Forescout predicts that AI-assisted attacks will soon target OT, unmanaged devices

Forescout Technologies outlined how AI-assisted attacks are coming to target OT (operational technology) and unmanaged devices. The shift comes as hackers are exploiting publicly available proof-of-concept (PoCs), increasing the versatility and potentially the damage of existing malicious code, though it still takes some time and effort from threat actors. These developments demonstrate how generative AI can be used to improve productivity, while also being deployed for nefarious purposes.

“Malicious code is not difficult to find these days, even for OT, IoT, and other embedded and unmanaged devices,” Amine Amri and Daniel dos Santos, researchers at Forescout Vedere Labs, wrote in a Wednesday blog post. “Public exploit proofs-of-concept (PoCs) for IP camera vulnerabilities are routinely used by Chinese APTs, popular building automation devices are targeted by hacktivists and unpatched routers used for Russian espionage.”

They added that hackers typically port these PoCs into something more useful or less detectable by adding payloads, packaging them into a malware module, or rewriting them to run in other execution environments. “They may also change them slightly to hide from detection tools that rely on signatures such as hashes, API functions, program modules, and libraries.”

The researchers also took into account the latest developments in AI including large language models (LLMs), such as OpenAI’s ChatGPT and Google’s PaLM 2. “These well-publicized tools are remarkable for the variety of questions they can answer and tasks they can perform based on simple user input (‘prompts’). Some of these tasks include generating and converting computer code into different programming languages,” they added. 

The Forescout researchers evaluate that AI will soon play an important role in helping researchers and attackers find vulnerabilities directly in source code or via patch diffing, write exploits from scratch, and even, craft queries to find vulnerable devices online to be exploited.

“We have witnessed an exponential increase in the number of vulnerabilities, especially given the number and types of devices connected to computer networks increasing at a similarly high rate,” according to Amri and dos Santos. “This has been accompanied by threat actors keen to attack devices with fewer security protections. The use of AI to find and exploit vulnerabilities in unmanaged devices will likely accelerate these trends dramatically.”

They highlighted that ultimately, AI and automation for different parts of the cyber kill chain can allow threat actors to go further faster, by greatly accelerating steps such as reconnaissance, initial access, lateral movement, and command and control that are still heavily reliant on human input – especially in lesser-known domains such as OT/ICS. 

Amri and dos Santos outline that AI could potentially explain their output in a much easier way for an attacker who is unfamiliar with a specific environment; describe which assets in a network are most valuable to attack or most likely to lead to critical damage; provide hints for next steps to take in an attack; and link these outputs in a way that automates much of the intrusion process.

“Besides exploiting common software vulnerabilities, AI will enable new types of attacks. LLMs are part of a wave of generative AI that includes image, audio, and video generation techniques,” they added. “Some of these techniques have been used to tamper with medical images, and to generate deepfake audio and video for financial scams.”

The researchers executed an experimental setup to create an AI-assisted cyberattack. “Our goal was to convert an existing OT exploit developed in Python to run on Windows to the Go language using ChatGPT,” Amri and dos Santos wrote in the post. “This would allow it to run faster on Windows and run easily on a variety of embedded devices – or become a module in a ransomware developed in a coding language that is gaining popularity. For the existing exploit, we used one we created for our R4IoT PoC to demonstrate ransomware moving between IT and IoT/OT environments.”

The R4IoT exploit has two parts: “a network scanner that finds vulnerable devices, such as building automation controllers and PLCs, running the Nucleus FTP server on port 21 (based on a tool we open-sourced in the past); and a payload exploiting CVE-2021-31886 to crash the targets found,” the researchers disclosed.

They added that “even though we had no previous experience with Go, with carefully chosen prompts, we were able to rewrite the exploit in less than 15 minutes without activating the malware creation safeguards in ChatGPT.”

When it came to prompting ChatGPT to port an exploit, the researchers wrote that they ​​wanted to create a minimal version of this code that skips phase 1 – scanning for vulnerable devices – and goes directly to phase 2: attacking a given IP address with the payload. The prompts couldn’t say that they were creating a malware code but rather focus on the technical goals, which are pinging an IP address to verify that it is online, and sending a payload on an FTP socket to that IP address.

The researchers added that the code provided by ChatGPT needed some fixing, and (a very courteous) ChatGPT itself was instrumental in doing so. 

Vedere Labs has previously disclosed with OT:ICEFALL that offensive OT cyber capabilities are easier to develop than suspected just by using traditional reverse engineering and domain knowledge. “However, it is clear from this experiment that using AI to enhance offensive capabilities is even easier and more effective. Consider, for instance, that we used the same exploit as part of the deep lateral movement attack, which means this is the fourth time we used a slight variation of the same exploit. Having an AI tool to help with the porting greatly accelerates development,” the researchers added.

Last month, a bunch of OT cybersecurity companies unveiled plans for ETHOS (Emerging THreat Open Sharing), an open-source, vendor-agnostic technology platform for sharing anonymous early warning threat information across industries with peers and governments. The OT-centric, open-source platform is a cooperative development in the OT security industry, intending to share data to investigate early threat indicators and discover new and novel attacks.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.