Kroll cyber threat landscape report: AI assists attackers

AI is simplifying various tasks, but not always for the better—cybercriminals, too, are leveraging it. According to Kroll’s frontline threat intelligence report for Q1 2024, cybercriminals are adopting AI to enhance their methods. Traditional tactics like business email compromise (BEC) are now being bolstered by AI technologies.

BEC defenses, such as the requirement for verbal confirmation of requests from C-suite executives, are being undermined by AI-generated voice clones and deepfake messages to approve fraudulent transactions. The report highlights that phishing remains the most common method for email compromise. However, tactics are evolving, with a rise in SMS lures and voice phishing.

Ransomware incidents have declined to 16% from 23% in the previous quarter, possibly due to law enforcement actions against ransomware-as-a-service groups like LockBit and BlackCat.

Insider Threats Predominantly Malicious

Insider threats have been particularly impactful in professional services, accounting for 23% of incidents, followed by financial services (14%) and technology and telecom (11%). The technology and telecom sector is notably susceptible to insider threats, often involving malicious actors with access to multiple technology providers, potentially leading to supply chain attacks. Alarmingly, 90% of insider threat incidents were intentional and malicious, underscoring the need for vigilant monitoring of insider activities.

Rise in Social Engineering and Zero-Day Exploits

Phishing remains the most common initial access method at 39% of incidents. However, social engineering attacks surged from 6% in Q4 2023 to 20% in Q1 2024. Exploitation of zero-day vulnerabilities and CVE-documented flaws also increased slightly, with these types of attacks often resulting in ransomware incidents. Attackers are now exploiting CVEs faster than ever after their publication. For example, vulnerabilities in ConnectWise’s ScreenConnect tool were exploited within 48 hours of their announcement.

Rapid Exploitation of Vulnerabilities

On February 19, ConnectWise alerted users to two vulnerabilities (CVE-2024-1708 and CVE-2024-1709) in its ScreenConnect tool. Kroll noted that by February 21, these vulnerabilities were being actively exploited. Larger threat actor groups were involved in the initial exploitation, while less sophisticated groups took over as patches were implemented.

WebDAV Vulnerabilities

The report also noted increased exploitation of WebDAV, a protocol for remote file access in Windows, due to vulnerabilities in Microsoft SmartScreen software. These vulnerabilities allowed attackers to bypass security controls and download malware. Kroll advises enterprises to block WebDAV traffic where possible to mitigate these risks.
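One way to find where WebDAV can be blocked is to audit proxy logs for WebDAV requests that leave the network. The sketch below is an added example, not code from Kroll's report or the original article; the log format, the internal DNS suffix and the sample lines are constructed assumptions.

```python
import ipaddress
import shlex
from urllib.parse import urlsplit

# WebDAV-specific HTTP methods (RFC 4918).
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
# User-Agent prefix sent by the Windows WebClient (WebDAV redirector) service.
WEBDAV_UA_PREFIX = "microsoft-webdav-miniredir"
INTERNAL_SUFFIXES = (".corp.example",)  # assumption: this organization's internal DNS suffix
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log: timestamp, client IP, method, URL, "User-Agent".
SAMPLE_LOG = '''\
2024-03-01T09:14:02Z 10.1.4.22 GET https://intranet.corp.example/home "Mozilla/5.0"
2024-03-01T09:14:40Z 10.1.4.22 PROPFIND http://files.corp.example/share "Microsoft-WebDAV-MiniRedir/10.0.19045"
2024-03-01T09:15:11Z 10.1.7.80 OPTIONS http://203.0.113.50/docs "Microsoft-WebDAV-MiniRedir/10.0.19045"
2024-03-01T09:15:12Z 10.1.7.80 PROPFIND http://203.0.113.50/docs "Microsoft-WebDAV-MiniRedir/10.0.19045"
this line is malformed
'''

def is_internal(host):  # internal DNS suffix or RFC 1918 address
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower().endswith(INTERNAL_SUFFIXES)
    return any(ip in net for net in INTERNAL_NETS)

def find_webdav_egress(log_text):
    """Return (client, host, reasons) for each WebDAV request to an external host."""
    findings = []
    for line in log_text.splitlines():
        try:
            _ts, client, method, url, agent = shlex.split(line)
        except ValueError:
            continue  # malformed line: skip it rather than abort the audit
        host = urlsplit(url).hostname
        if not host or is_internal(host):
            continue
        reasons = []
        if method.upper() in WEBDAV_METHODS:
            reasons.append("method:" + method.upper())
        if agent.lower().startswith(WEBDAV_UA_PREFIX):
            reasons.append("user-agent")
        if reasons:
            findings.append((client, host, reasons))
    return findings

if __name__ == "__main__":
    print(*find_webdav_egress(SAMPLE_LOG), sep="\n")
```

Clients that appear in the output are the ones an egress block would affect; internal WebDAV shares, like the second sample line, are left alone.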

Mitigating Deepfake Threats

The report concludes with recommendations to counter deepfake threats, emphasizing that detecting AI-enabled attacks should be part of security training. Tips for identifying deepfakes include:

  • For prerecorded deepfakes: Check the sender’s address and use reverse image searches to detect poor-quality deepfakes.
  • For live deepfakes: Ask individuals to make extensive movements to spot abnormalities like discoloration, distorted limbs, or irregular hair flickering.
  • For AI-enabled deepfakes: Train detection models on specific individuals rather than relying on generic deepfake detection.

Comprehensive Security Strategy

In response to growing AI threats, organizations must adopt proactive, multi-layered security strategies rather than relying solely on defensive measures. This approach ensures comprehensive protection across the entire attack surface.

This detailed analysis underscores the evolving nature of cyber threats and the need for continuous adaptation and vigilance in cybersecurity practices.

For Reference

https://www.csoonline.com/article/2123595/kroll-cyber-threat-landscape-report-ai-assists-attackers.html
