The chief research officer of WithSecure says that fears that companies could lose millions to deep-faked CEOs and CFOs are overblown. For now at least.
Mikko Hypponen, wrapping up the company’s partner event in Helsinki this week, said that he had only seen evidence of two such attacks, and wanted to “calm down…the hype about AI attacks.”
Where AI had been used in such attacks, it had been pre-rendered, rather than used in real time.
While the technology certainly exists to carry out such attacks in real time, “We aren't seeing a massive amount of attacks yet. Is it going to get worse? Frankly it will but it's not a huge problem yet.”
More broadly, he said, as with any technology it was impossible to put the AI genie back into the bottle when it was used for criminal behaviour.
Likewise, he said, the mathematics behind encryption could be read in any library, so governments looking to scale back on encryption or build in backdoors would simply cede secure messaging to those willing to break the law, i.e., cybercriminals.
But the onset of quantum computing meant that traditional encryption would inevitably be broken. Upgrading to quantum-safe encryption would be a massive undertaking, he said, stretching from government and ecommerce systems to cars, TVs and smart watches.
As for more immediate threats, WithSecure execs said enterprises are managing to hold the line on cybersecurity, but mid-sized orgs are struggling with complexity and cost.
And while the industry has hyped the importance of edge computing in recent years, edge devices are a primary vector for attacks, research from the Finnish security vendor shows.
Interim CEO Antti Koskela said that smaller firms were “losing digital confidence...because the cybersecurity playbook for the midmarket is broken.” That was in large part because the current playbook was geared towards the “needs of large enterprises and their allies.”
The largest companies, and their ecosystems, “have been building more projects, more products, more controls, more processes, more everything. And it has made them incrementally safer,” he said, albeit at the price of more uncertainty, cost and complexity.
Smaller organizations could no longer count on not being a tempting target for attackers, he said. “They don't discriminate targets based on their size. These midsize companies process valuable information.” But they are often left without “viable, affordable and feasible choices.”
Meanwhile cybercriminals were operating at an industrial scale. “They can scan the internet in a matter of hours, all the vulnerabilities.”
This has sparked a wave of “mass notifications” and exploits. WithSecure senior threat intelligence analyst Stephen Robinson said January this year had felt like a 90-day month. “Since January, we've just been dominated by these mass notifications.”
While there had been a drop in phishing and other attacks via email, he said, from last year, “We noted the importance of mass exploitation, that lots of actors were doing it, it was a big and growing infection vector. But volume and severity has really exploded.”
The focus was on edge services and infrastructure, he said. Attackers could find credentials or valuable information on such devices. And edge devices were often installed and forgotten – both by admins, and manufacturers. Moreover, attackers could sell on access to more focused or able criminals.
“So this takes away their need to discriminate to be selected incentivizes quantity over quality.”
In 2022, he said, “We found that smaller organizations - so that means a headcount up to 200 - made up 50% of victims.” Now, he said, “Those smaller organizations make up 60% of victims posted to ransomware league sites.”