Cybercriminals exploit generative artificial intelligence (GenAI) to enhance attack strategies and infiltrate systems. The advantage is theirs. They get to blend the power of GenAI with all their social engineering tactics to trick us into giving up our credentials. Once they have this information, they log in without hacking. Essentially, you will grant them unlimited access to your systems. This trend has seen a severe uptick in the past year as GenAI adoption has become more mainstream. According to a 2024 IBM report, attacks leveraging valid credentials surged by a staggering 71% year-over-year.
We all know the best practices well at this point. Be cautious with emails and links. Don’t click on, open or engage with anything from someone you don’t know. Don’t open or download attachments from an unknown sender. Be wary of spelling errors, and never give away any information about yourself. But today, we need to be wary of convincing and natural-sounding text messages from your team. Or maybe a fake legal subpoena from a legitimate source or a voice memo from your CEO. There have even been reports of entire Zoom calls filled with deepfakes of all your colleagues. The latest trend is an uptick in savvy cybercriminals leveraging GenAI to catch you during periods when you are distracted.
Distractions make you a prime target for cybercriminals. What do I mean by that? Cybercriminals leverage times of distraction, times when you might be thinking about something new, trying something new, or meeting new people. Holidays are prime time for you to be off your guard. There are reports of fake links from recruiters aimed at those on the job hunt. Think about global events like the Olympics or elections. I expect that we are all experiencing a flood of emails and text messages from the candidates campaigning in our regions. How do you know for sure whether the link you were just sent was actually from their campaign or was a malicious trap? Even back to school is a prime target. Think about all the increased communications and chaos around back to school for your kids. It is more likely that you might answer, open or respond to messages from unknown people or organizations. Cybercriminals are smart. They know that you are starting something new, and they might try to quickly mimic your new teacher, fellow parent or school district. All the information they need is often on your social media accounts. Remember all those cute back-to-school pictures you take every year and proudly post? Many list your child’s favorite activities and sometimes even schools' and teachers' names. That is all they need to craft compelling bait.
Cybercriminals leverage and exploit information learned about you online. GenAI can quickly and succinctly gather personal data and habits. It can also find details about tastes, communication patterns, and networks. The technology is now sophisticated enough that cybercriminals can generate texts, emails or phone calls that mimic the tone and style of legitimate correspondence. That’s right, written, digital and video are all being leveraged, making it harder for victims to recognize them as scams. The heightened personalization makes spotting these clever ruses increasingly challenging for unsuspecting targets. Especially when distracted.
Deepfakes utilize GenAI to create fake, yet realistic, audio and video content. In the hands of cybercriminals, this technology can impersonate individuals in vishing (voice phishing) or video attacks. This tricks victims into thinking they're talking to someone they know. As a result, it opens the door to fraud or theft of information.
GenAI can scale to massive amounts of data, and cybercriminals can harness it to supercharge their attacks. Automation lets them blanket targets with minimal effort. Think about the difference between a few attempts to contact you a week and 1,000 different ways to catch you off guard in a day.
AI-powered tools now crack common passwords in minutes. Cybercriminals exploit vast datasets, generating variations to swiftly breach weak defenses. Reports reveal a significant portion of passwords fall quickly to these advanced attacks, highlighting the urgent need for stronger digital security measures.
In a threat that is new to most, cybercriminals can hijack the output of Large Language Models (LLMs) to override user prompts, inserting any text they choose into AI-generated responses. This technique enables the covert injection of malicious code, compromising the integrity of AI outputs and potentially harming unsuspecting users.
Cybercriminals now wield AI to supercharge ransomware attacks. Smart algorithms pinpoint lucrative targets in networks, while automated systems spread malware with ruthless efficiency. This deadly combo amplifies the financial damage, making each strike more profitable for digital extortionists.
AI-driven attacks now pose a threat to supply chains. Hackers are embedding malicious code in trusted software and hardware. This method allows them to bypass detection. They exploit legitimate channels, compromising organizations from within. Hence, companies now face the growing challenge of securing their digital systems against these advanced attacks.
GenAI tools can probe systems for weak points, dissect their findings, and craft tailored exploits. The result? Malware that learns, adapts, and slips past defenses, drawing on lessons from past intrusions. This evolving threat poses a formidable challenge to cybersecurity efforts worldwide.
Distributed Denial of Service (DDoS) attacks can also be enhanced in both scale and sophistication. Coordinated swarms of GenAI bots inundate targets with data floods. These synthetic onslaughts overwhelm systems, paralyzing critical services and sowing digital chaos.
As GenAI-powered apps rapidly expand and integrations and APIs multiply, they create fresh entry points into company networks. These digital doorways, if left unguarded, could become security vulnerabilities. Firms must balance innovation with robust safeguards to protect their digital infrastructure from emerging threats.
GenAI also helps cybercriminals automate the theft of intellectual property. It analyzes large datasets to find valuable trade secrets and sensitive information, which they then steal for a competitive edge. These advancements show the dual-edged nature of AI.
Vigilance against evolving threats is paramount for organizations and employees. Today it is not just a technology issue but a human one too. It is vital to continue to educate and train employees to be aware and alert at all times in their professional and personal lives, especially as we all head into periods of high distraction like holidays, back to school, government elections, etc. It is also important to remind employees to review their privacy and security settings on social media applications and follow best practices for keeping their social media posts secure. In addition, employees should make sure they are using approved, up-to-date, and secure communications platforms for work collaboration, even on personal devices.
On the technology side, Veritas recommends implementing robust defenses like Multi-Factor Authentication (MFA), Multi-Person Authorization (MPA), and Privileged Access Management (PAM). We also suggest implementing fundamentals like Zero Trust, immutability, anomaly detection, and malware scanning across your organization.
Our teams are dedicated to leveraging new GenAI technologies to help you stay ahead of the threat actors and their innovative tactics. Last spring, Veritas unveiled a series of new capabilities designed to help combat AI-powered cyber threats with our own AI-powered solutions. This includes our adaptive self-defense solution, improved entropy anomaly detection, and a new GenAI-powered operational copilot. Veritas also announced new cyber resiliency assessment and recovery services, and new security ecosystem partners. These solutions ensure you are prepared to be resilient in the face of an attack and set up with tools that proactively prevent attacks. You can learn more by reading this helpful blog, “The Human Factor of Cyber Resilience” written by my colleague, Liji Kurvilla.
For a comprehensive list of foundational security and data protection controls you need to implement, check out the Cyber Recovery checklist.