AI-powered voice cloning now enables highly realistic vishing, enabling attackers to impersonate executives or IT staff and manipulate victims into revealing credentials or transferring funds. Mandiant’s Red Team has demonstrated these techniques in a controlled exercise, underscoring growing risks and the need for stronger awareness and verification. #Mandiant #RedTeam #VoiceSpoofing #VoiceCloning #Deepfakes #Vishing
Keypoints
- AI voice cloning can replicate human speech with high realism, amplifying the effectiveness of vishing attacks.
- There are real-world impacts, including reported theft of over HK$200 million using voice cloning and deepfakes.
- Voice spoofing can be used across the attack lifecycle: initial access, lateral movement, and privilege escalation.
- Mandiant’s Red Team used AI voice spoofing in a proactive case study to test defenses and demonstrate feasibility.
- Attack workflows involve collecting voice data, scripting, OSINT targeting, and spoofed VoIP calls to elicit actions.
- Defenses emphasize awareness, source verification, and future tech like watermarking and enterprise chat restrictions; unimproved voice security remains a vulnerability.
MITRE Techniques
- [T1071] Initial Access – Threat actors impersonate executives, colleagues, or IT support to trick victims into revealing confidential information or granting access. Quote: “There are various ways a threat actor can gain initial access using a spoofed voice. Threat actors can impersonate executives, colleagues, or even IT support personnel to trick victims into revealing confidential information, granting remote access to systems, or transferring funds.”
- [T1021] Lateral Movement – Chaining impersonations to move laterally within a network. Quote: “The chaining of impersonations enables the attacker to move laterally, potentially gaining access to more sensitive systems and data.”
- [T1021] Lateral Movement – Using captured audio to train new AI voice spoofing models for impersonation. Quote: “This captured audio can then be used to train a new AI voice spoofing model, allowing the attacker to seamlessly impersonate the administrator and initiate communication with other unsuspecting targets within the network.”
- [T1068] Privilege Escalation – Gaining higher access levels by impersonating trusted individuals. Quote: “Gaining higher access levels by impersonating trusted individuals.”
- [T1068] Privilege Escalation – Leveraging voice recordings from compromised hosts to impersonate specific individuals. Quote: “Leveraging voice recordings from compromised hosts to impersonate specific individuals.”
Indicators of Compromise
- [Voice/Audio] context – voicemails, meeting recordings, and training materials
- [Phone Numbers] context – employee phone numbers used for targeting and spoofed call setup
Read more: https://cloud.google.com/blog/topics/threat-intelligence/ai-powered-voice-spoofing-vishing-attacks/