Q2 2023 Cybersecurity: The Double-Edged Impact of AI
27 November 2023
If the usual threats aren’t enough to sicken even hardened cybersecurity professionals, the adoption of AI for nefarious purposes should be enough to turn all our stomachs. If there’s one thing events of the second quarter definitively prove, it’s that you’re going to need heightened security measures.
Cyber-attacks in the second quarter of 2023 swelled by 74% over the first quarter, and we hope you weren’t one of the 88.9 million organizations affected.
Back in May 2023, we published an article regarding malware attacks during the first quarter of the year. If, like us, you’d hoped that hackers take summer vacations and that things would cool off during the second quarter, we’d both have been wrong. In fact, we’d probably all have been as disappointed as every hacker’s family who sadly missed out on their summer vacations because Dad chose to work instead.
The Changing Face of Cybersecurity
As if there wasn’t already enough to deal with in the cybersecurity arena, there’s a new player in town. And this one comes in a form that we’re probably all familiar with. We’ve played with it, tested it, used it, and we’re probably on first-name terms with it by now: Artificial Intelligence (AI).
Some of the most notable emerging threats come from the exponential maturation and proliferation of artificial intelligence. According to CSO Online™, a leading information source for chief security officers, “Security officials have witnessed hackers adopt AI at a pace that rivals — and sometimes surpasses — that of enterprise technology teams.”
As hackers gain access to new technologies, we need to expect the unexpected. As Mark Ruchie, CISO at Entrust® says, “It’s a cat and mouse game.”
The use of AI allows hackers to increase the scale and speed of attacks, and conduct attacks that no human could conceive of. In addition to using AI to analyze security weaknesses and enhance attack strategies, hackers can also use it to create more sophisticated phishing and smishing* messages whose content accurately mimics the language, tone and design of legitimate emails or text messages. (*Smishing is a social engineering attack that uses fake mobile text messages to trick people into downloading malware, sharing sensitive information, or sending money to cybercriminals. The term “smishing” is a combination of “SMS” — or “short message service,” the technology behind text messages — and “phishing.”)
If that weren’t bad enough, hackers can also use AI to generate phishing or smishing campaigns in virtually any language, which expands their reach into regions where a language may previously have been a barrier.
Phishing remains the most common vector for attacks. The 2023 Comcast Business™ Cybersecurity Threat Report found that nine out of ten attempts to breach its customers’ networks started with phishing.
With AI, the atrocious grammar that would normally be a red flag for most of us is gone, leaving us vulnerable.
Second Quarter Insights
This second-quarter roundup highlights a few surprising or significant attacks that made headlines in 2023. It transpires, however, that Shakespeare’s Sonnet 18, written in the late 1500s, eerily foreshadows the events of the second quarter: “Rough winds do shake the darling buds of May.”
AI: Who controls who — and what and when?
The month of May was, undeniably, a truly horrendous month in terms of cyberattacks, the fallout of which continues to unfold. Rough winds, indeed.
30 June: Barts Health NHS Trust — the largest health trust in the UK — was hit by a ransomware gang that claimed to have stolen 7TB of sensitive data relating to 2.5 million individuals. This breach has been described as the biggest breach of healthcare data in UK history. The data stolen included employees’ financial details, passports and driver’s licenses. In this particular incident, it appears that the hackers deviated from the traditional deployment of ransomware, instead opting to exfiltrate data alone, allowing operations to continue as usual during the ransom period. The financial implications for Barts Health NHS Trust® are currently unknown.
24 June: A cyber-attack on Canadian energy company, Suncor™, resulted in card readers at more than 1,500 Petro-Canada™ gas stations going offline as hackers gained access to Petro-Points members’ information. Cashless Canadians were stranded during a busy summer travel weekend, creating chaos across Canadian roadways, with thousands of motorists running out of gas, blocking roads, and requiring towing services.
“I’d rather have a root canal than go through one of these attacks again,” Suncor President and CEO Rich Kruger said. It is unknown whether records were exposed. It is estimated that the breach will cost Suncor millions of dollars before the issue is fully resolved, in addition to reputational damage and loss of customer loyalty.
Training employees to spot phishing attempts is of inestimable value to your organization.
27 May: Sadly, the second quarter of 2023 saw the largest cyberattack of the year, which is also the largest in recent history. Hackers zeroed in on the third-party file transfer software known as MOVEit Transfer, where they exploited a zero-day vulnerability to steal data — particularly personally identifiable information (PII) — from customer databases.
In case you’re wondering precisely what a zero-day vulnerability is, it’s a security vulnerability that doesn’t yet have a fix in place, and a zero-day attack is a threat actor’s attempt to take advantage of it before one exists. Once the vulnerability has been discovered and exploited by the bad guys, developers literally have “zero days” to create a fix for it. Hence the name.
The current victim list of this attack is estimated at over 1,200 organizations — spread across the Americas, the UK, Europe, Asia, Africa, and Australia — and approximately 60 million individuals have been affected by the attack thus far. The affected organizations include major names such as AMC Theatres, American Airlines, AutoZone, Bank of America, the BBC, British Airways, Deloitte, Deutsche Bank, DHL, Ernst & Young, Honeywell, Radisson Hotels, Rite Aid, Shell, Sony, TD Ameritrade, Estee Lauder, the Hallmark Channel, Norton LifeLock, several colleges and universities, as well as state and federal agencies. (For a jaw-dropping list of the first 600 identified organizations known to be impacted, see here. For further analysis of all impacted organizations, see here.) The financial implications are virtually incalculable.
3 May: Over 26,000 people were affected when the City of Dallas fell prey to a ransomware attack that took city services offline and disrupted operations for weeks. Hackers accessed names, addresses, medical data and other information through city government servers. The intrusion also impacted municipal courts, water utilities, 911 dispatch services for police and fire departments, and other services. Not only have city employees reported identity theft, but the personal information of their children has also been stolen.
Cyber security expert Andrew Sternke explained that if children have been victimized, it can plague them into adulthood. “This information is released out onto the dark web to be sold,” Sternke said. “When that kid turns 18, it’s a free-for-all and that’s another concerning aspect: that it’s not just the adults we have to worry about.”
Identity theft in the case of minors can go undetected for many years, until the child turns 18, submits a job or college application, opens a bank account, fills out a rental application for a first apartment, or applies for a tax number. Only at this point do a wide variety of data anomalies come to light, which can be expensive and time-consuming to resolve. The kid is only 18. He or she has most definitely not worked at the XYZ Corporation for the past 12 years. He or she has never taken a personal loan from a bank, is certainly not in debt up to their eyeballs, and has never defaulted on a payment because there has never been a loan. But someone has done all of the above — using his or her name and social security number.
The Dallas City Council approved $8.6 million in payments relating to the attack to cover invoices from various vendors for emergency purchases of hardware, software, professional services, and consultants; the package also includes two years of credit monitoring for those who have experienced the theft of their personal information.
Nine out of ten attempts to breach customer networks started with phishing.
28 April: At least four Australian banks were caught up in a major ransomware attack via an attack on law firm, HWL Ebsworth™ (HWLE), during which 4TB of data were stolen, including company credentials, credit card information, customer identification details, insurance agreements, and personal information that included health records, financial data, lawyer and client communications, trade secrets, commercial strategy data, political and religious affiliations, sexual orientation and criminal records.
HWLE refused to pay the AU$5 million ransom and instead sought a Supreme Court injunction to prevent the Russian hackers from releasing further data. While the Australian injunction isn’t necessarily enforceable against the Russian hackers, it does also apply to anyone else in possession of the stolen data set.
Should the hackers, therefore, choose to release any of the data or promote the attack — including to the media — it effectively silences those outlets.
By June, HWLE had spent 5,000 hours and AU$250,000 dealing with the hackers and the effects of the attack, with the costs continuing to climb. HWLE is Australia’s largest legal partnership, with 278 partners and 1,400 staff.
19 April: Although the cyber-attack on Shields Health Care Group™ took place in 2022, it wasn’t reported to the Maine Attorney General until April 2023. The breach had been suspected back in March 2022, but the firm’s investigation only concluded in August 2023, revealing the scale of the damage.
Hackers allegedly stole personal data relating to 2.3 million individuals. This data potentially included full names, Social Security numbers, driver’s license numbers, home addresses and phone numbers, billing information, insurance information, and other medical or treatment-related information. A class-action lawsuit has been filed against Shields Health Care Group.
How To Beat Them at Their Own Game
Before you panic or sound the alarm, we should remind you that there’s a flipside to the AI coin. The hackers, luckily, do not have exclusive rights to AI technology, and savvy cybersecurity guys can use AI for highly effective defense strategies.
Many companies are adopting AI as a primary tool in their cybersecurity strategies, as evidenced by a 23.3% compound annual growth rate for AI usage in the cybersecurity market.
According to freeCodeCamp (a non-profit that makes software development education accessible to a global community), “AI algorithms can detect patterns and anomalies that may indicate a security breach, even in the absence of a known threat signature. Organizations can then quickly identify and respond to potential security incidents, reducing the risk of data breaches and other security incidents.”
It's time for the hunters to become the hunted, and AI can help.
Silently apologetic pumps after Suncor’s cyberattack.
The Silver Lining
Although the second quarter increase in cyberattacks sounds pretty bleak, there is, in fact, a modicum of good news. While second-quarter figures were undeniably up over the first quarter, there was an unexpected overall decline of 41% compared with the same period in 2022. Threat researchers at SonicWall Capture Labs ascribe this decline to the following factors:
- Increased scrutiny by law enforcement. In January 2023, the Hive ransomware gang was taken down, removing a major threat from the playing field. By February, US and UK sanctions against Trickbot members impacted the activities of several major cyber-crime groups.
- Changes to the political and economic climate. Organizations are increasingly unwilling to pay ransom demands. This is due to both growing global financial constraints and an increasing awareness that ransomware payments may potentially support a cause that an organization is loath to support.
- Tactical changes. Researchers observed an increase in “pure extortion attacks,” as cyber-criminals opt for the lesser threat of data leaks as opposed to encrypting data to extort victims. This approach frequently does not trigger ransomware detection.
The Right to Self-Defense
“The right to self-defense never ceases. It is among the most sacred, and alike necessary to nations and to individuals.” When James Monroe, the fifth President of the United States spoke these words in the 1800s, he had no idea how much they might resonate — 200 years later — with cybersecurity specialists.
But, of course, you know the deal: build a smarter rat trap and you get a smarter rat. The fact that the second-quarter figures show an increase tends to indicate that the rats might be regrouping — at least for now. We’ll have to see what Q3 brings.
“The seemingly endless digital assault on enterprises, governments and global citizens is intensifying,” states SonicWall president and CEO, Bob VanKirk, “and the threat landscape continues to expand.”
This statement is backed by research by Chainalysis™ which discovered that in the first half of 2023, ransomware attackers extorted $176 million more than during the same period in 2022, for a total of around $449 million for the first half of 2023.
Like a moth to the flame, they are drawn to even the slightest exploitable vulnerability. And then they hack the hell out of it.
5 Laws To Live by in Cybersecurity
Nick Espinosa, author, respected TEDx speaker, and part of the Forbes Technology Council, says, “It’s my job to be the best nerd-to-English translator I can be to help the world stay safe online.” Here are Nick’s five laws of cybersecurity that are designed to do just that:
Law 1: If there is a vulnerability, it will be exploited — no exceptions.
Over 500 years ago, the first bank was built — in Italy — and some miscreant’s first reaction was, “I’m gonna rob that.” Time travel to 2023 and ask yourself what’s changed. Hackers spend hours, days, and months finding and figuring out loopholes to exploit. They don’t just stumble across a vulnerability by happenstance. They’re out there, actively looking for them, day and night.
Estimates for the cost of the MOVEit breach exceed $60 billion. Ouch.
Law 2: Everything is vulnerable in some way.
Cybersecurity is big business, but no matter how much time and money we throw at it, the hackers are still infuriatingly out there, lurking like fleas, waiting for an opportunity to feed. You only have to look at some of the organizations impacted by the MOVEit disaster to know that organizations much larger than yours, and with significantly bigger security budgets, still fell prey to a vulnerability. If you disagree, see Laws 1, 2 and 3.
Law 3: Humans trust even when they shouldn’t.
None of us are born cynical. We trust, unconditionally, until some of us learn not to the hard way. You’re most likely smart enough to recognize that a plea for temporary financial assistance from a Nigerian prince is a scam, but the FBI reports that in 2022, scammers scored $10.3 billion from trusting US citizens caught up in a variety of online cons. Trust the wrong person, email, or website, and it could cost you dearly.
It’s no different when it comes to cybersecurity. We need to exercise an almost fanatical degree of caution when dealing with digital technology and the people using it. Think about it: Hackers and scammers rely on people’s trust and naivety every single day — with great success. Without inducing off-the-chain paranoia, when it comes to cybersecurity, your mantra should be, “Trust no one.”
Law 4: With innovation comes an opportunity for exploitation.
Innovation can be a double-edged sword: equal parts reward and risk. Think about your phone. You can use it for all sorts of cool things, such as checking the football score, messaging a loved one, and so much more. That’s the reward.
You can also find yourself sitting on the sofa beside your partner, each glued to your respective phones, literally nose-to-screen, blatantly oblivious to one another — and that’s just one risk.
Reward and risk go hand-in-hand, and are constant companions to innovation.
AI is a resounding example of this concept. It can do so much for us and improve our lives in multitudinous ways. But it could also end up being responsible for the “dumbing-down” of humanity as we give up our analytical capabilities, turn over critical thinking, and rely on AI to solve our problems for us. Think college students still write their own essays? Lol. Think again.
So go ahead and consider your security setup, bearing in mind that along with innovation comes an opportunity for exploitation. Grab the rewards, by all means, but remember to look out for the risks — and figure out how to negate them.
“It’s a cat and mouse game.” — Mark Ruchie, CISO at Entrust.
Law 5: When in doubt, see law number one.
Some people keep their eyes and ears peeled for weaknesses. It’s just who they are. You know the type: The guy that walks down the street, unobtrusively trying every car door handle along his route. Like a moth to the flame, these people are drawn to even the slightest exploitable vulnerability. And then they hack the hell out of it. To stay safe and secure, you must think like the hackers. You must be the one to find the vulnerabilities — not the hackers — and fix them, fast.
Nick Espinosa sums it all up. “If we ever forget this, we do nothing but ask for trouble. Our ability to defend ourselves properly comes from understanding that human nature makes these laws immutable. And when we start thinking like a hacker is when we can stop them.”
We’ll be back with our next roundup at the end of the third quarter. Until then, stay safe, shields up, and may the Force be with you.