T-Mobile breach and ChatGPT cybersecurity

By Dirk Schrader, VP of Security Research for Netwrix

Yesterday T-Mobile revealed the leak. T-Mobile has confirmed that 37 million customers have been impacted by a data breach. Threat actor(s) used an API vulnerability to obtain the information, T-Mobile confirmed. The data stolen includes account holder names, billing addresses, email addresses, phone numbers, dates of birth and account numbers.

T-Mobile breach

“T-Mobile’s latest data breach sparks a host of questions. In its SEC filing, T-Mobile stated that the unauthorized use of a single API was detected on January 5 and shut down within 24 hours. T-Mobile also reports that the access began on November 25, 2022.

APIs are like highways to a company’s data: highly automated and allowing access to large amounts of information. As digitalization heavily relies on this kind of automated interaction using APIs, and time-to-market often trumps security, the risk related to unmonitored APIs is likely to grow even more.

Typically, mid-size organizations and enterprises have tens or hundreds of APIs in their infrastructure. With these technologies implemented, organizations fail to use mutual authentication. Additionally, when there are no controls in place that monitor the amount of data leaving the domain via the API, there is no control over the customers’ data.

The type of data exfiltrated in T-Mobile’s case is set to allow ransomware gangs like the Cuba ransomware (CISA alert #AA22-335A) or any other ransomware group to improve the credibility of phishing emails sent to potential victims. Such a dataset would also be of interest to malicious actors, so-called Initial Access Brokers, that focus on collecting initial inroads to personal computers and company networks. Simply put, these actors merge data from several leaks (like the one that happened to Twitter recently) to come up with an even more convincing story for the upcoming phishing attack.

Not only will these types of phishing emails get better with every personal detail available to the attacker. Tools like ChatGPT will also increase the credibility and efficiency of any campaign rolled out by these groups. Phishing awareness trainings teach users to look for grammar and spelling mistakes or story inconsistencies that identify a phishing email. But the more detailed data is available to cyber crooks, the better the phishing campaigns their tools produce, and the higher their success rate becomes.

Companies should embed tight controls over who is going to use the APIs, at what time and at what rate. Zero Trust is the best approach to reduce the attack surface in this situation since it restricts access to resources from both inside and outside of the network until the validity of the request is confirmed.
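As an added illustration of the per-client rate and volume controls the two preceding paragraphs call for (monitoring how much data leaves the domain via an API, and who calls it at what time and rate), the following Python monitor reads a constructed JSON-lines API access log and flags any client whose request count or number of records returned exceeds a per-minute budget. This is example code written for this page, not T-Mobile’s or Netwrix’s; the log field names, the thresholds and the sample lines are all assumptions.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Per-client budgets. These numbers are assumptions for the example; real
# budgets come from the measured baseline of each API consumer.
MAX_REQUESTS_PER_WINDOW = 5
MAX_RECORDS_PER_WINDOW = 500
WINDOW = timedelta(minutes=1)

# Constructed access log (JSON lines). Field names are assumed; a real API
# gateway logs its own schema. "client_id" is whatever identity the gateway
# authenticated (an API key, or the subject of a mutual-TLS client certificate).
SAMPLE_LOG = """\
{"client_id": "partner-a", "ts": "2023-01-01T02:00:00Z", "endpoint": "/v1/accounts", "records": 1}
{"client_id": "partner-a", "ts": "2023-01-01T02:00:10Z", "endpoint": "/v1/accounts", "records": 1}
{"client_id": "scraper", "ts": "2023-01-01T02:00:00Z", "endpoint": "/v1/accounts", "records": 200}
{"client_id": "scraper", "ts": "2023-01-01T02:00:05Z", "endpoint": "/v1/accounts", "records": 200}
{"client_id": "scraper", "ts": "2023-01-01T02:00:10Z", "endpoint": "/v1/accounts", "records": 200}
{"client_id": "scraper", "ts": "2023-01-01T02:00:15Z", "endpoint": "/v1/accounts", "records": 200}
{"client_id": "scraper", "ts": "2023-01-01T02:00:20Z", "endpoint": "/v1/accounts", "records": 200}
{"client_id": "scraper", "ts": "2023-01-01T02:00:25Z", "endpoint": "/v1/accounts", "records": 200}
{"client_id": "partner-b", "ts": "2023-01-01T02:30:00Z", "endpoint": "/v1/accounts", "records": 50}
"""


def parse_line(line: str):
    """Parse one JSON log line into (client_id, timestamp, records_returned)."""
    rec = json.loads(line)
    ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec["client_id"], ts, int(rec["records"])


class ApiUsageMonitor:
    """Sliding-window request-rate and record-volume check per API client.

    Events must be fed in timestamp order (analyze_log sorts them first).
    Each (client, kind) alert is raised once, so a noisy client does not
    produce one alert per request.
    """

    def __init__(self, max_requests: int, max_records: int, window: timedelta):
        self.max_requests = max_requests
        self.max_records = max_records
        self.window = window
        self.events = defaultdict(deque)       # client -> deque[(ts, records)]
        self.record_totals = defaultdict(int)  # client -> records inside window
        self.alerted = set()                   # (client, kind) already raised

    def observe(self, client: str, ts: datetime, records: int):
        q = self.events[client]
        q.append((ts, records))
        self.record_totals[client] += records
        # Drop events that have fallen out of the sliding window.
        while q and ts - q[0][0] > self.window:
            _, old = q.popleft()
            self.record_totals[client] -= old
        alerts = []
        if len(q) > self.max_requests and (client, "rate") not in self.alerted:
            self.alerted.add((client, "rate"))
            alerts.append({"kind": "rate", "client": client, "value": len(q), "ts": ts})
        total = self.record_totals[client]
        if total > self.max_records and (client, "volume") not in self.alerted:
            self.alerted.add((client, "volume"))
            alerts.append({"kind": "volume", "client": client, "value": total, "ts": ts})
        return alerts


def analyze_log(text: str, max_requests: int = MAX_REQUESTS_PER_WINDOW,
                max_records: int = MAX_RECORDS_PER_WINDOW, window: timedelta = WINDOW):
    """Run the monitor over a whole log and return all alerts in time order."""
    events = sorted((parse_line(l) for l in text.splitlines() if l.strip()),
                    key=lambda e: e[1])
    monitor = ApiUsageMonitor(max_requests, max_records, window)
    alerts = []
    for client, ts, records in events:
        alerts.extend(monitor.observe(client, ts, records))
    return alerts


if __name__ == "__main__":
    for a in analyze_log(SAMPLE_LOG):
        print(f"{a['ts'].isoformat()} {a['kind']:6} client={a['client']} value={a['value']}")
```

On the constructed log the two partner clients stay within budget, while the "scraper" identity trips the volume alert on its third call (600 records in one minute) and the rate alert on its sixth. In practice the budget would be set per client from its historical baseline, and an alert would feed the same pipeline that revokes the client’s credential, so that an abused API key is cut off in minutes rather than weeks.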

T-Mobile customers that ended up in the data leak should be very cautious about incoming emails. Not only those that claim to be from T-Mobile or have anything to do with this organization, but also any other unexpected email should be scrutinized very carefully.”

ChatGPT & Cybersecurity

“Cyber criminals will definitely benefit from OpenAI’s ChatGPT. First, using this tool will increase their efficiency and credibility when executing another wave of plain phishing attacks or specific spearphishing campaigns.

These activities are all about the language. Until today, most phishing emails have been just scrap from a wording perspective. Badly translated, a nightmare in grammar, phishing emails tended to be easy to spot. The use of ChatGPT will change the situation as it is able to create well-formulated, correct texts in many languages. That will make it harder for the end user to distinguish the phish from the real email. Employee awareness trainings will likely have to change to cater for that threat.

There is also a specific element for spearphishing campaigns. It will be easier for APTs to create a whole ecosystem for these. Emails and landing pages created in the needed language with quality content will lure high-profile targets into doing something unsafe for the organization: download a malicious file, provide credentials, etc.

To be prepared for this kind of AI-assisted attack, organizations should pay closer attention to securing their users’ identities. It is essential to strengthen the posture of each regular and privileged account by implementing a zero standing privilege approach, with privileges only existing when and if they are needed.

Second, if we look into a typical APT group’s inner workings, its ‘organizational structure’, it is possible to assume other ways in which ChatGPT can influence their operations.

Code creation, transformation, and variation are certainly the field where ChatGPT is a welcome tool. It can be used either for writing certain modules of the code or when variations (a rewrite) are needed; for example, to change hash values to avoid easy detection by defensive tools like VirusTotal.

Another strong ‘skill’ is the ability of ChatGPT to transform one programming or scripting language into another. This shortens the development cycle of ransomware gangs while increasing their code base and usability across multiple platforms. Scripting languages might be the first focus here, as living-off-the-land attacks using, e.g., PowerShell require special knowledge and are in need of frequent reinvention to avoid detection.

Moreover, ChatGPT will get better due to its learning abilities. Potentially it is capable of creating malware and ransomware code snippets that are available to less advanced cyber criminals. This is a coming threat to be considered.”
