AI is the new battleground, according to a report released by SophosLabs this week. The 2020 Threat Report highlights a growing battle between cybercriminals and security companies as smart automation technologies continue to evolve.
Security companies are using machine learning technology to spot everything from malware to phishing email, but data scientists are figuring out ways to game the system. According to the report, researchers are conceiving new attacks to thwart the AI models used to protect modern networks… attacks which are starting to move from the academic space into attackers’ toolkits.
One such approach involves adapting malware and emails with extra data that make them seem benign to machine learning systems. Another replicates the training models that security companies use to create their AI algorithms, using them to better understand the kinds of properties that the machine learning models target. That lets attackers tailor malicious files to bypass AI protections.
The other big AI-related worry is generative AI, which uses neural networks to create realistic human artefacts like pictures, voices, and text. Also known as deepfakes, these are likely to improve and present more problems to humans who can’t tell the difference. Sophos predicts that in the coming years, we’ll see deepfakes lead to more automated social engineering attacks – a phenomenon that it calls ‘wetware’ attacks.
Automation is already a growing part of the attack landscape, warns the threat report. Attackers are exploiting automated tools to evade detection, it says, citing ‘living off the land’ as a particular threat. This sees attackers using common legitimate tools ranging from the nmap network scanning product to Microsoft’s PowerShell in their quest to move laterally through victims’ networks, escalating their privileges and stealing data under the radar.
Online criminals are also tying up admin resources with decoy malware, which they can drop liberally throughout a victim’s infrastructure, the report warns. This malware carries benign payloads, enabling them to misdirect admins while they furtively drop the real payloads.
The third weapon in the attackers’ automated arsenal are potentially unwanted applications (PUAs). Unlike the benign malware decoys, PUAs often don’t garner much attention because they aren’t classified as malware. Yet attackers can still program them to activate automatically and deliver damaging payloads at a time of their choosing, Sophos warns.
Automated attacks also pose a threat to machines exposing specific ports online, the report points out. By way of example, Sophos uses computers with public-facing remote desktop protocol (RDP) ports, which are common targets for brute-force password attacks. This is just one example of what the company calls ‘internet background radiation’ – the constant hubbub of online activity that contains an ocean of malicious traffic.
But while AI is the threat of tomorrow and automated technologies present real and present dangers, we shouldn’t ignore infections from the past. Malware that swept the internet years ago still highlights inherent insecurities across large swathes of online infrastructure. The report singles out ‘zombie’ WannaCry infections that are still lurking on many networks. These infections, based on variants of the original malware, show that there are still vast quantities of unpatched machines online.
The same goes for Mirai, the IoT-based botnet that swept the world in 2016 and still exists today. SophosLabs has seen Mirai-infected networks launching attacks on database servers using sophisticated strings of commands that can take over an entire system.
The report highlighted plenty of other threats, including a growing diversity of attacks on smartphone owners. Attackers are resorting to everything from SIMjacking to adware and ‘fleecing’ apps that charge exorbitant amounts for legitimate assets of very little value.
As technology evolves at a breakneck pace, one thing is certain: the creativity of the cybercrime community will continue to evolve with it. However, while companies may fret over tomorrow’s technologically sophisticated threats, the first place to begin any cybersecurity effort is with basic steps such as software patching, strict access policies, proper system and network monitoring, and user education. Measures like these don’t need sophisticated AI practitioners to implement, and they can save many headaches down the line.
Pete
I have recently seen how Sophos for Android didn’t detect viruses from 2014, 2015 that sat in .mp4 files. It caused major embarrassment when I stuck that microSD into a Windows box and it cried blue murder in a public place. Me being the Linux geek (supposedly.)