Cybercriminals harness AI for new era of malware development
The alliance between ransomware groups and initial access brokers (IABs) is still the powerful engine for cybercriminal industry, as evidenced by the 74% year-on-year increase in the number of companies that had their data uploaded on dedicated leak sites (DLS), according to Group-IB’s Hi-Tech Crime Trends 2023/2024 report.
Global threat actors also demonstrated increased interest in Apple platforms, exemplified by the fivefold increase in underground sales related to macOS information stealers.
The growing appetite of nation-state sponsored threat actors, also known as advanced persistent threat (APT) groups, has shown that no region is immune to cyber threats. Group-IB experts discovered a 70% increase in the number of public posts offering zero-day exploits for sale, and also identified cybercriminals’ malicious use of legitimate services and artificial intelligence (AI) infused technologies as the main cyber risks for 2024.
The Hi-Tech Crime Trends 2023/2024 report includes a section outlining the relationship between AI and cybersecurity threats. It details how this new technology is being leveraged by cybercriminals, including the misuse of large language models (LLMs) such as ChatGPT, and the potential risks to corporate data through AI integration.
Nothing artificial about this threat
Threat actors have already shown how AI can help them develop malware only with a limited knowledge of programming languages, brainstorm new TTPs, compose convincing text to be used in social engineering attacks, and also increase their operational productivity.
Large language models such as ChatGPT remain in widespread use, and Group-IB analysts have observed continued interest on underground forums in ChatGPT jailbreaking and specialized generative pre-trained transformer (GPT) development, looking for ways to bypass ChatGPT’s security controls. Group-IB experts have also noticed how, since mid-2023, four ChatGPT-style tools have been developed for the purpose of assisting cybercriminal activity: WolfGPT, DarkBARD, FraudGPT, and WormGPT – all with different functionalities.
FraudGPT and WormGPT are highly discussed tools on underground forums and Telegram channels, tailored for social engineering and phishing. Conversely, tools like WolfGPT, focusing on code or exploits, are less popular due to training complexities and usability issues. Yet, their advancement poses risks for sophisticated attacks.
Group-IB’s Hi-Tech Crime Trends 2023/2024 also highlighted the sale of compromised ChatGPT credentials on the dark web, building upon past research. With more employees relying on ChatGPT for work optimization and its storage of past interactions, compromised logins could expose sensitive information, posing significant security risks for businesses.
From January 2023 to October 2023, Group-IB detected more than 225,000 logs up for sale on the dark web containing compromised ChatGPT credentials. Group-IB found these compromised credentials within the logs of information-stealing malware traded on illicit dark web marketplaces.
Notably, the number of compromised hosts with access to ChatGPT detected between June 2023 and October 2023 was more than 130,000, an increase of 36% compared to the preceding five-month period (January-May 2023). The number of available logs containing ChatGPT logs peaked in the final month of the study – in October 2023 – when 33,080 were registered. Group-IB’s analysis found that the majority of the logs containing ChatGPT accounts were breached by the LummaC2 information stealer.
Double trouble: ransomware gangs and IABs wreak havoc
Group-IB’s Threat Intelligence unit constantly monitors all ransomware activity and detected 4,583 companies that had their information, files, and data published on ransomware DLSs in 2023. This marks a growth of 74% compared to the previous year, when 2,629 such posts were made. Group-IB researchers note that the number of total ransomware attacks worldwide is likely to be much larger, with probable instances of organizations paying the ransom or groups deciding not to go ahead with their threat of publishing data on a DLS.
Companies based in North America most commonly appeared in the DLS posts of ransomware groups, accounting for 2,487 (or 54%) of the annual total, and more than double the corresponding figure in 2022 (1,192 companies). Roughly 26% of posts on ransomware DLSs related to companies from Europe (1,186, up 52% YoY) and 10% were from the APAC region (463, up 39% YoY).
The United States was the most common target for ransomware groups, as 1,060 US-based companies were the subject of ransomware DLS posts in 2023. The next most affected countries were Germany (129), Canada (115), France (103), and Italy (100).
In terms of affected industries, attacks as per ransomware DLS on manufacturing (580 instances) and real estate (429) companies rose year-on-year by 125% and 165%, respectively, and these key sectors were the two most targeted worldwide. Notably, Group-IB observed a 88% year-on-year increase in ransomware DLS posts related to healthcare companies, and a 65% rise in posts concerning government and military organizations.
Throughout the reporting period, Group-IB experts uncovered 27 new advertisements for ransomware-as-a-service programs on dark web forums, including well known groups such as Qilin, as well as other collectives that have yet to be seen in the wild. As was the case in 2022, LockBit was 2023’s most prominent ransomware-as-a-service group with 1,079 posts on its DLS (24% of the annual total). In second place was BlackCat with 427 posts (9% of annual total) and third was Cl0p (385 posts or 9%).
Researchers also found that IABs are continuing to play a significant role in the ransomware market. In 2023, they found 2,675 instances of corporate put up for sale – almost an identical figure compared with 2022, when 2,702 offers were found.
Group-IB data shows that the average price for corporate access in 2023 was $2,470, which represents a 27% reduction compared to the preceding year. Group-IB analysts believe that this drop in average price is due to a rise in the number of new sellers entering the market that have lowered the price of their offers in order to attract buyers.
Companies in the United States (29%), the United Kingdom (4%) and Brazil (4%) were the most commonly featured in IAB offers. Professional services, government and military organizations, financial services, manufacturing, and real estate were the verticals that appeared most frequently.
APTitude test
Group-IB researchers discovered that the Asia-Pacific region was the world’s main battleground for nation-state sponsored threat actors, also known as advanced persistent threat (APT) groups last year. In sum, Group-IB attributed 523 attacks to nation-state actors across the globe in 2023.
Attacks on APAC organizations accounted for 34% of the global total, with Group-IB experts asserting that this may be due to the high level of financial technology development in this global economic hub in addition to geopolitical tensions. Europe was the second-most targeted region, accounting for 22% of all APT attacks, and the Middle East and Africa (MEA) was third (16% of APT attacks in 2023).
Unsurprisingly, government and military entities were the prime target of APT attacks in 2023, accounting for 28% of the annual figure. This strengthens the theory of Group-IB’s Threat Intelligence unit that APT actors are predominantly striving to gain access to strategically important evidence and weaken government entities in their country or region of target. Financial services (6%), telecommunications (5%), manufacturing, IT and media (all 4%) were also heavily affected, Group-IB researchers found.
In the past year, prominent APT groups, including the North Korean collective Lazarus, launched new tactics. Lazarus executed the first-ever double supply chain attack, exploiting a vulnerability in X_TRADER, a software by Trading Technologies. This allowed access to the network of the widely-used 3CX Desktop App for VoIP calls, compromising a wide range of 3CX clients. Group-IB researchers also noted APT groups’ ongoing malicious use of legitimate services like Dropbox, OneDrive, Google Drive, and messengers like Telegram.
Turbulence ahead
In 2023, cyber threats shifted focus from Windows and Android to Apple platforms due to their rising popularity and market share, with iOS becoming increasingly targeted. Malware spread through the App Store, alongside increased use of Apple cloud services, contributed to this trend. By March 6, 2024, Apple is expected to allow third-party app stores for iOS apps in Europe, posing security concerns amidst 1.7 million app rejections in 2022. Threat actors have already adapted Android schemes to iOS, exemplified by GoldFactory and the GoldPickaxe.iOS malware – аctive in Thailand and Vietnam – which prompts victims to record videos of their faces and submit them to the threat actors, which could be used by the latter to gain unauthorized access to the victim’s banking accounts. Additionally, the number of sales posts on the most popular underground forums (xss[.]is and exploit[.]in) for information stealers designed to operate on macOS increased fivefold in 2023, from 8 in 2022 to 49.
Javascript sniffers, also known as malicious JavaScript code implanted in compromised websites designed to intercept payment card details from customers who make online transactions, are also likely to pose a risk to online store owners, consumers, and banks in 2024. Group-IB researchers discovered 5,037 websites compromised with JS-sniffers in 2023, of which 2,474 were unique. A total of 14 new JS-sniffer families were also discovered in 2023, highlighting the continued development of this threat.
“As highlighted by Group-IB’s Hi-Tech Crime Trends 2023/2024 report, the rise of AI in both legitimate businesses and the cybercriminal underworld was a critical trend of 2023. With the increased misuse of ChatGPT and the development of underground LLM tools, the potential for sophisticated attacks has escalated, compounded by the alarming surge in compromised ChatGPT credentials. This along with cybercriminals’ increased interest in malware designed for macOS demonstrates that it is imperative for organizations to recognize and address this evolving threat landscape, safeguarding sensitive information and fortifying cybersecurity measures to mitigate risks posed by AI-driven cybercrime,” said Dmitry Volkov, CEO at Group-IB.