Threat intelligence reports play a crucial role in helping enterprises keep tabs on emerging threats. These blog posts detail the tactics, techniques, and procedures (TTPs) of a threat group or dissect the makeup of a particular malware strain.
New research, however, shows they could also be doing more harm than good. According to research from Trend Micro, hackers are now using AI to analyze these reports and use them to refine their tactics.
The study showed large language models (LLMs) can translate technical blogs into “partial malicious code” in a dark twist on the “vibe coding” trend.
This not only allows threat actors to speed up attacks or reverse engineer malware strains, it also helps them mimic other group’s TTPs, creating challenges with the attribution of attacks.
Speaking to ITPro, Robert McArdle, Director of Forward Threat Research at Trend Micro, said the company’s findings highlight the latest example of cyber criminals jumping on the vibe coding bandwagon to wreak havoc.
“We already know that cyber criminals are using vibe coding,” McArdle said. “We’ve seen that in their discussions on criminal forums. We’ve seen existing malware that very much looks like it was vibe coded.”
“It got us thinking, what if you can actually clone an analysis by a researcher to try to re-implement the malware from what they've described?”
McArdle told ITPro the company decided to test this by using AI tools to dissect its own blog posts, which showed some initial promise.
“What came back was quite good,” he said. “It wasn’t the final product. It did need a little bit of tweaking to get it to work, but it certainly took a lot of work out of the way.”
This ‘lightening of the load’ is a key concern, McArdle noted. While AI tools are unlocking productivity gains for workers on the right side of the law, they’re proving equally powerful for criminals.
Worse still, these tools are helping lower the barrier to entry for up-and-coming cyber criminals and accelerating processes for those with a higher level of technical know-how.
“AI lets you jump from your current level of proficiency up to the next level faster,” he told ITPro. “So if you’re a complete novice and you know very little about code, you can vibe code a reasonably okay malware.”
“If you're already skilled and you go to an in-depth analysis of something even more advanced, then it certainly helps you get up to speed on that faster and go from those examples and have some sort of working code," McArdle continued. “So in each case it levels up the skill set of the attacker.”
Time to tone down the technical details?
Faced with this, McArdle said Trend Micro’s view on threat intelligence reports is that industry providers should consider toning down the technical details.
The company itself has taken this on board and McArdle said a key factor in releasing this research was to raise awareness and let industry counterparts know what’s going on.
“We often release these [threat intelligence reports] to raise awareness, to let people know that you know something is going on,” he said.
“Within those, it's the level of detail that you put in the post that’s the difference. We need to let people know this new attack is happening. Here's the main details you need to know to defend yourself. Here's the bigger world context, and so on,” McArdle added.
“But we probably don't always need to go down to the low-level code of ‘this is exactly how this was implemented, from start to finish’.”
“The more and more you go to that level, the more an AI is capable of reconstructing an approximation of the malware from it,” he said.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
Is diversity still a challenge in the channel?Industry Insights Despite progress, diversity remains a challenge in the tech channel, as women represent less than a quarter of the UK’s tech workforce and still face structural and cultural barriers
-
How the UK is leading Europe at AI-driven manufacturingIn-depth A new report puts the country on top of the charts in adopting machine learning on the factory floor in several critical measures
-
HPE selects CrowdStrike to safeguard high-performance AI workloadsNews The security vendor joins HPE’s Unleash AI partner program, bringing Falcon security capabilities to HPE Private Cloud AI
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
-
Impact of Asahi cyber attack laid bare as company confirms 1.5 million customers exposedNews No ransom has been paid, said president and group CEO Atsushi Katsuki, and the company is restoring its systems
-
If you're not taking insider threats seriously, then the CrowdStrike incident should be a big wake up callNews CrowdStrike has admitted an insider took screenshots of systems and shared them with hackers, and experts say it should serve as a wake up call for enterprises globally.
-
Shai-Hulud malware is back with a vengeance and has hit more than 19,000 GitHub repositories so far — here's what developers need to knowNews The malware has compromised more than 700 widely-used npm packages, and is spreading fast
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
The US, UK, and Australia just imposed sanctions on a Russian cyber crime group – 'we are exposing their dark networks and going after those responsible'News Media Land offers 'bulletproof' hosting services used for ransomware and DDoS attacks around the world
-
Thousands of ASUS routers are being hijacked in a state-sponsored cyber espionage campaignNews Researchers believe that Operation WrtHug is being carried out by Chinese state-sponsored hackers
