There has been a lot of hype around AI to the point where some people are simply tuning it out. I think this is a mistake. While there are limits to what AI can do, there also are sophisticated attacks that we'd miss without it. The need for AI is driven by three fundamental yet significant changes in the enterprise computing environment. Taking all of these factors together leads me to believe that AI is not only a viable solution, but it may be the only solution.
Sophisticated threat actors can often maintain a long-term presence in their target environments for months at a time without being detected. They move slowly and with caution to evade traditional security controls, and their campaigns are often targeted at specific individuals and organizations. AI-driven malware will also be able to learn the dominant communication channels and the best ports and protocols to use to move around a network, discreetly blending in with routine activity. This ability to disguise itself amid the noise will mean that it is able to spread expertly within a digital environment and stealthily compromise more devices than ever before. AI malware will also be able to analyse vast volumes of data at machine speed, rapidly identifying which data sets are valuable and which are not, saving the (human) attacker a great deal of time and effort.
The group behind a notorious banking trojan has expanded its operations and is now offering to deliver other forms of malware on behalf of other attackers. The Mealybug hacking operation has been active since at least 2014 and is known for its custom-built Emotet trojan, a form of self-propagating malware which has mostly targeted banking customers across Europe. Now Mealybug has changed its approach to cyber crime, shifting towards using Emotet as a delivery mechanism for other groups' information-stealing malware; the US is by far the biggest market for this malicious activity, accounting for 90 percent of detections. The evolution of Emotet from banking trojan to distributor of threats for other malicious actors has been detailed by researchers at security company Symantec, who have been monitoring its activity. Emotet arrives via a phishing email containing either a malicious link or a malicious document, which is used to download the payload.
Trojan malware attacks against business targets have rocketed in the last year, as cyber criminals shift their tactics away from short-term gain and in-your-face ransomware attacks towards more subtle, long-term campaigns with the aim of stealing information including banking credentials, personal data and even intellectual property. Figures from security company Malwarebytes Labs in a new report suggest that trojan and backdoor attacks have risen to become the most detected against businesses. The number of trojan attacks has more than doubled in the last year, increasing by 132 percent between 2017 and 2018, with backdoors up by 173 percent. Malwarebytes classifies trojans and backdoors separately, describing trojans as programs "that claim to perform one function but actually do another", while a backdoor is defined as "a type of trojan that allows a threat actor access to a system by bypassing its security", giving the attacker access to systems undetected. Attacks using spyware -- malware that gathers information on a device and sends it to a third-party actor -- have also jumped hugely, up by 142 percent in the same period. "When you say spyware, people think of how it's been around for a decade or more and it's old and boring -- but it's really effective and it's really come back into fashion with the rise in attacks on businesses and a thirst for data exfiltration," Chris Boyd, lead malware intelligence analyst at Malwarebytes, told ZDNet.
The Panda banking trojan, used to steal money from organizations worldwide, is now being distributed through the Emotet threat platform. According to researchers from Cylance, Panda Banker, a variant of the Zeus banking malware, is still an active threat over two years after its discovery. The Zeus spin-off is used in targeted phishing attacks conducted over email, as well as in attacks launched via exploit kits including Angler, Nuclear, and Neutrino. Cyberattackers using the malware often embed the malicious code in crafted Microsoft Office documents, designed to deploy the payload through macros. Once Panda Banker has compromised a victim machine, it connects to a command-and-control (C2) server and sends a host profile including the OS version, latency, local time, computer name, details of any antivirus software that has been installed, and which firewalls are in operation.
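Both the Emotet paragraph and the Panda Banker paragraph describe the same delivery vector: a phishing email carrying an Office document whose macro fetches the payload. The Python below is an added example, not code from Symantec, Cylance, Malwarebytes or any of the malware families discussed. It flags OOXML attachments that carry a VBA project by inspecting the package contents rather than trusting the file extension, and it recognises (but does not parse) the legacy OLE2 container where macros live in streams a zip reader cannot see. The sample documents it builds are constructed in memory for the demonstration, and the names `scan_attachment` and `build_sample_doc` are this example's own.

```python
"""Flag Office attachments that carry a VBA macro project.

Added example with constructed sample documents; not real Emotet or
Panda Banker samples, and not code from any tool the page mentions.
"""
import io
import zipfile

# Magic bytes of an OLE2 compound file (legacy .doc/.xls and vbaProject.bin itself).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type an OOXML package declares for an embedded VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"

CONTENT_TYPES_PLAIN = """<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
</Types>"""

CONTENT_TYPES_WITH_VBA = """<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>
  <Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>
</Types>"""


def build_sample_doc(with_macros: bool) -> bytes:
    """Build a minimal OOXML container in memory (constructed test data, hypothetical)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   CONTENT_TYPES_WITH_VBA if with_macros else CONTENT_TYPES_PLAIN)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # A real vbaProject.bin is an OLE2 compound file; only its presence matters here.
            z.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 24)
    return buf.getvalue()


def scan_attachment(data: bytes) -> dict:
    """Classify an attachment blob without relying on its file name.

    Returns {'container': 'ooxml' | 'ole2' | 'other',
             'has_macros': bool (meaningful for ooxml only),
             'evidence': [str, ...]}.
    """
    result = {"container": "other", "has_macros": False, "evidence": []}

    if data.startswith(OLE2_MAGIC):
        # Legacy binary Office file: VBA sits in OLE streams, so a zip reader cannot
        # decide; route it to an OLE-aware parser instead of declaring it clean.
        result["container"] = "ole2"
        result["evidence"].append("legacy OLE2 container; needs an OLE parser to check for VBA streams")
        return result

    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["evidence"].append("not a zip container")
        return result

    names = z.namelist()
    if "[Content_Types].xml" not in names:
        result["evidence"].append("zip without [Content_Types].xml; not an OOXML package")
        return result
    result["container"] = "ooxml"

    # Evidence 1: a vbaProject.bin part anywhere in the package (word/, xl/, ppt/).
    vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
    for part in vba_parts:
        result["evidence"].append(f"macro part present: {part}")

    # Evidence 2: the package declares the VBA content type. Both checks run because
    # a hand-crafted file can have the part without the declaration or vice versa.
    content_types = z.read("[Content_Types].xml").decode("utf-8", errors="replace")
    declared = VBA_CONTENT_TYPE in content_types
    if declared:
        result["evidence"].append("[Content_Types].xml declares a VBA project")

    result["has_macros"] = bool(vba_parts) or declared
    return result


if __name__ == "__main__":
    for label, blob in (("macro-enabled", build_sample_doc(True)),
                        ("plain", build_sample_doc(False)),
                        ("legacy", OLE2_MAGIC + b"\x00" * 8)):
        print(label, scan_attachment(blob))
```

This is a triage check rather than a verdict: a flagged package still needs its macro source examined (olevba from the oletools project does that), and a legacy OLE2 file is only identified here, since the VBA streams it contains are outside what the zip module can read. Keying on the container contents rather than the extension means a macro-enabled package that has been renamed is still flagged.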