Introduction to AI-Generated Zero-Day Exploits
Google has recently published a report summarizing its observations on the use of artificial intelligence in the cyber threat landscape. The report draws on data collected by Gemini, Google Threat Intelligence Group (GTIG), and Mandiant. One of the most notable findings is that a prominent cybercrime group leveraged AI to develop a zero-day exploit designed to bypass two-factor authentication (2FA) on an open source web-based system administration tool.
The exploit was implemented in a Python script, and although the hacker group and the targeted tool have not been named, Google said it worked with the impacted vendor to prevent mass exploitation, which appeared to be the threat actor’s plan. Google explained that it has high confidence that the actor likely leveraged an AI model to support the discovery and weaponization of this vulnerability, based on the structure and content of these exploits.
Characteristics of AI-Generated Exploits
Google highlighted that the script contains an abundance of educational docstrings, including a hallucinated CVSS score, and uses a structured, textbook Pythonic format highly characteristic of LLMs training data. For example, the script includes detailed help menus and the clean _C ANSI color class.
State-Sponsored Threat Actors and AI
Google also noted that Chinese and North Korean state-sponsored threat actors have been particularly interested in leveraging AI for vulnerability discovery. A China-linked actor was observed deploying agentic tools such as Strix and Hexstrike in attacks targeting a Japanese tech firm and a major East Asian cybersecurity company.
UNC2814, a Chinese group known for targeting telecoms and government organizations, used a persona-driven jailbreak — in which the AI is instructed to act as a senior security auditor — to enhance vulnerability research on embedded devices, including TP-Link firmware with OFTP implementations.
North Korean Threat Actors and AI
The North Korean group tracked as APT45 sent out thousands of repetitive prompts to recursively analyze CVEs and validate PoC exploits. This results in a more robust arsenal of exploit capabilities that would be impractical to manage without AI assistance, according to Google.
Autonomous Malware Operations and AI-Augmented Defense Evasion
The full report also covers autonomous malware operations, AI-augmented defense evasion, supply chain attacks, and threat actors pursuing premium access to LLMs. Google noted that the use of AI in cyber attacks is becoming increasingly common, and that defenders must be aware of these new threats in order to stay ahead of attackers.
Google’s report highlights the need for increased awareness and education on the use of AI in cyber attacks, as well as the importance of developing effective defenses against these types of threats. As the use of AI in cyber attacks continues to evolve, it is essential that defenders stay up-to-date with the latest threats and trends in order to protect themselves and their organizations.
- Google has identified a zero-day exploit believed to have been developed using artificial intelligence.
- The exploit was designed to bypass two-factor authentication on an open source web-based system administration tool.
- Chinese and North Korean state-sponsored threat actors have been particularly interested in leveraging AI for vulnerability discovery.
- The use of AI in cyber attacks is becoming increasingly common, and defenders must be aware of these new threats in order to stay ahead of attackers.
Source: SecurityWeek