Ransomware & more: How cybersecurity and AI shape the digital realm
- Cybersecurity and AI are shaping today’s digital threats and defenses.
- AI boosts both cyber threats and defenses like behavioral analytics.
AI is rapidly becoming a focal point for industry experts and regulators. There’s a growing concern that malicious actors might exploit AI to enhance phishing campaigns, develop advanced malware, and engage in other technological wrongdoings.
However, on the flip side, AI has proved invaluable in bolstering cybersecurity defenses. A prime example is how AI was effectively utilized in Ukraine to counter Russian cyber attacks. The evolution of AI-driven cyber defenses is anticipated to be crucial in curbing the rising tide of cyberattacks.
The recent Microsoft Digital Defense Report underscores a changing threat landscape, emphasizing the critical need for closer collaboration between the public and private sectors. Such a partnership is crucial for devising an environment that champions global cybersecurity and innovation.
The shift to Cybercrime-as-a-Service
The findings suggest that cybercriminals increasingly leverage a cybercrime-as-a-service model, orchestrating extensive phishing, identity theft, and distributed denial of service (DDoS) attacks. Criminals have refined their tactics, becoming adept at bypassing multi-factor authentication to launch precise attacks. Data extortion is also on the rise, with the period since November 2022 seeing a significant spike in potential data exfiltration events, indicating unauthorized data transfers.
Notably, 13% of human-initiated ransomware attacks that escalated to the ransom phase involved some element of data exfiltration. Through alerts sent to clients, Microsoft Defender Experts identified this year’s dominant cyber threats:
Identity attacks
Identity breaches have manifested in various forms: traditional brute-force attacks, sophisticated password spray strategies that span different countries and IP addresses, and adversary-in-the-middle (AiTM) tactics. Data from Microsoft Entra, a dedicated analytics unit of Microsoft, paints a grim picture: an alarming rise in attempted breaches compared to the same period in 2022. Attempts surged from approximately 3 billion per month to 30 billion, translating to 4,000 password breach attempts targeting Microsoft cloud identities per second.
A key contributor to these breaches is the lackluster security measures implemented by many, particularly in the education sector. Several institutions have overlooked the importance of Multi-Factor Authentication (MFA), rendering their users vulnerable to phishing, credential stuffing, and brute-force attacks.
Even though MFA introduces an additional layer of protection, it hasn’t deterred malicious actors entirely. Criminals have devised tactics to bypass MFA, including the use of one-time password bots (OTP bots) for unauthorized account access. These bots trick users into sharing their OTPs, received via SMS, authentication apps, or emails. Once the cybercriminals acquire the OTP, they gain unhindered access.
Ransomware’s evolution in the cybersecurity and AI era
Ransomware strategies are evolving, with bad actors leaning more towards manual attacks, employing stealth techniques, and leveraging data exfiltration to bolster ransom demands. Cybercriminals are honing their skills, making it increasingly challenging for users to detect fraud until the damage is done.
The report defines “Ransomware Incidents” as any detected activities related to ransomware, thwarted or leading to notifications. This encompasses various stages of a ransomware attack. One large-scale ransomware attack was specifically noted, one that targeting an organization’s endpoint devices and cloud infrastructure.
Microsoft identified the entity behind this vast campaign as Mango Sandstorm. Its approach was multifaceted, impacting both physical and cloud-based systems. Bad actors escalated access privileges, erasing critical data and ensured prolonged unauthorized presence on networks via OAuth applications spoofing.
There’s also been a noticeable increase in phishing attacks aimed at device compromise and identity theft through AiTM phishing. This involves hijacking vendors for phishing and misusing genuine services to deceive targets.
The rising tide of AiTM phishing attacks: Where cybersecurity and AI meet
Historically, threat actors employed AiTM to capture credentials, distribute malware, or accumulate personal data and session cookies. Microsoft has observed a steady uptick in AiTM phishing campaigns, with some incidents involving millions of phishing emails dispatched in a single day. This trend began in September 2021 and saw a significant surge by mid-July 2022, underscoring a widespread effort to sidestep MFA.
In an AiTM attack, the bad actor creates a reverse proxy server between the victim and the legitimate login page. While reverse proxies can bolster security, they can also be exploited for malicious objectives. In AiTM scenarios, victims are presented with a doctored login page. Unlike traditional phishing, a distinct server owned by the offender is used to relay stolen credentials, triggering an MFA challenge.
Microsoft tracks various threat groups associated with AiTM phishing tools and services, including prominent hackers, using multiple platforms. Malicious tools have been recognized as Caffeine (associated with Storm-0867), EvilProxy (connected to Storm-0835), and NakedPages (linked to Storm-1101). AiTM phishing attempts have been tied to as yet unidentified tools or services.
Other tools, such as Evilginx2, Modlishka, and Muraena, are publicly available. They lack some of the comprehensive features found in paid versions. By introducing AiTM phishing kits to phishing-as-a-service, a broader range of threat actors now have access to advanced tools, thus lowering the entry barrier and amplifying the potency of attacks.
Caffeine, EvilProxy, and NakedPages collectively cater to hundreds of clients, with cybercriminals paying license fees ranging between US$200 and US$1,000 monthly to maintain daily phishing operations. With many threat actors employing these platforms, pinpointing individual culprits becomes a challenge. The emphasis is now on monitoring these services, halting their malicious activities, and bolstering user protection.
Business email compromise: The hidden danger
Business Email Compromise (BEC) entails cybercriminals using varied strategies, from overtaking email conversations to spam distribution, and targeting financial fraud. Hackers send deceptive emails with malicious links and files from a compromised user’s email ID to their contacts. The legitimate appearance of internal phishing emails leads many recipients to engage with malicious content inadvertently.
Microsoft Defender experts have observed that these attackers often create fake email threads, using the guise of genuine business communications to lure unsuspecting victims. The blend of accurate business terminologies, seemingly legitimate files, and familiarity with the sender makes these emails particularly convincing and, thus, more dangerous.
The ongoing trend of Business Email Compromise has also spotlighted another alarming factor: the ease with which cybercriminals can rent or purchase email accounts with high reputations. By using such accounts, attackers can bypass conventional email filters, ensuring a higher success rate for their campaigns.
Several cybercrime forums offer such high-reputation email accounts for sale. The going rate for these accounts typically depends on the perceived reputation and the originating domain. For instance, accounts from educational or governmental fields might fetch a higher price due to their inherent trustworthiness for email recipients.
AI-driven countermeasures: The need of the hour
Additionally, the malware landscape has seen an evolution. While signature-based malware detection tools have proven effective, today’s cybercriminals frequently employ polymorphic malware, which changes its signature to evade detection. Against such threats, AI-powered solutions that focus on behavioral analytics and heuristic patterns are showing promising results. These next-gen security tools don’t just depend on known signatures but assess the behavior of software and processes to identify any strange patterns indicative of malicious activities.
Considering the mounting threats, what’s evident is the paramount importance of collaboration across industries, government bodies, and private entities. Shared knowledge, pooled resources, and collective intelligence can form a potent defense against the sophisticated strategies of modern cybercriminals.
For organizations, a multi-layered approach to security is no longer optional but essential. This includes employing advanced AI-driven tools and instilling a culture of cybersecurity awareness among employees. Regular training sessions, mock phishing tests, and real-time feedback can significantly enhance an organization’s defense, turning its personnel from potential vulnerabilities into security assets.
In conclusion, while AI continues to be a double-edged sword in cybersecurity, its potential as a formidable defense mechanism can’t be ignored. As we navigate through an era dominated by digital threats, our focus should be on harnessing the positive aspects of AI, fostering global collaborations, and creating robust systems resilient to the evolving strategies of cyber adversaries.
READ MORE
- 3 Steps to Successfully Automate Copilot for Microsoft 365 Implementation
- Trustworthy AI – the Promise of Enterprise-Friendly Generative Machine Learning with Dell and NVIDIA
- Strategies for Democratizing GenAI
- The criticality of endpoint management in cybersecurity and operations
- Ethical AI: The renewed importance of safeguarding data and customer privacy in Generative AI applications