• Neeve
  • Posts
  • 🤖 AI Behavioral Analytics Saves $2.22M Per Breach

🤖 AI Behavioral Analytics Saves $2.22M Per Breach

Fines, leaks, and hacks—key cyber updates

Author

Alison Bridge
June 17, 2025

Welcome to your essential briefing on threats at the intersection of cybersecurity and critical infrastructure, brought to you by Neeve, the edge cloud security platform for smart buildings, making built spaces secure, intelligent, and sustainable.

This Week’s Cyber Insights

Traditional security tools that rely on static rules and basic alerts are failing against attacks that target human behavior rather than technical vulnerabilities. As cyberthieves hijack login credentials to move laterally through networks undetected, behavioral analytics powered by machine learning is emerging as the critical defense for critical infrastructure operations.

  • Organizations applying AI and automation to security prevention save an average of $2.22 million in breach costs according to IBM's 2024 report

  • Dynamic risk scoring using Explainable AI evaluates past activity and compares behavior within peer groups to identify anomalies

  • Real-time behavioral interventions block high-risk users attempting data exfiltration while triggering just-in-time training modules

  • Red team simulations replicate Living-off-the-Land techniques using tools like PsExec and Cobalt Strike to test defenses

  • Risk-based training orchestration uses SCIM integration to provide automated, customized security training based on behavior-analytics risk profiles

🤔 The Bigger Picture:

The 2025 Verizon data breach report shows 8% of workforce causes 80% of incidents. Behavioral analytics detects subtle anomalies that attackers use to remain undetected in building automation systems. Facility managers need UEBA solutions to identify when legitimate credentials access R&D blueprints at midnight or building management systems unusually.

Fog ransomware hackers are employing an uncommon toolset that combines legitimate employee monitoring software with open-source penetration testing utilities, demonstrating sophisticated evasion techniques that traditional security tools struggle to detect in critical infrastructure environments.

  • Syteca (formerly Ekran) legitimate employee monitoring software deployed to record screen activity and collect credentials

  • GC2 open-source post-exploitation backdoor uses Google Sheets and Microsoft SharePoint for command-and-control communications

  • Stowaway proxy tool enables covert file transfers while SMBExec facilitates lateral movement across networked systems

  • Attack arsenal includes Adapt2x C2 (Cobalt Strike alternative), Process Watchdog system monitoring, and PsExec for remote execution

  • Data preparation and exfiltration performed using 7-Zip, MegaSync, and FreeFileSync utilities during recent financial institution attack

🤔 The Bigger Picture:

Fog ransomware's use of legitimate monitoring software creates blind spots in traditional security detection, as these tools are often whitelisted in smart building environments. Facility managers need enhanced monitoring of data transfers from building management systems and careful scrutiny of administrative tools that could be weaponized.

Artificial intelligence is turbocharging hackers' operations from writing malware to preparing phishing messages, but its impact has limits according to Gartner research. While GenAI improves social engineering and attack automation, it hasn't yet introduced entirely novel attack techniques that cybersecurity frameworks haven't seen before.

  • HP researchers documented hackers using AI to create remote access Trojans, with Gartner confirming attackers leverage GenAI for new malware creation

  • Fake open-source utilities created by AI trick developers into incorporating malicious code into legitimate applications before production

  • GenAI enables attackers to overwhelm code repositories like GitHub faster than malicious packages can be removed

  • 28% of organizations experienced deepfake audio attacks, 21% deepfake video attacks, but only 5% suffered actual theft from deepfake incidents

  • Attack volume automation allows cybercriminals to scale operations significantly, moving much quicker through full attack spectrum

🤔 The Bigger Picture:

GenAI attack automation poses immediate risks to critical infrastructure by overwhelming defensive capabilities with volume-based attacks. Building operators should implement enhanced code repository monitoring and developer security training, as malicious utilities could backdoor building management systems before deployment.

The cybersecurity landscape has dramatically shifted as bad actors discover new ways to weaponize generative AI tools for sophisticated attacks. From "vibe hacking" to malware development to deepfakes, threat actors are changing cyber attack tactics and using GenAI tools faster than enterprises can adopt defensive measures.

  • "Vibe hacking" enables social engineering attacks using AI to manipulate human emotion or perception at unprecedented scale

  • HP researchers documented hackers using AI to create remote access Trojans and fake open-source utilities targeting developers

  • EchoLeak zero-click vulnerability (CVE-2025-32711, CVSS 9.3) allows data exfiltration from Microsoft 365 Copilot without user interaction

  • Vietnam-based hackers created network of fraudulent AI video generator websites to distribute infostealers via social media ads

  • Advanced persistent threat groups from Iran, China, North Korea, and Russia experiment with Gemini to streamline cyber operations

🤔 The Bigger Picture: 

AI-jailbroken tools enable attackers to generate malicious code and sophisticated social engineering faster than traditional security training can adapt. Building operators must prepare for AI-generated phishing targeting operational technology credentials and enhanced reconnaissance capabilities that reduce attack development timelines.

Further Alerts & Insights

🛠️ Securing The AI Tooling Revolution: Building Cyber-Resilient Future with MCP and CTEM

The Model Context Protocol (MCP) is transforming AI agent interactions but introducing complex security vulnerabilities. Continuous Threat Exposure Management (CTEM) provides structured approaches for securing AI-enabled ecosystems against emerging threats in critical infrastructure environments.

🔒 EchoLeak Zero-Click AI Attack in Microsoft Copilot Exposes Company Data

Cybersecurity firm Aim Labs uncovered a critical zero-click vulnerability in Microsoft 365 Copilot that allows attackers to steal sensitive information without user interaction. The EchoLeak attack exploits LLM Scope Violation, enabling data exfiltration through specially crafted emails that bypass security filters.

🎯 New TokenBreak Attack Bypasses AI Models with Single Character Change

Researchers discovered the TokenBreak technique that exploits tokenization differences to fool AI-powered content moderation systems. Adding a single character to trigger words like "ignore previous finstructions" can bypass protective models while preserving malicious intent for target systems.

🏭 Whole Foods Supplier Hack Leaves Empty Shelves, Stalls Forklifts

United Natural Foods Inc. (UNFI), Whole Foods' primary distributor, shut down nationwide operations after a June 5 cyberattack. The incident demonstrates critical infrastructure vulnerability in just-in-time supply chains, with forklift operators sent home and manual processes implemented.

⚡ N.S. Power Approved for $1.8M Cybersecurity Project Weeks After Ransomware Attack

Nova Scotia Power received approval for cybersecurity improvements just weeks after a ransomware attack affected 280,000 customers' personal data. The utility's network equipment was considered "end of life" since 2016, highlighting critical infrastructure vulnerability concerns.