KSG Exec Brief: Social Engineering, Ransomware, and Generative AI
Proliferating AI tech and sophisticated social engineering are converging cyber threats
Companies across all industries need to communicate with their employees about the emerging threats from generative AI to corporate verification systems. The use of voice spoofing and sophisticated social engineering techniques by ransomware groups represents a rapidly changing threat landscape. Companies need agile systems to update their threat models and keep their employees and systems protected.
A string of cyberattacks on casinos made headlines last week. Attackers used social engineering to coerce an estimated $15 million from Caesars. MGM—hit by a similar social engineering-based ransomware attack—experienced 10 days of shutdowns across a range of systems including slot machines, hotel room digital keys, and online reservations. Obscured among coverage of these attacks, the business software development company Retool shared details of a social engineering attack they suffered which used generative AI. According to their postmortem:
"The caller claimed to be one of the members of the IT team, and deepfaked our employee's actual voice. The voice was familiar with the floor plan of the office, coworkers, and internal processes of the company."
As companies consider the promises and perils of generative AI in their business models, the prevalence of social engineering should serve as a warning sign for these tools’ role in cyber threats that seek to bypass multi-factor authentication (MFA) security controls.
AI and Social Engineering
The fallibility of humans remains a persistent vulnerability even as security tools grow increasingly sophisticated. As a result, social engineering is a component of the vast majority of cyberattacks. While ChatGPT brought discussions about generative AI to the forefront this year, the use of these tools for social engineering is not new.
In 2019, attackers used AI voice technology to spoof the voice of a UK-based energy company’s chief executive to scam another higher-up out of $243,000.
By 2022, two thirds of cybersecurity professionals reported that deepfakes were a component of attacks they had investigated the previous year.
Proliferating multimodal generative AI tools will broaden access to capabilities that accelerate and enable malicious social engineering attacks.
For example, Microsoft’s VALL-E model can create a voice deepfake from just three seconds of sampled audio. Attackers can find such samples of executive voices in talks and interviews or collect samples from IT employees’ voice mails. These models allow attackers to convert text to speech and create convincing spoofs of trusted individuals in an organization.
In Retool’s case, attackers convinced an employee over a phone call to provide an MFA code. With this information, the attacker added their own device to the employee’s account, which gave them full access to MFA codes. In this case, MFA was a hindrance more than a deterrent:
The added "benefit" of authentication token sync in Google Authenticator means users' tokens appear on any authenticated device (including the attackers’…).
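The sequence described above (an MFA challenge passed from a never-before-seen device, followed minutes later by enrollment of a new factor) is detectable in identity-provider logs. The following is an added illustration, not code from Retool or from this brief; the event schema and sample events are constructed for the example.

```python
"""Flag MFA-factor enrollments that closely follow the first login from a
device the account has never used. Constructed log format for illustration
only; real identity-provider schemas differ."""
from datetime import datetime, timedelta

# Constructed sample events (not real data). Alice's second day shows the
# Retool-style pattern: new device logs in, then enrolls an MFA factor.
EVENTS = [
    {"ts": "2023-09-01T09:00:00", "user": "alice", "type": "login", "device": "dev-A1"},
    {"ts": "2023-09-01T09:05:00", "user": "alice", "type": "login", "device": "dev-A1"},
    {"ts": "2023-09-02T14:02:00", "user": "alice", "type": "login", "device": "dev-Z9"},
    {"ts": "2023-09-02T14:04:30", "user": "alice", "type": "mfa_enroll", "device": "dev-Z9"},
    {"ts": "2023-09-02T10:00:00", "user": "bob", "type": "login", "device": "dev-B2"},
    {"ts": "2023-09-03T11:00:00", "user": "bob", "type": "mfa_enroll", "device": "dev-B2"},
]

WINDOW = timedelta(minutes=15)  # tunable: how soon after first sight is "too soon"


def find_suspicious_enrollments(events, window=WINDOW):
    """Return (user, device, ts) for every mfa_enroll event that occurs within
    `window` of the first login ever seen from that (user, device) pair, or
    from a device with no prior login at all."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort lexically
    first_seen = {}  # (user, device) -> datetime of first login
    hits = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        key = (e["user"], e["device"])
        if e["type"] == "login":
            first_seen.setdefault(key, ts)
        elif e["type"] == "mfa_enroll":
            seen = first_seen.get(key)
            if seen is None or ts - seen <= window:
                hits.append((e["user"], e["device"], e["ts"]))
    return hits


if __name__ == "__main__":
    for user, device, ts in find_suspicious_enrollments(EVENTS):
        print(f"ALERT: {user} enrolled MFA factor from new device {device} at {ts}")
```

Bob's enrollment a day after his first login on the same device is not flagged; an alert like Alice's is a cue to confirm the enrollment with the employee out of band rather than by phone.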
Agile Response and Business Resilience
Social engineering remains a critical threat even as a company’s security infrastructure gets more sophisticated. Generative AI will require a posture shift by organizations accustomed to status quo verification tools and processes. Threat models need to be agile and adapt to emerging tactics, and companies need to continuously communicate with staff to warn them when traditional verification, such as recognizing someone’s voice, is no longer sufficient.
As one of KSG’s experts recently noted, “Trusting the voice on the other end of the line is no longer enough.”
Realizations like these should prompt companies to re-examine their MFA tools and procedures and their internal access controls, and to update their phishing training programs.
Further, firms should pay particular attention to the tactics and targets of groups like Scattered Spider (aka Muddled Libra and UNC3944) which represent a new breed of highly skilled—likely western and native English-speaking—ransomware group.
Mandiant noted in a recent report that this group operates “with an extremely high operational tempo… [that] can overwhelm security response teams.”
This group is known to harass and threaten corporate executives—according to this report, there is reason to believe that “hackers tied to Scattered Spider placed bogus emergency calls to summon heavily armed police units to the homes of executives of targeted companies.”
As the MGM hack showed, the potential for serious business disruption from these types of attacks is very real. Firms should engage in functional and full-scale exercises that force executives and key operational and technical staff to rehearse their response to an incident that interrupts key revenue sources, and even presents a direct threat to corporate leadership.
Building business resilience and recovery capabilities can mean the difference between a few hours or days of disruption and a multi-week, debilitating disaster.
For more information or assistance on these issues, please reach out to email@example.com.
UN General Assembly Showcases Relationships to Watch: With US attempts to reshape Middle East security dynamics, NATO bracing for a long war in Ukraine, and Africa beset by military coups – the diplomatic agenda in New York was full this past week.
Why Europe Will Struggle to ‘De-Risk’ from China: The German economy’s dependence, the lack of European-based supply chains, and other key shortfalls are Beijing’s insurance against EU sanctions if China enacts its threats to invade Taiwan.
Azerbaijani Forces Retake Breakaway Karabakh Enclave: Armenian forces surrendered as Russian peacekeeping forces began to evacuate civilians, amid fears of a refugee crisis, or worse, ethnic cleansing. The conflict has tested Russia’s role as a treaty partner to Armenia.
Ransomware Poised for Second Most Profitable Year: The U.S. Department of Homeland Security assesses at least $449.1 million in losses globally during the first half of 2023. Researchers find that businesses need at least 22 days to recover and resume operations after an attack, while recovery often costs 50 times more than the ransom.
Cisco Acquires Splunk: The fusion of a networking giant with the security analytics giant is the largest cybersecurity acquisition in recent history, signaling the industry’s emphasis on AI-enabled prediction, prevention, detection, and response to cyberthreats.
Apple Issues Emergency Updates for Three More Zero-Days: The vulnerabilities were discovered by researchers at Google and University of Toronto who focus on spyware targeting vulnerable groups. The discovery marks 16 total zero-days identified for iPhone and Mac devices in 2023.
Strategic and Emerging Technology
Google Makes Breakthrough in Identifying Disease-Causing Genes: Researchers’ new model was able to confidently classify 89 per cent of all possible defects, identifying whether they are likely to cause diseases or are benign – compared with a mere 0.1 per cent of all variants confidently classified by human experts.
Europe at the Forefront of 3D Printing: The European Patent Office reported an explosion in the field over the past decade – growing eight times faster than all other technology fields combined. Meanwhile, Europe holds top spots for research on additive manufacturing tech. The health and medical sectors have benefitted most.
UK Parliament Passes Controversial Online Safety Bill: A key clause enables telecom regulator Ofcom to require tech companies to scan their users’ devices for child abuse content, including files and messages that are protected by end-to-end encryption.
US Regulators Put Data Brokers on Notice: Amid a crackdown in recent months on illegal sharing of sensitive personal data, a senior FTC official warned an industry conference that companies will need to evaluate what consumer data they collect and how transparent they are with customers about their data practices.
US-UK Data-Bridge Finalized: The UK will piggyback on the US-EU transatlantic data transfer arrangement, after Brussels and Washington reached agreement on adequate privacy protections earlier this year. The latter deal, however, is still subject to legal challenge, which would potentially leave London in the lurch if overturned.
Australian Strategic Policy Institute: Biotechnology and the Tight Race towards the Top
Phenomenal World: Trading Order – “Sometimes Losers Pick Governments”