March has been an interesting month. The launch of GPT-4 and the ban of the TikTok app from UK government devices have raised questions about the impact of large language learning models (LLMs) such as GPT-4 on cyber security, and whether the private sector should take a similar approach to use of TikTok on corporate devices. In considering potential and actual attacks it’s clear that the methods used to perpetuate attacks remain largely the same, with social engineering still a key vector. 

GPT-4 launched

Excitement over GPT-4 has been widespread. Many sectors, including accountancy, are exploring its potential to revolutionise the sector. Its creator, OpenAI, has described it as being able to solve difficult problems with greater accuracy.

As demand for adoption grows, cyber security experts are exploring how GPT-4 and other LLMs can affect cyber security. Its ability to generate professional-looking text may allow hackers to create more credible phishing emails. Darktrace has warned of a rise in AI-enhanced scams since ChatGPT was launched. Spelling mistakes and grammatical errors are no longer an effective way to identify fraudulent messages. Although the effort required to write phishing content has reduced, it has not led to new entrants to the cybercrime market, but rather has allowed current criminals to create more convincing social engineering attacks. 

GPT-4’s capabilities are not limited to creating text and messages. It can also create computer code including malicious software (malware). This could have the potential to help less technically competent criminals create malware. However, as LLMs have limitations with accuracy, the code would need to be reviewed to make sure it works as intended. As with phishing messages, malware generated by GPT-4 is more likely to be used by technically competent criminals to save time rather than by criminals without technical skills.

The National Cyber Security Centre (NCSC) has explored the cyber risks associated with LLMs in ‘ChatGPT and LLMs: what's the risk?’. 

Malware in Microsoft OneNote documents 

In our February round-up we highlighted the risk from Microsoft (MS) Excel .XLL add-ins being used to distribute malware. To address this, MS has introduced a default setting change in Excel for Windows so users can no longer enable .XLL add-ins in files obtained from the internet with the click of a button. Instead they get a warning and a link to more information about what to look out for. Where the use of add-ins has been validated as necessary, they have created a guide on how to enable the add-ins: ‘Excel is blocking untrusted XLL add-ins by default’. 

However, cyber criminals can be resourceful and persistent, so with add-ins now disabled by default in MS Word and Excel documents, they have turned to MS OneNote attachments to spread malware. Unlike with Word and Excel, malware in OneNote is not spread via add-ins, but by tricking users into double-clicking a message hiding embedded files, causing them to launch. This could put the whole network at risk. The security firm Bleeping Computer has created a guide, ‘How to prevent Microsoft OneNote files from infecting Windows with malware’ and users are encouraged to block the ‘.one’ file. extension at mail gateways and servers, or to use Microsoft Group Policies to restrict the launch of embedded file attachments in MS OneNote files. 

Phishing attacks continue

Phishing has proven an effective way to perpetuate attacks and cyber criminals continue to use it, leveraging current events to target would-be victims. 

As tickets to the Eurovision Song Contest were launched, attacks on hotel chains and their customers increased. Some of those who booked accommodation have been contacted by parties purporting to be accommodation providers, claiming issues with bookings and requiring a transfer of funds to be rectified.

Neither are state-backed actors strangers to phishing. They have been known to create fake profiles on social media sites such as LinkedIn, in order to gather information about and communicate with targets, as reported in A Spy Wants to Connect With You on LinkedIn. Fake profiles can appear professional and credible, and there is often little hesitation to engage when they make contact. However emails, video calls or in-person meetings can be used to gain confidential information or to deploy malware. This method has been used for a number of years, and the Centre for Protection of National Infrastructure (CPNI) has launched a Think before you Link campaign and guidance to help organisations manage the risk. 

Training on how to identify and mitigate phishing attacks continues to be important for preventing attacks and in helping accountants be more vigilant. The NCSC has provided guidance on how to spot a scam email, text message or call.

TikTok banned

The UK Cabinet Office has decided to ban the Chinese-owned TikTok app on all government devices as part of a wider app review. The decision is in line with those taken by other governments including the US, Canada, and the European Commission. Users must give the app permission to access data (eg contacts, geolocation) that is collected and stored by TikTok, and there are concerns about how this data can be used. Public service organisations are also reconsidering their use of the app as the BBC urges staff to delete TikTok from company mobile phones. 

In the US, legislation to give the commerce department the ability to block the use of technologies that pose a threat to national security is in progress as the White House backs a Senate bill to boost the US’s ability to ban TikTok. 

With no blanket guidance, it is important for private organisations to assess the cyber risks posed by their use of social media apps and to take appropriate actions in line with organisational risk appetite.

Got an interesting cyber story for us? Email esther.mallowah@icaew.com