Be Warned: Hackers Have Commandeered HexStrike AI, Intended as a Defensive Tool, And Are Using It To Launch Attacks


By Dave Carey


Occasionally tools designed to protect against cyberattacks end up being commandeered by dark web hackers and used against the good guys.


A current example of this is HexStrike AI, which was originally developed as a defender platform for security exercises. The idea was that the tool would integrate with AI models such as GPT, Claude and Copilot – allowing the AI models to detect malicious intent and shoot down attacks on their own initiative.


But it didn’t take long – and by long, I mean hours – before bad actors on the dark web started wondering, “How can we turn this into a tool we can use to launch attacks?”


They found their opening when it was disclosed that Citrix NetScaler appliances had zero-day vulnerabilities allowing unauthenticated remote code execution, which attackers exploited by dropping webshells on the appliances.


It turns out HexStrike AI actually worked to the attackers’ advantage because it removes much of the technical complexity they usually have to work through. It can also automate and repeat attack loops, so a failed first attempt doesn’t mean the attack ultimately fails. The attackers don’t really need to understand memory operations or authentication bypasses; they put the AI agents to work, and the agents work through those steps for them.


As a result, attacks that used to take days or weeks can now be completed in under 10 minutes.


AI is great until it turns on you, or in this case, until someone commandeers it to turn on you.


As is usually the case, immediate patching is one of the keys to defending your system against these attacks.


Citrix is on top of this and has already released fixed builds to address the issue. And whatever your patching cycle has been to date, it’s a good idea to shorten it.


In addition, make use of adaptive detection rather than relying on static signatures and rules alone, so that your detection systems can ingest fresh intelligence and learn from ongoing attacks.


If you can, keep on top of dark web discussions and underground chatter. These are early signals that will help you be prepared for the next attack.


Finally, engage in resilience engineering. In other words, assume that your system will be compromised at some point. The more segmented your system is, and the fewer people you grant privileged access, the more you can limit the impact of a breach.


I realize some of what I’m recommending is at a pretty advanced level. I will be happy to help you if you like. Email me at dacarey@cybersynergies.io or call 616.217.3019.

© 2025 Created by Cybersynergies