AI-Driven Attacks Shrink 'Exploitation Window'
Cybersecurity firm Cynet released a report indicating that AI use by attackers has collapsed the "exploitation window"—the time between a vulnerability's disclosure and its active use—to mere hours. The report notes a shift in tactics, with adversaries now focusing on abusing existing security controls "as designed" rather than breaking them. In a recent podcast, security expert Adam Goslin added that organizations are neglecting essential safeguards during rapid AI adoption, leaving sensitive data vulnerable.
- The Cynet report highlights that attackers use AI to accelerate malware development, enabling less skilled actors to create new variants of credential stealers and loaders that can evade detection. It also facilitates hyper-realistic phishing campaigns that personalize themselves dynamically to manipulate users. - The "living off the land" (LotL) approach is a core tactic where attackers use a system's own legitimate tools and features, such as PowerShell or other system binaries (LOLBins), to carry out malicious activities. This method allows them to blend in with normal network traffic and administrative activity, making detection by traditional security tools significantly more difficult. - A prime example of AI in malware is "PromptSpy," the first known Android threat to use a generative AI (Google's Gemini) in its execution. It uses the AI to interpret on-screen elements and dynamically create instructions to persist on the device, overcoming variations in Android versions and UI layouts to maintain remote access via a VNC module. - The average time between the disclosure of a vulnerability and its active exploitation (Time-to-Exploit or TTE) has dramatically shrunk. While one report in early 2025 cited an average of three days, others noted a drop from 745 days in 2020 to just 44 days by 2025, with some vulnerabilities being weaponized within hours of public disclosure. - Attackers are shifting from "break-in" methods to "log-in" attacks that abuse legitimate credentials and access. Tactics include "identity-bending" social engineering that manipulates collaboration tools like Microsoft Teams for remote access and creating "zombie sessions" with stolen tokens that bypass standard multi-factor authentication. - The abuse of legitimate remote monitoring and management tools, such as AnyDesk and TeamViewer, has become a prominent vector for supply chain and third-party attacks, impacting over 1,200 victims in 2025. - In 2025, more than 40% of the vulnerabilities added to CISA's Known Exploited Vulnerabilities (KEV) catalog were zero-days, meaning they were exploited before a patch was available. The total number of zero-day vulnerabilities also reached an all-time high.
