Generative artificial intelligence is making it easier to harvest credentials. Phishing emails written by generative AI had a click-through rate of 54%, compared with 12% for those written manually, per the report.
In one instance, a company made a $25.6 million wire transfer in response to an emailed deepfake video. Companies are also unwittingly hiring North Korean attackers who create fake LinkedIn profiles with generative AI, then use deepfake videos during their interviews while answering questions via generative AI.
“Not only are these adversaries using different techniques, different capabilities, they’re also doing it faster,” Meyers said.
The average breakout time — the time it takes an adversary to move laterally within a network — was 48 minutes in 2024, down from 62 minutes the year before. The fastest breakout recorded was just 51 seconds, according to the report.
Some threat actors, known as access brokers, gain access to a target and then sell it to the highest bidder. This activity jumped 50% in 2024, per the report.
LEARN MORE: Identity and access management’s role is evolving in the era of AI.
Don’t Underestimate Cloud-Conscious Adversaries
CrowdStrike further found a 26% increase in cloud intrusions, and abuse of valid accounts has become the primary method attackers use to access the cloud, accounting for 35% of cloud incidents in the first half of 2024. This signals that adversaries are improving their ability to target and operate in such environments.
Once inside the cloud, adversaries are targeting generative AI models — one reason China and North Korea are increasing their cloud collections, Meyers said.
Salt Typhoon often accesses the cloud by finding vulnerabilities in edge-facing devices.
“You can gain access to an older VPN concentrator or network router and then pivot from there, deeper into the environment,” Meyers said. “And because those things don’t run modern security tools, they’re softer targets.”
Organizations need to prioritize what they patch based on intelligence assessments of what adversaries are exploiting, especially as threat actors increasingly chain vulnerabilities together, he said.
Plenty of adversaries do their homework, scouring public research, disclosures and blogs for new exploits targeting small parts of identities.
“If you're not looking across all of those domains, then you’re going to miss all of these attacks,” Meyers said.