We're still very much in the early days of the AI revolution. It might be years before we fully understand how it's changed the technology landscape but, in the meantime, a new vulnerability disclosure from GreyNoise Intelligence gives us a glimpse into what the future of cybersecurity looks like with AI thrown into the mix.
GreyNoise reached out to me to reveal that they've detected several key vulnerabilities in IP-enabled live-streaming cameras which could potentially be used to seize complete control of the devices. From what I've seen of the relevant CVEs, it looks like they're the full exploit chain for these cameras. Now, as interesting as these exploits are, what's truly mind-blowing is how they were discovered.
The anomalous web traffic that these exploits generate wasn't picked up by a particularly attentive software engineer, as we've seen in the XZ Utils debacle, nor was it picked up by a traditional intrusion detection system. Instead, GreyNoise's discovery came about as a result of their internal AI system identifying unusual web traffic which was escalated to analysts for review. Read on and I'll discuss their findings in greater detail, why it matters for the future of cybersecurity, and what you can do to future-proof yourself against zero-days (AI-detected or not).
Which zero-days did GreyNoise find?
First, let's talk about the exploits GreyNoise uncovered. They're tracked as CVE-2024-8956 and CVE-2024-8957 respectively. When used together, these exploits allow a skilled hacker to bypass the HTTP authentication process (basically, providing a username and password) of an NDI-enabled remote IP camera and send commands directly to the operating system that powers the camera.
If one of these cameras is accessible from the internet, an attacker can use these techniques to completely compromise the device and edit the video stream, enroll the device in a botnet, or use it as an entry point to pivot past web-facing network defenses and move deeper into a target organization.
NDI cameras are an ideal target to compromise to conduct intelligence gathering
There are plenty of different manufacturers that sell NDI-enabled cameras, including PTZOptics, Multicam Systems SAS, and SMTAV Corporation.
NDI cameras are used in a wide range of contexts as they accept remote input which allows for pan-tilt-zoom capability. This makes them attractive as security cameras and a key part of teleconferencing in academic, business, and government settings.
From an attacker's point of view, they're an ideal target to compromise to conduct intelligence gathering and as an initial platform from which to launch other cyberattacks.
So, if you're using an NDI-enabled camera for any reason, you should pause here and check if your vendor has released a firmware update that patches these exploits. We're aware that PTZOptics has already released firmware updates for its cameras, and that other vendors are currently in the process of releasing fixes, too.
How did GreyNoise find the zero-days?
With the urgent exploit advisory out of the way, we can talk a little more about how this discovery came about.
GreyNoise Intelligence is a cybersecurity company that specializes in providing threat intelligence, obtained by scanning web traffic from a variety of proprietary sources, to enterprises and governments. Much of this work involves dedicated support agents analyzing unusual web traffic flagged by traditional rule-based systems.
However, this work is being augmented by Sift, GreyNoise's proprietary large language model which automatically processes and categorizes web traffic at a rate completely unheard of using traditional methods. We're talking millions of web requests per day. By running an LLM trained on "normal" web traffic, GreyNoise can use Sift to easily identify traffic that violates that normality far quicker than a human can.
GreyNoise uses Sift to easily identify traffic that violates normality far quicker than a human can
I reached out to GreyNoise for an explanation of how the process.
"GreyNoise Sift trawls through the millions of events seen every day in our honeypot network and, due to its understanding of how to "read" internet traffic, it surfaces newly observed items to present to our researchers. At this point, the AI doesn't know these are necessarily bad, or effective, or zero-days, or a new twist on commodity attacks – it just points out that these deserve a little more scrutiny.
"That's where our researchers come in. With their wide understanding of the threat landscape and capabilities to dive deep, they can take the samples brought up by Sift and see if they are truly worth calling out, like for this 0-day. The AI-powered tool and the researchers work together to make an unmanageable amount of data and complexity actionable.
In this case, when Sift identified the anomalous traffic patterns, the next actionable step for the GreyNoise Research Team was to thread the needle by querying our vast 400-terabyte dataset of honeypot logs dating all the way back to late 2019, and search the internet for public exploits, write-ups, or malware samples.
"In most cases, this allows us to determine (or at least approximate) the affected product, but in this specific instance, every consecutive step of the human-led discovery phase yielded nothing, thus making an observed payload very peculiar. Finding product documentation that referenced an endpoint we'd been interested in was a key moment that allowed us to make a pivot to obtaining and reverse engineering the firmware.”
Pretty impressive stuff. The key takeaway here is that GreyNoise's discovery still has a very human element at the core of the story. In some ways, it's the ideal of what we've been promised by AI: large-scale data processing by an LLM that, in turn, empowered human security researchers to dial in on a software flaw that might have otherwise gone undiscovered until it was far too late.
While there are plenty of examples out there of AI-powered threat detection software catching unusual behavior on a victim's internal network, this is one of the first stories I've seen where AI has been used at scale to discover a new zero-day vulnerability in the wild. It's a far cry from the doom and gloom we've seen regarding AI stories in the past.
For more context, I'll let Andrew Morris, Founder and Chief Architect at GreyNoise Intelligence, explain.
“This isn't about the specific software or how many people use it – it's about how AI helped us catch a zero-day exploit we might have missed otherwise. We caught it before it could be widely exploited, reported it, and got it patched. The attacker put a lot of effort into developing and automating this exploit, and they hit our sensors. Today it’s a camera, but tomorrow it could be a zero-day in critical enterprise software. This discovery proves that AI is becoming essential for detecting and stopping sophisticated threats at scale.”
There's plenty of evidence that criminal hackers have rapidly embraced AI to make cybercrime both easier to carry out and more effective.
Generative AI creates phishing emails in a matter of seconds and puts that ability into the hands of non-native language speakers, collapsing many of the global barriers to fraud. Inexperienced script kiddies can quickly create custom botnet scripts using code generators without significant development experience, too. Bots have dominated every sphere of discourse you can think of and are being used to wage political warfare.
It's easy to be pessimistic about the future of AI, but GreyNoise's discovery shows us that some of the more optimistic forecasts about AI are coming to fruition as well.
What can you do to protect against Zero-days?
There's no easy fix to stop your device from being compromised by a zero-day attack. Zero-days, by their very definition, are vulnerabilities that are unknown to all but a select number of hackers before they're exploited.
However, there are a few security principles that you can apply to mitigate the risk of a zero-day attack occurring, as well as dampening the impact if you're caught up in one.
- Apply Principle of Least Privilege (PoLP): in essence, the Principle of Least Privilege dictates that users and systems are only able to access the resources necessary to carry out their job. Hackers often use outdated or mismanaged user settings to pivot deeper into a network, so by restricting user and application access permissions to only what is necessary, you make it harder for attackers to escalate privileges even if they exploit a vulnerability to gain an initial foothold on your system. This can also involve applying just-in-time privileged access management, meaning that users can request heightened access for a set amount of time to carry out privileged actions on an irregular basis.
- Regularly patch and update systems: while zero-days are, by nature, unpatched initially, you should still keep your systems, software, and firmware up to date to reduce the number of vulnerabilities in your environment. While a zero-day might allow a hacker to create an initial entry point into your network, they are still reliant on finding other ways to elevate access and pivot to other machines. Ensuring that you have a regular, automated patching process dramatically narrows the attack surface available to an attacker once they’re in your environment.
- Use device monitoring: implementing EDR solutions provides real-time monitoring of devices, allowing for anomaly detection and prompt response. Advanced EDR can often identify suspicious behavior patterns, even if the exploit is new. Anomaly-based IDS and Intrusion Prevention Systems can also detect unusual network or application behaviors. This helps identify zero-day threats based on behavior rather than specific signatures. Centralized logging and real-time log analysis can quickly identify unusual activities associated with zero-day attacks, and advanced logging solutions with machine learning can detect patterns that may signal an exploit attempt. A WAF protects against many web-based zero-day exploits by inspecting HTTP requests for malicious payloads and blocking suspicious activities before they reach the application layer.
- Conduct regular vulnerability assessments and penetration testing: scheduling routine security testing helps you identify weaknesses in your security policy before attackers can exploit them. You can ask penetration testing teams to conduct an internal test, in which you assume that the attacker has already managed to compromise credentials or deploy a zero-day and now has an attack vector inside your local network. This gives you a better idea of how effective your current security tools are against an internal threat, as well as allowing your blue team to perform a "dress rehearsal" against a realistic attack.
- Educate and train staff regularly: if a security incident does occur and your IDS has failed, your staff are the first line of defense. Making sure you have a tested incident response plan that your employees are aware of is key to mitigating the full impact of a breach. Additionally, running regular security awareness training keeps your employees vigilant against phishing or social engineering attacks. A hacker who isn't able to gain deeper access through technical means may rely on the intelligence they've found so far to conduct targeted spear phishing attacks instead.
- Use threat intelligence feeds: zero-day threats are particularly challenging because they target vulnerabilities that are unknown to software vendors. However, subscribing to threat intelligence feeds gives your security team immediate insight into how newly discovered zero-days are being employed by threat actors, as well as highlighting key indicators of compromise that can be fed into your IDS. More broadly, intelligence feeds can also drive strategic decisions about security in the face of a constantly evolving threat landscape.
- Encrypt your network traffic: even if an attacker can gain access to your network, wrapping all of your network communications in end-to-end encryption using one of today's best VPNs means that the attacker has a reduced capacity to eavesdrop on local network segments and conduct local man-in-the-middle attacks.
