consider is how you can actually harness the hacker mindset. I believe the hacker mindset can be really beneficial, if sometimes chaotic, element. And I think we actually need that to stay ahead. You've seen the incredible innovations and the adaptability of bad guys. So, yes, we might need to look at what hackers are doing. And there are a lot of friendly hackers out there that can help you gain an understanding to what's happening. Not all hackers are malicious, even if we wear black clothing and our hair is a little weird. When I go to the world's largest convention of hackers in Las Vegas, Defcon, I don't see 30,000 criminals. I see 30,000 passionate, creative individuals that are as curious about what technology can do and are eager to learn and teach others. I see kids, people who bring their kids to a hacker convention because they think that's a good key for their child's future, and I couldn't agree more. So as you consider everything I shared with you today and everything you've learned, is it a time to keep calm and carry on? Do things like we did five years ago? I think it's time to do just like the hackers, adapt and evolve. Thank you so much for your time today, and I hope you stay safe wherever you are in the world. Sayonara.