The hunt is on to find protections against the coming generation of adaptive AI worm malware in order to head off a global incident on the scale of other famous worm events, such as NotPetya, Stuxnet, MSBlast, or the SQL Slammer worm.

AI adaptive worms will be autonomous agents that rapidly self-propagate by searching for zero-day bugs, known but unpatched software flaws, and unprotected secrets — and they will be able to do this across multiple environments, morphing dynamically as they go. 

To get ahead of this evolution, AI/machine learning (ML) security researchers at the University of Toronto, the Canadian AI incubator Vector Institute, enterprise-software firm ServiceNow, and the University of Cambridge created a proof-of-concept (PoC) agentic AI worm that spreads by adapting to each new environment, searching for vulnerabilities, and creating programs to exploit the systems. At cybersecurity firm BeyondTrust, researchers are also creating and testing the capabilities of an AI worm. The goal is similar to virologists’ “gain of function” research, which creates pathogens to study how to protect the world against potential pandemics.

Agentic, adaptive AI worms haven’t yet reared their heads in the wild, but Kinnaird McQuade, chief security architect at BeyondTrust, expects such an event in six months to a year, he told attendees at the fwd:cloudsec North America Conference this week.

“I personally believe that an AI powered worm attack is imminent,” he said. “I think it’s going to target developers and engineers … who have broad access, and will pivot through clouds, and I think many companies will not recover.”

Attackers have already started combining self-propagation capabilities, which are historically what defines a “worm,” with malicious AI tools to attack developers and software supply chains. Last September, cybersecurity firms warned that a worm, Shai-hulud, started squirming its way through Node Package Manager (npm) repositories, stealing developer credentials and secrets in order to infect new packages. The next month, researchers discovered the GlassWorm attack, which utilizes VS Code extensions to compromise developer machines.

Other malware operators have started using large language models (LLMs) to improve obfuscation during attack execution, although most attackers use LLMs to help code malware, not as a runtime capability.

An Old Cyber Threat With a New AI Spin

AI worms are the next step, and not necessarily a new idea. These types of AI-powered digital programs have shown up in fiction: Daniel Suarez’s Daemon (2006) had an AI that spread through systems, while Daniel H. Wilson’s AI in Robopocalypse (2011) escaped digital containment and then spread to devices.

The real-world PoC AI agents are more modest: they replace “fixed exploitation code with goal-directed reasoning that adapts to the vulnerabilities of each target in real time,” the University of Toronto researchers stated on their site. The agents spread across a network by jumping from device to device, adapting to each new environment, stealing secrets, and finding vulnerabilities by using the systems’ own resources against them.

“Traditional worms can be stopped by patching the specific vulnerability they exploit,” the researchers wrote. “Our adaptive worm cannot be stopped this way: it uses a recursive reasoning loop to detect and exploit diverse vulnerabilities as it propagates.”

[Figure: a chart showing how an AI worm spreads]

The worm only uses small, free AI models to drive its decision-making and reasoning capabilities, the researchers stated. The AI agent autonomously identifies vulnerabilities and sensitive information on each machine, and then uses those weaknesses to spread.

This is the evolutionary process at work, says Gary McGraw, founder of the Berryville Institute of Machine Learning (BIML). If regular worms are “viruses with wings,” AI worms are “viruses with wings and brains,” he says.

The problem is that despite three decades of trying to deal with software vulnerabilities, most businesses will be faced with insurmountable patching issues. Even with vulnerability-finding technologies, and the purported power of Anthropic’s Mythos, it will be tough to significantly reduce the attack surface given all the software that’s out there, McGraw says.

“There are two dimensions in vulnerability management,” he says. “We are going to be building better software, and driving down some of our technical debt, but we’re also going to be building more software than ever.”

AI Worms Approach: A Deadline for Stronger Security

Research work on adaptive AI worms could itself be the catalyst for malicious development, or at least a harbinger. In August 2002, a paper by a trio of researchers, “How to 0wn the Internet in Your Spare Time,” discussed using lists of vulnerable servers as a preset to speed worm propagation — a so-called “flash worm.” Five months later, just such a worm arrived, as the SQL Slammer worm spread across the Internet, infecting 90% of its hosts in less than 10 minutes.

There are technical hurdles for any would-be attackers, however. While cryptojacking shows that attackers can hijack processors and memory without the victim necessarily noticing, an AI worm would be an order of magnitude more obvious, says August Moore, senior AI and security engineer at 7AI, an AI-cybersecurity firm.

“[I]t’s much easier to stay hidden on systems where no one is looking,” he says, while a model running on a typical system will be much more detectable: “Tens of gigabytes resident in VRAM and an ML [machine-learning] runtime on a host with no reason to run inference won’t fade easily into background noise.”
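The detection signal Moore describes can be turned into a simple fleet check. The following is an added example, not code from the article or from 7AI: it flags processes that hold large amounts of VRAM or map an ML runtime on hosts whose role gives them no reason to run inference. The role names, the 4 GiB threshold, the library-name markers and the sample telemetry are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumptions for this example (not from the article): approved roles,
# the VRAM threshold and the library-name markers are illustrative.
INFERENCE_ROLES = {"ml-serving", "ml-training"}
VRAM_THRESHOLD_MIB = 4096
ML_RUNTIME_MARKERS = ("libcudart", "libcublas", "libtorch",
                      "libonnxruntime", "libggml")

@dataclass(frozen=True)
class ProcSample:
    host: str
    role: str           # role assigned to the host in the asset inventory
    pid: int
    exe: str
    vram_mib: int       # GPU memory held by the process
    mapped_libs: tuple  # shared objects mapped into the process

def ml_markers(sample):
    """Return the ML runtime markers found in the process's mapped libraries."""
    return sorted({m for m in ML_RUNTIME_MARKERS
                   for lib in sample.mapped_libs if m in lib})

def unexpected_inference(samples):
    """Flag inference-like processes on hosts with no reason to run inference."""
    findings = []
    for s in samples:
        if s.role in INFERENCE_ROLES:
            continue  # inference is expected on these hosts
        reasons = []
        if s.vram_mib >= VRAM_THRESHOLD_MIB:
            reasons.append(f"vram={s.vram_mib}MiB")
        markers = ml_markers(s)
        if markers:
            reasons.append("runtime=" + ",".join(markers))
        if reasons:
            findings.append((s.host, s.pid, s.exe, reasons))
    return findings

# Constructed sample telemetry (not real hosts or processes).
SAMPLES = [
    ProcSample("gpu-serve-01", "ml-serving", 2211, "/usr/bin/python3", 38000,
               ("/usr/lib/libtorch_cuda.so",)),
    ProcSample("build-agent-07", "ci-runner", 9134, "/tmp/.cache/runner", 22500,
               ("/tmp/.cache/libggml.so", "/usr/lib/libcudart.so.12")),
    ProcSample("build-agent-07", "ci-runner", 812, "/usr/bin/node", 0,
               ("/usr/lib/libssl.so.3",)),
    ProcSample("dev-laptop-33", "workstation", 4410, "/opt/app/helper", 0,
               ("/opt/app/libonnxruntime.so.1",)),
]

if __name__ == "__main__":
    for finding in unexpected_inference(SAMPLES):
        print(finding)
```

The check depends on an accurate host-role inventory: a host wrongly tagged as an inference server is skipped entirely.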

Stop the Worms Before They Start

Making enterprise networks resilient to AI worms will take hardening and visibility, McQuade tells Dark Reading. Least privilege is a critical approach for weathering an AI worm attack — companies should look to get more endpoint and cloud telemetry, and start setting up auto-remediation actions.

“It’s about stopping [an attack] before it starts, and taking action immediately when you notice those signals, and being able to understand that broader blast radius,” he said. “The worm loved when it found over-privileged roles, human access to production environments, and secrets sprawl. We have to deal with this at a scale like we haven’t seen before, and the barrier to creating AI-powered worms is low.”

The University of Toronto researchers also focused on detection, reducing the attack surface, and limiting propagation as the best approaches for defenders. The good news is that the basics are still effective.

“Zero-trust architectures limit lateral movement after a foothold is established, by requiring continuous authentication for every access request,” they said in an FAQ accompanying their research. “Network micro-segmentation constrains the set of hosts reachable from any single compromised machine. Our test environment represented a worst-case flat network — even basic segmentation would substantially limit the worm’s reach.”
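The researchers' point about flat versus segmented networks can be measured as a blast radius. This added example (not from the research or the article) computes the set of hosts reachable from one compromised machine by chaining allowed connections, first on a flat network and then under a segment-level allow list. The host inventory, segment names and policy are constructed, and intra-segment traffic is assumed to be open.

```python
from collections import deque

# Constructed inventory: host -> segment (names are illustrative).
HOSTS = {
    "ws-1": "workstations", "ws-2": "workstations",
    "ci-1": "ci", "ci-2": "ci",
    "app-1": "prod", "app-2": "prod",
    "db-1": "data",
}
# Constructed policy: directed (source segment, destination segment) allows.
SEGMENT_ALLOW = {("workstations", "ci"), ("prod", "data")}

def can_connect(src, dst, policy):
    """policy=None models the flat network: any host may reach any other."""
    if src == dst:
        return False
    if policy is None:
        return True
    a, b = HOSTS[src], HOSTS[dst]
    # Assumption: traffic inside a segment is not filtered.
    return a == b or (a, b) in policy

def blast_radius(start, policy):
    """Hosts reachable from `start` by chaining allowed connections (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in HOSTS:
            if nxt not in seen and can_connect(cur, nxt, policy):
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

def report(start):
    """Compare reach on the flat network with reach under SEGMENT_ALLOW."""
    flat = blast_radius(start, None)
    seg = blast_radius(start, SEGMENT_ALLOW)
    return {"flat": sorted(flat), "segmented": sorted(seg),
            "cut_off": sorted(flat - seg)}

if __name__ == "__main__":
    print(report("ws-1"))
    # One extra allow rule restores full reach through chaining:
    print(len(blast_radius("ws-1", SEGMENT_ALLOW | {("ci", "prod")})))
```

Because reach is transitive, a single added rule such as ci to prod brings every host back into range of a compromised workstation, so policy changes are worth re-checking with the same calculation.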




