Throughout an eventful 2023, CyberArk Labs remained focused on uncovering emerging cyberattack patterns and producing threat research aimed at helping organizations strengthen their identity security defenses.
We covered a lot of ground this year and had the opportunity to share our findings at events around the world. Today, we’re revisiting some notable threat research projects from 2023:
Chatting Our Way Into Creating a Polymorphic Malware
AI-enabled threats were top-of-mind for security professionals this year – with good reason. CyberArk Labs began experimenting with ChatGPT in its earliest public days to see how attackers might try to use it, starting with polymorphic malware generation. We asked ChatGPT to create an info-stealer, which it delivered after making some major security snafus along the way, such as hardcoding credentials. Ultimately, we found that attackers can use AI-generated polymorphic malware to evade defenses. For example, an attacker could use ChatGPT to generate (and continuously mutate) information-stealing code for injection. By infecting an endpoint device and targeting identities – locally stored session cookies, in our research – they could impersonate the device user, bypass security defenses and access target systems without detection. We expect that automated identity-based attacks like these will become even more prevalent as AI models improve.
The (Not so) Secret War on Discord
Cybercrime groups are increasingly using legitimate resources – from publicly available repositories to enterprise software applications – for their own nefarious purposes. This spring, CyberArk Labs discovered a new malware strain distributed over Discord, a popular chat service loved by developers and used by hundreds of millions of people around the world. Dubbed Vare, the malware uses Discord for dual purposes: for targeting new malware operators via social engineering and as an infrastructure for data exfiltration. Our team’s research exposed the group behind the malware, their attack methods and their potential motivations. Most important, we emphasized caution, as any corporate developer using Discord could potentially put their organization at risk if their endpoint is infected with the Vare malware.
White Phoenix: Beating Intermittent Encryption
Ransomware actors can significantly speed up their attacks by encrypting just enough data to make files useless (but not all of it). Our team set out to combat this “intermittent encryption” method used by BlackCat and other large ransomware groups. The result was White Phoenix: an open-source ransomware recovery tool that allows victim organizations to recover files encrypted by ransomware strains that use intermittent encryption. White Phoenix supports PDFs, Microsoft Office documents and zip files. But other formats, such as video and audio files, may also be recoverable. We welcome continued community contributions to enhance the tool and improve ransomware protection for all.
Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation
Docker is one of – it not the – most-used developer tool in the world today, which makes it an interesting threat research subject. But in this case, Docker wasn’t even on our radar until a CyberArk Labs researcher installed Docker Desktop (the primary Windows service for Docker) as part of unrelated Windows containers research. He observed the service’s various privileged processes communicating with each other via named pipes, which can be risky. Our resulting research found that Docker uses a named pipe with REST API that allowed us to call its methods from a low-privilege user, with the actions done by a privileged service. This enabled us to impersonate the Docker Desktop Service account (SYSTEM) and execute arbitrary system commands with the highest-level privileges. We ultimately discovered six privilege escalation vulnerabilities in Docker Desktop by hunting through a massive maze of pipes, and developed an open source tool named “PipeViewer” to help scan for Windows named pipes and show their permissions.
Explore CyberArk Labs’ Full Threat Research Library
These highlights offer just a glimpse into the many important projects CyberArk Labs worked on over the last 12 months. We invite you to explore the CyberArk Threat Research Blog, where among other topics, you’ll learn how we:
- Used the increasingly popular Ethereum development framework Foundry to create a proof of concept (PoC) for uninitialized smart contract vulnerabilities
- Highlighted innovative rootkit techniques on a non-traditional architecture (Windows 11 on ARM64)
- Turned the tables on phishing as a service attackers
- Dove deep into macOS application penetration testing
- Introduced a network safety tool for fellow cybersecurity researchers
You can also read our 2024 cybersecurity predictions for our team’s perspectives on what’s to come in the year ahead.
Lavi Lazarovitz is CyberArk Labs’ Vice President of Cyber Research.