{"id":78700,"date":"2023-05-31T10:00:41","date_gmt":"2023-05-31T17:00:41","guid":{"rendered":"https:\/\/forescoutstage.wpengine.com\/?p=78700"},"modified":"2025-04-16T09:52:40","modified_gmt":"2025-04-16T13:52:40","slug":"ai-assisted-attacks-are-coming-to-ot-and-unmanaged-devices","status":"publish","type":"post","link":"https:\/\/www.forescout.com\/blog\/ai-assisted-attacks-are-coming-to-ot-and-unmanaged-devices\/","title":{"rendered":"AI-Assisted Attacks Are Coming to OT and Unmanaged Devices \u2013 the Time to Prepare Is Now"},"content":{"rendered":"

Malicious code is not difficult to find these days, even for OT, IoT and other embedded and unmanaged devices. Public exploit<\/a> proofs-of-concept (PoCs) for IP camera vulnerabilities are routinely used by Chinese APTs<\/a>, popular building automation devices<\/a> are targeted by hacktivists and unpatched routers<\/a> used for Russian espionage<\/a>.<\/p>\n

Threat actors typically port these PoCs into something more useful or less detectable by adding payloads, packaging them into a malware module or rewriting them to run in other execution environments They may also change them slightly to hide from detection tools that rely on signatures such as hashes, API functions, program modules and libraries.<\/p>\n

This porting process increases the versatility and potentially the damage of existing malicious code. However, it still takes some time and effort from threat actors.<\/p>\n

Enter artificial intelligence (AI).<\/p>\n

One of the latest developments in AI is large language models (LLMs), such as OpenAI\u2019s ChatGPT<\/a> and Google\u2019s PaLM 2<\/a>. These well-publicized tools are remarkable for the variety of questions they can answer and tasks they can perform based on simple user input (\u201cprompts\u201d). Some of these tasks include generating and converting computer code into different programming languages.<\/p>\n

Malicious actors<\/a>, academic researchers<\/a> and industry researchers<\/a> are all trying to understand how the recent popularity of LLMs will affect cybersecurity. Some of the main offensive use cases include exploit development, social engineering and information gathering. Defensive use cases include creating code for threat hunting, explaining reverse engineered code in natural language and extracting information from threat intelligence reports.<\/p>\n

There has been much research into automatic exploit generation and its integration with human vulnerability finding<\/a>. Those tools required very specialized knowledge. Recent AI tools take simple natural language as input.<\/p>\n

As a result, companies have already started to observe the first malware samples<\/a> created with ChatGPT\u2019s assistance. We have not yet seen this capability used for OT attacks, but that\u2019s just a matter of time.<\/p>\n

Using ChatGPT\u2019s code conversion capability to port an existing OT exploit to another language is easy, and that has huge implications for the future of cyber offensive and defensive capabilities.<\/p>\n

Experimental setup to create an AI-assisted cyberattack<\/h2>\n

Our goal was to convert an existing OT exploit developed in Python to run on Windows to the Go language using ChatGPT. This would allow it to run faster on Windows and run easily on a variety of embedded devices \u2013 or become a module in a ransomware developed in a coding language that is gaining popularity<\/a>. For the existing exploit we used one we created for our R4IoT PoC<\/a> to demonstrate ransomware moving between IT and IoT\/OT environments.<\/p>\n

The R4IoT exploit, shown redacted below, has two parts: a network scanner that finds vulnerable devices, such as building automation controllers and PLCs, running the Nucleus FTP server<\/a> on port 21 (based on a tool we open-sourced<\/a> in the past); and a payload exploiting CVE-2021-31886<\/a> to crash the targets found.<\/p>\n

\"\"<\/p>\n

Even though we had no previous experience with Go<\/em>, with carefully chosen prompts, we were able to rewrite the exploit in less than 15 minutes without activating the <\/em>malware creation safeguards<\/em><\/a> in ChatGPT<\/em>.<\/p>\n

Prompting ChatGPT to port an exploit<\/h2>\n

We wanted to create a minimal version of this code that skips phase 1 \u2013 scanning for vulnerable devices \u2013 and goes directly to phase 2: attack a given IP address with the payload.<\/p>\n

The prompts couldn\u2019t say that we are creating a malware code, but rather focus on the technical goals, which are:<\/p>\n