Threat intelligence reports play a crucial role in helping enterprises keep tabs on emerging threats. These blog posts detail the tactics, techniques, and procedures (TTPs) of a threat group or dissect the makeup of a particular malware strain.
New research, however, shows they could also be doing more harm than good. According to research from Trend Micro, hackers are now using AI to analyze these reports and use them to refine their tactics.
The study showed large language models (LLMs) can translate technical blogs into “partial malicious code” in a dark twist on the “vibe coding” trend.
This not only allows threat actors to speed up attacks or reverse engineer malware strains, it also helps them mimic other group’s TTPs, creating challenges with the attribution of attacks.
Speaking to ITPro, Robert McArdle, Director of Forward Threat Research at Trend Micro, said the company’s findings highlight the latest example of cyber criminals jumping on the vibe coding bandwagon to wreak havoc.
“We already know that cyber criminals are using vibe coding,” McArdle said. “We’ve seen that in their discussions on criminal forums. We’ve seen existing malware that very much looks like it was vibe coded.”
“It got us thinking, what if you can actually clone an analysis by a researcher to try to re-implement the malware from what they've described?”
McArdle told ITPro the company decided to test this by using AI tools to dissect its own blog posts, which showed some initial promise.
“What came back was quite good,” he said. “It wasn’t the final product. It did need a little bit of tweaking to get it to work, but it certainly took a lot of work out of the way.”
This ‘lightening of the load’ is a key concern, McArdle noted. While AI tools are unlocking productivity gains for workers on the right side of the law, they’re proving equally powerful for criminals.
Worse still, these tools are helping lower the barrier to entry for up-and-coming cyber criminals and accelerating processes for those with a higher level of technical know-how.
“AI lets you jump from your current level of proficiency up to the next level faster,” he told ITPro. “So if you’re a complete novice and you know very little about code, you can vibe code a reasonably okay malware.”
“If you're already skilled and you go to an in-depth analysis of something even more advanced, then it certainly helps you get up to speed on that faster and go from those examples and have some sort of working code," McArdle continued. “So in each case it levels up the skill set of the attacker.”
Time to tone down the technical details?
Faced with this, McArdle said Trend Micro’s view on threat intelligence reports is that industry providers should consider toning down the technical details.
The company itself has taken this on board and McArdle said a key factor in releasing this research was to raise awareness and let industry counterparts know what’s going on.
“We often release these [threat intelligence reports] to raise awareness, to let people know that you know something is going on,” he said.
“Within those, it's the level of detail that you put in the post that’s the difference. We need to let people know this new attack is happening. Here's the main details you need to know to defend yourself. Here's the bigger world context, and so on,” McArdle added.
“But we probably don't always need to go down to the low-level code of ‘this is exactly how this was implemented, from start to finish’.”
“The more and more you go to that level, the more an AI is capable of reconstructing an approximation of the malware from it,” he said.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
Non-human identities: Are we sleepwalking into a security crisis?Industry Insights Machine identities have exploded - yet security strategies remain human-focused
-
Windows 10 extended support costs could top $7 billionNews Enterprises sticking with Windows 10 after the October deadline face huge costs
-
Security experts call for better 'offboarding' practices amid spate of insider attacks by outgoing staffNews Enterprises should act swiftly to revoke rights and access, regardless of the manner of an employee’s departure.
-
Jaguar Land Rover “did the right thing” shutting down systems to thwart cyber attackNews The attack on Jaguar Land Rover highlights the growing attractiveness of the automotive sector
-
The Salesloft Drift victim list keeps growing: Zscaler is the latest to confirm a breach, warning customers to remain wary of follow-up phishing attacksNews The company has warned customers that their data may have been accessed, saying it's implemented extra safeguards in response
-
Anthropic admits hackers have 'weaponized' its tools – and cyber experts warn it's a terrifying glimpse into 'how quickly AI is changing the threat landscape'News Security experts say Anthropic's recent admission that hackers have "weaponized" its AI tools gives us a terrifying glimpse into the future of cyber crime.
-
Google hits back at 'entirely false' reports of major Gmail security breachNews Reports of a massive Gmail hack affecting billions of users have been denied by Google
-
Ransomware attack on IT supplier disrupts hundreds of Swedish municipalitiesNews The attack on IT systems supplier Miljödata has impacted public sector services across the country
-
Warning issued to Salesforce customers after hackers stole Salesloft Drift dataNews Customers were targeted through compromised OAuth access tokens from Salesloft Drift integrations
-
A notorious hacker group is ramping up cloud-based ransomware attacksNews The Storm-0501 threat group is refining its tactics, according to Microsoft, shifting away from traditional endpoint-based attacks and toward cloud-based ransomware.
