2026-06-25 AI创业新闻
Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access
An unknown threat actor exploited a recently disclosed high-severity security flaw impacting Cisco Catalyst SD-WAN as a zero-day at least two months before it was publicly disclosed, according to new findings from Google-owned Mandiant. The vulnerability, tracked as CVE-2026-20245 (CVSS score: 7.8), allows an authenticated, local attacker to execute arbitrary commands with elevated privileges by supplying a crafted file to the affected system by taking advantage of the device’s insufficient validation of user-supplied input. Earlier this month, Cisco acknowledged that it became aware of exploitation of this vulnerability, adding that a malicious actor must have netadmin privileges on an affected system to pull off a successful attack. “Throughout the intrusion, to maintain operational security and avoid detection, the threat actor consistently employed anti-forensic techniques, selectively deleting and restoring system configuration files that were modified during their activities,” Mandiant researchers Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan said .
The incident, the tech giant’s incident response and threat intelligence arm added, targeted an unspecified communications service provider to elevate a compromised admin account to full root-level access. Two distinct periods of unauthorized activity have been detected, one taking place between late 2025 and January 2026 and the other in March 2026. At this stage, it’s unclear if these two events are connected and the work of the same threat actor. During the first wave, the victim is said to have experienced unauthorized peering connections that likely exploited one of two authentication bypass flaws in Cisco Catalyst SD-WAN controllers ( CVE-2026-20127 or CVE-2026-20182 ).
It’s worth noting that both the security vulnerabilities were undisclosed zero-days at that point. Then in March 2026, a second wave of rogue peering connections targeted a device running a newer software version that was patched against CVE-2026-20127. Cisco has since confirmed that these connections did not leverage CVE-2026-20182, raising the possibility that the attacker, who may or may not have been behind the previous unauthorized peering connections, relied on stolen certificates from a prior breach of the same device to obtain initial access. “The attacker then changed default admin credentials before exploiting CVE-2026-20245 as a zero-day via a malicious CSV file upload (evil_tenant.csv),” Mandiant said.
“This exploit allowed them to escalate privileges and create a rogue user account (named ‘troot’) with full root-level shell control.” The attackers have also been found to consistently cover their tracks by deleting files created by them, reversing configuration changes, and running scripts to ensure that no evidence was left behind and limit defenders’ ability to assess the full extent of the compromise. “After changing the default admin password and exfiltrating the SD-WAN fabric configuration, the actor changed the password back to its original value so an administrator logging in would not notice anything was off,” Austin Larsen, principal threat analyst at Google Threat Intelligence Group (GTIG), said . “They escalated to root through a malicious CSV upload, created a hidden “troot” account in /etc/passwd and /etc/shadow, then deleted every file they touched and ran a validation script to confirm their indicators were gone.” Google pointed out that the activity once again highlights the “continuing trend” of bad actors weaponizing zero-days in edge devices like SD-WAN, as they lack the telemetry needed for deep forensic analysis, and a foothold in those systems can facilitate persistent visibility into internal traffic across the fabric. “Advanced adversaries continue to primarily target and exploit network devices and other systems that don’t natively support EDR solutions,” Charles Carmakal, chief technology officer of Mandiant Consulting, said in a post on LinkedIn.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
CISA Warns Critical Lantronix EDS5000 Flaw Is Being Actively Exploited
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday warned of active exploitation of a critical security flaw impacting Lantronix EDS5000 Series devices, urging Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by June 26, 2026. The vulnerability in question is CVE-2025-67038 (CVSS score: 9.8), a code injection flaw that could result in the execution of arbitrary commands with elevated privileges. “The HTTP RPC module executes a shell command to write logs when the user’s authentication fails,” according to the vulnerability’s description on CVE.org.
“The username is directly concatenated with the command without any sanitization. This allows attackers to inject arbitrary OS commands into the username parameter. Injected commands are executed with root privileges.” The security flaw was disclosed by Forescout Research Vedere Labs in April 2026 as part of a broader set of vulnerabilities collectively codenamed BRIDGE:BREAK that impacted serial-to-IP converters from Lantronix and Silex. There are currently no details on how the vulnerability is being exploited, or who is behind the efforts.
The disclosure comes as CISA also confirmed active exploitation of three maximum-severity security defects in Ubiquity UniFi OS, days after Defused Cyber said it detected in-the-wild abuse of the remote code execution chain comprising CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 to deploy commodity malware. CVE-2026-34908 - An improper input validation vulnerability that could allow a malicious actor with access to the network to conduct command injection CVE-2026-34909 - A path traversal vulnerability that could allow a malicious actor with access to the network to access files on the underlying system that could be manipulated to access an underlying account. CVE-2026-34910 - An improper access control vulnerability that could allow a malicious actor with access to the network to make unauthorized changes to the system. Earlier this month, Bishop Fox detailed a proof-of-concept (PoC) that chains together the three shortcomings to obtain a reverse shell with full root privileges in a single request.
Patches for the flaws were released by Ubiquiti late last month. “The vulnerabilities could allow remote attackers to make unauthorized system changes, access sensitive files, disclose information, or execute arbitrary commands on vulnerable systems, highly impacting the confidentiality, integrity, and availability of targeted devices,” Belgium’s Centre for Cybersecurity said . “Given that UniFi OS devices are often centrally integrated into networks, successful compromise could enable lateral movement and broader network compromise.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered
A coordinated law enforcement operation, in partnership with private sector companies, including Bitdefender, Bitsight, ESET, and Microsoft, has resulted in the takedown of criminal infrastructure powering Amadey and StealC. “The main common goal was to disrupt the ‘assembly lines’ cybercriminals use to launch ransomware, financial fraud, and attacks on critical infrastructure,” Europol said in a statement. The development comes days after authorities from the Netherlands, Canada, Germany, and the U.S. disrupted malicious infrastructure associated with SocGholish and cleaned up nearly 15,000 infected WordPress websites.
As part of the two-week-long action, cryptocurrency assets of criminal origin valued at more than $47 million have been identified, flagged, and restricted from use. In addition, as many as 27 million stolen login credentials have been recovered, and the malware distribution network has been hindered by dismantling 326 servers and 142 domains. “This takedown is a powerful demonstration of what public and private sector collaboration can achieve in dismantling the infrastructure that enables cybercrime at scale,” Alex Cosoi, chief security strategist at Bitdefender, said in a statement. “It also sends a clear message to those behind malware ecosystems: no matter how sophisticated the tools or how distributed the network, coordinated international action will find them.” All three malware families are known to be advertised under a malware-as-a-service (MaaS) model, allowing customers to deliver additional payloads or steal sensitive information from compromised hosts.
SocGholish and Amadey function as loaders for introducing next-stage malware, with the malware primarily disseminated using compromised WordPress sites and phishing campaigns, respectively. Amadey has also been propagated via other loaders like Emmenhtal and SmokeLoader . A C++-based modular backdoor, it’s known to be active since October 2018 and advertised by a threat actor known as InCrease. The service is priced at $600 for a single license, with an extra $50 charged per rebuild.
The latest version of Amadey is 5.87. Some of the supported commands are listed below - Fingerprint the machine Downloads files, DLLs, MSI, or PowerShell scripts Run commands using “cmd.exe” Take screenshots Spawn a SOCKS proxy Open a VNC or reverse proxy session Capture clipboard contents and credentials Enable RDP According to data published by Mitsui Bussan Secure Directions, the daily number of active Amadey command-and-control (C2 or C&C) servers ranged roughly between two and 18 until around September 2022. “From January 2023 to early December 2023, however, this figure rose to between 5 and 30, suggesting that Amadey had come into widespread use,” the Japanese cybersecurity company said . “In 2024, after a brief dormant period, the daily count gradually declined from a peak of 17 and has continued to fall to the present day.” The number of malware samples distributed via Amadey is said to have scaled a high of 11,635 in 2025, up from 66 in 2019, 260 in 2020, 1,231 in 2021, 3,500 in 2022, 8,360 in 2023, and 7,619 in 2024.
Since the start of the year, 1,837 payloads have been distributed through the malware loader. Malware dropped by Amadey in 2025 and 2026 and StealC in 2026 StealC, on the other hand, has leveraged various initial access vectors ranging from malware loaders (including Amadey ) and ClickFix lures, and is equipped to extract sensitive information, such as screenshots, credentials, session cookies, autofill entries, credit card data, browsing history, and extension data. The malware first surfaced in the wild in January 2023 and sold for $300 per month (or $1,000 for six months) by a threat actor using the moniker “plymouth.” Like Amadey, StealC has been actively maintained by its operators. As of June 2026, the latest version of the stealer is 2.2.1.
The highest infection concentrations have been reported in the U.S., Poland, and Italy. Besides targeting Chromium browsers, the malware harvests data from desktop applications like Discord, FileZilla, Foxmail, Microsoft Outlook, Steam, and Telegram, as well as files matching certain naming patterns. It also acts as a secondary loader, capable of downloading and executing EXE, MSI, or PowerShell payloads based on commands from an external server. Written in C++, a notable aspect of the stealer is its ability to query the system’s default language and terminate itself if the locale matches countries like Russia, Ukraine, Belarus, Kazakhstan, or Uzbekistan.
Amadey also features a similar check to skip certain functionalities like credential stealing and clipboard stealing when running on a Russian, Ukrainian, or Belarusian host. A representative infostealer to ransomware attack chain Earlier this January, CyberArk disclosed a cross-site scripting (XSS) vulnerability in the web-based control panel by the StealC operators that made it possible to glean insights into the MaaS operation, including one of its customers named YouTubeTA, who has relied on Google’s video sharing platform to distribute the stealer by advertising cracked versions of Adobe Photoshop and Adobe After Effects. IBM X-Force and Proofpoint also noted that multiple security flaws were identified in the C2 panel, one of which was a directory traversal bug that made it possible to upload a web shell to the StealC C2 server. The issue was patched by StealC developers in February 2026, but not before it was likely exploited by an affiliate to steal data from other affiliates.
“In both ecosystems, affiliates receive a self-hosted administration panel that must be deployed on their own server infrastructure,” ESET researchers Jakub Tomanek and Tomáš Procházka said . “Amadey used a pay-per-rebuild model. Affiliates purchased a license and then paid an additional fee each time they needed to generate a new build, for example, when rotating to a new C&C server.” Proofpoint researchers told The Hacker News that “the vulnerability we reported on is different than the ones reported by CyberArk,” adding it does not participate in active exploitation or “hacking back” activities. “Where applicable, if our researchers identify exploitable aspects of malicious infrastructure or tooling that can be used for investigations, we will report them to the proper authorities,” it said.
“StealC took a more affiliate-friendly approach, offering unlimited build generation as part of its subscription. This lowered the operational cost of rotating C&C infrastructure and made it easier for affiliates to generate new samples as needed.” A total of 53 unique clusters have been inside the Amadey ecosystem, with the largest botnet cluster distributing payloads like Lumma Stealer, Vidar Stealer, StealC, Rugmi, PureCrypter, Agent Tesla, Rhadmanthys Stealer, RedLine Stealer, SmokeLoader, XWorm, and AsyncRAT. Microsoft has revealed that not only do Amadey and StealC employ the same infrastructure, but the malware families have been linked to more than 140,000 infected computers globally in the first two weeks of May 2026. The tech giant said it has identified over 18,000 victim computers and severed criminal control of those devices.
In all, the tech giant said it flagged 200 malicious Amadey and StealC C2 domains and IP addresses, all of which have since been shut down using a combination of court orders, domain seizures, registrations, and provider notifications. Daily trend in the number of active Amadey C2 servers “Loaders and stealers are the two halves of the commodity malware pipeline,” Bitsight said . “A loader gets the first foothold and rents it out; a stealer leverages that foothold to collect credentials, cookies, and wallets, to then be sold on underground forums (including Telegram).” The latest effort, which took place between June 15 and 19, 2026, marks the latest chapter of Operation Endgame. It involved judicial authorities and law enforcement from Belgium, Canada, Denmark, France, Germany, the Netherlands, the U.K., and the U.S.
“Operation Endgame targets the initial access malware used to infect devices,” Eurojust said . “Cybercriminals use this malware as a gateway to silently infiltrate victims’ systems and steal sensitive data. By fighting the initial stage of the attack chain, the operation strikes at the heart of the entire ‘cybercrime-as-a-service’ ecosystem.” (The story was updated after publication to include a response from Proofpoint.) Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Cordyceps CI/CD Flaws Expose 300+ GitHub Repositories to Supply-Chain Attacks
Cybersecurity researchers have flagged a new class of CI/CD workflow weakness that allows attackers to hijack workflows and compromise open-source supply chains. The “critical exploitable pattern” has been codenamed Cordyceps by Novee Security. The issue can allow full attacker control of repositories at dozens of the largest organizations worldwide, including Microsoft, Google, Apache, and Cloudflare. “The flaw is exploitable by any unauthenticated user,” Elad Meged, founding engineer and security researcher at Novee Security, said .
“No org membership or special privileges; a free account is enough to forge approvals, push code, or steal credentials.” The penetration-testing company’s scan of about 30,000 high-impact repositories has revealed more than 300 to be fully exploitable, enabling attacker-controlled code execution, credential theft, and supply chain compromise, which can have severe downstream impacts. The core of the problem trickles down to weak CI/CD configurations that grant pull requests (PRs) more permissions than they should have. PRs are proposals to merge code changes from one branch into the main project. However, because an untrusted PR can trigger privileged workflows, it can open the door to command injection, privilege escalation, and supply chain compromise.
“This supply chain vulnerability lies in the foundational open-source plumbing the entire industry runs on, and the kind of issue that hides from scanners because, technically, every individual piece is working as designed,” Novee explained. “The workflow does what it was told. The vulnerability exists only in the composition – untrusted data crossing a trust boundary that no one audited.” On Microsoft’s Azure Sentinel, for example, Novee found a comment on a PR that could run anonymous attacker code on Microsoft’s CI and steal a non-expiring GitHub App key. In a similar case, a PR on Google’s AI Agent Development Kit (“adk-samples”) could execute attacker code on Google’s CI to gain complete authority over a Google Cloud repository.
Other findings are listed below - Apache Doris, where two zero-click attacks cause a single comment on any PR or a forked PR to run attacker code and exfiltrate hard-coded CI credentials or a token with full write permissions Cloudflare Workers SDK, where a PR with a crafted branch name can execute arbitrary commands on Cloudflare’s CI runners Python Software Foundation’s Black, where a single pull request from anyone could execute attacker code on Black’s build systems and steal the automation token, which can then be used to approve pull requests. Following responsible disclosure, both Microsoft and Google confirmed impact, while Cloudflare, Python, and Apache have applied hardening and patches, respectively. “The nature of agentic coding means these CI/CD vulnerabilities are reproduced persistently, at scale, ‘infecting’ repositories at an exponential rate,” Meged said. “Because anonymous users can use them to gain control over the software supply chain, we like to think of it as ‘puppeteering’ the repositories of some of the world’s biggest companies, silently manipulating their workflows.” Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Dawn of the Apex Agentic Adversary
We are standing at the end of an era we never thought to mourn: the era of human-speed threats . For years, cybersecurity moved to a rhythm organizations could follow. A researcher found a bug, a CVE was cataloged, a vendor navigated a patch cycle, and weeks or even months later, a fix was deployed. In this era, dwell time was measured in days, sometimes weeks.
We are now approaching an inflection point in the threat timeline unlike any that came before it. The trigger was the emergence of frontier agentic models in early 2026: AI entities that no longer just suggested code, but actively tested it. These models don’t merely accelerate the offensive lifecycle; they radically compress the time between discovery and weaponization. The predator wearing a productivity badge There is a reason the old saying warns about the wolf in sheep’s clothing.
In the scramble to stay competitive, organizations have handed AI the keys to the deepest layers of their infrastructure: granting LLM agents write access to repos and allowing third-party AI wrappers to plug into internal APIs. These are the sheep: the helpful, fluffy productivity boosters sitting in our software ribbons. But there lie wolves in the fabric. The same technology that allows a developer to refactor code in seconds gives agentic offensive models the power to hunt for logic flaws at the same speed.
These tools are capable of finding an exposure, weaponizing it, and executing a breach before a human defender has even finished their first cup of coffee. The operational agility that modernized our workflows is now the same agility an adversary can turn against them. The death of the Catalog The most unsettling part of this cusp is not just the speed, but the increasing anonymity. In the pre-AI era, we relied on public exploitation accounting like CISA’s KEV Catalog and EPSS.
We looked for known signatures and documented behaviors. But as AI-driven breaches become autogenous and self-generating, they become ephemeral. Attacks will soon be so fast, so targeted, and so mutated that they will not even stay in the room long enough to be cataloged. If attack design, creation, and execution happen at machine speed and there is no signature to find, did it even happen?
- By the time your SIEM triggers an alert, the AI agent has already pivoted, exfiltrated, and potentially left no trace. The illusion of separation in a converged world
- The risk compounds because our fabric is no longer just digital; it is physical. The continuing convergence of IT and OT has created a unified playground for AI attackers. We used to rely on the
- segmentation illusion
- the comfortable assumption that our critical industrial assets were air-gapped or safely tucked away behind firewalls.
In a converged world, that air gap or segmentation is a design flaw. An AI agent does not see a firewall; it sees an exploitable asset. In this evolving landscape, lateral movement is an automated reflex. The AI identifies the technician’s laptop that bridges the corporate Wi-Fi to the factory LAN and traverses that gap in milliseconds.
It treats insecure-by-design industrial protocols like Modbus, BACnet, and S7comm as open expressways. When an IT-originated breach cascades into the OT environment at machine speed, it is no longer just a data leak. It is a factory floor shutdown or a safety valve opening. It is the wolf moving from the screen to the physical world.
Taking the tactical high ground (Layer 2 and below) The agentic adversary wins on information asymmetry. They thrive in the information gap : the space between what you think is on your network and what is actually there. Asset inventory is no longer a compliance formality; it defines the boundaries of your hunting ground. While your attention is focused on the imminent exploit hitting your secure servers, an AI agent is already identifying the choke points you didn’t know you had: the single multi-homed device or forgotten workstation that grants total access to the critical areas of your network.
You cannot outrun a predator if you are tripping over your own blind spots. To survive, defensive strategies must shift from reactive to proactive environmental hardening. runZero built their latest capabilities to deny the adversary the shadows they need to operate: Mapping the unmappable: runZero introduced the ability to peek behind protocol gateways. Where traditional tools see a single gateway IP, runZero leverages its unrivaled library of proprietary IT, IoT, and OT protocol safe-probes to walk the backplane.
It natively queries and unmasks the dozens of PLCs and field-level devices sitting downstream, ensuring no industrial asset stays hidden. Illuminating the unknown: Agentic models can swiftly hunt for rogue access points, forgotten IoT devices, and shadow IT that lack security coverage. runZero’s unauthenticated discovery uses these same advanced protocol insights to identify unmanaged assets without requiring agents or credentials, ensuring that your blind spots don’t become an adversary’s primary point of entry. Validating the assumption: Recent research on network segmentation shows that many of these paths are accidental.
Interactive attack path mapping allows you to move past assumptions, visualizing exactly how an attacker could use these multi-protocol environments to move laterally through your IT and OT systems alike. Acting on Asset Intelligence: Knowing you have exposures isn’t enough; you need to know which ones are most critical to address first. runZero prioritizes your risk by identifying the exact choke points where your vulnerabilities intersect with viable cross-protocol attack paths. Instead of wasting cycles fixing everything, you can fortify the precise defensive bottlenecks that completely cut off the intruder’s route to your critical assets.
Identify the predator or become the prey We have not yet reached the point where every attack is an instantaneous strike. While frontier AI’s offensive capabilities haven’t reached total autonomy yet, here is the sobering truth: this is the least capable these models will ever be. The predator is learning. We are currently moving through the tall grass of the perimeter’s blind spot.
While most organizations are still scanning for the tracks of yesterday’s hunters, a new breed of agentic adversary is already circling. Your only hope of survival is to spot the predator before it breaks cover. See what’s on your network in minutes with runZero, start a free trial or book a demo . Found this article interesting?
This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
DoJ Seizes Huione Cloud Account Tied to Cyber Scam Money Laundering
The U.S. Department of Justice (DoJ) on Tuesday announced the seizure of a cloud computing account put to use by subsidiaries of Cambodia-based corporate conglomerate HuiOne Group, as the Treasury unveiled fresh sanctions against nine individuals and 26 entities linked to Prince Group . “These subsidiaries are alleged to have assisted individuals and organizations in transferring proceeds of cryptocurrency investment frauds, cyber scams, and other criminal activities on cryptocurrency blockchains and allowing for the conversion of the proceeds of these schemes to the legitimate banking sector undetected,” the DoJ said. The seized account, the Justice Department added, hosted backend infrastructure for the subsidiaries, including HuiOne Guarantee (aka Haowang Guarantee), which operated an illicit Telegram-based marketplace that engaged in transactions with billions of dollars between 2021 and 2025 by peddling a wide range of crimeware tools.
These included personal and financial data, money laundering services, web development services for setting up fraudulent investment platforms and phishing websites, the procurement of individuals for human trafficking schemes, as well as software to facilitate face swapping, voice cloning, and deepfake-powered impersonation during video calls with victims. “HuiOne Guarantee also provided escrow services for criminals transacting on its platforms to facilitate transactions, including money launderers laundering cryptocurrency,” the DoJ said. “In doing so, HuiOne Guarantee facilitated the movement of considerable funds stolen by Southeast Asian scam centers .” A July 2024 analysis from Elliptic revealed that merchants on HuiOne also marketed tear gas, electric batons, and electronic shackles for use by scam compound operators to imprison and torture their workers. “The merchants refer to ‘preventing escapers’ and controlling ‘runaway dogs,’” the company noted at the time.
“Those working within the scam compounds are commonly referred to as ‘dogs’ or ‘dog pushers.’” “The HuiOne Group used this cloud computing account as part of a technological backbone that allowed billions in fraud proceeds to be transferred, moved, and concealed – much of it stolen through Southeast Asian scam centers,” said Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division. “Seizures of these marketplaces is critical in the fight against fraud that affects so many Americans, and to stop avenues for criminal proceeds to be laundered.” Although HuiOne announced it was ceasing operations in May 2025, a new analysis from Flare has revealed that more than 30 marketplaces have emerged since to fill up the void left by the guarantee platform, with the operators building proprietary messaging platforms to bypass Telegram’s bans. “The wave of enforcement in 2025 was the first coordinated attempt to reach both the financial and physical layers of the ecosystem at the same scale,” Flare researcher Chris d’Eon said .
“It has produced visible adaptation, including reshuffled channel branding, redistributed flows across successor markets, and accelerated work on alternative venues. However, it has not meaningfully reduced volume across the ecosystem in aggregate.” In tandem, the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) has assessed H-Pay Service PLC as a primary money laundering concern to guard against “HuiOne Group’s attempts to circumvent being cut off from the U.S. financial system .” It’s worth noting that FinCEN designated HuiOne Group as a “primary money laundering concern” in May 2025.
“Merchants sold money laundering services, stolen personal data, websites and other goods and services necessary to perpetrate so-called ‘pig butchering’ scams and other online fraud,” Elliptic said in a statement. “By the time HuiOne was forced offline, it had received more than $31 billion in cryptoasset transactions, making it the largest illicit online marketplace ever recorded, more than 25 times larger than Silk Road and AlphaBay combined.” The development also comes as the Treasury levied sanctions against Prince Group’s leadership, investors in scam compounds , and front companies, a little over eight months after it was classified as a Transnational Criminal Organization (TCO) for its role in furthering a criminal enterprise built on the foundations of scam compounds, fraud, and money laundering. Prince Group’s chairman, Chen Zhi has since been arrested, extradited to China, and stripped of his Cambodian citizenship. “Transnational criminal organizations based in Southeast Asia, like the Prince Group TCO and with support of their enablers like HuiOne Group, continue to target Americans through large-scale cyber-enabled fraud and scam operations,” Treasury said .
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Cisco Unified CM Flaw Exploited After PoC Reveals File-Write Path to Root
Threat actors have begun to exploit a recently disclosed critical security flaw impacting Cisco Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME). The vulnerability, tracked as CVE-2026-20230 (CVSS score: 8.6), is a case of improper input validation for specific HTTP requests that could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected device. “An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device,” Cisco said in an advisory released earlier this month. “A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root.” In a post shared on X earlier this week, Defused Cyber said it observed active exploitation of the vulnerability in attacks.
“This is currently being exploited from a single source using an unvetted PoC, with genuinely-formatted file:// file-write payloads landing on our decoys,” it noted. However, for successful exploitation to occur, the WebDialer service must be enabled. It’s disabled by default. To check if the WebDialer is enabled, users can complete the following steps - Log in to the Cisco Unified CM Administration interface From the Navigation menu, choose Cisco Unified Serviceability and click Go From the Tools menu, choose Control Center - Feature Services In the CTI Services section of the page, check whether the current status of the Cisco WebDialer Web Service is Started or Not Running If the status is Started, WebDialer is enabled The vulnerability has been patched in Unified CM and Unified CM SME versions 14SU6 and 15SU5.
If immediate patching is not an option, it’s advised to disable the WebDialer service until a fix can be applied. SSD Secure Disclosure has since published additional technical specifics of CVE-2026-20230, describing it as a flaw that allows unauthenticated attackers to arbitrarily write files in the server by leveraging the Webdialer component to obtain the true hostname of the target and ultimately achieve code execution. Cisco has yet to update the advisory to reflect the exploitation status. Last week, the network security company released security updates for a medium-severity security flaw in Catalyst SD-WAN Manager ( CVE-2026-20262 , CVSS score: 6.5) that has come under active exploitation in the wild.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation
A Russian-speaking initial access broker (IAB) driven by financial gain is assessed to be behind a large-scale credential-harvesting operation known as FortiBleed that has targeted over 430,000 FortiGate firewalls globally. The campaign , active since February 2026, involves collecting credential lists, searching for exposed services, brute-forcing accessible systems, and deploying bespoke sniffers on compromised firewalls. “Once deployed, these sniffers capture cleartext and hashed credentials from traffic passing through compromised devices,” SOCRadar said [PDF] in a fresh report. “The actors then crack, validate, and reuse the credentials against Active Directory domains and other exposed services.” Central to the operation is a Golang-based tool called FortigateSniffer that takes advantage of the FortiOS built-in diagnostic command -diagnose sniffer packet to passively capture authentication traffic from the infected appliances.
Appearing in both Windows and Unix versions, the tool is designed to monitor traffic across 24 protocols, parse authentication data, and extract the credentials. It’s suspected that the threat actors may have sought the help of an open-source, AI-native offensive security platform dubbed CyberStrike to assist with some “parts of the workflow.” Interestingly, another open-source framework called CyberStrikeAI was put to use in connection with a separate automated mass scanning campaign targeting FortiGate devices that Amazon Threat Intelligence exposed earlier this year. “The campaign shows a heavy focus on Small and Medium Businesses (SMBs) with fewer than 200 employees,” SOCRadar explained. “The actor targets multiple sectors and regions, with notable emphasis on the United States and India.
The IT services sector appears to be a key target. This targeting choice likely helps the actor maximize downstream access, as compromised service providers can create access paths into customer environments.” Perhaps the most interesting finding is that FortiBleed appears to be part of a broader, multi-vendor initial access operation that’s orchestrated to not only target Fortinet devices, but also breach Synology NAS, Sophos firewalls, RDWeb portals, Citrix SSL-VPNs, and MS-SQL servers using automated brute-forcing since February 28, 2026. In all, the attackers are estimated to have launched no less than 659 credential-harvesting pipelines between May 31 and June 15, 2026, resulting in the identification of over 110 million credentials. This included - 14.8 million Remote Authentication Dial-In User Service (RADIUS) credentials 924,000 NTLM hashes 130,000 Kerberos hashes 89 million MySQL authentication tokens The FortiBleed campaign takes place over five stages - Perform widespread reconnaissance using tools like Masscan and Shodan to identify vulnerable internet-facing FortiGate firewalls, followed by using a custom utility dubbed FortiProbe-fast and GeoSplit to filter FortiGate systems and group them by country, respectively.
Compromise the devices with a credential checker named “forticheck” that specifically targets FortiGate’s administrative panel and SSL-VPN portal, along with using tools to obtain administrative SSH access via credential stuffing and dictionary attacks. Upon establishing access via SSH, FortigateSniffer is deployed to passively intercept authentication traffic across 24 protocols (e.g., TACACS+, Kerberos, RPC, SMB, LDAP, SMTP, FTP, Telnet, RDP, WinRM, MS-SQL, MySQL, PostgreSQL, and RADIUS) using native FortiOS diagnostic commands, making it possible to harvest cleartext credentials and password hashes. The password hashes are cracked using Hashmat and Hashtopolis, and orchestrated by a Telegram bot named HASHBOT, after which they are used for lateral movement, Active Directory enumeration, Kerberos validation, and SMB authentication. Sensitive data from network shares is exfiltrated while stolen session cookies are used to maintain persistent, authenticated access.
“The group does not treat all targets equally,” SOCRadar said. “Instead, targets are ranked according to economic value before exploitation resources are allocated.” What’s more, the sniffing mechanism includes a geofencing filter that restricts operations to specific IP ranges, not to mention limiting the activity to between 7 a.m. and 6 p.m. Moscow Time.
According to a timeline of events shared by SpyCloud, the FortiGate-related capture cycle is said to have commenced on May 19, 2026, with the hash cracking infrastructure set up towards the end of the month. “The operation runs in a pipeline of 300-minute (five-hour) cycles, with status every minute,” Zenox said . “In each cycle it loads a regional target list […] and validates with 1,000 simultaneous threads, displaying counters of success, failure, timeout, and warning. In the first cycles, the successful validation rate hovered near 90%.” The Brazilian cybersecurity company also said it found certain username and password pairs to be repeated across thousands of distinct IP addresses, raising the possibility that the accounts may have been planted by the attacker as a clandestine backdoor entry point.
“The frequency counts were produced by aggregating the username:password column of the actor’s own validated-credentials file, all_valid.txt, which is a device-keyed inventory in the format IP:PORT:USERNAME:PASSWORD (one record per firewall, 21,976 records),” Acassio Silva, co-founder and head of threat intelligence at ZenoX, told The Hacker News. “The same pairs also appear in the actor’s input target list EU.txt (the file their Go scanner reloads and re-validates every cycle, also IP:PORT:USER:PASS) and in downstream derivatives (valid_.txt, matched_targets, corps.txt, targets_300M_plus.txt, and the loot JSONs). In all_valid.txt, adminin:ITAdmin@888 is present on 3,947 distinct devices; within the EU batch alone (EU.txt, 6,175 records) the same pair appears on 1,562 devices.” The assessment that these pairs could be planted accounts rather than organic credentials stems from three factors: the same credentials being used to validate thousands of unrelated organizations, the absence of passwords from some credential sources (“top200_fortigate.txt”), and the fact that the usernames mimic legitimate Fortinet/FortiCloud services likely in an attempt to blend in with targeted environments. The development comes as a Russian-speaking account named “ SantaAd “ has advertised access to thousands of Fortinet devices for a starting price of $30,000, before increasing it to $60,000 hours later.
However, it’s unclear if this has any connection to the FortiBleed exposure. “The threat actor group behind ‘FortiBleed’ was not just targeting FortiGate VPNs,” SpyCloud said. “They were actually targeting a range of different internet-facing appliances with a standard spray-and-pray attack chain that relies mostly on mass scanning and brute-forcing logins.” FortiBleed’s Use of CyberStrike Harvester v1.5 Arctic Wolf, in a follow-up report, described FortiBleed as a campaign using a “credential pipeline that utilizes credential stuffing, password spraying, configuration harvesting, offline cracking, and post-authentication capture processing,” adding the “FortiGate access becomes multi-protocol credential extraction, hash cracking, VPN-bound AD/SMB access, and file-share exfiltration.” An important characteristic of the attacks is that they do not exploit any new zero-day vulnerability, with Fortinet noting that the threat actors are likely reusing credentials from previous incidents, as well as brute-forcing passwords on devices with weak passwords and that have not had multi-factor authentication (MFA) enabled. “Its defining feature is the credential feedback loop: successful perimeter access creates configuration or traffic artifacts; those artifacts produce more credentials and crackable hashes,” Arctic Wolf said.
“Cracked credentials feed VPN, Kerberos, SMB, and share-access validation, and validated access then supports further collection and exfiltration.” The activity also involves exporting configuration files from internet-facing FortiGate devices and cracking the stored credential hashes, while making use of a custom information-extraction suite called “harvest_orig” that turns passive network captures into “actionable credentials, crackable hashes, web sessions, identity intelligence, and downstream attack inputs.” The Go-based ELF binary, which identifies itself as CyberStrike Harvester v1.5, contains functions for reading pcap, pcapng, and FortiGate text inputs, parser and formatter functions for processing cookies, sessions, and tokens associated with the two dozen protocols. “The cracking layer is carefully engineered rather than ad-hoc,” it added. “A Telegram bot accepts hash input, restricts access by Telegram username, detects hash modes, requests contextual hints, schedules jobs, allocates GPUs, launches multi-stage Hashcat workflows, monitors ETA and progress, and returns cracked results.” “Hashcat modes include NetNTLMv2, FortiGate256, RAKP, MS-SQL, and multiple Kerberos formats. Hashtopolis and a custom HashPanel provide additional distributed cracking management, while setup scripts prepare GPU workers and agent enrollment.” In scenarios where recovered credentials enabled access, the attackers have been found to leverage authenticated SSL-VPN tunnels for Impacket tools for Active Directory enumeration, Kerberos validation, SMB authentication, admin-share checks, SMB share spidering, and DFS/SMB collection.
Affected organizations are recommended to rotate credentials, invalidate sessions, audit configuration exports, review SSL-VPN logins, inspect AD and SMB activity from VPN pools, scan for outbound SSH transfer patterns, and review SMB share access logs for bulk recursive reads. “FortiBleed demonstrates how exposed perimeter credentials can become full internal-network exposure,” the company added. “The most important finding is the engineering discipline around the workflow. The operator lab, sniffer panel, CyberStrike Harvester, cleaning scripts, Hashcat/Hashtopolis infrastructure, Kerberos QA tools, domain/folder/revenue enrichment, and SMB/DFS tools form a repeatable system.” Calling the activity an “indiscriminate internet wide sweep,” CloudSEK said the toolchain devised by the threat actors feeds a revenue-sorted catalog of remote access targets likely for sale on underground markets.
“The directory also contains at least one live SSL VPN configuration file pointing into a victim network, confirming that the operators held usable, active access, not merely a list of cracked passwords,” it said . (The story was updated after publication on June 24, 2026, with additional insights from Arctic Wolf, CloudSEK, and Zenox.) Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Fake AI Agent Skill Passed Security Scans and Reportedly Reached 26,000 Agents
Security firm AIR built a fake AI agent skill, pushed it through a popular skill marketplace and an Instagram ad, and says it reached roughly 26,000 agents, including some on corporate accounts. Every skill security scanner the firm tested it against marked it safe. The payload was harmless by design: it collected the user’s email address and did nothing else. The point was to show that none of the signals people lean on to trust a skill caught it: not the scanners, not the GitHub stars, not the open-source reputation.
A skill is a bundle of instructions an agent loads into its own context and follows with roughly the authority of a user prompt. That trust is the whole problem, and it is the reason skill-scanning tools exist in the first place. The skill, named brand-landingpage , claimed to build a landing page using Google’s Stitch design tool, aimed squarely at non-technical users. To make it look credible, AIR went after two trust signals: GitHub stars and a clean scanner verdict.
For the stars, it opened a pull request to a skill marketplace repository with around 36,000 stars and 156 skills. The pull request was merged after a few days, so the skill inherited the repo’s count. Then it ran an Instagram ad aimed at marketers, salespeople, and designers, who installed it and put it to work. Why the scanners missed it The scanners AIR tested analyze the package you hand them: the SKILL.md and the files shipped with it.
That’s Cisco’s , NVIDIA’s , and the ones wired into skills.sh. AIR’s skill carried no setup instructions of its own. It told the agent to install the “Stitch SDK” by following the documentation at an external link, stitch-design.ai, a domain AIR controls, not Google (the real Stitch lives at stitch.withgoogle.com). At first, the link led to the genuine Stitch docs, so the scanners, seeing a clean package that pointed at a plausible setup page, cleared it.
The page the agent would actually fetch and follow sat outside the scan. Once the skill was installed widely, AIR swapped the page behind that link. The new version told the agent to download and run a script. In the demo, it only mailed the user’s address back to AIR, which is how the firm counted the agents it reached.
A real operator could have used that foothold to read files, move data, or hit internal systems, bounded only by what the agent could reach. AIR is not the first to show this. Three weeks earlier, Trail of Bits bypassed ClawHub’s malicious-skill detector, Cisco’s scanner, and all three scanners wired into skills.sh. Its conclusion was blunt: a scanner checks a fixed package, while an attacker can keep tweaking the payload until it passes.
Real campaigns have used the same trick for months, keeping the submitted skill clean and hosting the payload on a site the agent only fetches at install. The problem is structural: the scan happens once, but the page a skill points the agent to can be rewritten at any time after. Anthropic’s own docs already warn that skills fetching external URLs are risky for exactly this reason, since the content can change after the skill is vetted. Separate research this year found scanners often disagree, because each one judges a skill in isolation, blind to its external links and to what changes after review.
What to do The read for defenders is the same one researchers keep landing on, now with a sharper example behind it. Treat skills as software, not text. Vet what a skill points to, not just what ships inside it. Most of these add-ons got installed with no review, so the first job is finding what is already running.
Route new skills through a single source you control, and re-check them when anything changes, because a clean result at install does not stay clean if the skill phones out to a link someone else can edit. Pin versions. Hold agents to the least privilege. Assume any external instruction an agent fetches runs with the agent’s access.
The scale figures come from AIR alone, and they deserve a skeptical read. The firm is launching a managed skill marketplace and closes the write-up, pitching it, so the 26,000 number, the corporate-account detail, and the claim that it could have seized full control of every agent are the company’s own and are not independently confirmed. What holds up is the method. The named scanners really do judge only the submitted package, the external-link blind spot is real and has been independently demonstrated, and the trust signals AIR borrowed, stars, and a clean scan are exactly the ones the ecosystem still treats as proof.
The experiment does not expose a new bug so much as it lines up every weak trust signal around agent skills into one run: stars that can be borrowed, a scan that reads a snapshot, and a link that can be rewritten after the check clears. Whether the real figure is 26,000 or a fraction of it, the gap it walks through is one that defenders still have not closed. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Trump Order Sets 2030 Deadline for Federal Post-Quantum Crypto Migration
President Trump signed an executive order on June 22 setting hard deadlines for federal agencies to move high-value assets and high-impact systems to post-quantum cryptography. Key establishment must move by December 31, 2030; digital signatures by December 31, 2031. EO 14409 leaves national security systems on a separate track. The deadlines matter because of a threat that does not need a working quantum computer today.
Adversaries can collect encrypted U.S. data now and decrypt it later, once a large-scale quantum machine exists, the risk is known as “harvest now, decrypt later” . The order describes that risk directly and pulls the government’s PQC timeline forward by four to five years. The prior government-wide target, set by the 2022 National Security Memorandum 10, ran to 2035.
The two deadlines line up with the standards NIST finalized in August 2024 . Key establishment uses FIPS 203, the ML-KEM algorithm formerly called CRYSTALS-Kyber. Digital signatures use FIPS 204 and 205, ML-DSA, and SLH-DSA. The standards have been ready for almost two years.
The order is what turns them into a schedule with consequences. What agencies have to do, and when The near-term clock starts fast. Within 30 days, each agency head names a PQC migration lead who reports to the agency CIO and owns the cryptographic inventory and migration plan. Within 90 days, OMB issues guidance requiring agencies to review their inventories of high-value assets and high-impact systems, plan the migration, and submit that plan.
NIST runs a pilot migration on a subset of its own systems, to be finished by December 31, 2027. The order reaches past federal networks. The Federal Acquisition Regulatory Council has 180 days to propose a rule giving “covered contractors” until December 31, 2030, to meet NIST’s FIPS, including the PQC algorithms. A second proposed rule, due in 270 days, would fold cryptographic flaws into contractor vulnerability disclosure programs, including tests for missing encryption and for non-FIPS algorithms.
Sector Risk Management Agencies and CISA are told to help critical infrastructure operators build their own migration plans, though that part is assistance, not a mandate. Then there is the inventory angle. Within 270 days, CISA and NIST are to publish the minimum elements for a cryptographic bill of materials, a machine-readable list of the cryptographic assets in a piece of hardware or software. That is the groundwork for crypto-agility: you cannot swap out weak algorithms on a deadline if you do not know where they are.
The practical read For federal teams and the vendors who sell to them, the work is the inventory, and it starts now. Find every place key exchange and signatures happen, flag what is not NIST PQC, and sequence the swap against the 2030 and 2031 dates. Contractors should expect the FAR clause and a 2030 compliance line once the rule lands. The standards exist.
The deadlines now exist. The gating task for almost everyone is knowing what cryptography is running, and where. A companion order signed the same day, “Ushering in the Next Frontier of Quantum Innovation,” pushes the other side of the equation: building the quantum computers that make the migration urgent in the first place. The teeth are still being written.
OMB’s 90-day guidance and the FAR rules will decide whether 2030 and 2031 become real procurement pressure or just another federal migration target that slips once the hard work starts. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
GitHub Updates actions/checkout to Block Common Pwn Request Attack Patterns
GitHub is moving to strengthen software supply chain security by updating “ actions/checkout “ to block pwn request attacks that exploit the risky use of the “pull_request_target workflow” trigger to run malicious code with the workflow’s full privileges. Effective June 18, 2026, the latest version of “actions/checkout,” the official GitHub action for checking out a repository into the workflow’s runner, refuses common pwn request patterns by default. The change is expected to be backported to all currently supported major versions on July 16, 2026. “Actions/checkout v7 refuses to fetch fork pull request code in pull_request_target and workflow_run workflows (the latter only when workflow_run.event is a pull_request* event),” it added .
The refusal occurs when the pull request is from a fork, and any of the following criteria is met, unless workflow authors explicitly opt out of it by setting the “ allow-unsafe-pr-checkout “ flag to “true” in “actions/checkout” - repository: resolves to the fork pull request’ repository ref: matches refs/pull/number/head or refs/pull/number/merge ref: resolves to a fork pull request’s head or merge commit SHA The change is aimed at preventing the most common form of pwn requests in the Actions ecosystem. As a result, “actions/checkout” will fail for “pull_request_target events” from forks with insecure inputs. “Pull_request_target” is a workflow trigger that’s automatically run without requiring manual approval when a pull request is opened or reopened, or when the head branch of the pull request is updated. It’s important to note that the event runs in the context of the default branch of the base repository, potentially exposing secrets and a privileged GITHUB_TOKEN with both read and write permissions.
“Running untrusted code on the pull_request_target trigger may lead to security vulnerabilities,” GitHub notes in its documentation. “These vulnerabilities include cache poisoning and granting unintended access to write privileges or secrets.” The danger arises when a “pull_request_target” is combined with “actions/checkout” to download and execute code submitted by an untrusted fork. Should a bad actor submit a pull request containing malicious scripts and the workflow checks out and runs the code, it can allow the attacker to steal the GITHUB_TOKEN and other secrets, leading to what’s called a pwn request attack . “Workflows triggered by pull_request_target run with the base repository’s GITHUB_TOKEN, secrets, and default-branch cache access,” GitHub said.
“Checking out the head of an unreviewed pull request from a fork inside one of these workflows typically lets attacker-controlled code execute with the workflow’s full privileges.” In recent months, a number of software chain attacks have weaponized this behavior. The most severe of them was the compromise of multiple packages associated with the Nx build system as part of a campaign codenamed s1ngularity, as well as the breach of PostHog , TanStack , and the popular Emacs package, “ kubernetes-el/kubernetes-el .” “Pull_request_target was designed for trusted automation around pull requests, such as labeling, commenting, or applying project metadata,” Socket said. “But the checkout step controls which code actually lands in the runner workspace. If it pulls code from a forked pull request, the workflow can end up running attacker-controlled code with the base repository’s privileges.” That said, the Microsoft-owned subsidiary emphasized that pwn requests triggered via other event types besides pull_request_target (e.g., issue_comment) or through other means, such as git or the GitHub CLI, are out of scope of this change.
“This change only blocks checkouts of the fork pull request head and merge commits,” it added. “It does not block checkouts of other untrusted repositories. For example, setting repository: to an unrelated third-party repository is not blocked. Checking out and executing any untrusted code in a privileged event remains a pwn request risk that should be reviewed.” To counter the risk posed by “pull_request_target,” developers are advised to assess and use it only when necessary, switch to “ pull_request “ if the workflow does not require elevated permissions or access to secrets, restrict permissions granted to the workflows, and ensure user-controlled input does not result in execution of untrusted code.
“The protection in this update only covers checkouts performed through actions/checkout,” Socket said. “That makes this a guardrail, not a complete solution for Actions security. Workflows that run with secrets, write permissions, deployment permissions, or OIDC publishing access still need careful review.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Agentic AI: The Weapon That No Longer Needs a Warrior
Every weapon begins as an extension of the hand that holds it. The spear lengthened the reach of the arm. The bow sent the point flying without the throw. The rifle placed a man’s death a quarter mile beyond his sight, and the aircraft carried that death across oceans.
At each turn, the distance between the warrior and the wound grew wider, and yet one thing never moved: a human chose the target, and a human struck the blow. For the entire history of conflict, the cyber realm included, the hand has remained on the weapon. Offensive AI is the moment the weapon learns to aim itself. For three years, artificial intelligence (AI) has been an extension of the pen.
It drafted the phishing email, proposed the exploit, sketched the malicious function, and then, like every tool that came before it, handed the work back to a human to carry out. In 2023, I published a whitepaper at the SANS Technology Institute showing how a person of almost no skill could coax a chatbot into producing malware that strolled past the controls built to stop it. That was the age of the assistant: dangerous, certainly, but still leashed to the operator who held it. Agentic AI severs the leash.
It takes the objective and walks the steps itself. This single change, from a tool that drafts to a tool that acts, is reshaping offensive operations faster than the defenses built to catch them, and it cuts in two directions at once. It grants real capability to attackers who never possessed any, and it lends ferocious speed to those who were already deadly. If your trade is offensive work, this is the ground you now stand upon.
The tooling an adversary turns against a target is the tooling you must be capable of turning yourself, and it has marched far beyond chatbots composing prettier phishing. It is worth studying, with clear and unsentimental eyes, what these agents can do today, how they let you operate at a pace that lately seemed impossible, and where they will quietly walk you off a cliff should you follow them with too much faith. The Gate Has Fallen Consider the entry-level threat actor, historically limited by a lack of technical expertise. Such individuals can now leverage agents to develop exploits and conduct campaigns autonomously.
Technical mastery is no longer a prerequisite; intent and access to capable tools suffice. I refer to this phenomenon as ‘script kiddie as a service,’ signifying the emergence of sophisticated attacks from previously unskilled actors. A further implication is that the limitations of unskilled attackers are now defined by the capabilities of their chosen AI models rather than their own expertise. As numerous untrained actors employ similar models in comparable ways, their attack methodologies begin to converge, resulting in a behavioral monoculture.
While this increases the volume of competent attacks, it also creates recognizable patterns, such as standardized phishing and exploit chains. Skilled adversaries will adapt beyond these defaults, but the majority will not. Consequently, defenders who understand these default behaviors can better anticipate and mitigate widespread threats. For experienced practitioners, artificial intelligence does not necessarily enhance skill, but it significantly increases operational speed.
Training an agent on established tradecraft enables parallel execution of campaigns, reducing tasks that previously required weeks to mere hours. This dual effect, more attackers at the entry level and accelerated attacks from experts, broadens the overall threat landscape. For those conducting authorized offensive operations, this is now the prevailing standard. Adversaries already utilize these tools, and any engagement that neglects them fails to reflect current threats.
The Hunt Runs Itself One of the most common examples I often give to people is autonomous social engineering. In this scenario, an attacker deploys an agent to gather publicly available information about a target, such as LinkedIn profiles, press releases, or conference recordings, to construct a detailed profile. This intelligence is then utilized by a second agent, which generates and sends personalized messages, manages responses, and conducts an ongoing conversation, incrementally advancing toward its objective. No human intervention is required in the communication process.
The danger here is not speed; it is the quiet death of the signals we trusted. For years, our phishing defenses leaned on the tells of mass production: the clumsy grammar, the recycled template, the identical mail sent ten thousand times. Those are precisely the tells this arrangement erases. Each message arrives fluent, singular, and grounded in something genuinely true about its mark.
Sure, the infrastructure signals endure; things like sender reputation, authentication, and the like still stand watch, but now as defenders, we have to lean on them harder than ever, and how long is it going to be before those defenses break under that pressure? The linguistic and template-level information tells us that so much of our detection, quietly depended upon, is gone. And it’s not just social engineering. The same automation is overtaking exploitation.
As frontier models grow practiced at chaining tool calls and correcting themselves against a living environment, the bar for producing a working exploit is sinking lower with each release. So much so that the federal government is now getting involved and forcing models like Anthropic’s Fable 5 to be taken off the market over fears of its capabilities. But this is only the tip of the iceberg. Tying even moderately capable models into a retrieval database of known vulnerabilities, and it will perform its own reconnaissance, judge what a target is likely exposed to, draw the matching exploit from the shelf, and report back like a hound that has caught a scent: I believe this will work, based on these indicators.
Shall I run it? Malware is traveling the same road, growing agentic in its own right, and we are already watching agents rewrite existing malware into quieter strains bred to slip past the controls that knew the older form. This started years ago with the introduction of the “Guided Network Access Weapon (GNAW)” which I debuted at the Hackers Teaching Hackers conference. The Confidence of a False Oracle All of this makes the agents a very seductive thing to lean upon.
They are swift, they run themselves, and they speak with unbroken authority from beginning to end. That last quality is the trap, and to call it lying is to flatter it with intent. The agent is not seeking the truth. It is seeking a finished task and an answer that wears the appearance of being right.
It holds no privileged sight into whether a host is truly vulnerable; it matches indicators to a conclusion and delivers that conclusion in the same steady voice, whether the conclusion is sound or hollow. Marry it to a retrieval store of vulnerabilities, and the flaw compounds, for retrieval surfaces what is plausibly related, not what genuinely applies. It does not check the version, nor the configuration, nor whether the service can even be reached. Where the Proof Is Made That problem of judgment is precisely why the place this work occupies matters.
The SANS Secure AI Blueprint , authored by SANS Chief AI Officer Rob T. Lee , divides the wider challenge into three tracks: Protect AI, Utilize AI, and Govern AI. Govern produces the policy and the oversight that keep these systems accountable. Protecting hardens the systems an organization actually runs.
Utilize is where AI is put to work for offense and defense alike, and offensive operations are its keenest edge. Leadership hears the words “AI security” and pictures policy binders and a governance committee in a quiet room. Yet Utilize is the only one of the three that yields proof: the actual attacks run against the actual systems, which reveal whether the policy and the hardening hold when they are struck. An organization may write every guideline it pleases and stand up every defense it can purchase, but until someone turns this tooling against its own walls, it does not yet know which of them will hold.
A defense is a theory until it makes contact, and the operator is the one who brings it there. That is why the operators are, more and more, the ones who hold the whole program to account. What the Warrior Is For Return, then, to where we began. For the whole of human history, the hand stayed on the weapon because the weapon could not be trusted to choose, and that much has not changed.
The machine can aim itself now, but it cannot tell you whether the shot should be taken. It will name a target that was never there and ask, in the same untroubled voice it uses when it is right, for permission to fire. Every mechanical part of this craft is passed to the machine. The one part that is not, the judgment to know a true thing from a confident lie and to hold your hand until you are certain, is becoming the whole of the work.
The warrior has never stood farther from the wound, and the choice that joins them has never weighed more. The weapon no longer needs a warrior to swing it, but it has never needed a person to decide whether it should be swung at all more than now. Learn Offensive AI at SANS San Antonio 2026 This August, I will take up these questions in depth during my SEC535: Offensive AI – Attack Tools and Techniques course run at SANS San Antonio 2026 . Across three days of hands-on labs, we work the techniques described here from the operator’s side of the line: AI-assisted reconnaissance and social engineering, deepfake and voice-cloning attacks, AI-supported vulnerability discovery, and the use of AI in the development and evasion of malware.
You will drive the tooling with your own hands and come away with a true sense of its reach, its limits, and the precise points at which it must not be trusted. That is the distance between knowing these attacks exist and being able to carry them out. The machine will do the aiming. Be the judgment behind the shot.
Register for SANS San Antonio 2026 here . Note: This article has been expertly written and contributed by Foster Nethercott, SANS SEC535 Course Author. Found this article interesting? This article is a contributed piece from one of our valued partners.
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.