For the third quarter in a row, Gartner reports that cyber attacks using artificial intelligence are the biggest worry for businesses. A survey of 286 senior risk and assurance executives showed that 80% are primarily concerned about AI-enhanced malicious attacks. This concern makes sense given the rising evidence of AI-assisted attacks.
The report also highlights other emerging threats, including AI-driven misinformation, increasing political division, and mismatched organizational talent. Attackers are now employing AI for various activities like crafting malware and designing phishing emails.
In June, HP detected a malware email campaign, and the involved script seemed likely to be AI-generated. The script was well-structured and included explanatory comments—efforts that typically wouldn’t make sense for a human writer. When researchers tried to replicate it using generative AI, the outputs were strikingly similar, indicating that the malware was at least partly crafted by AI.
On the email compromise front, security firm Vipre reported a 20% rise in attacks during the second quarter, with two-fifths of these cases being AI-generated. The main targets were CEOs, HR, and IT staff. Usman Choudhary from Vipre emphasized that criminals are now harnessing sophisticated AI to create phishing emails that convincingly imitate real communications.
Retail sites faced a staggering average of 569,884 AI-driven attacks daily from April to September, according to Imperva Threat Research. Tools like ChatGPT, Claude, and Gemini are being exploited for distributed denial-of-service attacks and other malicious activities.
Interestingly, more ethical hackers are also using generative AI. BugCrowd reported an increase from 64% to 77% over the past year. These researchers utilize AI for various attacks and automation, highlighting that if the ethical hackers find AI useful, criminals will as well.
The surge in these attacks doesn’t surprise experts. AI makes cybercrime accessible, enabling less-skilled criminals to create deepfakes and scan networks. Researchers at ETH Zurich developed a model capable of solving CAPTCHAs on Google, which could further lower barriers for malicious activities.
Radware analysts predicted earlier this year that this accessibility would lead to private generative AI models being used for bad ends, along with an uptick in zero-day exploits and deepfake scams. Google’s Mandiant tracked 97 zero-day vulnerabilities in 2023, a 56% increase from 2022. Microsoft recently identified deepfakes as one of the significant threats from active ransomware groups.
Executives are also increasingly worried about excessive reliance on IT vendors. For the first time, vendor criticality made Gartner’s list of top concerns. Zachary Ginsburg from Gartner pointed out that concentration with one vendor raises risks during outages or unexpected regulatory changes. He referred to the July outage at CrowdStrike, which impacted about 8.5 million Windows devices, disrupting critical services globally.
With these dependencies, organizations often underestimate their potential risks. Gartner anticipates that by 2025, 45% of companies worldwide will have experienced attacks targeting their software supply chains.