AI is simplifying all sorts of tasks — and not always for the better: cybercriminals, too, are adopting it.

In its frontline threat intelligence report for the first quarter of 2024, risk and financial advisory firm Kroll revealed that, as in virtually every other industry, cyber criminals are using artificial intelligence (AI) to further their goals. Well-known tactics such as those used in business email compromise (BEC) are being augmented with AI. And, it added, security controls designed to reduce the success of BEC attacks, such as the requirement for verbal authentication of requests from C-suite executives, are being circumvented by using AI to clone the executives’ voices and create deepfake messages approving fraudulent transactions.

“Phishing was the most likely vector for email compromise incidents,” the report noted. “Kroll observed that in Q1, while phishing was typically synonymous with an email message, actors continued to evolve tactics and introduce others, such as SMS lures and voice phishing, which seem to be rising in popularity.”

Ransomware, on the other hand, saw a decline to 16%, from 23% of incidents in the preceding quarter, Kroll noted, possibly because of the law enforcement takedowns of ransomware-as-a-service organizations such as LockBit and BlackCat.

Insider threats mostly malicious

Insider threats, the report said, are hitting professional services hardest, accounting for 23% of incidents, with financial services (14%) and technology and telecom (11%) following. But, it observed, incidents involving technology and telecom were most likely to be insider threats. “With most technology providers working with multiple downstream customers, an insider with access to multiple technology providers may have the ability to cascade malicious activity to clients, posing the risk of a supply chain attack,” it said.
And virtually all insider threat incidents – 90% of them, in fact – were deemed to be intentional, and thus malicious. Kroll said, “This highlights the importance of insider threat not being overlooked as a threat incident type by companies.”

Zero-day and CVE threats

Although phishing remained the most common method for initial access, at 39% of incidents, attacks launched via social engineering leaped from 6% in Q4 2023 to 20% in Q1 2024. Exploitation of zero-day vulnerabilities and CVE-documented flaws saw a small uptick as well, going from 6% in Q4 2023 to 7% in Q1. Those attacks were most likely to result in a ransomware incident, according to the report.

However, it noted, attackers are exploiting Common Vulnerabilities and Exposures (CVEs) faster than ever after publication. CVE is a standard for identifying, defining, and cataloging publicly disclosed cybersecurity vulnerabilities; each vulnerability is described in detail and has a unique CVE identifier.

How fast are they moving? On February 19, software firm ConnectWise notified customers of two vulnerabilities (CVE-2024-1708 and CVE-2024-1709) that affected its remote management tool, ScreenConnect. Kroll subsequently assisted a number of customers whose networks were attacked by exploiting the flaws, and described what it saw.

“A majority of its ScreenConnect cases had an initial access date of February 21, indicating that actors were exploiting the vulnerability within less than 48 hours of the original announcement,” the report stated. “Based on a review of these cases, Kroll observed a wide range of threat actors leveraging the vulnerability. In Kroll’s review, cases occurring within the first five days of the publication were more likely to be associated with larger-scale threat actor groups. Three weeks on from the publication date, fewer cases were observed, likely due to widespread patching.
Cases observed during this time period were more likely to be associated with lone wolf actors or less sophisticated threat actor groups.”

WebDAV

The first quarter also saw increased activity by attackers using WebDAV, a protocol that lets users create, modify, and move documents over HTTP, to gain remote file access on Windows. Vulnerabilities in Microsoft SmartScreen let attackers send an internet shortcut with an embedded malicious URL that bypassed security controls, allowing malware to be downloaded. Because of WebDAV’s security issues, Kroll recommends that enterprises block WebDAV traffic at the perimeter where possible.

Deepfake mitigation recommendations

The report concluded with recommendations that could help mitigate the increasing threats involving deepfakes. Detection of deepfakes and AI-enabled attacks should be part of a security team’s training, it said. Kroll offered these tips to help determine whether a deepfake is in use:

For prerecorded deepfakes:
Check the video sender’s address; a deepfake sender’s address is often spoofed or unknown.
Investigative reverse image searches can often detect poorer quality, mass-produced deepfake videos.

For live deepfakes:
Ask the individual on screen to make extensive movements, and watch for discoloration, abnormal body shapes, distorted limbs and irregular hair flickering.
Make following standard movement protocols to avoid deepfake scenarios part of regular compliance procedures.

For AI-enabled deepfakes:
Train detection models on specific individuals, rather than generically trying to identify deepfakes.

Secure the entire attack surface

“Faced by the growing AI challenge, organizations can no longer risk relying on purely defensive or one-dimensional approaches to security,” the report concluded.
“Instead, they must ensure that their vigilance translates into a strategy that proactively addresses all layers of the attack surface.”
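Kroll’s WebDAV recommendation above is to block the protocol at the perimeter; before doing so, a defender normally wants to see which hosts already send WebDAV requests outbound. The following is an added example, not code from Kroll or from the article: it scans constructed combined-format proxy log lines for the WebDAV-specific HTTP methods defined in RFC 4918 and for the user-agent string of the Windows WebDAV client, and reports the clients and URLs involved. The log format and sample lines are assumptions.

```python
"""Flag outbound WebDAV traffic in proxy logs (added example, not from the Kroll report)."""
import re
from typing import Dict, Iterable, List, Optional

# Methods defined by WebDAV (RFC 4918) that ordinary web browsing never uses.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
# User-agent prefix of the Windows WebDAV client (the WebClient service).
MINIREDIR_UA = "Microsoft-WebDAV-MiniRedir"

# Assumed combined log format:
# client ident user [timestamp] "METHOD url HTTP/x.y" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one log line, or None if it shows no WebDAV indicator."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line; a real pipeline would count and report these
    reasons = []
    if m["method"] in WEBDAV_METHODS:
        reasons.append(f"webdav-method:{m['method']}")
    if MINIREDIR_UA in m["ua"]:
        reasons.append("windows-webdav-client")  # GETs from this client are WebDAV too
    if not reasons:
        return None
    return {"client": m["client"], "url": m["url"], "reasons": ",".join(reasons)}


def find_webdav_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run classify() over a log and keep only the WebDAV findings, in log order."""
    return [finding for finding in (classify(line) for line in lines) if finding]


# Constructed sample proxy lines; hosts and addresses are made up for illustration.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Feb/2024:10:01:02 +0000] "GET http://intranet.example/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [21/Feb/2024:10:02:14 +0000] "PROPFIND http://203.0.113.9/share/ HTTP/1.1" 207 843 "-" "Microsoft-WebDAV-MiniRedir/10.0.19041"',
    '10.0.0.7 - - [21/Feb/2024:10:02:15 +0000] "GET http://203.0.113.9/share/report.docx HTTP/1.1" 200 2048 "-" "Microsoft-WebDAV-MiniRedir/10.0.19041"',
    '10.0.0.9 - - [21/Feb/2024:10:03:00 +0000] "POST https://api.example/login HTTP/1.1" 200 64 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for finding in find_webdav_requests(SAMPLE_LOG):
        print(finding)
```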