SE

Security Now (Audio)

TWiT

Autonomous Espionage Campaign Analysis

From SN 1082: The Malicious Use of AI - Anthropic's Red Team ReportJun 10, 2026

Excerpt from Security Now (Audio)

SN 1082: The Malicious Use of AI - Anthropic's Red Team ReportJun 10, 2026 — starts at 0:00

It's time for security. Now, Steve Gibson is here. This is a big day. Anthropic just released a new version of its AI, the Fable model U appropriate because we're going to talk about how What Anthropic has learned from years of abuse of their AMI models will also talk about the malicious use of AI, some really scary Examples And which US law firm paid a twenty million dollars ransom to ransomware authors? And why A a lot more coming about Podcasts you love. from people you trust. This is toight This This is Security Now with Steve Gibson. Episode one thousand eighty two, recorded Tuesday, june ninth, twenty twenty six The malicious use of AI. It's time for security now. the show we cover the latest security and privacy and a little bit of AI in here with this guy right here, mister Steve Gibson, the guy in charge at grc. com. Hello, Steve. Hello my friend. Great to be with very That's to do the live longong. great to be with you again So so Um For a long time, we've been saying predicting it was a prediction getting getting great stretch of imagination. that the bad guys be using AI just like the good guys are And in fact, the reason that Anthropic did its sort of semi controversial laud Mythos preview, limited, you know, strictly limited release was that their feeling was It was enough of an advance bad guys got a hold of it then there wouldn't be time for the good guys to fix their broken code So Turns out that there's a red team operating at Anthropic which has for the last year from march twenty twenty five to march twenty twenty six been cataloging The abusers use of their AI, various versions of Claude through the last year and They've mapped it on to something we've never talked about before, which is the Miter Tack. taxonomy It's spelled ATT Ampersand CK because I guess you're going to have to be a hacker Um And what they found is really interesting Yeah H Just as worome as you could possibly imagine. I mean, like U you know, I'm not one to lare that the sky's falling occurred to me So We got security now episode ten eighty two. for this june ninth titled The Malicious Use of AI where we are going to byy the end of the podcast have a Bracing understanding. of like Bad guys are not sitting around They're not waiting. They're on this and and what an AI enabled attack like well orchestrated malicious campaign can do Truly Bone chilling So Oh, I I you know, I just hope that everybody who's got some jewels they need to protect are on the on the ball here and using all of the most state of the art available tools and one just dropped like what? an hour ago Um a new table just came out. Yeah, the this is reputedly kind of a simpler. Strip down mythos. And at the same time, apparently Anthropic turned on Anthony tried to put your show notes into the previous version, four point eight and it and then they have turned on some sort of gate that says Yeah, let me read you the actual text. I actually saw that. I I saw that. Yeah. And there was a slide switch where would fall back to a less potent model thinks that you're asking for things that it's not sure it wants to give you It says it won't work on cyber security. And it's apparently your show notes are too dangerous. Opus four point eight is a chat's paused OPS four point n eight and safety measures that flag messages on most cybersecurity or biology Wa They may safe, normal content as well. These measures let us bring you mythos level capability in other areas sooner So interesting. So because they're having a problem filtering They they did a crude filter that is to say, you know, it's difficult a perfect example is my show notote. There's nothing you know malicious in our show nototes except we're talking about malicious things. I mean, we're talking about cybersecurity stuff. and you so the idea is like that's just since they don't know that they can slice it correctly They're just completely blackly blacking it out, notothing to do with cybersecurity, nothing to do with biology because we don't yet know how to d differentiate enough. to give you access to that. Now I have just fed your show notes to the new model, which just came out this morning called Fable. Fable is kind of likeike Mythos, right? It's And it has no trouble. No trouble at all. going through your show notes, no complaints whatsoever. So U, it's something's up. I did in fact, and I think you saw it earlier on MacBreak Weekly, run some of my old claud generated code through Mth I saying, find some security flaws. And it did. and it did a nice job stuff that it had previously audited and aw no problems with. Yeah So I was very impressed not merely with how quickly it worked and how well it did, but I was actually very impressed with the verbiage it used it seemed quite impressive. and it's much faster It whipped through a large number of files Both in Rust and Python and Go and found faults, found flaws. Now I know you I know well, we know from the announcement that it uses it's twice the token Consumption rate as opus, right? Fable does. Yes. they say this right on the front And so it's twice as expensive essentially. Now. I've got the twenty dollars a month plan. And I'm never hitting a ceiling because I'm not really well, I have to say though, that the only time I saw the thermometer like start going up. was when I gave it More of an agenticke kind of thing to do. where it sat and churned for a while. I thought, oh, I wonder how expensive that was. And I went over to check my account. It's like, oh, look, I just used up twenty percent of something Whereas normally it just doesn't even get off the ground for the little simple things I'm asking So it was it was able to find these. I feel like this it just feels a little smarter quicker, a little more effective I was quite quite impressed. This is all. I'm just stunned by this pace, Leo I mean, the They just released four eight tes like three weeks ago. It's breath takeake crazy Well, so you know, I don't know if this is mythos, but in a way, something mythos like has arrived already, which means I think you should start looking for Tomorrow. Tim to start running your code through Yeah through Fable I did have it fix everything it founds, by the way. Very cool. Yeah. Okay. so in addition to getting to the malicious use of AI where we're going look at exactly what's going on We're going to answer some questions. Was a U. S. law firm right pay a twenty million dollars ransom Could Ciskco have yet another SD Wan Zero day in the wild? Like really, Ciskco? really Why is it so difficult to author secure PHP code Turns out that teens are using something called weed hacks. to spy and attack each other which McAfee's security people found and were quite disheartened to like see what was going on researchers have created the first AI enabled Internet worm And Oh boy. let's the good thing is It's not clear that a worm makes anyone any money And money is the name of the game for the bad guys now Otherwise It would be game over Uh Also, just a little editorial annoyance because while I was working, I got a weird chrome pop up telling me that I could shop with confidence as I wasn't even using probe I was in Firefox. It's like what the heck? what We've also got something was really wrong here, an irresponsible disclosure of a very bad problem discovered in HTTP two You know, we always had HTDP one then we got one point one. reccently we got well a couple years ago, we got two There's an HTTP two bomb, which can basically bring any contemporary web servers to their knees. and Cretans who discovered it, said, Yeahah, you know, what the heck? We're gonna force everyone to upgrade by releasing it Uh, and then we're going to get to what Anthropic has learned from their past year of monitoring Claude's abuse. And in two words Maybe it's three. I don't know if you if you count a contraction as two. anyway It's bad. Wow. Well, we have lots to talk about in a picture of the week come in just a little bit You're watching security now with Steve Gibson And our show today brought to you by a great sponsor. We really like threat lockers, Steveven and I went to their Zero Trust World Conerence a few months ago in Orlando had a great time to the presentation For them, I'm a big fan of zero trust. Threat locker zero trust, but they announced, by the way I think it's Zero trust world, Maybe it our sec couple of weeks later. They have now the industry's most comprehensive suite of zero trust solutions, not merely protecting endpoints But now they protect company networks. In the cloud This is great by extending zero trust enforcement to cloud services and company networks Threat lockers ensuring The devices, not only, you know, are the endpoints protected, but devices are validated Th a secure broker before they can connect to your cloud platforms, your SaaS apps, things like Salesforce and Microsoft three hundred sixty five, Asana Google Worspace GitHub The impact of this is huge, even if a user is successfully fished It happens all the time. atttacker still cannot access those resources. They can't access those SaS apps, the cloud resources unless Well, in order to do that, they'd actually have to have physical possession of the user's trusted device. and then they you know, I presume you're going have biometrics on there at Windows Hello or something. So they'd have to get through all of that So you're really locked down. This is so much better. Threreat lockocker works across all industries provides U S. based twenty fourty seven support, really good support It works everywhere. Windows, Mac, Linux environments. I got them to demonstrate it on the Mac for me because I was very interested. It works beautifully. And it enables comprehensive visibility and control. This is one of the real benefits of Threat locker is it's great for compliance Ask Rob Thacker, he's the end user technical architect at Heathrow Airport. After a number of incidents, they switched to Threat locker. He says quote Threat loocker was the most intuitive solution we tested And the responsiveness of the organization, the willingness to engage with us, to set up a demo to work with us on weekly audit reviews was very good. It's great to have an ongoing relationship with a company that is so responsive to our So not only great technology, but great support, great service from really suuperb company No wonder threat lockers trusted by some of the biggest and best in the world, Global enterprises like Jet Blue The Indianapolis Colts, the port of Vancouver uses threat locker They can't afford to be down for one minute. Threreatlocker consistently receives high honors and industry recognition. G two gave them their high performer and best support for Enterprise summer twenty twenty five. Perpot ranked Threreatlocker number one in application control, and they got GApp's bestest Functionality and features awward last year The warards just keep on coming. you can find them all at the website With Threreat Locker, you can confidently ensure that users have access consistent safe network connection offffices, remote users, internal servers, critical services, all can maintain smooth operations You don't need to open inbound ports, you don't need to deploy traditional VPN solutions Your end users will get the same secure, reliable internal system access they're need and they're used to without the complex infrastructure changes And it's so much more secure. G gotta try threat locker, get unprecedented protection quickly. easily and effectively with threreatlocker. visit threatlocker. com slash twwit You get a free thirty day trial and you can learn more about how Threat loocker can help mitigate unknown threats and ensure compliance. againg Threat locker sllash, we thank him so much for supporting Security now And now ladies and gentlemen, sureure So there's no security angle here, but I just Love this. Okaykay I gave this the headline, There may be hope for humanity after all All right, I'm going gonna scroll up. I haven't seen this before All right, you describe this one. So we have That's great. We have Tw signs. you're the the yellow diamond sign that says dip ahead, right Like where there's just to warn drivers that there's going to be some sort of a of a dip in the road that they need to take advantage of. then slightly after that along the road is one of those Uh prorogrammable boards where, you know, for like whatever the the people working on the road need to warn drivers about In this case, the signage has been programmed to say And this is again to to following the dip ahead sign Bring chips Yeah So And to which our Discord chat room has responded. with this picture of you and me as u as chips Let me know up the image. In this case, Chips is the California Highway Patrol. see? Oh goodness, yeah. you look good Very nice. Thank you, a pretty fly for assisky. Last time I was in a uniform was the Boy Scouts and that was lots of stories came from that. Okay so The large law firm U while gosh, Gothshaw and Mges. u which reported I mean this is there are firms you never hear about. I've never hear heard about these guys, but Two billion dollars in revenue last year. Right? So they're like so high end that they don't do any retail advertising or they don't have any sort of a public presence at all. They're whatever it is they're doing, you know, military contractors or who knows what maybe international stuff Anyway, they're breaking in the bocks. h They recently paid twenty million dollars ransom Yeah And I did the math That's one percent their annual take So They did so in order to prevent the release of their confidential client data. And we don't know who their clients are. But again, two billion dollars of revenue and people we've never heard of before. They probably got it going on. The company said that their clients' confidential data had been stolen from an external cloud storage site. earlier this year by a group known as the Silent Ransom Group the FBI sent out a private industry alert last year warning in advance that this silent ransom group been spotted and that they were specifically targeting U. S. law firms for their extortion campaigns Now what appreciate about this strategic value of targeting law firms. for extortion. everyveryone knows, I'm not endorsing the practice far from it. but I think that highigh end law firms an interesting and clever ransom target We've been seeing and reporting on the surprising and welcome dramatic decline percentage of ransoms that are being paid Lately You know, many more companies are simply saying no now than were ten years ago Then being hacked. was much more of a blackm on an enterprise's reputation than it has I frankly sadly become today I'm not happy that being hacked is almost routine now With cyber attacks having become a nearly daily occurrence, No one who's observing them from a distance really cares that much anymore. Now as a consequence, companies are just saying no to ransom demands and putting out a press release saying that, o, well, we were hacked comoming up with some spin about how the bad guys didn't really get anything of any super secret value and then offering their customers twelve months of free credit reporting As if that makes restitution So nothing to see here, move along So against that backdrop rather than just stumbling upon targets of opportunity bad guys have needed to find targets where the apologize, obfuscate and move on practice would not be available And the confidential client data being retained by major deep pocketed law firms pererfectly fits that bill There's no doubt This Wild, Gothsaw and manges New that the disclosure of their clients' data would result not only in massive reputational harm you know, which a law farm a law firm can ill afford but also in a mass of breach of fiduciary responsibility lawsuits, right by their own current and past clients whose data they have not protected adequately. We know that the FBI and others cautioned the law firm. Over and over that there's absolutely no guarantee whatsoever Bad guys honor their side of the agreement, which after all is voluntary and they're bad guys by deleting all the stolen data Given twow billion dollars in annual revenue Even a twenty million dollar payout That's just a one percent tax. on the company's annual revenue When weighed against the alternative absolutely certain disclosure of highly damaging data Well, that's a bet that's entirely understandable As I've been observing the only thing These Criminals care about is money They could not possibly care less about the actual data they've stolen from this wild gototh shawl and manges They know that the only chance they have of reliably obtaining voluntary ransom payments from their victims is if those victims believe from all past evidence payment of a ransom will result in the deletion, as far as they can tell. Or it's certainly not the disclosure of the stolen data so that it can then hopefully never be disclosed Yes It may be a bargain with the devil. But it almost certainly paid off So takeaway here is the observation that the overall drop in ransom payment likelihood. Did did Lee the attackers targeting. to those specific enterprises Law firms being a perfect example of that which have the most to lose their stolen data is publicly disclosed. That's the threat And so it's got to be a threat where the pain of that threat being actualized is so high that the company says, Ohh, well, we don't like it It's You know, a gamble we're willing to take So compomanies like the regular run of the mill companies who merely have, you know, millions of small customer transactions You know, they're just increasingly shrugging off such breaches as unfortunate. But unfortun but all equally unfortunate nowadays, almost inevitable So it's like,h, we got we got hacked. How'd you like a year of free credit monitoring We would rather that you hadn't been hacked, but you know banks anyway. If I were to share the news that Another patched. Zero day flaw In Cisco's SD Wan manager being actively exploited in the wild Our listeners could be forgiven for thinking that perhaps they were listening to a previous podcast But sadly no, And their' reporting on this latest rerun of a story that pretty much writes itself at this point You know, you only need to change the date and tweak some CVE numbers Laping computer reminded us They wrote last month Cisco so so we have one like last week, right? a new SD Wan. Zero day fllaw exploit. And to give some background, they finished their coverage Bleeping compomputer did saying last month Ciskco also tagged a maximum severi Catalyst SDWAN controller authentication bypass flaw. and that was the CVE twenty twenty six u two hundred one hundred eighty two as an actively exploited Zero day to gain admin privileges on unpatched devices While Cisco, they wrote, has not yet released patches for today's most recent problem On may fourteenth, it advised customers to upgrade to the software that had been fixed for two hundred one eighty two CVE Then they said in February Ciskco patched another catalyst SD WAN manager information disclosure security flaw That was two hundred one thirty three Sisa. flag is actively exploited in late April And two weeks later warned that two more flaws two hundred one twenty eight and two hundred one twenty two. We're being abused in the wild In March, it also addressed and flagged a critical authentication bypass vulnerability, which is, you know, the polite way of saying anyybody who wants to can get in. And that would be two hundred one twenty seven that has been exploited in zero day attacks since at least twenty twenty three And they said Over the past several years, CisA has tagged ninety, nine zero, ninety Cisco vulnerabilities as abused in the wild, four of them in catalyst SD WN Manager and six others exploited by ransomware operations So ninety vulnerabilities In just the past several years, abuse in the wild, Cisco has certainly earned their reputation for providing hackers with a ready and so far unending supply of remotely exploitable security vulnerabilities Two months ago on april seventeenth, I'm sorry, april seventh. So just just over two months ago, todayod's the ninth of June. Ciskco wrote For some time We have been stress testing our own products and infrastructure against the most advanced AI powered security tools available including Anthropics's latest unreleased AI model, Claud Mythos prereview What we have found They said What we have found has been illuminating Uhu Now the real work begins AI powered analysis uncovers data at a scale and depth that legacy frameworks were not designed to accommodate. Okay, whatever that means, this industry will recalibrate together And Ciskco is committed to leading that conversation. All I could say is that I hope they mean it. I hope they really do suddenly care more than they have ever appeared to in the past. And given the evidence It's like, how do you explain that? This is Cisco Yeah, you know, pererhaps Something needed to make security much easier for them to deliver And perhaps AI will be that something that's been missing until now It's It is inexplicable to me How a company that is so important and has been such a leader you know, a pioneer on the internet continue year after year to have so many damaging security problems. What is the culture over there Reall that years ago They We're surprised to discover The firmware of their own machines had been shipping with embedded authentication credentials in the firmware so that anybody who knew the username and password could log in remotely I bet your Mythos would have found that Yes, if yes, given access to the firmware, Mythos would have said the equivalent of WTF So No know, Ciskco, perhaps they just really crappy doing software and the only reason you the only reason they were ever off top is that they were first And so it's like, you know, once upon a time, they were the only game in town And maybe they just always sort of sat back on their laurels and thought, well, you know, everyone's buying our stuff. It doesn't it's broke I want take back. a wild guess that part of it was the number of acquisitions they did because Cisco grew very fast by acquiring a lot of other Comanies. That's fair It'd be my guess that some of those companies themselves didn't have the best practices. And sometimes when you have mismatched systems, you get these kinds of problems pererfect example was that Hilton attack. Remember? R? It was that they bought another another cha. Yeah, yeah, yeah, yeah, yeah And it was that Yeah it was that if was like they they they they bought the thing they they bought was had, you know, some serious problems. And they just we at the time, we argued that they didn't vet it as well as they should have, which I think is a reasonable position to take, but Wow, Cisco, come on, you know, get your AI going and fix this because too much of the now of course problem Once there is firmware, which The latest AI agrees has no more problems that it can detect. is how do you get it deployed Because it's one thing to have it. It's another thing to have it out there running Okay, uh I mentioned before My desire to host web forums required me to run a PHP interpreter. on a GRC domain, you know, forums. gc. com. Um and even GRC. SC that little short that little link shortener is also some PHP Due to the long history of security incidents surrounding PHP, the idea off running a PHP interpreter on a GRC domain terrified me And I was and still am. unwilling to allow any such server to share a network with the rest of GRC's infrastructure. u In other words, I took my own advice in the same way that I do for residential IOT devices which is to firmly sequester the things, those those things whose security we have no control over and are inherently suspicious of on their own network obain them sandbox on Fortunately, my choice of the PHP based ZenfO for forums and the PHP based Nuevo mail, which is what I use to send out GRC's weekly mailings They've both been solid choices and I've never had any problem with them, but I'm still not allowing anything that runs PHP anywhere near the rest of GRC's network. The reason I'm mentioning this today is that once again PHP based third party WordPress plugin come under active widespread global attacks And the means by which the pluggin is being attacked is just so marvelously pHP that I wanted to take the time to share it Last Wednesday The word fence WordPress security company And based on everything we've we haven't talked about word fence for a long time They got a strong recommendation last time and they'll get it again because I think anybody who is running WordPress stuff with any add on plugins, especially, which is where the problems generally are, WordPress you know, itself is generally been so well cared for and and maintained that we don't see problems in the core WordPress system. Anyway, they posted word, Wd fence posted the news of this latest vulnerability, which carries a CVSS of nine point eight which as we know is hard to achieve. You basically have to let anybody who wants to anywhere in the world crawl into your system and set up shop to get a nine point eight Wordfence wrote On march thirtieth, twenty twenty six, we publicly disclosed a critical Remote code execution, vulnerability Everest forms P a WordPress plugin with an estimated four thousand active installations This vulnerability can be leveraged by unauthenticated attackers, meaning anyone. to execute arbitrary pHP code. on the server. leading to complete site compromise The vendor released the fully patched version on march eighteenth, twenty twenty six. Our records indicate that attackers started exploiting the issue on april thirteenth twenty twenty six. So Okay less than a month later. So march eighteenth fully patched version that fixed the problem april thirteenth it came under attack. So again Anybody who's keeping their site up to date is checking for it like checking for and following through with them would have been safe The word Fs firewall, they wrote, has already blocked overver twenty nine thousand three hundred exploit attempts targeting this vulnerability And they said Word fence premium, Word f fence care and Word fence response users received a firewall rule to protect against any exploits targeting this vulnerability on february twenty seventh, way up in advance of the plugin being updated. Sites using the free version, which is what I mean, like, why wouldn't you use the free version of this protection system of Wordfence received the same protection thirty days later on march twenty ninth. So still well in advance of when the bad guysy started attacking They said considering this vulnerability is being actively exploited, we urge users to ensure their sites are updated with the latest patched version of Everest Fs Pro, version one point nine point thirteen time of its writing as soon as possible As I said, we've covered the work of the Wdfench people in the past And I have no problem allowing them to promote themselves by sharing their posting here since any site that has chosen to employ third party plugins would be well served to at least run the free version And you know, pay something for the added protection. if nothing, if for no other reason to support them in the same way that Leo and I do for Bwardward Yeah In other words, you know these are good guys offering an important service at a reasonable price. U and if you're running a WordPress and you've got, you know, random plus plugins that you've added on You really ought to have Wd feds watching your back Then they explain they found. really what I wanted to get to. They wrote examining the Everest Formms pro code reveals that the plugin uses the Process underscore filter function in the process class to evaluate user defined calculation formulas Now there's the key. user defined meaning Visitor based calculation formulas. The function catinates submitted form field values into a pHP code string which is then passed to the eValve function Now again All that phrase that that that string of words should make anyone's blood run cold. Catenates submitted form field values into a pHP code string which is then passed to the e valve function So This is a variation of the infamous Bobby Drop tables flaw, you know Anytim any user user provided, you know, visitor, web visitor traffic passed to a function might confuse data with commands which is what PHP does in the same way the seQel can That user provided input must be scrupulously sanitized. Really, you should never have a situation where that could be done But if you have to for some reason, Then Really makeake sure there's no way that The user can provide something that can get that can be switched from data to command prevent malicious users from managing to use a web form for their own command input Word fenceces write up continues, saying Although User input is sanitized with sanitized text field function. This function does not escape single quote And by escape, they mean convert a single quote into something that isn't a single quote, but like it carries the same meaning. That's known as escaping in programming parlance. It does not escape single quotes or other characters that are significant PHP code Sting based fields such as text, emails, select and radio fields The submitted value is placed inside single quotes ly added PHP code string unauthenticated attacker can exploit this by submitting a value containing a single quote foollowed by malicious PHP code comment character allowing them to break out of the string and inject PHP code that is later executed through the eValve function This makes it possible for unauthenticated attackers to execute arbitrary PHP code on the server by submitting a crafted value in any string type form field As long as the targeted form uses the complex calculation feature As with all remote code execution vulnerabilities, this could lead to complete site compromise through the creation of admin accounts, the use of webshells and other techniques Okay, so This is exactly Why PHP terrifies me when When I've made the mistake of stating PHP is fundamentally insecure Our well informed listeners have written someone indignantly argue that it's entirely possible to write secure PHP systems. I assume that's true. since I've never had any trouble with Zen four o And their security record has been very good, not perfect but still very good So I suppose a more balanced assertion on my part be that authoring Cure PHP websites inherently requires much more understanding of the security pitfalls inherent in the use of PHP. which are many than the typical PHP author possesses In other words can write secure PHP PHP is targeted at people who don't Wordfence explains that their WordPress application firewall has explains what their excuse me what their world their WdPress application firewall has intercepted by writing The most common payload observed in our blocked requests attempts to create a new admin account named U D I K S I Marina M A R IN A. Sea Marina, I guess you'd say on the affected site The attacker submits a value for a text field that begins with a single quote Close the wrapping string literal followed by a PHP statement that calls WP underscore, insert underscore user press insert user create a new admin account with the user Dixie Marina The trailing slash slash comment marker ensures the rest of the generated PHP code which was, you know, there in the original form, including its closing quote. the attacker put first is treated as a comment and does not cause a syntax error because that would crash PHP and then the attackerss code wouldn't get to execute When the form is processed and the calculation is evaluated, the injected PHP code is executed and the militia's admin account is created Once authenticated as a new administrator, the attacker can fully compromise the site by uploading webshells, modifying themes or plugins, or installing further backdoors to obtain persistent access. problem with PHP is that while it correctly advertises itself as very easy to use The less well appreciated fact is that it's also extremely easy to abuse Thus It's running on a server GRC on its own network segment with no contact to the rest of my stuff because I will never trust it But Leo You know? You trust. Yeah. I trust you and I trust our next sponsor. Well, it's a good thing it's a good thing you do because they trust you and, you know. The fact that they're advertising this show is is a measure of this. I'm talking about O Sys. Security now is brought to you this week by O Ss. O Systems is an amazing tool. They've been at it for a long time. They I think It's safe to say are the leading Aentic systems platform They help businesses bridge the enterprise gap into that aenic future we're all looking forward to where the constraints of the past give way to Unlimited capacity and scale. Without systems you can architect, deliver and scale. governed Very important word there, Aenic systems withith agility And trust using one open and unified platform. You could power secure company wide Eenic orchestration for core business operations Outsystems provides the only eugenic systems that are unified aggile and enterprise proven. let me explain. it's O system is unified It enables you to build, run, and govern absent agents on a single platform. Out Systems is agile because it allows you to innovate at the speed of AI But very importantly without compromising quality or control. And O Systems is enterprise proven and trusted by enterprises for mission critical AI applications and durable innovation. O Systems is the secret weapon behind the world's most successful companies and not just for little one off apps, these we're talking massive Comx systems, systems that run banks, insurance companies and government services right now Out Systems even helps companies with aging IT environments bridge the gap to the AI future without a rip and replace nightmare. I'll give you some examples. Out systemstem provides the safest and fastest way for an enterprise to go from We need an AI strategy to we have a functioning. aetic system. Stop wondering how AI will change your business and start building the agents that will lead it. Visit outsystems. com slash twwit To see how the world's most innovative enterprises use out systems to engineer orchestrate and govern aenic systems quickly. cost effectively without minimizing reliability and security That's out Sys. O UT S Y S T EMS. com Sash T W I T a deemo out systems slash. we thank him so much for supporting Steve and the vital work he is doing here Uh I looking at the Information about Claud Fable five, which was released today by anthropic and mythos. and I'm looking at the benchmarks provided by anthropic, but man. They say this is even better than the Mythos preview that they've been offering to some people is incredible ten dollars million tokens in fifty dollars per million tokens out. It is a very expensive model, although they' cheaper than Myethos's prereview They also say they can work longer than any previous claud models So they have a lot of benchmarks A lot of examples I wish I was thinking about this the other day. I wish that unused tokens But up a balance in your Io I know because my use is very erratic and you know, a lot of times I'm not using Caud for anything. Well, do you have a description or do you pay as you go you can't pay go I have a subscription Yeahes, so the subscription is all you can eat. And as you've probably noticed, if you really bang on it, it'll time out after five hours. It'll say, Well, you got to wait toil one or whatever. Right. And you can also use up more tokens than you're supposed to in any given week or even month But generally the all you can eat's pretty good The API is pay as you go So if you don't use it at all, it's zero So maybe, but the problem is It's a lot more expensive to pay as you go than it is to buy a subscription for most people. I don't know what it's going to be like eventually. I think eventually Anthropic wants everybody to go API ' I think for a lot of users, they're losing money on the All you can eat buffet that some people are real pigs. U but you know, I'm just playing with it right now and it's very fast. It also, they said, if if if it gets in a situation where you're asking about security stuff, it will fall back to for eight. It's going to try to prevent you from using it Yes Yes. And that's why we're getting that four eight warning. It security or biology, apparently. Yeah But anyway, yeah You can't make dangerous bugs with it, either Y. Exactly of any kind Oh o, so McAfee's report Their headline caught my attention because it was newew malware targeting Minecraft infects two thousand daily And teens are becoming attackers So this is all pretty sad U But it's worth us knowing what's going on McAfee writes McAfee Labs has discovered a massive ongoing and massive because of how cheap it is ongoing malware campaign called Weed Hack that disguises itself as free minecraft mods and game clients to infect players' computers It's january twenty twenty six. It has logged more than one hundred and sixteen thousand victim infections averaging between two thousand and three thousand new hits every single day What makes weed hack different from most malware is how cheap and easy it is to use Typically, a hacker would pay hundreds of dollars per month to access attack tools through underground criminal networks. Now this is all, you know, malware is a surface, which is the new thing They said we'd hack offers a free version to anyone with a discord account premium upgrade, which includes the ability to secretly watch victims through their own webcam It starts at just five dollars a month This low barrier has attracted a younger crowd of would be attackers. manyany of them appear to be teenagers or young adults. Our researchers were startled. to discover teens using these tools Not just for financial theft to harass and bully their peers pattern we've documented and like posting the webcam footage that they capture from other people's machines. pattern we've documented and that makes this campaign especially concerning We'd hack is a malware as a service MAAS, malware as a service campaign, meaning it's a criminal business that sells hacking tools to customers The same way a legitimate software company sells subscriptions product in this case is malware gets secretly installed on a victim's computer when they download what they think is a minecraft mod or client Once installed, it can steal passwords, hijack accounts, and for paying customers, it can give the attacker live access to the victim's screen Webcam and files campaign operates a polished professional looking dashboard hosted openly on the internet Not hidden on the dark web dashboard lets customers track their victims, download stolen data and launch remote access features all from their browser One of the most disturbing findings from our investigation is how weed hack is being used While monitoring the campaign's telegram channel which had over eight hundred and fifty members during the time of our research, we observed that many customers appear to be teenagers and young adults and a significant portion of using the remote access tools we're using the remote access tools not for financial gain, but to harass and intimidate other players We observed attackers recording victims through their webcams without consent and sharing those recordings in a telegram channel as trophies Others use knowledge of victims' IP addresses and system address to threaten them Impant to note At the current time of publishing, the telegram channel has been taken down and no replacement channel has appeared McAfee's continuing to monitor any new channels that may be established by the threat actors for further communication Still What we observed is a form of cyber buullying with unusually invasive tools behind it If you or your child has been contacted by someone online claiming they've hacked your computer have your webcam footage or know your IP address. Take it seriously Do not Follow the attacker's instructions It only makes things worse. Tell a trusted adult immediately, a parent, a guardian or school counselor Contact your local law enforcement. This may constitute a criminal conduct Do not engage with the attacker or attempt to negotiate So How do people get infected We'd hack spreads in two main ways. And the campaign even provides its customers with step by step tutorials on how to carry out both firstirst fake YouTube videos attackers create convincing YouTube videos reviewing or demonstrating minecraft clients and mods The videos are well produced. some include voiceover narration, The link to malicious download sites in the description and comments is present One video McAfee identified had over seven thousand five hundred views before being flagged. Comments are also sometimes planted by the attackers claiming the files are safe Second way, fake mod websites Weed Hack instructs customers to build convincing looking websites that mimic official Minecraft mod pages These sites are deliberately designed to show up high in search engine results for popular mod names, a teactnic called SEO poisoning. some fake sites include fake security warnings, discord links, and GitHub references to appear legitimate In one case, a site warned players to Only download from us, unquote while actively distributing malware. clients and mods specifically targeted include Meteor client, radium client worst W U RST client bounce, impact client, future client and others So what happens when you're infected Infection occurs in four stages that happen silently in the background after a victim opens the downloaded file. First stage First contact The malitious file launches quietly without showing a console window connects to a hidden network and phones home to receive further instructions. It uses a sophisticated technique involving the Ethereum blockchain. to locate its command server in a way that's difficult to block or take down Remember we talked about one such method using DNS domain names which are created dynamically based on a timestamp This uses the Ethereum blockchain Stage two, taking hold The malware disables Windows Defender protections. gathers detailed information about the victim's computer. processor, graphics card, RAM operating system and so forth and takes a screenshot of their screen then steals their discord tokens Browser passwords Cookies Stage three digging in The malware installs itself so that it automatically restarts every time the victim logs back into their computer. It sets up a hidden scheduled task that runs continuously with the highest system privileges And finally stage four. obtaining full access premium customers, an additional component is installed connects the attacker to the victim's computer in real time This includes live screen sharing with keyboard and mouse control Webcam access, key logging recording every keystroke a reverse shell, full command line access to the computer and the ability to upload or download any files A separate component specifically hunts for telegram credentials and cryptocurrency wallets, sending that data to a different server every five minutes. attackers steal. The free tier reports the theraft of Minecraft session IDs, which are used to hijack Minecraft accounts saved passwords and cookies from thirty six different browsers Credentials from Discord, Steam and Telegram Browser based crypto wallets, fifty six are currently supported and desktop crypto wallets, twelve are currently supported Files matching twenty four different search keywords, screenshots of the victim' screen, and system information, the computer name, their IP address, and hardware specs For five dollars a month, which is the premium tier You get live webcam access in addition to all of those things, live webcam access, live screen sharing with keyboard and mouse control Ky logging, every key the victim types Full remote shell, command line control of the computer, and file management. Uload, download and delete files remotely Okay, so Just to be completely clear, what now exists is a service. which for as little as five dollars per month Apparently in a play for user volume Anyone and often teens No longer need to have any, not any Packing skills Apparently, all they need is some marketing skills All the hacking all the technology, all of that has been done for them They're able to subscribe to this new malware as a service. Weed hack. O on the public open web And then trick others using their marketing skills into downloading a Minecraft mod or client then gives them access to that infected users saved passwords and cookies, their social media credentials, their crypto wallets and more includluding their webcam and full remote keyboard and mouse access to their computer And The service is going gangbusters logging between two thousand and three thousand new infected newly infected victims per day with more than one hundred sixteen thousand infections spotted since this past January So Leo the world we live in today Wow. out No kidding You know, basically turning teens into criminals because this is all criminal abuse. I mean, these are criminal this is criminal Network intrusion thanks to a third party that's only asking for five dollars per month and taking all of the hard work, all of the knowledge, all of the technology out of the loop You pay us w mazing kids to get to their I presume to get to their parents' accounts, right? I mean, because Can be, but I guess the kids might have money. I don't know. But yeah, it's not clear where I guess the kidss play Minecraft, but it's mostly kids, right? It's got to be, hey, mom, can I can I, you know, charge five dollars a month for this cool service that I found that will allow me to do something with Minecraft and mom says, you o's fine. whatever Yeah Wow. Okay, so so evil. It's so bad It is, it is and and Tens are like, Well, wait, it's a service on the internet. What do you mean I'm breaking the law? What do you mean I'm a criminal? It's actually smart because yeah, exactly this is taking advantage of their naive And getting and getting five dollars a month off of all of their parents' credit cards. Right Okay, so What have we done? You know Somebody was bound to try it. So far contained inside a lab. Yikes Researchers? I don't like that open. No. Yes. We've known of other things that were supposed to be contained inside a lab and got loose Researchers with the University of Toronto And the Vector Institute wondered Temporary AI powered Network worm might look like and how effective it might be. So of course, they made one The paper they just published is titled AI agents enable adaptive computer worms And they explain, quote in our pursuit of new knowledge, That's always the excuse, right or the justification in our pursuit of new knowledge to enhance the security of artificial intelligence, We uncovered a cybersecurity threat with implications across society. Okay, so you know, since the idea of an AI enhanced network worm is not a stretch for anyone I'm just going to share the high points from the research Oview which they published However, even this overview makes me somewhat queasy. Here's what they wrote They said can I just scroll off. They said Large language models now demonstrate the capacity for structured problem solving combined with tool access. enables agentic AI systems to solve complex tasks We show that when these capabilities are embedded, in a self replicating agent produce a fundamentally new The cybersecurity threat Pwter worm. devises target specific attack strategies gain control of machines and spread across networks Each compromised machine becomes part of the worm's own infrastructure providing comput or reach for further attacks A computer worm, they write, is self replicating malware spreads across a network without human intervention The Wanna cry worm In twenty seventeen disrupted critical infrastructure across one hundred and fifty countries by exploiting a single vulnerability Traditional worms can be stopped by patching the specific vulnerability they exploit Our adaptive worm cannot be stopped. This way It uses a recursive reasoning loop and exploit diverse vulnerabilities as it propagates We demonstrate these capabilities in a controlled experiment prrototype AI driven worm powered by an open weight LLM running locally propagated across a heterogeneous network of Linux,ow Windows and IOT devices. common corporate network vulnerabilities The experiment was conducted in an isolated virtual network We believe this work highlights Three important dimensions of the impact of AI on the cyber threat landscape First It establishes a qualitative shift in threat capability The worm replaces fixed exploitation code with goal directed reasoning. to the vulnerabilities of each encountered target in real time our agent self replicates across network devices, subverts control of systems and self sustains on stolen resources Second The AI driven worm requires only an open weight model that can run on a single local GPU does not rely on any commercial AI platform. This renders vendors centralized safety controls, including service refusal, content filtering and rate limits structurally irrelevant The Worm's tier design, where each compromised GPU equipped node provides reasoning for lightweight agents on downstream devices, extends the attack surface to any network device And I'll note that it gets smarter as it propagates, right because it's continuing to have access to all the GPU's it's already taken over So that's kind of creepy And finally The traditional economic barrier in cybersecurity collapses The traditional economic barrier in cybersecurity collapses The worm parasitically uses the victim's own computational resources. reducing the attackers' marginal cost to zero as consumer devices increasingly support LLM inference, meaning they're getting the GPU compute locally the reasoning resources available to such adversaries grow accordingly This work proves, this work provides empirical evidence that autonomous cyber offense crossed from theoretical risk to demonstrated capability challenge that spans AI research cybersecurity and public policy. We believe This transition demands rigorous transparent evaluation of model capabilities across the open and closed weight model ecosystems to which I say, yeah, good luck because there's going to be unrestricted open weight models there already are. They're only going to get better So I'm not sure. clusion is supposed to mean, You know, we believe this transition demands rigorous, transparent evaluation of model capabilities across the open and closed weight model ecosystem. What this actually means you know, and for the first time demonstrates is that the defenders of cyberspace had better get serious about tightening up their code. This leaves the huge problem of the existing installed base of systems. And that's where we're really going to have our next problem We know that becausecause they're not going to update themselves And they, you know, Many will never be updated without some form of you know, more than typical intervention I don't know how this happens But it is the big problem The one bright spot here. is that you know, knock on wood We seem to be past as I mentioned earlier, we're past those frolicking days controlled internet worms. Most mischief now. is about bad guys focusing Solely upon making money And internet worms do not do that You know, the way that targeted you know, targeted extortion can place I could see a worm being deployed as an offensive cyber weapon is not by a criminal organization that wants to make money as its first priority, by a nation state The U. S. China, North Korea, or Russia And in that case, its worm code would be carefully written to restrict its reach and spread to within a targeted geography So this feels more like an interesting academic exercise This is not to say that someone might not release such a thing just to see what it could do That's always a possibility, but as these researchers also noted The world does not yet have suufficient protect potential victims with infrance engines capable of supporting a roaming large language AI model. By the time that changes The world's exposed vulnerabilities should be You know so new that any potential worm would starve So You know, hopefully we're going to get the internet cleaned up And as we evolve to next generation systems that do have de acquired inference engines They'll be running newer firmware or newer software hopefully that will never have the vulnerabilities that the current Thankfully dumb installed base of hardware does And Leo, I mentioned to you before I think before we began recording that The weirdest thing happened or I guess I did run run through it and the things I want to talk about As I was writing the show notes. I was rudely interrupted by an unsolicited Windows ten notification. Google Chrome I wasn't using Chrome As we know, I don't use Chrome unless there's no alternative, sometimes there's a site that Firefox won't display. Open table. com is the one that keeps biting me and now I've learned I just have to go over and use openen table from Chrome Um, I haven't even used Chrome in recent memory Yet What we know is that today's web browsers are all running agents in the background which serve to keep those browsers up to date. And that's a good thing. We know that we want our web browsers to be, you know, patching themselves to keep themselves current. I'm all for that U But the operative phrase here is in the background Chrome which I have installed, as I said, I've not been using without you know, like for any reason like for quite a while Certainly since that machine was booted It without invitation pops up a notification telling me can shop with confidence and that I can quote prices across the web and get alerts if the price drops on any site. First of all, I don't do that It's no longer in the background And it's an annoyance in my foreground. You know, the internet appears to be silent on this issue. I went searching like is this happening to people? I like what So I don't know what's going on You know, perhaps this is Google trying to get traction for some of its new agetic AI crap In any event I hope more than ever that Mozilla is able to somehow keep Firefox alive a web browser you know is serious business and keeping one going. and secure and up to date the never ending and ever changing worldwide web consortium standards, it takes a huge amount of work So I appreciate what Mozilla is doing I need my firefox and I sure want as little of Chrome as I can get Yeah, I agree I grabbed a copy of this of this notification from from Chrome. I put it in the show notes is like, what? I don't want to hear from a browser that I'm not using that about shopping tips They don't get any windows doing this, right? How could Chrome Well, you have notifications turned on in Chrome, I guess. Yeah. And they are off now, but I hadn't turned I hadn't turned them off before. So so get out of my way Chrome Okay. afterfter our next our next sponsor note. I'm going to talk about this HTTP two bomb attack and how annoyed I am with the people who just said, Well, we're going to make everybody update their web servers by publishing an exploit What? Hh? Well, that'll work. It's twenty twenty six guys ur show today brought to you by Gard Square. This is for you, mobile app developers. First of all, thank you For the job you do, mobile apps today are an inescapable part of life ranging I mean, everything from financial services to health carere retail entertainment We users trust mobile apps with our most sensitive personal data. That's what makes them great. But it's also a risk. Recently, a survey came out that showed that seventy two percent of organizations have experienced a mobile application security incident past year ninety two percent of respondents reported rising threat levels over the last two years Meanwhile, attackers who, you know, want your personal your users' personal data are constantly finding new ways to attack your mobile app. You know what the latest one is it's really insidious. They take your app, they reverse engineer it. You could do this actually fairly easily with Claude and Gidra Rverse engineer of the app package it. modifying it, put a little malware in there and then distribute that modified app via Fishing campaigns are side looading. Third party app stores all sorts of ways to do this. Little popus on Steve's machines saying you need this app Well, you don't want this. This affects you. this affects your users. this affects your reputation By taking a proactive approach to mobile app security, you can stay one step ahead of these attacks and maintain the trust of your users. and that's why you need Gard square Gard square GuardSquare is an amazing tool for app developers delivers mobile app security without compromise in a couple of ways providing advanced protections for both Android and IiOS apps Combined with automated mobile application security testing, so it can find vulnerabilities in your app And then I guess the third thing they do is real time threat monitoring. They're always looking out for how apps are being attacked and let you know, you know what to watch out for. I think you need as a mobile app developer, you need to find out more about how Guard Square provides industry leading security for your mobile apps. Go to Guard Square. Gard square Mbile app developers, thank you for the job you do and Thank you for taking the extra steps to make us secure with Gardsquare at Gardsquare. All right, Mr. Gibson What else you got Okay, so Uh it's been a while since the abuse of a core Internet protocol was able to take down a wide variety of servers But the recently discovered and as I've said very irresponsibly disclosed HTTP slash two bomb attack as it's called can knockdown Engine X Apache IIS envoy Cloud fllares, Pingora presumably any other modern web server that accepts and terminates HTTP two connections and queries as all of the current state of the art web servers do An independent observer of this wrote Since the bug is an HTTP two protocol bug, O services may also be affected with Engine X which is used in hardware load balancers the most popular open source reverse proxy and the ingress controller for Kubernetes. Envoy which is a reverse proxy for large cloud and tech companies such as Google, Amazon, Netflix, and Airbnb An Azure, which uses IIS All of those can be knocked off the air with this thing So they said a large portion of modern public facing web infrastructure is affected And when they say Affected, they're not kidding They wrote Given these circumstances, We had to take a close look at the write up and assess the impact in order to determine Which of our customers were affected and to incorporate the new attack directly into our platform And they wrote and oh boy That attack is effective With one single notebook We were able to bring down any of our own HTTP two servers small and large A single attacker consume twenty to thirty gig of RAM on the target. This is a resource consumption attack where thirty two gigs are are consumed and then locked. And it makes the server crash They said RAM slash memory remains locked even after the attack is stopped This allows for a low and slow attack in which the attacker starts with a low connections and stream rate, but gradually consumes more and more of the target's RAM resources over time. Once a certain RAM usage threshold is reached, the affected Engine X instance crashes and must be restarted via a hard reboot. So this creates permanent damage. And they said with these attacks, even a small bot net of just ten bots down services of any size. for a low and slow attack with fewer than ten requests per second net of only one hundred bots is sufficient. And due to the slow query rate, such an attack would be undetectable and unstoppable. by any web application firewall, which would normally be blocking high rate attacks Okay, so Given the discovery, of a truly devastating attack against pretty much all of the current internet infrastructure The fact that it's disiscoverer chose to release the details without coordinating with the rest of the industry Well, in this day and age, it's truly unforgivable We first encountered Caliph. That's the name of this group, CALIF, like as an abbreviation for California, C but I don't know what it is. Caliph counted them recently and I didn't think much of them at the time. Now unfortunately, I do think something of them. And it's not good Their website's homepage declares inlge font type pushing the frontier of vulnerability research with AI and the subhead is Lite hackers and top models G wrong Let's find out Okay. posting about this sets the tone for them and for their site O week ago today june second Their blog posting carried the title Codex, you know, open AI's, code u AI codex. discovered a hidden HTTP slash two bomb And they wrote teen years ago. So this is written in the first person by the person at Caliph. who was the discoverer. So he wrote T or G They fourteen years ago I helped break HTTP header compression then was asked to review the fix, which became part of HTTP two Life has come full circle Today, we're releasing an attack I missed publishing HTTT HTTP to Bom. a remote denial of service exploit against most major web servers, including Engine X, Apache HTTPD Microsoft IIS, Envoy and Cloud Flare Pingora The vulnerable behavior exists in each server's default HTTP two configurations. The attack was discovered by OpenAI's Codex which chained two techniques known to humans for a decade deression bomb and they slow Loris style hold bomb targets H pack. which is HTTP two's header compression scheme One bite on the wire. comes one full hitter allocation on the server repeated thousands of times per request Be hold is a zero byte flow control window that keeps the server from ever freeing any of it Curious search on San revealed more than E hundred and eighty thousand Websites porting HTTP to and running one of those one of these servers In other words Before releasing this or at the time of its release, They know Thanks to showhdan eight hundred eighty thousand websites can be brought down with this release it they do. They said though many oh here, so here's a cavey to that. many may sit though many sit behind a CDN. which is much harder to bring down They wrote a home computer on a one hundred megabit connection can render a vulnerable server inaccessible in seconds. against Apache HTDPD and envoy, a single client can consume and hold thirty two gigs of server memory in roughly twenty seconds They then get into the details of this potentially debilitating vulnerability that's sufficient for anyone proficient to design an attack That won't be necessary becausecause not only did these irresponsible jerks describe something for which they knew there was no current defense but they also published a fully working proof of concept exploit Not surprisingly, the folks over at Envoy produce that reverse proxy front end used by companies such as Google, Amazon, Netflix, and Airbnb We're not humored by the behavior of these irresponsible glory hounds So they posted to the feedback thread for this announcement blog posting They wrote P ignored responsible disclosure policy and released a zero day for Envooy's ecosystem Envoy Community was in process of releasing a patch For this problem And then they have a link to the Evoy security advisories U which is at gitHub d. com to which posting Calh Gy replied Thanks for fixing the issue so quickly This is a win for Envoy users Yes, you jerk We believe the traditional disclosure model is increasingly outdated in the era of AI assisted vulnerability discovery And we explain our rationale for disclosure in the post So they've unilaterally decided, well And that old responsible disclosure doesn't make any sense anymore. So We're going to, you know Stir this all up The envoy guy replies and irresponsible disclosure is a huge loss. Oh. so So This guy says this is a win for Envoy users, right? It's a win for Envoy users. Envoy replies and irresponsible disclosure is a huge loss for Envoy ecosystem possibly wider industry Did you disclose this to all H two implementations. This should have really been coordinated via Vince. to make sure all H two vendors are aware And if the ninety day disclosure policy is outdated, what's the new policy that you believe is appropriate? You have filed advisory on may twenty seventh published this blog on june second. So Is your new embargo policy four days Caliph responds and finishes with We disclose details Once we believe that anyone monitoring public commits could reproduce the issue using AI assisted analysis I guess that means instantaneously. In our view withholding information After the relevant commits are public does more harm than good We recognize that reasonable people may disagree. and we respect that perspective Thanks a lot for your respect What a mealy mouth position. Ippose we're going to be seeing more of this sort of thing as those could not have disclosed this attack on their own I'm sorry, not those who not have who could not have discovered this attack on their own Now use AI to find the attacks for them. in the era before AI. Wquiring True expertise. generally be accompanied by the acquisition of some maturity about it or they would value the attack they discovered because it was so hard to discover it. And so then they would responsibly disclose it to the people who it affected. Now, discovering a new attacks is free cost anything. When AI hand someone who has never done the hard work They don't have the maturity to guide their handling of such a gift In this case, it is utterly unconscionable. that this exploit would have been publicly posted without a far more widely coordinated vulnerability, you know and private vulnerability disclosure Engine X has scrambled. to assemble a patch and has made it available through standard update channels But we know that's not the same as it being online Apaches fix exists in a standalone module that has not yet been bundled into any release that package managers will pick up So again Not enough time Microsoft IIS has no patch and no CVE has even been assigned to the IIS variant yet And we know that Envoy also has just had to scramble As I said, I suppose we're going to be seeing more of this sort of thing in the future I'm not unhappy that I'm still running an HTTP one point one only web server for a change I'm sure that by the time I'm ready to deploy GRCs new servers, which I've talked about recently, Microsoft will have updated IIS to protect from this But in the meantime What a mess for everybody else Wow Um Another little related uh, AI. note for me. I've I've mentioned that I am Currently working, speaking of GRC servers reduce the purchase friction for GRC's software by supporting a range of one click purchase options such as PayPal, Google Pay, Apple Pay, Benmo, and so forth Since my plan is to create a few more low cost commercial products. Before I plow back into spinite for Windows I want to make purchasing those as simple as possible So I've been working to upgrade the e commerce system, which I wrote twenty two years ago briefly flirted with the e commerce provider Stripe since I liked their integration solutions But I decided to go in another direction during that Brief flirtation. They got hold of my email address So I' actually an alias that I use just for them, but still it's alive So I've been receiving occasional notes from Chet at Stripe rememinding me how wonderful they are And they just kind of come in and I ignore them I've noticed that every email from Chat contains a link. inviting me to set up a time for further discussions U You know, the wonders of using stripes But I've just been ignoring those emails and letting them go unanswered. Until this past Sunday evening. What I decided to explain to Chet that since they do not support PayPal payments pe is a non starter for me Yesterday morning reply was waiting for me from my Sunday evening email, informing me of the good news that Stripe did support PayPal payments so that as the email put it It didn't need to be one or the other And as with every email quickly ended with a link to quote, Book of Time for a Stripe Discovery callall Now what I'd failed to mention to this chet was that I needed to have everyone able to use PayPal. including U. S. domestic purchasers. And that is not something PayPal allows. anyone else to do So Stripe does offer PayPal, but only for some international users Joting a short note back to Chet I was hit by the question Am I interacting with a person? because Thinking back on all those previous emails And itss response to me when I finally did answer it I suddenly had that question, Is there actually any chat at the other end of this email dialogue I realize that these days, it's entirely possible now all of this sort of front end sales lead development already been automated by AI I'm being pushed by automation Cick a link to make an appointment with a real person And the cost of that pushing from the pusher's end may have been reduced to zero. They don't need to be paying a human any longer It's not a great job, you know, even when they were paying a human, but still Now all of the cost of that interaction is at my end It's actually a new form of business spam and The other thing that clicked into place for me is that it's becoming prevalent because one of the things I've been noticing is the degree to which an increasing percentage other enterprises that I'm noticing are being having Stuff outsourced. When I was interacting with Digisert a few months ago I noted that many of the links, which looked like theirs actually pointed to salesforce. com Digaert is outsourcing. a large chunk of their customer service communication handling Now a second order consequence of this. e of this increasingly prevalent outsourcing is that is the degree I guess of what I'd call Presence broadcasting has been steadily increasing. I've been noticing it happening Good old days. company needed to design and develop They're forward, you know, they're they're outward facing communications for themselves Every was It was varied and it was minimal. being only what they really needed for them. what really made sense for them But now company signs up, for example, with Salesforce. They simply check off all of the various crappy outreach services they want to offer in their name And inherently subjects everyone to that they can find And that service provider then makes it happen. And today, Now we add to that Patient Never tiring Proactive emailing AI agent. Uh which is going to have zero cost conversations as a means of what used to be work in the phones or in this case, work in the email. So It seems clear to me that many businesses soon are soon to become much more annoying I just, you know, I had this weird thought, Leo likeike as Ily replied to these emails, they're all very succinct, very short Chat And they all invite me to, you know, find a time when we can have a conversation. I doubt that there's any chet at that end Be nothing I've done really requires one Yeah And I don't know if you've noticed, but You know, I'm feeling A homogeneity Aong very different companies that have identical feeling outreach. And I realized it's because oh they didn't write it They're now they're now subscribing to to an outsourcer that just does this And Unfortunately, it just means we're going to get a lot more of this crap We as internet users, we get good at ignoring stuff Bubs Bam I mean, it's just endless. It is unfortunate. Yeah Okay, we have two more breaks. Let's take one now And then we're going to get into looking at malicious use of AI, and we'll take our next break Okay, you know, about halfway through that Okay, that's good. I'm ready to talk about our sponsor for this segment of security now Dpple Yeah, maybe that voicemail is an urgent message from your CEO. sureure, sounds like your CEO You ever think it could be a deep fake trying to target your business happens more and more, AI can impersonate trusted individuals and Dppl's platform illustrates how frequently Users fall for phishing attempts. U we, you know, we did a little demo. I've played this for you before of This is this is in four minutes Anthony Nielsen was able to train a model for my voice and make this message This is definitely not Leo asking you to buy gift cards, but seriously, can you grab me one hundred Apple gift cards? Just kidding. This is Anthony testing teext to speech. How's it sound Fortunately, Those better Uh, but you know, that sounded just like me, right? It wasn't me I never said those words. It was an AI And unfortunately, this fools people. it fools your employees inoice calls, simulation, deployment, stopleded Target users get this spent six minutes. On average, conversing with the deep fake A hundred percent of them believe the AI was human couldn't tell the difference That's why you need Dpple. Dpple is the AI Native Social Engineering Defense platform Dpple strengthens human risk management by training employees to recognize reception Wh Dpple's digital risk protection Tects and disrupts attacks across every channel. You need both As I mean, attackers now and we're going to talk about this more in a bit. they are turning to AI power increasingly soopphisticated strikes And your employees are practically helpless against this. but Dppel can help them fight back withith automated takedowns multi channel coverage and AI defenses that build intelligence with every fight. DPO works relentlessly to protect people brands And most importantly DppL offers best in class integrations and partnerships to seamlessly integrate into your existing security stack And Dppel' industry awards and testimonials speak for themselves. Dpp' recognized as a winter twenty twenty six G two leader of ussers most likely to recommend and Momentum later and best support Join hundreds of companies already using Dppel to protect their branded people from social engineering attacks Dopel Pacing, what's next Is social engineering learen more com D OPP E L . com. We thank them so much for their support. of security now. It's scary out there Stopook can help Back to you, Steve And it is rapidly getting scarier. It is. So okay We all knew it was coming But it is no longer coming. It is arired. It's here Last Wednesday, Anthropic published a red team report which examined abuse of their clawed AI by malicious actors We need to understand and examine how AI is being used h, by those who are You know, aiming at nefarious ends in order to protect ourselves. So the report's three authors at Anthropic open their report by writing We spent the last year investigating how threat actors are weaponizing AI cyber operations Today we're sharing a new analysis that maps these real world attacks ono the Miter attack framework database of tactics and techniques used by cyber attackers Doing so reveals patterns that challenge traditional assumptions about cybersecurity For example the level of risk a threat actor poses can be assessed via metrics like technical sophistication or breadth of techniques partnered with Verizon to include some of these results in their twenty twenty six Verizon data breach investigation report publishing this report to offer a longer form analysis of trends we see in AI enabled cyber operations Okay, so What I'm about to share from their report You'll hear these researchers referring to accounts counts. Anthropic is referring to our clawed AI accounts whoose holders We're attempting to use or abuse their access to clawd AI for malicious purposes The other key to understand is this Miter MI T R E attack T Amersan CK, the Miter A attack framework, which we never had the occasion to look at closely The Miter attack homepage explains They said Mitor attack is a globally accessible knowledge base adversary tactics and techniques based on real world observations. And I'll just note that at the end of this report, they they observed that the Miter attack Knowledge base is gonna to need updating based on the impact of AI So they so Miter says the attack knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community with the creation of attack Mider is fulfilling its mission to solve problems for a safer world. bringing communities together to develop more effective cybersecurity. Tack is open and available to any person or organization for no for use at no charge Okay, so This Miter attack database is really nothing more than a well thought out and carefully constructed taxonomy. all the various things bad actors have been seen to do through the years And right it makes sense to have like a common vocabulary, a common enumeration system where we can say like this technique and this tactic were used and have those meanings well defined and described So for example breaks malicious conduct down into fifteen categories reconnaissance Resource development initial access execution Persistence Privilege escalation Stealth. Defense impairment Credential access Discovery Lateral movement Collection, command and control exfiltration and impact And so basically thoseose fifteen broad categories, you can you can They're enough to contain whatever we see And then each of those broad categories of malicious conduct then broken down into a specific behavior. I'll just give you an example of one. So for example taken that first category, which was reconnaissance That's broken down. by this miter attack framework into the into twelve specific techniques of reconnaissance. of scanning gather victim host information gather victim identity information gather victim network information gather victim org information Fishing for information. quuery public AI services search closed sources search open technical databases, search open websites and domains, search threat vendor data and search victim owned websites So again, this is meant to be a comprehensive description of anything that the bad guys do And so what that anthropic researchers have done is to they they took everything that they saw during a twelve month period from March of twenty five to this past March of twenty six and and plugged all of the behavior into this mitor attack database in order to talk about it. And so terms from the database are what I will be then describing It is. a widely agreed upon system for categorizing and naming. So Here's what we know from their explanation. They there' three researchers, right For this study We analyzed eight hundred and thirty two accounts. Ag, accounts meaning guys had a clawed AI account which is what they found where where they found the misbehavior So for this study, we analyzed eight hundred and thirty two accounts associated with malicious cyber activity Over the course of one year, from march twenty fiveth to march twenty sixth Anthropic banned these accounts from using Claud for violating our usage policy. countounts in this analysis are just a subset of those we investigated banned during this time period We selected them because we had enough detail about their malicious activities to map their techniques onto the Miter attack framework The eight hundred and thirty two accounts in our analysis used AI models H. teen tactics and four hundred and eighty two unique sub techniques across the framework from initial reconnaissance through final impact. We also developed a risk scoring framework to assess how much AI assistance helped theseese actors plan their attacks Most strikingly, we found that the percentage of actors labeled as being Medium or high risk jumped thirty three percent. to fifty six percent between the first and second halves of the year Okay, let me make sure everybody gets that because this is an important issued We found that the percentage of actors that they were labeling as being medium or high, went from a third thirty three percent to more than half fifty six percent between the first half of their analysis period and the second half of their analysis period. They wrote This suggests that AI is helping attackers conduct increasingly sophisticated cyber operations Greater ease. Our analysis resulted in three key findings F The number of actors using AI for cyber operations is growing and their actions carry higher risk As mentioned above, the percentage of medium or high risk actors increased by a factor of about one point seven in under a year thirty three percent during the first half of our study window to fifty six percent during the second growth is concentrated in actors using AI for some of the most harmful activities, including lateral movement Credential dumping and webshells carry the highest per actor risk weight. in our scoring rather than the commodity, build and obfiscate work that dominates the rest of the population. Traditionally Only the most technically sophisticated actors could operate across the entire kill chain or the sequential stages of a cyber attack But our analysis found that this is no longer the case. platform through which they access the model. such as an API or an a Gentic coding platform like Clawud Code also has no bearing on how high risk their actions are does distinguish the highest risk factors is which techniques They're asking the model to perform Aentic scaffolding will make it possible for cyber attacks to be far more Autonomous As AI enabled cyber techniques become more common among this population It will become harder to differentiate 's risk level based on what they're asking a model to do Inead The differentiator will become the scaffolding The surrounding code architecture and tooling that makes AI models more capable that actors build around the model so they can chain together attack stages autonomously This was starkly apparent In the cyber espionage campaign, we disrupted in november twenty twenty five which had a maximum risk score of one hundred only used a number of techniques comparable to medium risk actors. That attack was distinct because of the number of techniques it employed because of how the attackers used an AI agent to orchestrate them Third The Miter attack framework does not yet cover the autonomous actions that make these actors so dangerous Autonomous kill chain orchestration real time pivot decisions and AI directed execution with no human intervention do not yet have ID numbers in the attack framework report included thirteen thousand eight hundred and seventy three observations of malicious activity all of which mapped to categories laid out in the framework But the behaviors that distinguish the highest risk actors and determine the speed and scale of their operations do not yet have such IDs taxonomy that threat that modern threat intelligence relies on must be evolved to capture them Claude Mythos's preview demonstrates where frontier AI cyber capabilities are heading Mels able to find and exploit vulnerabilities at a level approaching the most skilled human researchers This report tells us how threat actors are already misusing generally available models today. It also serves as a guide to how threat actors are likely to misuse increasingly capable models in the near future. giving defenders a chance to get ahead of them I hope. And they finish What we learned from this. and other analysis directly shapes how we build aud to prevent such misuse. For example We've updated the classifiers into Claude the highest risk actors and have expanded our probe detections to cover high risk behavior indicators revealed by this analysis findings point to a landscape where the dividing line between low and high risk actors is no longer technical skill orchestration And where defenses, detections and the shared frameworks we all rely on will need to evolve as fast as the attacks they describe Okay, so There's so much here No one Wh's been following this podcast has ever heard me Run around said that the sky is falling But what we learned from this report is as close to that as we've ever seen. This extremely sobering report shows that while we've been focused upon and enraptured by all of the many productivity benefits the use of LLM AI can bring to our lives Malicious actors have been exploring the many ways That same power. can be used to attack our world And unfortunately, there are many the extreme leveraging power of AI Both ways. during the many years of this podcast before AI Our longtime listeners will have often heard me suggest M major cyberpowers Must 've been assembling atttaining and growing. a large database of known vulnerabilities because we know Most of the world is not updating their systems The database will be large, unfortunately, because there are so many vulnerabilities which we've encountered over the last twenty years My thought was always When a nation state actor wanted to attack someone specifically They would determine which equipment and versions were being used thenen look up The known vulnerabilities in their carefully curated master vulnerability database and launch their attack Turns out That's not the way it's going to happen Inead All of the well meaning security researchers and software publishers around the world have been publishing As we have for the last twenty years of this podcast all of this information Thanks to AI model training It doesn't need to be curated into any master reference database. Instead, any well trained malicious AI will have absorbed all of that knowledge. and will have it at its at the tip of its virtual fingers when it's asked to target a specific entity The most important point to appreciate is that Bad guys only using publicly available cloud based AI, such as Claud, GPT, or Gemini, whatever because we're still in the earliest days of where this is all headed I cannot say that enough. I mean, just the fact, Leo, that we see you know, a new model comes out an hour ago And it's a dramatic improvement over what we had that came out three weeks ago. I mean, this is just moving So fast And and I guarantee you It's not like this we're running out of steam here. We're still accelerating You know, AI's legs are just being stretched at this point So widely available public cloud based AI services. cururrently investing a tremendous amount of time, effort and resources into erecting, maintaining and refining the guardrails. around their AI because they have no choice, right? They Must everything they can prevent the abuse of their publicly available services And the essential nature of LLM based AI means that even that is not easy. as we saw Anthropic is saying, well You just can't talk to us on our most advanced model about cybersecurity or biotechnology because we're just going say no We're not We don't believe that we can determine you know, well meaning cybersecurity questions from malicious ones. And in fact, there may not be really any difference because if if a security researcher wants to know about something bad That's the same as a bad guy wanted to know about something bad. They're just going to use the information for different purposes can't give out the information Here's the problem We already know that AI is able to run Quite well off the cloud Locally on local hardware. It may not be super strong, not like what you have in the cloud with massive data centers and crazy H two hundred chips that cost what is it? forty thousand dollars some insane amount of money that NVidia is getting for these chips That's going to change loocally run AI will have no safeguards, no guardrails of any kind to limit its actions. In the very near future, it will be local models. the malefactors will be employing to direct their real time attack campaigns. They're not going to be using anthropics Claud, where it's wheres it's booting eight hundred thirty eight of them off or eight hundred thirty two of them off of their accounts. They're going to invest in local hardware just like Bitcoin miners did back in the day You know the strongest hardware available and that's going to be running future attacks and it'll have no safeguards That's what's going to happen. And while it's against my nature to warn that the sky is gonna to fall, the sky is falling for sure. In the near future, I'm not sure I'd want to be spending too much time out in the open. Okay, chicken little. We have far too much legacy mess to clean up and not nearly enough time or incentive to do it. We don't we just don't see people updating the systems that are not giving them any trouble, Even that they are they are old and bug ridden probably already harboring some malware. Well they're going to get some company We're in trouble The bad news is that once attackers move to the use of their own local AI Our ability to monitor their actions as Anthropic did at the AI prompt level. It's going to disappear So we're not going to know what they're using their AI for. We're only going to see astonishingly sophisticated attacks. as if world class hackers who knew everything about everything We're entering systems and pivoting like masters and moving A uh, u through through through networks and taking them over. Like I said be good times Oh The good news is that as anthropics year long study shows This has not happened yet So moment we're able to see what these miscreants have been up to Ananthropic rights The findings in this report Drawn eight hundred and thirty two accounts that anthropic bann for violating cyber related parts of our usage policy between march twenty fiveth and twenty six We identified these accounts through a combination of automated safeguards and investigations by our threatened I sorry, I'm hiccupping. by our threat intntelligence team for each account produced a summary of the observed activity. We then extracted the tactics, techniques and procedures, you know, the TTPs described in those summaries and maed them to the version of the Miter attack framework that was live at the time, which was version eighteen It all We observed thirteen thousand eight hundred and seventy three actions across four hundred and eighty two unique techniques All fourteen tactics We gave each actor a risk score from zero to one hundred based on a new methodology we've developed called the AI Risk Enablement score. So it's AI R ES, which they're calling Aries. We've anonymized the data so that actors cannot be identified in the analysis that follows. Okay, so I'm going to skip past the description of their scoring system because you know the most interesting part of Anthropics report They learned of the way threat actors are using I would say abusing AI today And Leo, let's take our last break and then we're going to look into this breakdown All right. What is actually being done by the bad guys And while you've been talking, I've been getting all sorts of security work done with Fable. Wow. tching all my holes. It's amazing what it's finding And these are holes that that previous AI did not didn't see four six And actually previous AI wrote that code. That's right That's right. So these holes which are which are security vulnerabilities were created by previous generation AI. Good point. Yeah, That's a good point. Yeah. It's been fun just running through everything with Fable Fable' very smart, very fast very impressive. It's really interesting to see this at work. another big jump in capability. just happenens It's hard to believe. I know. I know. It's happening pretty fast here now. There was an article I read this morning saying that math Generically, mathematicians. It's falling. to AI in the same way that Chess did to computation. Yeah. basically there are High end math Theoretical math that has been eluding mathematicians and AI is now Resolvevinges and in fact, it's now it's It's It's not producing the proofs, it's now the mathematicians are trying to understand the proof that the AI provided. So the AI says, Yeahah, here you go. now the now the humans are like, what the heck It doesn't seem like this is pulling stuff out of its knowledge base and applying it. It seems like it's creating new stuff. it's kind of amazing What's happening? anyyway I love I love following these stories. I do and we will continue to do that more With Steve and security Now in just a little bit actually we'll learn how the bad guys are using it next. But first, security Now is brought to you this week by Cyberhoot. There are a lot of bad guys out there. Cyberhoot is there to protect you. If you've ever rolled out security awareness training and thought This is this feels more like a compliance exercise. that actually teaching me security That is a universal feeling, right Most platforms work basically the same way. They try to catch users making mistakes Then they go, gotcha They send you know, fake phishing emails to inboxes, they wait for somebody to click and then they go and assign training after the fact And frankly, could feel a little punitive And It doesn't change behaviors. That's most important. You don't learn when you're being punished That's where Cyberhoot takes a completely different approach This is what Lisa is doing right now. Instead of trying to trick. Your users cyberhoots hoot fish I love the name. Hootfish focuses on teaching them first. So she's in the little class right now not in their inbox after a mistaken click, but in their browser through a trusted, realistic phishing simulation. It's actually really fun. The goal is simple to build instinct before that click ever happens. Oh, and for you, you'll love it because it's automated. Cyberhoot is fully automated training campaigns Reminders, escalation to managers' reporting is all handled for you So instead of chasing users, you clear visibility into who has completed what and where your risks are And here's something interesting. Cyberhoot also adds a light in social layer. In fact, it was telling me? Lisa just sent him an owl because she' shearing an owl, right? Here's my owl. Users connect with coworkers and engage in a friendly competition around the training process, not forced gamification enough fun to increase participation without turning it into some sort of Punitive Gacha system And it really works. G two reviewers rate Cyberhoot four point nine out of five stars. I've never seen such a good score The reviewers repeatedly praise ease of use hyper participation Brief content Non punitive training, full automation and strong support If your organization is ready to stop punishing people for being human and start actually buildilding cyber smart employees head to cyber hoot ot com slash security Now and by the way, use the code Security now, one word to checkout and you're going to get twenty percent off your first year, twenty percent off That's CYB E R H O O T dot com slash Security now the promo code, security now for twenty percent off your first year. Just remember, cyber hoot, laugh, learn and hoot up. Cyber cyberhoot dot com slash security. Now it really is a hot. and don't forget to use the offer code. Security now. to Gibson Okay, so What did they find They wrote our empirical analysis of thirteen thousand eight hundred and seventy three observed techniques reveals clear patterns in how adversaries are using AI across the attack life cycle and the most common techniques that models are being used for today The most common technique family we observed was develop capabilities. That's one of the miter attack categories, develop capabilities by five hundred and seventy four. out of the total eight hundred and thirty two actors in our analysis, which is sixty nine percent The majority of this behavior manifests as malware development used by five hundred and sixty out of those five hundred and seventy four this we observe threat actors misusing models buildild and refine custom scripts to run DLL injection code with detailed guidance on how to implement it as well as Canvas fingerprinting evasion and automated account management The next most prevalent techniques are obfuscated files or information employed by sixty four point seven percent of threat actors Data from local system employed by fifty five point nine. and impair defenses employed by fifty four point nine also Together these top techniques show that threat actors most commonly seek LLM's help build P engagement offensive tooling making thoseoles those tools harder to detect and harvest data from compromised systems On the other hand, actctors are much less likely to use LLMs for real time adaptive decision making, which that's where the real danger is, right onnce they've gotten inside a target network, so less likely For example, only fifty four of the eight hundred and thirty two threat actors, which is six point a fiveal percent used models for lateral movement and less than twelve actors use models for remote services like RDP, SSH, and SMB Only twenty two and a half percent of actors use LLMs for privilege escalation and impact stages. So those are all you know Post infiltration actions technique families that are staples of real world cyber attacks, such as active directory exploration, Kerberos ticket attacks, cloud infrastructure, manipulation,, AWS, Azure, and GCP and container escape They noted have lower representation within the data set. So Basically the bad guys are sort of still using AI to in the old model, not for dynamic real time app. attack build malware that's G change All So one observation I have is that Anthropics's view of what the bad guys are doing is is probably skewed by the fact that their AI is deeply wrapped in guardrails So the lack of more sophisticated AI, the sophisticated use of AI's potential Also probably a combination of the resistance cloud based services already have built in against abuse with how early we are still in the game. As I said, it's going to change And boy, when they start using local unrestricted models We're really going to see a change The strongest supporting evidence for this is the fact that anthropic noted that large jump in their own risk assessment of what bad actors were doing. Remember it jumped from a third of them to more than half of them up to fifty six percent of them in the second half, which suggests that we are nowhere near reaching any sort of steady state This is all still very much growing so they continue writing the top techniques and the frequency with which actors use them did not change much over the one year period we studied bothoth the first and second halves of the period, the median The number of techniques the model is used for is sixteen Meaning, right? sixteen, there were just as many threat actors who used fewer than sixteen as who used more than sixteen. so median as opposed to average In the second half of the year, we observe a subtle directional shift with threat actors using models less to build standalone malware or obfuscation scripts and more to help with specific operational phases in a cyber attack and for on target discovery and collection techniques. In other words That's where the sophistication is and that's where the bad guys are going Specifically, we observe an eight point nine percent increase in account discovery occurrences as well as a six point two increase in automated ex ffiltration alongside a twelve percent decrease develop capabilities, which was that front end stuff and an eight point six percent decrease in fishing. againg let let you know, more in the post infiltration and less on the getting ready to do so They said defense evasion. the single largest category in the dataset present in the behavior eighty four point four percent of the actors we studied Miter defines sixty four techniques under broad category of defense evasion across its enterprise and mobile specific frameworks We observe thirty two, so exactly half of these techniques in our data set twenty five for entnerprise and seven for mobile. techniques observed within this tactic include stated files or information where sixty four point seven percent of threat actors in their sample used AI to implement techniques like. X or or base sixty four encoding So so this is obfuscation of information, right? Polymorphic variants and antid detection wrappers to evade signature based detection fifty four point eight percent used impai defenses. where the AI was used to bypass, disable or tamper with the endpoint security tools, getting around whatever was there to try to catch them. thirty point three percent of actors used AI in for process injection to write malicious code that could be injected into legitimate processes such as hollowing out processes and DLL injection to execute payloads from trusted process memory less frequently used tactics include packed exXfiltration. privilege escalation and lateral movement. Tether, these account for just eight point seven percent of all observations less than defensiveasion alone So they said overall, the actors with the highest risk scores used AI mostost heavily Post compromise hands on keyboard techniques such as remote services, credential dumping, webs shell deployment, internal network and account discovery. Lateral movement was the strongest marker of a high risk actor fifty four actors in their data set who used lateral movement had an average risk score of fifty six point four, which was ten points higher above the average, which was forty eight point six No other technique came close to having such predictive power So lateral movement is what the heavyweight hitters are using So Uh The aspect of this entire study that's most unclear to me again, and I mentioned this before, Leo, is how these researchers avoided the problem tering the behavior their abusers They're describing wide ranging malicious activity they apparently directly observed So Does that mean that they allowed Claude Pform these services for the bad guys Did they drop their guardrails in order to see what the bad guys would do U You know, that's difficult to imagine did not then those attempted malicious actions would have been ed and blocked. D would think. Yeah. you know in the model card for the new fable, it says we will We have put in all sorts of hidden things prevent this And u it it will it will You know, and they said it's not jailbreakable, which I find to be a very cocky thing to say and very unlikely. But They are definitely trying to keep bad guys from using these models for malicious code whether they'll succeed is another. So they said what this means for defenders, right? So here we are, the good guys They saw mean They wrote the population of AI enabled actors is not only growing but also drifting toward the riskiest activities in our framework. without requiring the actors themselves to become any more skilled. So there's the gota, right? Yeah. That's the danger is that it has lowered the bar of skill level So less skilled and there of course, it's a pyramid, right? There are many more less skilled threat actors than there are Th the cream of the crop at the top They said, if this trend continues, these operational techniques will not be a differentiating factor anymore That is you won't be able to tell the skill of an actor because they'll all be doing the fancy stuff and will become the baseline for tomorrow And we'll need to find a new way to measure the riskiest factors. I don't care about measuring them. I mean, they're bad. Okay, they said looking at our highest risk threat actors also underscores Calculating the risk of AI enabled cyber operations based on number, type, or breadth of attack techniques is insufficient Yeah, I would Are you irrelevant We need a way to understand the scaffolding Threat actors are able to build chain these techniques together and Leo, I just see this being automated. I see it being sold on the Dark Web. There will be scaffolds which the advanced guys sell to the junior guys Eactly which automate all of this for them Yeah And they said this will allow them to use AI models to autonomously execute large swaths of a cyber attack without human intervention Now, get a load of this. Here's there the one guy. they said, we analyze the behavior of the threat actor who orchestrated the AI enabled cyber espionage campaign We reported on in november twenty twenty five. They labeled this threat actor GT G thousand two We see that this actor achieved the maximum possible risk score of one hundred Remember that the average was down at forty six point two. So this guy, this was an elite successfully compromised government critical infrastructure targets across multiple countries and developed a scaffolding to use clot code not as an advisor. but as an autonomous operator overall miter profile. thirty techniques across thirteen tactics. is comparable dozens of medium risk actors in this dataset Median actor deploys sixteen techniques, so they were even below the median Several low risk actors also exceed thirty In other words ique count or tactic type loan. could not explain GTG one thousand two the highest risk factor we've observed thus far does explain This actor's high risk score is the increasingly agentic Components They used how they were able to orchestrate and chain together techniques to take action on their objectives GTG one thousand two weaponized Flawed code rununning on a Cali Linux machine integrating open source penetration testing tools as MCP. Mel context protocol servers effectively Turning the AI into an autonomous attack platform rather than a code writing assistant. The AI didn't just suggest commands or generate attack scripts, it executed them. and reasoned about attack environments autonomously Some indications of their ageticness show up proxied through the types of techniques we track GTG one thousand two employed operational techniques such as remote services, SSH exploitation of remote services and archived collected data Those are the minor categories. theirir analysis includes concludes with a very clear description of what they observe this most advanced threat actor, which they codenamed GTG one thousand two doing. and if If you want a chill to run up your spine, Just remember that we have barely begun And that what may be a single operated risk profile actor today almost certainly become everyvery threat actor Once the understanding of how to best leverage these tools becomes widespread And we know it will become widespread So Anthropic explains what this one actor, GTG one thousand two did firstirst I have three bullet points. first. Autonomous execution with within stages GTG one thousand two deployed clawed code running on a Cali machine to orchestrate dozens of MCP tools operations autonomously scanning and mapping dozens of internet facing services during reconnaissance, then discovering internal admin portals, databases, logging servers, and temporal workflow systems once inside the network The AI didn't just suggest commands, it executed them making tactical decisions about what I'm getting goosebumps. making tactical decisions about what to probe next without waiting for operator input Next, live exploitation and pivoting. operating within GTG one hundred one thousand two scaffolding, the AI exploited an SSRF, a server side request forgery vulnerability in a public facing web server to proxy commands into the internal cloud environment harvested SSH private keys from internal infrastructure and service account tokens from cloud metadata devices and AWS secrets manager and use those harvested credentials to move laterally across the victim's cloud environment. These are the operational phases, discovery, credential access, lateral movement that were more rare in our data set And finally humuman intent AI execution GTG one thousand two provided strategic direction while the AI handled tactical implementation The AI operated autonomously. I can't believe I'm even reading this Le. this year ag a year ago, this was sci fi I mean, it was a year ago, this was science fiction And and and it is now real The AI operated autonomously during reconnaissance and internal discovery adapted its approach when it encountered unanticipated infrastructure like container image signing workflows and service account identities. It staged and compressed Tens of thousands of proprietary workflow records and internal architecture documentation for exfiltration the final data extraction downloading to the attacker's machine via Curl MCP tool calls was human directed, suggesting the operator retained control over the consequential decisions while delegating the operational work to the AI TG one thousand two s activity was novel for using an AI agent autonomously chained together manyany stages of the cyber attack life cycle. Reconnaissance, exploitation, lateral movement and exfiltration into a coherent operation making real time decisions about what to do and what data to collect This is the dimension AI enabled uplift that a technique frequency table cannot capture And it is the dimension We expect to matter most as agentic tooling matures So while the good guys cururrently excited about the promise of using awesome The awesome leverage of a gentic AI to transform our lives for the better We should also soberly recognize that malitious forces throughout The cyber world every bit. as excited ability they are now receiving to dramatically magnify the power of their cyber attacks this new AI technology a with a gentic agents coupled with MCP to remotely control existing tools is you know, it's neither good nor bad in itself what it is Unfortunately, is a great deal of both Yeah. And we got it. Nothing you could do about it now It's it's here. It's know, but I mean, but take everybody take this seriously. Yeah Well, I think today's the day because of the release of Fable. I think. it is now. It's here Right. It's not as fully capable as Mythos, I guess, but I'm Really impressed by what I've seen so far. Pretty amazing Steve Gibson I was going to say so so fable is not mythos. It is it is an u Mythak Jason They're calling on on six It's the next Cotm But I think it's very related to mythos It has certainly security capabilities But Mythos remember wasn't trained specifically for security capability It's just a really good model That's what's that's what's happening. Yeah U S Sorry, cld five, not clad six. I skipped one A last clock four, six four five, four, six for seven four eight and we're now Well, and they're calling it Fable five when it popped up, it was fable five Yeah. Yeah I'm sure. I mean, this just it's just came out. This is we're going to see a lot more but so far the buzz is very, very positive everywhere I look Which it wasn't for for eight. For eight was pretty much universally reviled U I think four eight was an interim release because they wanted something to fall back to when they released Mythos. And you know, when you said this, I was reminded of how Windows versions always alternate between good and bad. Oh yeah You know, it's it's like me Yeah it's I don't know why But now like every other window major release was right was famous for that. Yeah ye famamous for that mister Gibson is at gRc d. com. He's famous for a lot of things, including shhields up, which tests your network Spin write, which tests your hard drive, affects the world's Best mass storage maintenance, recovery and performance ennhancing utility, effect if you've got mass storage of any kind You need spin rightite. sixix ones the current version. This is Steve's bread and butter. He also has his newest program, the DNS Benchmark Pro which tests various DNS servers from your loccale to find the one that's best for you whichich is, you know, it's not the same for everyone by any means You'll find all that at GRC. com along with this show. He has A couple of unique versions of this show. a sixteen kilobit audio version, which is a little scratchy, but small A sixty four kilobit audio version, which is just fine And he also has the show notes, twenty two, twenty three pages of excellence Hand crafted no AI. You don't use AI on the show notes, do you? That's that's Elaine. In fact, our show last week was three hours. And so she transcribed. She said normally by this point I I'm done transcribing, but I still have thirty seven minutes left I got them Friday and midnight. She did not sleep or at least don't. Lane will be happy. This was only two and a half hours this time. So thank you, Steve. Yeah, Lane Ferris, a human writes the transcripts. Those are also available at gRC. comot You can send Steve email, go to gRC. com slash email Whitelist your email address. It won't go through until you do that. That's an important step. After you do that, you might want to look at those two boxes below. you can As Steve to email you the show notes the minute they're available, usually a couple of days before the show He also has a mailing list which will announce new products, which he never uses, but you might might as well sign up for that because when you get an email from that, that's like a red lightter day. That's a big deal All of that at gRC d. com. We also have the show at our website twit. tv slash sn We have audio, yes, but also video. That's our unique format. You'll also find it on YouTube. There's the video there. Great way to share clips. I know a lot of people like to do that with this show. and then you can always subscribe and your favorite podcast client. get it automatically as soon as it's done Audio or video or both We do stream it live. if you want the absolute freshest version, We do this show Right after Mac Break weekly, that's usually about one thirty Pacific on a Tuesday We're thirty easastern twenty thirty UTC Uh it's also, uh u Let's see what Oh yeah It's in the discord for club members and I do hope you're a club member. I keep forgetting, Lisa reminded me If you want chapters, a lot of people say, Hey, I would love to be able to skip throughue stuff. onsecurity. Now we can't do that on ad supported shows because The ads are variable lengths and in many cases inserted after the fact. so we couldn't tell where the time markers would go. right. YouTube could do that because they insert all the ads. but for us we have different parties asserting ads. So And they're different lengths, so we just don't know. However, if you're a club member, we do put chapter markers in for club members. So that's another benefit. adddd free versions of the shows plus the ability to apter by chapter or go back a chapter if you want to hear something again. I think that's more likely with Steve If you want to look at that, I got hear that one again That is part of the benefit of being a club member, ten bucks a month. It also really supports us. It helps us keep doing what we do here and I think it's really important that we do. I know it is. So please join the club. We'd love to have you at Twit that TV slash Twit You can watch live even if you're not in the club on YouTube, Twitch, X. com, Facebook, LinkedIn and kick Every a Tuesday afternoon, Steve, I'll see you right back here Next week for another gripping edition. S you now Rato Hi there Leola Bord here. I just wanted to let you know about some of the other shows we do on this network. You probably already know about this week on tech. Every Sunday, I bring together some of the top journalists in the tech field to talk about the tech stories. It's a wonderful chance for you to keep up on what's going on with tech, pllus be entertained by veryer bright and fun minds. I hope you'll tune in every Sunday For this week in tech, just go to your favorite podcast client and subscribe This weeknd tech Security now

This excerpt was generated by Smart Features

Listen to Security Now (Audio) in Podtastic

For listeners, not advertisers

All podcast names and trademarks are the property of their respective owners. Podcasts listed on Podtastic are publicly available shows distributed via RSS. Podtastic does not endorse nor is endorsed by any podcast or podcast creator listed in this directory.