ChatGPT & modern Nigerian princes 🤴🏽| Azure's 'by design' flaw?
CyberInsights #89 - ChatGPT for Phishing scams | Microsoft Azure account takeover
ChatGPT makes phishing scams less labour intensive
LLMs are making your job easier. They are also making the scammers' job easier!
If you have been marvelling at how ChatGPT makes your job easier, you are right. Read this article in Wired about how it is making the job of scammers easier too.
While OpenAI has tried to put controls in place that block the creation of phishing emails, they are very easy to bypass. For example, when I tried creating a phishing email, this is what ChatGPT said:
However, with a little bit of cajoling, this is what ChatGPT gave me:
As Bruce Schneier & Barath Raghavan said in the article:
This is a change in both scope and scale. LLMs will change the scam pipeline, making them more profitable than ever. We don't know how to live in a world with a billion, or 10 billion, scammers that never sleep.
It’s a new scamming world that we are entering.
Take Action:
This is really important. BEFORE the barrage of email scams begins, do the following:
Design a specific training session for your employees around the following risks:
What are LLMs? How are they being used to generate scam emails?
Why should you be more careful than ever?
Back to the basics - checking for emotions like ‘fear’, ‘greed’, etc.
Detecting and reporting phishing email
Use of LLMs like ChatGPT
How to use LLMs without sharing company confidential data
Why was ChatGPT banned in Italy?
Organisation’s policies on the use of LLMs
Azure shared key authorisation can lead to remote code execution
Microsoft calls this a ‘by-design’ flaw that makes fixing it tougher
Shared keys are always a vulnerability. When a shared key is ‘not a bug, but a feature’, it only gets worse.
The way Microsoft Azure allows access to shared keys can enable lateral movement and even remote code execution. Read this post for more information.
This is applicable if you are using ‘managed identities’ for functions.
Take Action:
This exposure goes away if you simply disable shared key access, which is the solution Microsoft recommends.
Ask your cloud engineering team to check if they are using shared keys in general. If yes, pull an inventory and systematically plan how to move from shared keys to Azure AD authentication.
This might have to be done at a fair clip: prioritise each exposure by its CVSS score and move the highest-scoring ones first.
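To make the inventory step concrete, here is an added helper (my own example, not code from Microsoft or the linked post) that takes the JSON from `az storage account list`, lists every storage account that still accepts Shared Key authorization, and prints the matching `az storage account update --allow-shared-key-access false` command for each one. The account names and resource groups are constructed sample data, and the live query assumes an authenticated Azure CLI.

```python
import json
import shlex
import subprocess
from typing import Iterable, List

# Constructed sample in the shape returned by `az storage account list -o json`
# (only the fields this script reads). These are not real accounts.
SAMPLE_INVENTORY = json.dumps([
    {"name": "stfuncprod01", "resourceGroup": "rg-functions", "allowSharedKeyAccess": None},
    {"name": "stlogsarchive", "resourceGroup": "rg-logging", "allowSharedKeyAccess": True},
    {"name": "stlockeddown", "resourceGroup": "rg-secure", "allowSharedKeyAccess": False},
])


def shared_key_enabled(accounts_json: str) -> List[dict]:
    """Return the accounts that still accept Shared Key authorization.

    The ARM property allowSharedKeyAccess defaults to null, which Azure treats
    as true, so only an explicit false counts as disabled.
    """
    accounts = json.loads(accounts_json)
    return [a for a in accounts if a.get("allowSharedKeyAccess") is not False]


def remediation_commands(accounts: Iterable[dict]) -> List[str]:
    """Emit one `az storage account update` per exposed account, for review before running."""
    return [
        "az storage account update --name {} --resource-group {} "
        "--allow-shared-key-access false".format(
            shlex.quote(a["name"]), shlex.quote(a["resourceGroup"]))
        for a in accounts
    ]


def live_inventory() -> str:
    """Fetch the real inventory with the Azure CLI (requires a prior `az login`)."""
    query = "[].{name:name,resourceGroup:resourceGroup,allowSharedKeyAccess:allowSharedKeyAccess}"
    out = subprocess.run(
        ["az", "storage", "account", "list", "-o", "json", "--query", query],
        check=True, capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    exposed = shared_key_enabled(SAMPLE_INVENTORY)  # swap in live_inventory() for a real tenant
    for a in exposed:
        print(f"{a['resourceGroup']}/{a['name']}: shared key access ENABLED")
    print("\n".join(remediation_commands(exposed)))
```

Before running the emitted commands, confirm nothing still authenticates with the account key: account SAS tokens stop working, and a Function App's AzureWebJobsStorage connection must be switched to an identity-based connection first.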