AI, exploit code tied to 178% rise in device compromises

Cisco Talos reports AI and public exploit code cut the time to weaponize bugs, driving a 178% jump in device compromises and urging stronger identity, MFA and legacy-system controls.

Cisco Talos reported in April that the spread of AI tools and publicly available exploit code has shortened the time between vulnerability disclosure and active exploitation, driving a 178% increase in device compromises. The threat intelligence team identified identity infrastructure, exposed legacy systems and platforms that broker trust as primary attacker targets.

Talos said attackers are automating vulnerability weaponization and focusing on single sign-on (SSO) and multifactor authentication (MFA) workflows. The team noted a rise in incidents where SSO and MFA credentials were bypassed, misused or obtained through social-engineering techniques aimed at employee login flows.

Recent incidents cited by Talos include a breach at a major home-security provider that affected millions of customers after an employee SSO account was compromised in a voice phishing attack. Open-source supply chains were targeted when a widely used Python package with about 1.1 million monthly downloads was altered to deliver an information-stealing payload; a Docker image built from that package propagated the malicious code. Talos also reported active exploitation of a critical flaw in a small-language-model package within 36 hours of public disclosure.

Talos’ Q1 incident response data showed phishing has returned as the top initial access vector against health care and public administration targets. The team also documented cases where ransomware groups leaked each other’s stolen data, illustrating disorder among threat actors.

The report noted that attackers commonly reuse infrastructure and fail to mimic legitimate user behavior. Those patterns produce detectable anomalies when compared with normal activity, according to Talos.

Talos issued operational recommendations for defenders. The guidance includes treating identity infrastructure as a top-priority asset, tightening MFA workflows with stricter verification steps, and hardening SSO configurations. Teams are advised to build baseline detections that track typical post-login actions so anomalous sessions stand out.

On patching, Talos recommends prioritizing vulnerabilities based on internet exposure rather than relying only on severity scores. Security teams should hunt for long-tail legacy risks such as old systems and forgotten services that remain reachable from the internet and are attractive to automated scanners. The advisory also calls for enhanced monitoring of management-plane systems and targeted detection of anomalous events to reduce alert noise.

For security operations centers, Talos recommends establishing clear baselines for normal user and device behavior, enforcing strict verification for high-risk actions such as MFA resets or SSO changes, and applying continuous discovery to locate outdated services that may not appear in inventories. The report framed these steps as ways to detect automated attacks through deviations from regular patterns.
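One way to turn the baseline advice above (and the infrastructure-reuse observation earlier in the piece) into detection logic, as an added example rather than anything from the Talos report: a per-user baseline of usual post-login actions and source addresses, with sessions flagged for high-risk actions (MFA resets, SSO changes), never-seen actions, new source IPs, or one IP driving sessions for several users. The audit events, user names, action names and IPs are all constructed for the example.

```python
from collections import Counter, defaultdict

# Actions the report singles out for strict verification: MFA resets and SSO changes.
HIGH_RISK = {"mfa_reset", "sso_config_change"}

# Constructed sample SSO audit events: (user, session_id, src_ip, action).
BASELINE = [
    ("alice", "b1", "10.0.0.5", "open_mail"), ("alice", "b1", "10.0.0.5", "open_calendar"),
    ("alice", "b2", "10.0.0.5", "open_mail"), ("alice", "b2", "10.0.0.5", "open_ticketing"),
    ("bob", "b3", "10.0.0.9", "open_mail"), ("bob", "b3", "10.0.0.9", "open_wiki"),
]
NEW_SESSIONS = [
    ("alice", "s1", "10.0.0.5", "open_mail"), ("alice", "s1", "10.0.0.5", "open_calendar"),
    ("alice", "s2", "203.0.113.7", "mfa_reset"), ("alice", "s2", "203.0.113.7", "list_all_users"),
    ("bob", "s3", "203.0.113.7", "open_mail"), ("bob", "s3", "203.0.113.7", "sso_config_change"),
]

def build_baseline(events):
    """Per-user counts of usual post-login actions and the set of usual source IPs."""
    actions, ips = defaultdict(Counter), defaultdict(set)
    for user, _sid, ip, action in events:
        actions[user][action] += 1
        ips[user].add(ip)
    return actions, ips

def score_sessions(events, baseline):
    """Return {session_id: [reasons]} for sessions that deviate from the baseline."""
    actions, ips = baseline
    sessions, users_by_ip = defaultdict(list), defaultdict(set)
    for user, sid, ip, action in events:
        sessions[sid].append((user, ip, action))
        users_by_ip[ip].add(user)  # reused infrastructure shows up as one IP, many users
    findings = {}
    for sid, rows in sessions.items():
        user, reasons = rows[0][0], set()
        for _u, ip, action in rows:
            if action in HIGH_RISK:
                reasons.add(f"high-risk action {action}")
            elif action not in actions[user]:
                reasons.add(f"never-seen action {action}")
            if ip not in ips[user]:
                reasons.add(f"new source ip {ip}")
            if len(users_by_ip[ip]) > 1:
                reasons.add(f"ip {ip} shared across {len(users_by_ip[ip])} users")
        if reasons:
            findings[sid] = sorted(reasons)
    return findings

if __name__ == "__main__":
    for sid, why in score_sessions(NEW_SESSIONS, build_baseline(BASELINE)).items():
        print(sid, why)
```

Session s1 matches alice's baseline and produces no finding; s2 and s3 are flagged on several counts at once, which is the kind of stacked deviation the report says makes automated activity stand out.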

The Talos analysis and recommendations focus on observable and controllable areas: identity systems, MFA workflows, exposure-based patching and active hunting for legacy assets. The advisory lists technical measures (patching, monitoring and MFA hardening) alongside operational practices including active threat hunting and prioritizing fixes by internet exposure.
