Current Trends in Automated Cyber Attacks

The window between vulnerability disclosure and active exploitation is collapsing. Recent reports show threat actors weaponizing new vulnerabilities within 24 hours of disclosure. AI tools are compressing this timeline even further. Researcher Matt Keeley recently showed that AI models can analyze code differences between patched and vulnerable versions to produce functional exploits—sometimes before any public proof-of-concept is available. Tasks that once took days of manual review now get solved in hours. This trend regularly surfaces during offensive security engagements. Threat actors aggressively scan for the latest disclosed vulnerabilities, especially in Content Management Systems. Once initial access is gained, these systems are used for phishing infrastructure or lateral movement inside networks. The takeaway: ➡️ Traditional patch cycles are fundamentally broken compared to today's threat actors ➡️ Attack surface management needs to be continuous, not periodic ➡️ Organizations must validate security patches within hours, not days How quickly is your organization deploying critical patches—and how are you confirming that those patches are actually closing the gaps? #Cybersecurity #RedTeaming #ThreatIntelligence

New findings from OpenAI reinforce that attackers are actively leveraging GenAI. Palo Alto Networks Unit 42 has observed this firsthand: we've seen threat actors exploiting LLMs for ransomware negotiations, deepfakes in recruitment scams, internal reconnaissance and highly-tailored phishing campaigns. China and other nation-states in particular are accelerating their use of these tools, increasing the speed, scale, and efficacy of attacks. But, we’ve also seen this on the cybercriminal side. Our research uncovered vulnerabilities in LLMs, with one model failing to block 41% of malicious prompts. Unit 42 has jailbroken models with minimal effort, producing everything from malware and phishing lures to even instructions for creating a molotov cocktail. This underscores a critical risk: GenAI empowers attackers, and they are actively using it. Understanding how attackers will leverage AI to advance their attacks but also exploit AI implementations within organizations is crucial. AI adoption and innovation is occurring at breakneck speed and security can’t be ignored. Adapting your organization’s security strategy to address AI-powered attacks is essential.

Over the weekend, I dug into the Google Cloud Threat Intelligence Report on Adversarial Misuse of Generative AI. The report outlines the tactics used by adversaries, identifies specific threat actors from countries like China, Russia, Iran, and North Korea, and how to mitigate the misuse of AI by threat actors. 🇨🇳 China (APT31, APT40, and other state-affiliated groups) Chinese threat actors have experimented with generative AI to enhance social engineering, phishing, and deepfake campaigns. APT31, known for espionage targeting government and tech entities, has reportedly used AI-powered translation and content-generation tools to improve spear-phishing attempts and craft realistic fake personas for influence operations. 🇷🇺 Russia (Sandworm, Fancy Bear/APT28, and other groups linked to GRU/FSB/SVR) Russian cyber units have been exploring AI for disinformation campaigns, using generative AI to create large volumes of realistic fake news articles, deepfake videos, and AI-generated social media engagement. AI-driven bots are used to amplify narratives favorable to Russia’s geopolitical goals. There is evidence that Russian actors are also using AI to automate cyberattack planning and vulnerability exploitation. 🇮🇷 Iran (Charming Kitten/APT35, Mint Sandstorm, and other IRGC-linked groups) Iranian cyber units have used generative AI for voice cloning, allowing for more effective phone scams and impersonation of political figures. AI is being leveraged to generate fake documents and fabricated news stories as part of influence operations in the Middle East and North America. Iran has also tested AI-enhanced malware that can adapt dynamically to evade detection. 🇰🇵 North Korea (Lazarus Group, Kimsuky, and associated actors). North Korean hackers have been using generative AI to craft highly convincing job application profiles and social engineering lures aimed at infiltrating crypto and financial firms. AI-powered scripts and chatbots have been used to automate interactions with victims, making fraud and scam operations more efficient. Generative AI has also been exploited to write malicious code, helping less-skilled North Korean hackers develop sophisticated malware. 💻Cybercriminal Groups and AI-Enabled Crime. Ransomware gangs are using AI-powered reconnaissance tools to identify high-value targets and refine their extortion tactics. Scammers have employed AI to generate fake identity documents, enabling large-scale financial fraud. Darknet marketplaces are increasingly offering AI-driven hacking tools for sale, allowing low-skill criminals to execute advanced attacks. The report also highlights the need for advanced AI-driven detection systems, stronger regulations, and international cooperation to mitigate misuse by adversarial nations and criminal networks. For more read the full report in the comments below as well as TRM Labs new report on "The Rise of AI-Enabled Crime." From the TRM report ⬇️

Cyberattacks by AI agents are coming - MIT Technology Review Agents could make it easier and cheaper for criminals to hack systems at scale. We need to be ready. Agents are the talk of the AI industry—they’re capable of planning, reasoning, and executing complex tasks like scheduling meetings, ordering groceries, or even taking over your computer to change settings on your behalf. But the same sophisticated abilities that make agents helpful assistants could also make them powerful tools for conducting cyberattacks. They could readily be used to identify vulnerable targets, hijack their systems, and steal valuable data from unsuspecting victims.  At present, cybercriminals are not deploying AI agents to hack at scale. But researchers have demonstrated that agents are capable of executing complex attacks (Anthropic, for example, observed its Claude LLM successfully replicating an attack designed to steal sensitive information), and cybersecurity experts warn that we should expect to start seeing these types of attacks spilling over into the real world. “I think ultimately we’re going to live in a world where the majority of cyberattacks are carried out by agents,” says Mark Stockley, a security expert at the cybersecurity company Malwarebytes. “It’s really only a question of how quickly we get there.” While we have a good sense of the kinds of threats AI agents could present to cybersecurity, what’s less clear is how to detect them in the real world. The AI research organization Palisade Research has built a system called LLM Agent Honeypot in the hopes of doing exactly this. It has set up vulnerable servers that masquerade as sites for valuable government and military information to attract and try to catch AI agents attempting to hack in. While we know that AI’s potential to autonomously conduct cyberattacks is a growing risk and that AI agents are already scanning the internet, one useful next step is to evaluate how good agents are at finding and exploiting these real-world vulnerabilities. Daniel Kang, an assistant professor at the University of Illinois Urbana-Champaign, and his team have built a benchmark to evaluate this; they have found that current AI agents successfully exploited up to 13% of vulnerabilities for which they had no prior knowledge. Providing the agents with a brief description of the vulnerability pushed the success rate up to 25%, demonstrating how AI systems are able to identify and exploit weaknesses even without training. #cybersecurity #AI #agenticAI #cyberattacks #vulnerabilities #honeypots #LLMhoneypots