SN 1082: The Malicious Use of AI - Anthropic's Red Team Report
Security Now (Audio), June 10, 2026
Episode 1082
2:37:27, 144.42 MB

Discover how Anthropic's secretive red team and the MITRE ATT&CK framework are mapping the chilling rise of malicious AI use, revealing cyber threats that now move faster than defenders can respond.

  • Was a U.S. law firm right to pay a $20 million ransom?
  • Could Cisco have yet another SD-WAN 0-day in the wild?
  • Why is it so difficult to author secure PHP code?
  • Teens use "WeedHack" to spy and attack each other.
  • Researchers create the first AI-enabled Internet worm.
  • Google Chrome pops up "Shop with confidence." What...
  • The discovered and irresponsibly disclosed HTTP/2 Bomb.
  • What Anthropic learns from their past year of Claude abuse: It's bad

Show Notes - https://www.grc.com/sn/SN-1082-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written, SpinRite 6.

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit


[00:00:00] It's time for Security Now. Steve Gibson is here. This is a big day. Anthropic just released a new version of its AI, the Fable model. It's appropriate because we're going to talk about how, what Anthropic has learned from years of abuse of their AI models. We'll also talk about the malicious use of AI, some really scary examples.

[00:00:25] And which US law firm paid a $20 million ransom to ransomware authors and why. That and a whole lot more coming up next on Security Now. Podcasts you love. From people you trust. This is TWiT. This is Security Now with Steve Gibson.

[00:00:51] Episode 1082, recorded Tuesday, June 9th, 2026. The malicious use of AI. It's time for Security Now. The show we cover the latest security and privacy and a little bit of AI in here with this guy right here, Mr. Steve Gibson, the guy in charge at GRC.com. Hello, Steve. Steve Gibson Hello, my friend. Great to be. Oh, that's right. Steve Gibson Great to be with you again.

[00:01:22] Steve Gibson So, for a long time, we've been. Steve Gibson Saying, predicting. It was a prediction, but not like any great stretch of imagination that the bad guys would be using AI just like the good guys are.

[00:01:44] And in fact, the reason that Anthropic did its sort of semi-controversial Claude Mythos Preview limited, you know, strictly limited release was that their feeling was it was enough of an advance that if the bad guys got a hold of it, then there wouldn't be time for the good guys to fix their broken code.

[00:02:08] So, it turns out that there's a red team operating at Anthropic, which has for the last year from March 2025 to March 2026 been cataloging the abusers' use of their AI, various versions of Claude, through the last year.

[00:02:33] Steve Gibson And they've mapped it on to something we've never talked about before, which is the MITRE attack taxonomy. Steve Gibson It's spelled ATT&CK because I guess you're going to have to be a hacker. And what they found is really interesting and just as worrisome as you could possibly imagine.

[00:03:02] Steve Gibson I mean, like, you know, I'm not one to declare that the sky is falling, but it occurred to me. Steve Gibson So, we've got Security Now episode 1082 for this June 9th titled The Malicious Use of AI, where we're going to, by the end of the podcast, have a bracing understanding of, like, the bad guys are not sitting around.

[00:03:31] Steve Gibson They're not waiting. Steve Gibson They're on this fast. Steve Gibson And what an AI-enabled attack, like, well-orchestrated malicious campaign can do is truly bone-chilling.

[00:03:50] Steve Gibson So, oh, I, you know, I just hope that everybody who's got some jewels they need to protect are on the ball here and using all of the most state-of-the-art available tools. And one just dropped, like, what, an hour ago? Steve Gibson Yeah, Fable just came out. Steve Gibson Yeah, this is reputedly kind of a simpler stripped-down Mythos.

[00:04:21] And at the same time, apparently, Anthropic turned on, because Anthony tried to put your show notes into the previous version, 4.8, and then they have turned on some sort of gate that says, you know, let me read you the actual text. Steve Gibson I actually saw that. Steve Gibson Did you see that? Steve Gibson Did you see that? Steve Gibson I see that, yeah.

[00:04:41] Steve Gibson Yeah, and there was a slide switch where it would fall back to a less potent model if it thinks that you're asking for things that it's not sure it wants to give you. Steve Gibson It says it won't work on cybersecurity stuff. Steve Gibson Oh, oh. Steve Gibson And apparently your show notes are too dangerous. Opus 4.8 is a chat's paused. Opus 4.8 has safety measures that flag messages on most cybersecurity or biology topics. Steve Gibson Wait, 4.8. Steve Gibson They may flag safe, normal content as well.

[00:05:11] Steve Gibson These measures let us bring you Mythos-level capability in other areas sooner. Steve Gibson Interesting. Steve Gibson So because they're having a problem filtering, they did a crude filter. Steve Gibson Yeah. Steve Gibson That is to say, you know, it's difficult. Steve Gibson A perfect example is my show note. Steve Gibson There's nothing malicious in our show notes, except we're talking about malicious things. Steve Gibson I mean, we're talking about cybersecurity stuff.

[00:05:35] Steve Gibson So the idea is like, that's just since they don't know that they can slice it correctly, they're just completely blackly blacking it out. Steve Gibson Nothing to do with cybersecurity, nothing to do with biology, because we don't yet know how to differentiate enough to give you access to that. Steve Gibson Now, I have just fed your show notes to the new model, which just came out this morning called Fable. Steve Gibson And Fable is kind of like Mythos, right?

[00:06:05] Steve Gibson And it has no trouble, no trouble at all going through your show notes, no complaints whatsoever. Steve Gibson So something's up. Steve Gibson I did, in fact, and I think you saw it earlier on MacBreak Weekly, run some of my old Claude-generated code through Mythos saying, find some security flaws. Steve Gibson And it did, and it did a nice job. Steve Gibson Stuff that it had previously audited and found flawless. Steve Gibson Saw no problems with. Steve Gibson Yeah.

[00:06:34] Steve Gibson So I was very impressed, not merely with how quickly it worked and how well it did, but I was actually very impressed with the verbiage it used. Steve Gibson It seemed quite impressive, and it's much faster. Steve Gibson It whipped through a large number of files, both in Rust and Python and Go, and found flaws.

[00:06:58] Steve Gibson Now, I know you, I know, well, we know from the announcement that it uses twice the token consumption rate as Opus, right? Steve Gibson Yes, they say this right on the front. Steve Gibson And so it's twice as expensive, essentially.

[00:07:15] Steve Gibson Now, I've got the $20 a month plan, and I'm never hitting a ceiling because I'm not really – well, I have to say, though, that the only time I saw the thermometer start going up was when I gave it more of an agentic-y kind of thing to do, where it sat and churned for a while. Steve Gibson And I thought, ooh, I wonder how expensive that was. Steve Gibson And I went over to check my account.

[00:07:39] Steve Gibson It's like, oh, look, I just used up 20% of something, whereas normally it just doesn't even get off the ground for the little simple things I'm asking. Steve Gibson So it was able to find these. Steve Gibson I feel like this – it just feels a little smarter, a little quicker, a little more effective. Steve Gibson I was quite impressed. Steve Gibson I'm just stunned by this pace, Leo. Steve Gibson I mean – Steve Gibson They just released 4.8 like three weeks ago. Steve Gibson It's breathtaking. Steve Gibson It's crazy. Steve Gibson It's crazy.

[00:08:09] Steve Gibson I don't know if this is Mythos, but in a way, something Mythos-like has arrived already, which means I think you should start looking for tomorrow. Steve Gibson Time to start running your code through Fable. Steve Gibson I did have it fix everything it found, by the way. Steve Gibson Very cool. Steve Gibson Okay. Steve Gibson So in addition to getting to the malicious use of AI, where we're going to look at exactly what's going on,

[00:08:38] Steve Gibson We're going to answer some questions. Steve Gibson Was a U.S. law firm right to pay a $20 million ransom? Steve Gibson Could Cisco have yet another SD-WAN zero day in the wild? Steve Gibson Like, really, Cisco? Steve Gibson Really? Steve Gibson Really? Steve Gibson Come on. Steve Gibson Why is it so difficult to author secure PHP code?

[00:09:00] Steve Gibson Turns out that teens are using something called WeedHack to spy and attack each other, which McAfee's security people found and were quite disheartened to see what was going on. Steve Gibson Researchers have created the first AI-enabled internet worm. Steve Gibson And oh, boy. Steve Gibson The good thing is it's not clear that a worm makes anyone any money.

[00:09:29] Steve Gibson And money is the name of the game for the bad guys now. Steve Gibson Otherwise, it would be game over. Steve Gibson Also, just a little editorial annoyance. Steve Gibson Because while I was working, I got a weird Chrome pop-up telling me that I could shop with confidence. Steve Gibson I wasn't even using Chrome. Steve Gibson I was in Firefox. Steve Gibson It's like, what the heck? Steve Gibson No. Steve Gibson We've also got something was really wrong here.

[00:09:59] Steve Gibson An irresponsible disclosure of a very bad problem that was discovered in HTTP/2. Steve Gibson You know, we always had HTTP/1. Steve Gibson Then we got 1.1. Steve Gibson Recently we got, well, a couple years ago, we got 2. Steve Gibson There's an HTTP/2 bomb which can basically bring any contemporary web servers to their knees. Steve Gibson And the cretins who discovered it said, yeah, you know, what the heck?

[00:10:27] Steve Gibson We're going to force everyone to upgrade by releasing it. Steve Gibson Wow. Steve Gibson And then we're going to get to what Anthropic has learned from their past year of monitoring Claude's abuse. Steve Gibson And in two words, maybe it's three. Steve Gibson I don't know if you count a contraction as two. Steve Gibson Anyway, it's bad. Steve Gibson Well, we have lots to talk about and a picture of the week to come in just a little bit. Steve Gibson You're watching Security Now with Steve Gibson.

[00:10:57] Steve Gibson And our show today brought to you by a great sponsor, people we really like, Threat Locker. Steve Gibson I went to their Zero Trust World Conference a few months ago in Orlando. Steve Gibson I had a great time, did a presentation for them. Steve Gibson I'm a big fan of Zero Trust. Steve Gibson Threat Locker Zero Trust. Steve Gibson I think at Zero Trust World, maybe at RSEC a couple of weeks later. Steve Gibson They have now the industry's most comprehensive suite of Zero Trust solutions.

[00:11:22] Steve Gibson Not merely protecting endpoints, but now they protect company networks and the cloud. Steve Gibson This is great. Steve Gibson By extending Zero Trust enforcement to cloud services and company networks, Threat Locker's ensuring that devices, Steve Gibson Not only are the endpoints protected, but devices are validated through a secure broker before they can connect to your cloud platforms, your SaaS apps, things like Salesforce and Microsoft 365, Steve Gibson Asana, Google Workspace, GitHub.

[00:11:52] Steve Gibson The impact of this is huge, even if a user is successfully phished. Steve Gibson It happens all the time. Steve Gibson Attackers still cannot access those resources. Steve Gibson They can't access those SaaS apps, the cloud resources, unless, well, in order to do that, Steve Gibson They'd actually have to have physical possession of the user's trusted device. Steve Gibson And then they, you know, I presume you're going to have biometrics on there, Steve Gibson Windows Hello or something. Steve Gibson So they'd have to get through all of that. Steve Gibson So you're really locked down.

[00:12:21] Steve Gibson This is so much better. Steve Gibson Threat Locker works across all industries, provides US-based 24-7 support, really good support. Steve Gibson It works everywhere, Windows, Mac, Linux environments. Steve Gibson I got them to demonstrate it on the Mac for me because it was very interesting. Steve Gibson It works beautifully. Steve Gibson And it enables comprehensive visibility and control. Steve Gibson This is one of the real benefits of Threat Locker is it's great for compliance. Steve Gibson Ask Rob Thackeray. Steve Gibson He's the end user technical architect at Heathrow Airport.

[00:12:49] Steve Gibson After a number of incidents, they switched to Threat Locker. Steve Gibson He says, quote, Steve Gibson Threat Locker was the most intuitive solution we tested. Steve Gibson And the responsiveness of the organization, the willingness to engage with us, to set up a demo, to work with us on weekly audit reviews was very good. Steve Gibson It's great to have an ongoing relationship with a company that is so responsive to our requests. Steve Gibson So not only great technology, but great support, great service from a really superb company.

[00:13:18] Steve Gibson No wonder Threat Locker is trusted by some of the biggest and best in the world. Steve Gibson Global Enterprises Like JetBlue, the Indianapolis Colts, the Port of Vancouver uses Threat Locker. Steve Gibson They can't afford to be down for one minute. Steve Gibson Threat Locker consistently receives high honors and industry recognition. Steve Gibson G2 gave them their high performer and best support for enterprise summer 2025. Steve Gibson Pure Spot ranked Threat Locker number one in application control. Steve Gibson And they got GetApp's Best Functionality and Features Award last year. Steve Gibson I mean, the awards just keep on coming.

[00:13:48] Steve Gibson You can find them all at the website. Steve Gibson With Threat Locker, you can confidently ensure that users have access to a consistent, safe network connection. Steve Gibson Offices, remote users, internal servers, critical services, all can maintain smooth operations. Steve Gibson But you don't need to open inbound ports. Steve Gibson You don't need to deploy traditional VPN solutions. Steve Gibson Your end users will get the same secure, reliable, internal system access they need and they're used to

[00:14:17] Steve Gibson And it's so much more secure. Steve Gibson You've got to try Threat Locker. Steve Gibson Get unprecedented protection quickly, easily, and effectively with Threat Locker. Steve Gibson Visit ThreatLocker.com slash twit. Steve Gibson You get a free 30-day trial and you can learn more about how Threat Locker can help mitigate unknown threats and ensure compliance. Steve Gibson Again, ThreatLocker.com slash. Steve Gibson We thank them so much for supporting. Steve Gibson Security Now!

[00:14:43] Steve Gibson So, and now, ladies and gentlemen, the picture of the week. Steve Gibson So, there's no security angle here, but I just love this. Steve Gibson Okay. Steve Gibson I gave this the headline, there may be hope for humanity after all. Steve Gibson All right, I'm going to scroll up. Steve Gibson I haven't seen this before. Steve Gibson All right, I'll let you describe this one. Steve Gibson So, we have- Steve Gibson That's great. Steve Gibson We have two signs.

[00:15:13] Steve Gibson You're the yellow diamond sign that says dip ahead, right? Steve Gibson Like, where there's just to warn drivers that there's going to be some sort of a dip in the road that they need to take advantage of. Steve Gibson But then, slightly after that, along the road, is one of those programmable

[00:15:35] boards where, you know, for whatever the people working on the road need to warn drivers about. Steve Gibson In this case, the signage has been programmed to say, and this is again, to the, just following the dip ahead sign, bring chips. Steve Gibson So, yeah. Steve Gibson And to which our, our discord chat room has responded with this picture of you and me as,

[00:16:05] well, as chips. Steve Gibson Oh, no. Steve Gibson Let me pull up the image. Steve Gibson Oh, no. Steve Gibson In this case, chips is the California Highway Patrol. Steve Gibson Oh, goodness. Steve Gibson Oh, goodness. Steve Gibson You look good in a uniform. Steve Gibson Very nice. Steve Gibson Thank you, pretty fly for us, this guy. Steve Gibson Last time I was in a uniform was the Boy Scouts and that, lots of stories came from that. Steve Gibson Oh, okay.

[00:16:29] Steve Gibson Okay, so the large law firm, Weil, Gotshal & Manges, which reported, I mean, this is the there are firms you never hear about. I've never heard about these guys, but $2 billion in revenue last year, right? Steve Gibson So they're like so high end that they don't do any retail advertising or they don't have any sort of a public presence at all.

[00:16:58] Steve Gibson They're whatever it is they're doing, you know, military contractors or who knows what, maybe international stuff. Steve Gibson Anyway, they're raking in the bucks. Steve Gibson They recently paid a $20 million ransom. Steve Gibson Yeah. Steve Gibson And I did the math. Steve Gibson That's 1% of their annual take. Steve Gibson So they did so in order to prevent the release of their confidential client data.

[00:17:27] Steve Gibson And we don't know who their clients are, but again, $2 billion of revenue and people we've never heard of before, they probably got it going on. Steve Gibson So the company said that their clients' confidential data had been stolen from an external cloud storage site earlier this year by a group known as the Silent Ransom Group.

[00:17:51] Steve Gibson The FBI sent out a private industry alert last year warning in advance that this Silent Ransom Group had been spotted and that they were specifically targeting US law firms for their extortion campaigns. Steve Gibson Now, what I appreciate about this is the strategic value of targeting law firms for extortion.

[00:18:19] Steve Gibson Everyone knows I'm not endorsing the practice, far from it. Steve Gibson But I think that high-end law firms are an interesting and clever ransom target. Steve Gibson We've been seeing and reporting on the surprising and welcome dramatic decline in the percentage of ransoms that are being paid lately. Steve Gibson Many more companies are simply saying no now than were 10 years ago.

[00:18:46] Steve Gibson Back then, being hacked was much more of a black mark on an enterprise's reputation than it has, frankly, sadly become today. Steve Gibson I'm not happy that being hacked is almost routine now, but with cyberattacks having become a nearly daily occurrence, no one who's observing them from a distance really cares that much anymore.

[00:19:12] Steve Gibson Now, as a consequence, companies are just saying no to ransom demands and putting out a press release saying that, oh, well, we were hacked, coming up with some spin about how the bad guys didn't really get anything of any super secret value, and then offering their customers 12 months of free credit reporting, as if that makes restitution. Steve Gibson So nothing to see here. Steve Gibson Move along.

[00:19:37] Steve Gibson Okay, so against that backdrop, rather than just stumbling upon targets of opportunity, the bad guys have needed to find targets where the apologize, obfuscate, and move on practice would not be available, and the confidential client data being retained by major deep-pocketed law firms just perfectly fits that bill.

[00:20:06] Steve Gibson There's no doubt that this Weil, Gotshal & Manges knew that the disclosure of their clients' data would result not only in massive reputational harm, which a law firm can ill afford, but also in a mass of breach of fiduciary responsibility lawsuits, right, brought

[00:20:32] by their own current and past clients whose data they have not protected adequately. Steve Gibson We know that the FBI and others would have cautioned the law firm over and over that there's absolutely no guarantee whatsoever that the bad guys will honor their side of the agreement, which after all is voluntary and they're bad guys, you know, by deleting all the stolen

[00:20:58] data. But given $2 billion in annual revenue, that even a $20 million payout, you know, that's just a 1% tax on the company's annual revenue when weighed against the alternative of absolutely certain disclosure of highly damaging data. Well, that's a bet that's entirely understandable. As I've been observing,

[00:21:27] the only thing these criminals care about is money. They could not possibly care less about the actual data they've stolen from this Weil, Gotshal & Manges. They know that the only chance they have of reliably obtaining voluntary ransom payments from their victims is if those victims believe from

[00:21:57] all past evidence that their payment of a ransom will result in the deletion as far as they can tell, or certainly not the disclosure of the stolen data so that it can then hopefully never be disclosed. You know, yes, it may be a bargain with the devil, but it almost certainly paid off.

[00:22:19] So I think the takeaway here is the observation that the overall drop in ransom payment likelihood has predictably shifted the attackers targeting to those specific enterprises, law firms being a perfect example of that, which have the most to lose if their stolen data is publicly disclosed. That's the threat.

[00:22:47] And so it's got to be a threat where the pain of that threat being actualized is so high that the company says, oh, well, we don't like it, but it's, you know, a gamble we're willing to take. So, you know, companies like the regular run of the mill companies who merely have, you know, millions of small customer transactions, you know, they're just increasingly shrugging off such breaches as

[00:23:15] unfortunate, but unfortunate, but all equally unfortunate nowadays, almost inevitable. So it's like, eh, we got it. We got hacked. How'd you like a year of free credit monitoring? Well, we would rather that you hadn't been hacked, but you know, banks anyway, if I were to share the news

[00:23:34] that another unpatched zero-day flaw in Cisco's SD-WAN Manager was being actively exploited in the wild, our listeners could be forgiven for thinking that perhaps they were listening to a previous podcast, but sadly, no. In their reporting on this latest rerun of a story that pretty much writes

[00:24:00] itself at this point, you know, you only need to change the date and tweak some CVE numbers. BleepingComputer reminded us, they wrote last month, Cisco, so we have one like last week, right? A new SD-WAN zero-day flaw exploit. And to give some background, they finished their coverage,

[00:24:25] BleepingComputer did, saying last month, Cisco also tagged a maximum severity Catalyst SD-WAN Controller authentication bypass flaw. And that was, uh, the CVE-2026-20182 as an actively exploited zero day to gain admin privileges on unpatched devices while Cisco, they wrote, has not yet

[00:24:50] released patches for today's most recent problem on May 14th. It advised customers to upgrade to the software that had been fixed for that 20182 CVE. Then they said in February, Cisco patched another Catalyst SD-WAN Manager information disclosure security flaw. That was 20133, which CISA flagged as

[00:25:16] actively exploited in late April. And two weeks later warned that two more flaws, 20128 and 20122, were being abused in the wild. In March, it also addressed and flagged a critical authentication bypass vulnerability, which is, you know, the polite way of saying anybody who wants to can get in.

[00:25:39] Uh, and that would be 20127 that has been exploited in zero-day attacks since at least 2023. And they said over the past several years, CISA has tagged 90, nine zero 90 Cisco vulnerabilities as abused in the wild. Four of them in Catalyst SD-WAN Manager and six others exploited by ransomware

[00:26:07] operations. So 90 vulnerabilities in just the past several years abused in the wild. Cisco has certainly earned their reputation for providing hackers with a ready and so far unending supply of remotely exploitable security vulnerabilities. Two months ago on April 17th, I'm sorry, April 7th.

[00:26:33] So just, just over two months ago, today's the 9th of June, Cisco wrote: For some time, we have been stress testing our own products and infrastructure against the most advanced AI-powered security tools available, including Anthropic's latest unreleased AI model, Claude Mythos Preview. What we have found,

[00:26:57] they said, what we have found has been illuminating. Uh huh. Now the real work begins AI powered analysis uncovers data at a scale and depth that legacy frameworks were not designed to accommodate. Oh, whatever. Okay. Whatever that means. This industry will recalibrate together. And Cisco is committed

[00:27:24] to leading that conversation. All I could say is that I hope they mean it. I hope they really do suddenly care more than they have ever appeared to in the past. And given the evidence, it's like, how do you explain that? This is Cisco, you know, perhaps something needed to make security much easier

[00:27:49] for them to deliver. And perhaps AI will be that something that's been missing until now. It's, it is inexplicable to me how a company that is so important and has been such a leader, you know, a pioneer on the internet could continue year after year to have so many damaging security problems.

[00:28:14] What, what is the culture over there? Recall that years ago they were surprised to discover that the firmware of their own machines had been shipping with embedded authentication credentials in the firmware so that anybody who knew the username and password could log in remotely.

[00:28:39] I bet you Mythos would have found that. Yes. If yes, given access to the firmware, Mythos would have said, uh, the equivalent of WTF. So, but you know, you know, Cisco, perhaps they are just really crappy at doing software. And, and the only re I know the only reason they were ever on top is that they

[00:29:03] were first. And so it's like, you know, once upon a time they were the only game in town and maybe they just always sort of sat back on their laurels and thought, well, you know, everyone's buying our stuff. It doesn't, it's broke, but what the hell? I take a guess, a wild guess that part of it was the number of acquisitions they did because Cisco grew very fast by acquiring a lot of other companies. That's fair. It'd be my guess that some of those companies themselves didn't have the best

[00:29:32] practices. And sometimes when you have mismatched systems, you get these kinds of problems. A perfect example was that Hilton attack. Remember it was that they bought another, another chain. Yeah, yeah, yeah, yeah, yeah, yeah. And it was that, it was that it was like they, they, they bought the, the, the thing they, they bought was bad, you know, some serious problems. And they just, we, at the time we argued that they didn't vet it as well as they should have, which I think

[00:30:02] is a reasonable position to take, but wow, Cisco, come on, you know, get your AI going and fix this because too much of the, now, of course, the big problem, once there is firmware, which the latest AI agrees has no more problems that it can detect is how do you get it deployed? Because it's one thing to have it as another thing to have it out there running. Okay. Uh, I mentioned before

[00:30:33] that my desire to host web forums required me to run a PHP interpreter on a, on a GRC domain, you know, forums.grc.com. Um, and even grc.sc, that little short, that little link shortener is also some PHP. Um, but due to the long history of security incidents surrounding PHP, the idea

[00:31:00] of running a PHP interpreter on a GRC domain terrified me. Uh, and I was, and still am unwilling to allow any such server to share a network with the rest of GRC's infrastructure. Um, in other words, I took my own advice in the same way that I do for residential IOT devices, which is to firmly

[00:31:26] sequester the things, those, the, those things whose security we have no control over and are inherently suspicious of on their own network, you know, contain them, sandbox them. Fortunately, my choice of the PHP-based XenForo for forums and the PHP-based nuevoMailer, which is what I use as, uh, for, to, to send

[00:31:54] out GRC's weekly mailings. Um, they've both been solid choices. Um, and I've never had any problem with them, but I'm still not allowing anything that runs PHP anywhere near the rest of GRC's network. The reason I'm mentioning this today is that once again, a PHP based third party WordPress plugin has come under

[00:32:18] active widespread global attack. And the means by which the plugin is being attacked is just so marvelously PHP that I wanted to take the time to share it last Wednesday, the word fence WordPress security company. And, and based on everything we've, we haven't talked about word fence for a long time, but they got a strong recommendation last time and they'll get it again because I think anybody who is running

[00:32:47] WordPress stuff with any add on plugins, especially, which is where the problems generally are WordPress, you know, itself is generally been so well cared for and, and, um, and maintained that we don't see problems in, in, in the, in the core WordPress system. Anyway, they posted word word fence posted the news of this

[00:33:12] latest vulnerability, which carries a CVSS of 9.8, which is, we know is, you know, hard to, hard to achieve. You basically have to let anybody who wants to anywhere in the world crawl into your system and set up shop to get a 9.8 word fence wrote on March 30th, 2026. We publicly disclosed a critical

[00:33:37] remote code execution vulnerability in Everest Forms Pro, a WordPress plugin with an estimated 4,000 active installations. This vulnerability can be leveraged by unauthenticated attackers, meaning anyone, to execute arbitrary PHP code on the server, leading to complete site compromise. The vendor

[00:34:04] released the fully patched version on March 18th, 2026. Our records indicate that attackers started exploiting the issue on April 13th, 2026. So, okay, less than a month later. So March 18th, fully patched version that fixed the problem. April 13th, it began, it came under attack. So again,

[00:34:31] anybody who's keeping their site up to date is checking for like checking for, uh, updates and following through with them would have been safe. The Wordfence firewall, they wrote, has already blocked over 29,300 exploit attempts targeting this vulnerability. The, uh, and they said Wordfence

[00:34:59] Premium, Wordfence Care and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on February 27th, way up in advance of the plugin being updated. Sites using the free version, which is what I mean, like, why wouldn't you use the free version of this protection system of Wordfence, received the same protection 30 days later on March 29th. So still

[00:35:28] well in advance of when the bad guys started attacking. They said, considering this vulnerability is being actively exploited, we urge users to ensure their sites are updated with the latest patched version of Everest Forms Pro, version 1.9.13 at the time of its writing, as soon as possible. So, as I said, we've covered the work of the Wordfence people in the past, and I have no problem

[00:35:56] allowing them to promote themselves by sharing their posting here. Since any site that has chosen to employ third party WordPress plugins would be well served to at least run the free version. And, you know, I'd pay something for the added protection if nothing, if for no other reason to support them in the same way that Leo and I do, uh, for, uh, Bitwarden. Yeah. In other words, you know, these are good guys

[00:36:23] offering an important service at a reasonable price. Uh, and if you're running a WordPress and you've got, you know, random plugins, uh, plugins that you've added on, you, you really ought to have Wordfence watching your back. Then they explain what they found, which is really what I wanted to get to. They wrote, examining the Everest Forms Pro code reveals that the plugin uses the process underscore

[00:36:50] filter function in the process class to evaluate user defined calculation formulas. Now there's the key: user defined, meaning visitor based calculation formulas. The function concatenates submitted form field values

[00:37:12] into a PHP code string, which is then passed to the eval function. Now, again, all that phrase that, that, that, that string of words should make anyone's blood run cold concatenates submitted form field values into a PHP code string, which is then passed to the eval function. So this is a variation of the infamous

[00:37:41] Bobby drop tables flaw. You know, anytime any user, user provided, you know, visitor web visitor traffic input, is passed to a function that might confuse data with commands, which is what PHP does in the same way that SQL can,

[00:38:03] that user provided input must be scrupulously sanitized. But I mean, really, you should never have a situation where that could be done. But if you have to, for some reason, then really make sure there's no way that, that the user can provide something that can get,

[00:38:24] that can be switched from data to command to prevent malicious users from managing to use a web form for their own command input. Wordfence's write-up continues, saying, although user input is sanitized with the sanitize_text_field function,

[00:38:46] this function does not escape single quotes. And by escape, they mean convert a single quote into something that isn't a single quote, but like carries the same meaning. That's known as escaping in programming parlance. It does not escape single quotes or other characters that are significant in PHP code.

[00:39:11] For string-based fields, such as text, email, select, and radio fields, the submitted value is placed inside single quotes and directly added to a PHP code string. An unauthenticated attacker can exploit this by submitting a value containing a single quote,

[00:39:35] followed by malicious PHP code and a comment character, allowing them to break out of the string and inject PHP code that is later executed through the eval function. This makes it possible for unauthenticated attackers to execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field,

[00:40:05] as long as the targeted form uses the complex calculation feature. As with all remote code execution vulnerabilities, this could lead to complete site compromise through the creation of admin accounts, the use of web shells, and other techniques. Okay, so this is exactly why PHP terrifies me. When I've made the mistake of stating that PHP is fundamentally insecure,

[00:40:35] our well-informed listeners have written somewhat indignantly to argue that it's entirely possible to write secure PHP systems. I assume that's true, since I've never had any trouble with XenForo, and their security record has been very good. Not perfect, but still very good. So I suppose a more balanced assertion on my part would be that authoring secure PHP websites

[00:41:07] inherently requires much more understanding of the security pitfalls inherent in the use of PHP, which are many, than the typical PHP author possesses. In other words, you can write secure PHP, but PHP is targeted at people who don't.

[00:41:34] Wordfence explains what their WordPress application firewall has intercepted by writing, the most common payload observed in our blocked requests attempts to create a new admin account

[00:41:55] named D-I-K-S-I Marina, M-A-R-I-N-A, Dixie Marina, I guess you'd say, on the affected site. The attacker submits a value for a text field that begins with a single quote to close the wrapping string literal, followed by a PHP statement that calls WP underscore insert underscore user,

[00:42:25] WordPress insert user, to create a new admin account with the user Dixie Marina. The trailing slash slash comment marker ensures the rest of the generated PHP code, which was there in the original form, including its closing quote, which the attacker put first, is treated as a comment and does not cause a syntax error,

[00:42:53] because that would crash PHP and then the attacker's code wouldn't get to execute. When the form is processed and the calculation is evaluated, the injected PHP code is executed and the malicious admin account is created. Once authenticated as a new administrator, the attacker can fully compromise the site by uploading web shells, modifying themes or plugins,

[00:43:20] or installing further backdoors to obtain persistent access. So the problem with PHP is that while it correctly advertises itself as very easy to use, the less well-appreciated fact is that it's also extremely easy to abuse. Thus, it's running on a server at GRC on its own network segment with no contact to the rest of my stuff,

[00:43:49] because I will never trust it. But Leo, you know what I will trust? Yes. I trust you and I trust our next sponsor. Well, it's a good thing you do because they trust you. And, you know, the fact that they're advertising this show is a measure of this. I'm talking about OutSystems. Security Now is brought to you this week by OutSystems.

[00:44:17] OutSystems is an amazing tool. They've been at it for a long time. They, I think it's safe to say, are the leading agentic systems platform. They help businesses bridge the enterprise gap into that agentic future we're all looking forward to, where the constraints of the past give way to unlimited capacity and scale. With OutSystems, you can architect, deliver, and scale governed, very important word there,

[00:44:44] agentic systems with agility and trust using one open and unified platform. You can power secure, company-wide agentic orchestration for core business operations. OutSystems provides the only agentic systems that are unified, agile, and enterprise proven. Let me explain. OutSystems is unified. It enables you to build, run, and govern apps and agents on a single platform.

[00:45:13] OutSystems is agile because it allows you to innovate at the speed of AI, but very importantly, without compromising quality or control. And OutSystems is enterprise proven and trusted by enterprises for mission-critical AI applications and durable innovation. OutSystems is the secret weapon behind the world's most successful company. And not just for little one-off apps.

[00:45:37] We're talking massive, complex systems, systems that run banks, insurance companies, and government services right now. OutSystems even helps companies with aging IT environments bridge the gap to the AI future without a rip-and-replace nightmare. I'll give you some examples. OutSystems provides the safest and fastest way for an enterprise to go from, we need an AI strategy to, we have a functioning agentic system.

[00:46:06] Stop wondering how AI will change your business and start building the agents that will lead it. Visit OutSystems.com slash twit to see how the world's most innovative enterprises use OutSystems to engineer, orchestrate, and govern agentic systems quickly and cost-effectively without compromising reliability and security. That's OutSystems.com slash twit to book a demo.

[00:46:36] OutSystems.com slash twit. We thank them so much for supporting Steve and the vital work he is doing here. I'm looking at the information about Claude Fable 5, which was released today by Anthropic and Mythos 5, and I'm looking at the benchmarks provided by Anthropic. But man, they say this is even better than the Mythos preview that they've been offering to some people. It is incredible.

[00:47:02] $10 per million tokens in, $50 per million tokens out. It is a very expensive model, although they're cheaper than Mythos preview. They also say it can work longer than any previous Claude models. So they have a lot of benchmarks, a lot of examples. I was thinking about this the other day. I wish that unused tokens built up a balance in your account. I know.

[00:47:33] I know. Because my use is very erratic, and a lot of times I'm not using Claude for anything. Well, do you have a subscription or do you pay as you go? Because you can't pay as you go. I have a subscription. Yeah, so the subscription is all you can eat. And as you've probably noticed, if you really bang on it, it'll time out after five hours. It'll say, well, you've got to wait until one or whatever. Right.

[00:47:59] And you can also use up more tokens than you're supposed to in any given week or even month. But generally, the all you can eat is pretty good. The API is pay as you go. So if you don't use it at all, it's zero. So maybe, but the problem is it's a lot more expensive to pay as you go than it is to buy a subscription for most people. I don't know what it's going to be like eventually.

[00:48:22] I think eventually Anthropic wants everybody to go the API route because I think for a lot of users, they're losing money on the all you can eat. It's a buffet that some people are real pigs. But I'm just playing with it right now, and it's very fast. It also, they said, if it gets in a situation where you're asking about security stuff, it will fall back to 4.8. It's going to try to prevent you from using it to hack.

[00:48:52] Yes. And that's why we're getting that 4.8 warning. Security or biology, apparently. Yeah. I don't know about biology, but anyway. Yeah. You can't make bugs, dangerous bugs with it either. Yeah, exactly. Of any kind. Yeah. Okay.

[00:49:10] So McAfee's report, their headline caught my attention because it was new malware targeting Minecraft infects 2,000 daily and teens are becoming attackers. So this is all pretty sad, but it's worth us knowing what's going on.

[00:49:32] McAfee writes, McAfee Labs has discovered a massive ongoing, and massive because of how cheap it is, ongoing malware campaign called WeedHack that disguises itself as free Minecraft mods and game clients to infect players' computers.

[00:49:51] Since January 2026, it has logged more than 116,000 victim infections, averaging between 2,000 and 3,000 new hits every single day. What makes WeedHack different from most malware is how cheap and easy it is to use. Typically, a hacker would pay hundreds of dollars per month to access attack tools through underground criminal networks.

[00:50:21] Now, this is all, you know, malware as a service, which is the new thing. They said, WeedHack offers a free version to anyone with a Discord account. A premium upgrade, which includes the ability to secretly watch victims through their own webcam, starts at just $5 a month. This low barrier has attracted a younger crowd of would-be attackers.

[00:50:48] Many of them appear to be teenagers or young adults. Our researchers were startled to discover teens using these tools, not just for financial theft, but to harass and bully their peers. A pattern we've documented and like posting the webcam footage that they capture from other people's machines. A pattern we've documented and that makes this campaign especially concerning.

[00:51:18] WeedHack is a malware-as-a-service, M-A-A-S, malware-as-a-service campaign, meaning it's a criminal business that sells hacking tools to customers the same way a legitimate software company sells subscriptions. The product, in this case, is malware that gets secretly installed on a victim's computer when they download what they think is a Minecraft mod or client.

[00:51:45] Once installed, it can steal passwords, hijack accounts, and for paying customers, it can give the attacker live access to the victim's screen, webcam, and files. The campaign operates a polished, professional-looking dashboard hosted openly on the internet, not hidden on the dark web.

[00:52:10] That dashboard lets customers track their victims, download stolen data, and launch remote access features all from their browser. One of the most disturbing findings from our investigation is how WeedHack is being used. While monitoring the campaign's Telegram channel, which had over 850 members during the time of our research, we observed that many customers appear to be teenagers and young adults,

[00:52:40] and a significant portion were using the remote access tools not for financial gain, but to harass and intimidate other players. We observed attackers recording victims through their webcams without consent and sharing those recordings in a Telegram channel as trophies. Others used knowledge of victims' IP addresses and system address to threaten them.

[00:53:09] It's important to note that at the current time of publishing, the Telegram channel has been taken down, and no replacement channel has appeared. McAfee's continuing to monitor any new channels that may be established by the threat actors for further communication. Still, what we observed is a form of cyberbullying with unusually invasive tools behind it.

[00:53:34] If you or your child has been contacted by someone online claiming they've hacked your computer, have your webcam footage, or know your IP address, take it seriously. Do not follow the attacker's instructions. It only makes things worse. Tell a trusted adult immediately, a parent, a guardian, or a school counselor. Contact your local law enforcement. This may constitute a criminal conduct.

[00:54:04] And do not engage with the attacker or attempt to negotiate. So, how do people get infected? WeedHack spreads in two main ways. And the campaign even provides its customers with step-by-step tutorials on how to carry out both. First, fake YouTube videos. Attackers create convincing YouTube videos reviewing or demonstrating Minecraft clients and mods.

[00:54:33] The videos are well produced. Some include voiceover narration. The link to malicious download sites in the description and comments is present. One video McAfee identified had over 7,500 views before being flagged. Comments are also sometimes planted by the attackers claiming the files are safe. Second way, fake mod websites. WeedHack instructs customers to build convincing-looking websites

[00:55:02] that mimic official Minecraft mod pages. These sites are deliberately designed to show up high in search engine results for popular mod names, a tactic called SEO poisoning. Some fake sites include fake security warnings, Discord links, and GitHub references to appear legitimate. In one case, a site warned players to, quote, only download from us, unquote, while actively distributing malware.

[00:55:32] Minecraft clients and mods specifically targeted include Meteor client, Radium client, Wurst, W-U-R-S-T, client, LiquidBounce, Impact client, Future client, and others. So what happens when you're infected? Infection occurs in four stages that happen silently in the background after a victim opens the downloaded file. First stage, first contact.

[00:56:00] The malicious file launches quietly without showing a console window, connects to a hidden network, and phones home to receive further instructions. It uses a sophisticated technique involving the Ethereum blockchain to locate its command server in a way that's difficult to block or take down. Remember, we talked about one such method using DNS domain names,

[00:56:27] which are created dynamically based on a timestamp. This uses the Ethereum blockchain. Stage two, taking hold. The malware disables Windows Defender protections, gathers detailed information about the victim's computer, their processor, graphics card, RAM, operating system, and so forth, and takes a screenshot of their screen. It then steals their Discord tokens, browser passwords, and cookies.

[00:56:58] Stage three, digging in. The malware installs itself so that it automatically restarts every time the victim logs back into their computer. It sets up a hidden scheduled task that runs continuously with the highest system privileges. And finally, stage four, obtaining full access. For premium customers, an additional component is installed that connects the attacker to the victim's computer in real time.

[00:57:27] This includes live screen sharing with keyboard and mouse control, webcam access, key logging, recording every keystroke, a reverse shell, full command line access to the computer, and the ability to upload or download any files. A separate component specifically hunts for Telegram credentials and cryptocurrency wallets, sending that data to a different server every five minutes.

[00:57:57] So, what can attackers steal? The free tier supports the theft of Minecraft session IDs, which are used to hijack Minecraft accounts, saved passwords and cookies from 36 different browsers, credentials from Discord, Steam, and Telegram, browser-based crypto wallets, 56 are currently supported, and desktop crypto wallets, 12 are currently supported,

[00:58:27] files matching 24 different search keywords, screenshots of the victim's screen, and system information, the computer name, their IP address, and hardware specs. Then, for $5 a month, which is the premium tier, you get live webcam access, in addition to all those things, live webcam access, live screen sharing with keyboard and mouse control, key logging, every key the victim types,

[00:58:56] full remote shell, command line control of the computer, and file management, upload, download, and delete files remotely. Okay, so, just to be completely clear, what now exists is a service, which for as little as $5 per month, apparently, in a play for you serve volume, anyone, and often teens, no longer need to have any, not any, hacking skills.

[00:59:26] Apparently, all they need is some marketing skills. All the hacking, all the technology, all of that has been done for them. They're able to subscribe to this new malware-as-a-service, WeedHack, out on the public open web, and then trick others, using their marketing skills, into downloading a Minecraft mod or client that then gives them access to that infected user's

[00:59:56] saved passwords and cookies, their social media credentials, their crypto wallets, and more, including their webcam and full remote keyboard and mouse access to their computer. And the service is going gangbusters, logging between 2,000 and 3,000 newly infected victims per day, with more than 116,000 victim infections spotted

[01:00:25] since this past January. So, Leo, the world we live in today, wow. No kidding. You know, basically, turning teens into criminals, because this is all criminal abuse. I mean, this is criminal network intrusion thanks to a third party that's only asking for $5 per month and taking all of the hard work,

[01:00:55] all of the knowledge, all of the technology out of the loop. You pay them $5 a month. What's worse is it's using kids to get to their, I presume, to get to their parents' accounts, right? I mean, because... Can be, but all... I guess the kids might have money. I don't know. But, yeah, it's not clear where... I guess the kids say, hey... Some adults play Minecraft, but it's mostly kids, right? It's got to be, hey, mom, can I, you know, charge $5 a month for this cool service that I found that will allow me to do something with Minecraft

[01:01:25] and mom says, you know, okay, fine, whatever. Yeah. Wow. Wow. Okay, so... It's so evil. It's so bad. It is. It is. And, and, you know, teens are like, well, wait, it's a service on the internet. What do you mean I'm breaking the law? What do you mean I'm a criminal? It's actually smart because, yeah, exactly. This is taking advantage of their naivete. Yep. And getting, and getting $5 a month out of all of their parents' credit cards.

[01:01:55] Right. Okay, so, what have we done? You know, somebody was bound to try it. So far, it's been contained inside a lab. Yikes. Uh-oh. Researchers... I don't like that open. No. We, yes, we've known of other things that were supposed to be contained inside a lab and got loose. Researchers with the University of Toronto

[01:02:23] and the Vector Institute wondered what a contemporary AI-powered network worm might look like and how effective it might be. So, of course, they made one. The paper they just published is titled "AI Agents Enable Adaptive Computer Worms," and they explain, quote, in our pursuit of new knowledge,

[01:02:54] that's always the excuse, right, or the justification, in our pursuit of new knowledge to enhance the security of artificial intelligence, we uncovered a cybersecurity threat with implications across society. Okay, so, you know, since the idea of an AI-enhanced network worm is not a stretch for anyone, I'm just going to share the high points from the research overview

[01:03:22] which they published. However, even this overview makes me somewhat queasy. Here's what they wrote. They said, and I just scrolled off, they said, large language models now demonstrate the capacity for structured problem solving which, combined with tool access, enables agentic AI systems to solve

[01:03:51] complex tasks. We show that when these capabilities are embedded in a self-replicating agent, they produce a fundamentally new cybersecurity threat, an adaptive computer worm that devises target-specific attack strategies to gain control of machines and spread across networks.

[01:04:20] Each compromised machine becomes part of the worm's own infrastructure, providing compute or reach for further attacks. A computer worm, they write, is self-replicating malware that spreads across a network without human intervention. The WannaCry worm in 2017 disrupted critical infrastructure across 150 countries

[01:04:50] by exploiting a single vulnerability. Traditional worms can be stopped by patching the specific vulnerability they exploit. Our adaptive worm cannot be stopped this way. It uses a recursive reasoning loop to detect and exploit diverse vulnerabilities as it propagates. We demonstrate these capabilities in a controlled

[01:05:19] experiment: a prototype AI-driven worm powered by an open-weight LLM running locally propagated across a heterogeneous network of Linux, Windows, and IoT devices with common corporate network vulnerabilities. The experiment was conducted in an isolated virtual network. We believe this work highlights three important

[01:05:49] dimensions of the impact of AI on the cyber threat landscape. First, it establishes a qualitative shift in threat capability. The worm replaces fixed exploitation code with goal-directed reasoning that adapts to the vulnerabilities of each encountered target in real time. Our agent self-replicates across network devices,

[01:06:19] subverts control of systems, and self-sustains on stolen resources. Second, the AI-driven worm requires only an open-weight model that can run on a single local GPU. It does not rely on any commercial AI platform. This renders vendors' centralized safety controls, including service refusal, content filtering, and rate limits structurally irrelevant. The worm's

[01:06:49] tiered design, where each compromised GPU-equipped node provides reasoning for lightweight agents on downstream devices, extends the attack surface to any network device. And I'll note that it gets smarter as it propagates, right? Because it's continuing to have access to all the GPUs it's already taken over. So, that's kind of creepy. And finally, the traditional economic barrier

[01:07:18] in cybersecurity collapses. The worm parasitically uses the victim's own computational resources, reducing the attacker's marginal cost to zero. As consumer devices increasingly support LLM inference, meaning they're getting the GPU compute locally, the reasoning

[01:07:48] resources available to such adversaries grow accordingly. This work provides empirical evidence that autonomous cyber offense has crossed from theoretical risk to demonstrated capability, a challenge that spans AI research, cybersecurity, and public policy. We believe this transition demands rigorous,

[01:08:18] transparent evaluation of model capabilities across the open and closed weight model ecosystems. To which I say, yeah, good luck, because there's going to be unrestricted open weight models. There already are. They're only going to get better. So I'm not sure what that conclusion is supposed to mean. We believe this transition demands rigorous, transparent evaluation

[01:08:47] of model capabilities across the open and closed weight model ecosystem. What this actually means, you know, and for the first time demonstrates, is that the defenders of cyberspace had better get serious about tightening up their code. This leaves the huge problem of the existing installed base of systems. And that's where we're really going to have our next problem. We know that because they're not going to

[01:09:17] update themselves. And, you know, many will never be updated without some form of, you know, more than typical intervention. I don't know how this happens, but it is the big problem. The one bright spot here is that, you know, knock on wood, we seem to be past, as I mentioned earlier, we're past those frolicking days of uncontrolled internet worms. Most

[01:09:46] mischief now is about bad guys focusing solely upon making money. And internet worms do not do that, you know, the way that targeted extortion can. The place I could see a worm being deployed as an offensive cyber weapon is not by a criminal organization that wants to make money as its first priority, but by a nation state

[01:10:16] like the U.S., China, North Korea, or Russia. And in that case, its worm code would be carefully written to restrict its reach and spread to within a targeted geography. So this feels more like an interesting academic exercise. This is not to say that someone might not release such a thing just to see what it could do. That's always a possibility, but as these researchers also noted, the world does not

[01:10:46] yet have sufficient potential victims with inference engines capable of supporting a roaming large language AI model. By the time that changes, the world's exposed vulnerabilities should be so new that any potential worm would starve. So hopefully we're going to get the internet cleaned up.

[01:11:16] And as we evolve to next generation systems that do have the required inference engines, they'll be running newer firmware or newer software, hopefully that will never have the vulnerabilities that the current, thankfully dumb, installed base of hardware does. Wow. And Leo, I mentioned to you, I think before we began recording, that the weirdest thing happened, or I guess

[01:11:45] I did run through it in the things I want to talk about. As I was writing these show notes, I was rudely interrupted by an unsolicited Windows 10 notification from Google Chrome. I wasn't using Chrome, as we know. I don't use Chrome unless there's no alternative. Sometimes there's a site that Firefox won't display.

[01:12:14] OpenTable.com is the one that keeps biting me, and now I've learned I just have to go over and use OpenTable from Chrome. I haven't even used Chrome in recent memory, yet what we know is that today's web browsers are all running agents in the background which serve to keep those browsers up to date, and that's a good thing. We know that we want our web browsers to be patching themselves to keep themselves current. I'm all for that.

[01:12:45] But the operative phrase here is in the background. When Chrome, which I have installed, but as I said, I've not been using for any reason for quite a while, certainly since that machine was booted, when it without invitation pops up a notification telling me that I can shop with confidence and that I can quote, track prices across the web and get

[01:13:15] alerts if the price drops on any site, first of all, I don't do that, but it's no longer in the background and it's an annoyance in my foreground. The internet appears to be silent on this issue. I went searching, like, is this happening to people? I was like, what? So I don't know what's going on. Perhaps this is Google trying to get traction for some of its new agentic AI crap. In any event,

[01:13:44] I hope more than ever that Mozilla is able to somehow keep Firefox alive. A web browser, you know, is serious business. And keeping one going and secure and up to date with the never ending and ever changing World Wide Web Consortium standards, it takes a huge amount of work. So I appreciate what Mozilla is doing, but I need my Firefox and I sure want

[01:14:14] as little of Chrome as I can get. Yeah, I agree. Yeah. And I grabbed a copy of this notification from Chrome, I put it in the show notes, it's like, what? I don't want to hear from a browser that I'm not using about shopping tips. Thank you. It's got to be Windows doing this, right? How could Chrome? Well, you have notifications turned on in Chrome, I guess. And they are off now, but I hadn't turned them off before. So get

[01:14:44] out of my way, Chrome. Okay, after our next sponsor note, I'm going to talk about this HTTP2 bomb attack and how annoyed I am with the people who just said, well, we're going to make everybody update their web servers by publishing an exploit. What? Huh? Well, that'll work. It's 2026, guys. Our show today brought to you by GuardSquare. This is for you,

[01:15:13] mobile app developers. First of all, thank you for the job you do. Mobile apps today are an inescapable part of life ranging from, I mean, everything from financial services to healthcare, retail, entertainment. We users trust mobile apps with our most sensitive personal data. That's what makes them great. But it's also a risk. Recently, a survey came out that showed that 72% of organizations have experienced a mobile application security incident in the past year.

[01:15:44] 92% of respondents reported rising threat levels over the last two years. Meanwhile, attackers who want your users' personal data are constantly finding new ways to attack your mobile app. You know what the latest one is? It's really insidious. They take your app, they reverse engineer it. You could do this fairly easily with Claude and Ghidra and reverse engineer the app, repackage it, modifying it, put a little malware in there and then distribute that modified app via

[01:16:14] phishing campaigns or side loading, third-party app stores, all sorts of ways to do this, little pop-ups on Steve's machine saying you need this app. Well, you don't want this. This affects you, this affects your users, this affects your reputation. By taking a proactive approach to mobile app security, you can stay one step ahead of these attacks and maintain the trust of your users and that's why you need GuardSquare. GuardSquare. GuardSquare is an amazing tool for

[01:16:44] app developers. It delivers mobile app security without compromise in a couple of ways, providing advanced protections for both Android and iOS apps, combined with automated mobile application security testing so it can find vulnerabilities in your app, and then I guess the third thing they do is real-time threat monitoring. They're always looking out for how apps are being attacked and let you know what to watch out for. I think you need, as a mobile app developer, you need to find out more about

[01:17:13] how GuardSquare provides industry leading security for your mobile apps. Go to GuardSquare.com. GuardSquare.com. Mobile app developers, thank you for the job you do and thank you for taking the extra steps to make us secure with GuardSquare at GuardSquare.com. All right, Mr. Gibson, what else you got for us? Okay, so it's been a while since the abuse of a

[01:17:43] core internet protocol was able to take down a wide variety of servers. But the recently discovered and, as I've said, very irresponsibly disclosed HTTP/2 bomb attack, as it's called, can knock down Nginx, Apache, IIS, Envoy, Cloudflare's Pingora, and presumably any

[01:18:13] other modern web server that accepts and terminates HTTP/2 connections and queries, as all of the current state-of-the-art web servers do. An independent observer of this wrote, since the bug is an HTTP/2 protocol bug, other services may also be affected with Nginx, which is used in hardware load balancers, the most popular open-source reverse proxy, and the ingress

[01:18:43] controller for Kubernetes. Envoy, which is a reverse proxy for large cloud and tech companies, such as Google, Amazon, Netflix, and Airbnb, and Azure, which uses IIS. All of those can be knocked off the air with this thing. So they said a large portion of modern public-facing web infrastructure is affected. And when they say affected, they're not kidding. They wrote, given these circumstances, we had to take a

[01:19:12] close look at the write-up and assess the impact in order to determine which of our customers were affected and to incorporate the new attack vector directly into our platform. And they wrote, oh boy, that attack is effective. With one single notebook, we were able to bring down any of our own HTTP/2 servers, small and large. A single attacker

[01:19:41] can consume 20 to 30 gig of RAM on the target. This is a resource consumption attack where 32 gigs are consumed and then locked, and it makes the server crash. They said RAM/memory remains locked even after the attack is stopped. This allows for a low and slow attack in which the attacker starts with a low connection and

[01:20:10] stream rate, but gradually consumes more and more of the target's RAM resources over time. Once a certain RAM usage threshold is reached, the affected Nginx instance crashes and must be restarted via a hard reboot. So this creates permanent damage. And they said, with these attacks, even a small botnet of just 10 bots can take down services of any size for a low

[01:20:40] and slow attack with fewer than 10 requests per second, a botnet of only 100 bots is sufficient. And due to the slow query rate, such an attack would be undetectable and unstoppable by any web application firewall, which would normally be blocking high rate attacks. Okay, so given the discovery of a truly devastating

[01:21:09] attack against pretty much all of the current internet infrastructure, the fact that its discoverer chose to release the details without coordinating with the rest of the industry, well, in this day and age, it's truly unforgivable. We first encountered Calif, that's the name of this group, C-A-L-I-F, like as an abbreviation for California, C-A-L, but I don't know what it is, Calif. We encountered them

[01:21:38] recently and I didn't think much of them at the time. Now, unfortunately, I do think something of them and it's not good. Their website's homepage declares in large font type pushing the frontier of vulnerability research with AI. And the subhead is Leet Hackers and Top Models What Could Go Wrong? Let's Find Out. Wow. Okay.

[01:22:07] Their posting about this sets the tone for them and for their site. One week ago today, on June 2nd, their blog posting carried the title Codex, you know, OpenAI's Code AI. Codex discovered a hidden HTTP/2 bomb and they wrote, 14 years ago, so this is written in the first person by the

[01:22:36] person at Calif who was the discoverer. So, he wrote, or she, they, 14 years ago, I helped break HTTP header compression, then was asked to review the fix, which became part of HTTP/2. Life has come full circle. Today, we're releasing an attack I missed. We're publishing

[01:23:05] HTTP/2 bomb, a remote denial of service exploit against most major web servers, including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora. The vulnerable behavior exists in each server's default HTTP/2 configuration. The attack was discovered by

[01:23:34] OpenAI's Codex, which chained two techniques known to humans for a decade, a compression bomb, and a Slowloris-style hold. The bomb targets HPACK, which is HTTP/2's header compression scheme. One byte on the wire becomes one full header allocation on the server, repeated thousands of times per request.

[01:24:03] The hold is a zero byte flow control window that keeps the server from ever freeing any of it. A curious search on Shodan revealed more than 880,000 websites supporting HTTP/2 and running one of these servers. In other words,

[01:24:32] before releasing this, or at the time of its release, they know, thanks to Shodan, that 880,000 websites can be brought down with this. Yet, release it, they do. They said, though many, oh, here, so here's a caveat to that, though many sit behind a CDN, which is much harder to bring down. They wrote, a home computer on 100 megabit

[01:25:02] connection can render a vulnerable server inaccessible in seconds. Against Apache HTTPD and Envoy, a single client can consume and hold 32 gigs of server memory in roughly 20 seconds. They then get into the details of this potentially debilitating vulnerability that's sufficient for anyone proficient to design an attack. But,

[01:25:32] that won't be necessary because not only did these irresponsible jerks describe something for which they knew there was no current defense, but they also published a fully working proof-of-concept exploit. Not surprisingly, the folks over at Envoy, who produced that reverse proxy front end used by companies such as Google, Amazon, Netflix, and Airbnb were not humored by the behavior

[01:26:01] of these irresponsible glory hounds. So, they posted to the feedback thread for this announcement blog posting. They wrote, OP ignored responsible disclosure policy and released a zero day for Envoy's ecosystem. Envoy community was in process of releasing a patch for this problem. And then they have a link

[01:26:31] to Envoy security advisories, which is at github.com, to which that posting, the Calif guy replied, thanks for fixing the issue so quickly. This is a win for Envoy users. Yes, you jerk. We believe the traditional disclosure model is increasingly outdated in the

[01:27:00] era of AI-assisted vulnerability discovery, and we explain our rationale for disclosure in the post. So, they've unilaterally decided, well, that old responsible disclosure doesn't make any sense anymore. So, we're going to, you know, stir this all up. The Envoy guy replies, and irresponsible disclosure is a huge loss. Oh, so, so, this guy says this is a win

[01:27:30] for Envoy users, right? It's a win for Envoy users. Envoy replies, and irresponsible disclosure is a huge loss for Envoy ecosystem and possibly wider industry. Did you disclose this to all H2 implementations? This should have really been coordinated via VINCE to make sure all H2 vendors are aware. And if the 90-day disclosure policy is

[01:28:00] outdated, what's the new policy that you believe is appropriate? You have filed advisory on May 27th and published this blog on June 2nd. So, is your new embargo policy four days? Calif responds and finishes with, we disclose details once we believe that anyone monitoring public commits could reproduce the issue using AI

[01:28:30] assisted analysis. I guess that means instantaneously. In our view, withholding information after the relevant commits are public does more harm than good. We recognize that reasonable people may disagree and we respect that perspective. Well, thanks a lot for your respect. What a mealy-mouth position. I suppose we're going to be seeing more of this sort of thing as those

[01:29:00] who could not have disclosed this attack on their own, I'm sorry, those who could not have discovered this attack on their own, now use AI to find the attacks for them. In the era before AI, acquiring true expertise would generally be accompanied by the acquisition of some maturity

[01:29:29] about it or they would value the attack they discovered because it was so hard to discover it and so then they would responsibly disclose it to the people who it affected. Now discovering new attacks is free. They don't cost anything. When AI hands someone who has never done the hard work, they don't have the maturity to guide their handling of such a gift. In this case, it is

[01:29:59] utterly unconscionable that this exploit would have been publicly posted without a far more widely coordinated vulnerability and private vulnerability disclosure. NGINX has scrambled to assemble a patch and has made it available through standard update channels, but we know that's not the same as it being online. Apache's fix exists in a standalone module that has not yet been bundled into

[01:30:29] any release that package managers will pick up. So again, not enough time. Microsoft IIS has no patch and no CVE has even been assigned to the IIS variant yet. And we know that Envoy also has just had to scramble. As I said, I suppose we're going to be seeing more of this sort of thing in the future. I'm not unhappy that I'm still running an HTTP/1.1-only web server for

[01:30:59] a change. I'm sure that by the time I'm ready to deploy GRC's new servers, which I've talked about recently, Microsoft will have updated IIS to protect from this. But in the meantime, what a mess for everybody else. Wow. Another little related AI note from me. I've mentioned

[01:31:28] that I am currently working, speaking of GRC servers, to reduce the purchase friction for GRC's software by supporting a range of one-click purchase options such as PayPal, Google Pay, Apple Pay, Venmo, and so forth. Since my plan is to create a few more low-cost commercial products before I plow back into Spinrite for Windows, I want to make purchasing those as simple as possible.

[01:31:58] So I've been working to upgrade the e-commerce system, which I wrote 22 years ago. I briefly flirted with the e-commerce provider, Stripe, since I liked their integration solutions, but I decided to go in another direction. During that brief flirtation, they got hold of my email address, so I've actually an alias that I use just for them, but still, it's alive. So I've been receiving

[01:32:27] occasional notes from Chet at Stripe reminding me how wonderful they are, and they just kind of come in and I ignore them. I've noticed that every email from Chet contains a link inviting me to set up a time for further discussions of the wonders of using Stripe, but I've just been ignoring those

[01:32:56] emails and letting them go unanswered until this past Sunday evening when I decided to explain to Chet that since they do not support PayPal payments, Stripe is a non-starter for me. Yesterday morning, a reply was waiting for me from my Sunday evening email informing me of the good news that Stripe did support PayPal payments so that, as the email put it, it didn't need to be one or the other.

[01:33:27] And as with every email, it quickly ended with a link to quote, book a time for a Stripe discovery call. Now, what I'd failed to mention to this Chet was that I needed to have everyone able to use PayPal, including U.S. domestic purchasers, and that is not something PayPal allows anyone else to do. So Stripe does offer

[01:33:57] PayPal, but only for some international users. After jotting a short note back to Chet, I was hit by the question, am I interacting with a person? Because thinking back on all those previous emails, and its response to me when I finally did answer it, I suddenly had that question. Is there actually any Chet at the other end of this email

[01:34:26] dialogue? I realized that these days it's entirely possible now that all of this sort of front-end sales lead development has already been automated by AI. I'm being pushed by automation to click a link to make an appointment with a real person. And the cost of that pushing from the pushers end may have

[01:34:56] been reduced to zero. They don't need to be paying a human any longer. It's not a great job, you know, even when they were brand, it's actually a new form of business spam. And the other thing that clicked into place for me is that it's becoming prevalent because one of the things I've been noticing is the degree to which an increasing

[01:35:26] percentage of other enterprises that I'm noticing are being, having stuff outsourced. When I was interacting with DigiCert a few months ago, I noted that many of the links which looked like theirs actually pointed to Salesforce.com. DigiCert is outsourcing a large chunk of their customer service communication handling. Now, a second order consequence of this

[01:35:55] is, of this increasingly prevalent outsourcing is that, is the degree, I guess, of what I'd call presence broadcasting has been steadily increasing. I've been noticing it happening. In the good old days, when a company needed to design and develop their forward, you know, their outward facing communications for themselves, everything was bespoke. It was varied and

[01:36:25] it was minimal, being only what they really needed for them, what really made sense for them. But now, when a company signs up, for example, with Salesforce, they simply check off all of the various crappy outreach services they want to offer in their name, and which inherently subjects everyone to that they can find.

[01:36:55] And that service provider then makes it happen. And today, now, we add to that a patient, never tiring, proactive emailing AI agent, which is going to have zero-cost conversations as a means of what used to be working the phones, or in this case, working the email. So, it seems clear to me that

[01:37:24] many businesses are soon to become much more annoying. I just, you know, I had this weird thought, Leo, like, as I replied to these emails. They're all very succinct, very short, from Chet, and they all invite me to, you know, find a time when we can have a conversation. And I doubt that there's any Chet at that end, because nothing I've done really requires one.

[01:37:54] And I don't know if you've noticed, but I'm feeling a homogeneity among very different companies that have identical feeling outreach. And I realized it's because, oh, they didn't write it. They're now subscribing to an outsourcer that just does this. And unfortunately,

[01:38:24] it just means we're going to get a lot more of this crap. We, as internet users, we get good at ignoring stuff, pop-ups, spam. I mean, it's just endless. It is unfortunate. Yeah. Yeah. Okay. We have two more breaks. Let's take one now, and then we're going to get into looking at malicious use of AI, and we'll take our next break about halfway through that. Okay.

[01:38:54] That's good. I'm ready to talk about our sponsor for this segment of Security Now, Doppel.com. Yeah, maybe that voicemail is an urgent message from your CEO. Sure, sounds like your CEO. You ever think it could be a deep fake trying to target your business? It happens more and more. AI can impersonate trusted individuals, and Doppel's platform illustrates how frequently users fall for phishing attempts. We did a little demo,

[01:39:23] I played this for you before, this is in four minutes, Anthony Nielsen was able to train a model for my voice and make this message. Hey, Burke, this is definitely not Leo asking you to buy gift cards, but seriously, can you grab me 100 Apple gift cards? Just kidding. This is Anthony testing text-to-speech. How's it sound? Burke, fortunately, knows better. But, you know, that sounded just like me, right?

[01:39:53] It wasn't me. I never said those words. It was an AI. And unfortunately, this fools people. It fools your employees. In voice call simulation deployments Doppel did, target users, get this, spent six minutes, on average, conversing with the deep fake. 100% of them believed the AI was human. They couldn't tell the difference. That's why you need Doppel. Doppel is the AI-native

[01:40:23] social engineering defense platform. Doppel strengthens human risk management by training employees to recognize deception, protection, while Doppel's digital risk protection detects and disrupts attacks across every channel. You need both. I mean, attackers now, and we're going to talk about this more in a bit, they are turning the AI to power increasingly sophisticated strikes, and your employees are practically helpless

[01:40:53] against this, but Doppel can help them fight back with automated takedowns, multi-channel coverage, and AI defenses that build intelligence with every fight. Doppel works relentlessly to protect people, brands, and most importantly, your trust. Doppel offers best-in-class integrations and partnerships to seamlessly integrate into your existing security stack, and Doppel's industry awards and testimonials speak for themselves. Doppel is recognized as a winter

[01:41:22] 2026 G2 leader of users most likely to recommend, and momentum leader, and best support. Join hundreds of companies already using Doppel to protect their brand and people from social engineering attacks. Doppel, outpacing what's next in social engineering. Learn more at doppel.com, D-O-P-P-E-L dot com. We thank them so much for their support of security now. It's scary out there.

[01:41:53] Doppel can help. Back to you, Steve. And it is rapidly getting scarier. It is. So, okay. We all knew it was coming, but it is no longer coming. It has arrived. It's here. Last Wednesday, Anthropic published a Red Team report which examined the detected abuse of their Claude AI by malicious actors. We need to

[01:42:23] understand and examine how AI is being used by those who are, you know, aiming at nefarious ends in order to protect ourselves. So, the report's three authors at Anthropic opened their report by writing, we've spent the last year investigating how threat actors are weaponizing AI to conduct cyber operations. Today,

[01:42:52] we're sharing a new analysis that maps these real-world attacks onto the MITRE ATT&CK framework, a database of tactics and techniques used by cyber attackers. Doing so reveals patterns that challenge traditional assumptions about cybersecurity. For example, that the level of risk a threat actor poses can be assessed via metrics like technical sophistication or breadth of

[01:43:22] techniques. We partnered with Verizon to include some of these results in their 2026 Verizon Data Breach Investigation Report and are publishing this report to offer a longer-form analysis of trends we see in AI-enabled cyber operations. Okay, so what I'm about to share from their report, you'll hear these researchers referring to accounts. The accounts Anthropic is

[01:43:52] referring to are Claude AI accounts whose holders were attempting to use or abuse their access to Claude AI for malicious purposes. The other key to understand is this MITRE, M-I-T-R-E, ATT&CK, A-T-T-ampersand-C-K, the MITRE ATT&CK framework, which we never had the occasion to look at closely. The MITRE

[01:44:21] ATT&CK homepage explains, they said MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. And I'll just note that at the end of this report, they observed that the MITRE ATT&CK knowledge base is going to need updating based on the impact of AI. So MITRE says the ATT&CK knowledge base is used as a

[01:44:51] foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world by bringing communities together to develop more effective cybersecurity. ATT&CK is open and available to any person or organization

[01:45:19] for use at no charge. Okay, so this MITRE ATT&CK database is really nothing more than a well-thought-out and carefully constructed taxonomy of all the various things bad actors have been seen to do through the years. And it makes sense to have a common vocabulary, a common enumeration

[01:45:48] system where we can say this technique and this tactic were used and have those meanings well defined and described. So for example, it breaks malicious conduct down into 15 categories: reconnaissance, resource development, initial access, execution, persistence, privilege escalation, stealth, defense impairment,

[01:46:19] credential access, discovery, lateral movement, collection, command and control, exfiltration, and impact. And so basically, those 15 broad categories, they're enough to contain whatever we see. And then each of those broad categories of malicious conduct is then broken down into a specific behavior. I'll just give you an example of one. So for example,

[01:46:49] taking that first category which was reconnaissance, that's broken down by this MITRE ATT&CK framework into 12 specific techniques of reconnaissance. Active scanning, gather victim host information, gather victim identity information, gather victim network information, gather victim org information, phishing for information, query public AI services, search

[01:47:19] closed sources, search open technical databases, search open websites and domains, search threat vendor data, search victim owned websites. So again, this is meant to be a comprehensive description of anything that the bad guys do. And so what the Anthropic researchers have done is that they took everything that they saw during a 12-month period from March of

[01:47:48] 25 to this past March of 26 and plugged all of the behavior into this MITRE ATT&CK database in order to talk about it. And so the terms from the database are what I will be then describing. It is a widely agreed upon system for categorizing and naming. So here's what we know from their explanation. There are

[01:48:18] three researchers, right? For this study, we analyzed 832 accounts. Again, accounts meaning bad guys had a Claude AI account, which is what they found, where they found the misbehavior. So for this study, we analyzed 832 accounts associated with malicious cyber activity over the course of one year, from March 25 to March 26.

[01:48:47] Anthropic banned these accounts from using Claude for violating our usage policy. The accounts in this analysis are just a subset of those we investigated and banned during this time period. We selected them because we had enough detail about their malicious activities to map their techniques onto the MITRE ATT&CK framework. The 832 accounts in our analysis

[01:49:17] used AI models for all 14 tactics and 482 unique sub techniques across the framework, from initial reconnaissance through final impact. We also developed a risk scoring framework to assess how much AI assistance helped these actors plan their attacks. Most strikingly, we found that the percentage

[01:49:46] of actors labeled as being medium or high risk jumped from 33% to 56% between the first and second halves of the year. We found that the percentage of actors that they were labeling as being medium or high went from a third, 33%,

[01:50:16] to more than half, 56%, between the first half of their analysis period and the second half of their analysis period. They wrote, this suggests that AI is helping attackers conduct increasingly sophisticated cyber operations with greater ease. Our analysis resulted in three key findings. First, the number of actors using AI for cyber operations

[01:50:45] is growing and their actions carry higher risk. As mentioned above, the percentage of medium or high risk actors increased by a factor of about 1.7 in under a year, from 33% during the first half of our study window to 56% during the second. That growth is concentrated in actors using AI for some of the most harmful activities, including lateral movement,

[01:51:15] credential dumping, and web shells that carry the highest per-actor risk weight in our scoring, rather than the commodity build and obfuscate work that dominates the rest of the population. Traditionally, only the most technically sophisticated actors could operate across the entire kill chain or the sequential stages of a cyber attack. But our analysis found that this is no

[01:51:45] longer the case. The platform through which they access the model, such as an API or an agentic coding platform like Claude Code, also has no bearing on how high-risk their actions are. What does distinguish the highest risk actors is which techniques they're asking the model to perform. Okay. Second, agentic

[01:52:15] scaffolding will make it possible for cyber attacks to be far more autonomous. As AI-enabled cyber techniques become more common among this population, it will become harder to differentiate an actor's risk level based on what they're asking a model to do. Instead, the differentiator will become the scaffolding, the surrounding code, architecture, and tooling

[01:52:45] that makes AI models more capable, that actors build around the model so they can chain together attack stages autonomously. This was starkly apparent in the cyber espionage campaign we disrupted in November 2025, which had a maximum risk score of 100, yet only used a number of techniques comparable to medium risk actors.

[01:53:15] That attack was distinct not because of the number of techniques it employed, but because of how the attackers used an AI agent to orchestrate them. Third, the MITRE ATT&CK framework does not yet cover the autonomous actions that make these actors so dangerous. Autonomous kill chain orchestration, real-time pivot decisions,

[01:53:44] and AI-directed execution with no human intervention do not yet have ID numbers in the ATT&CK framework. Our report included 13,873 observations of malicious activity, all of which mapped to categories laid out on the framework, but the behaviors that distinguish the highest risk actors and determine the speed and scale of their operations

[01:54:14] do not yet have such IDs. The taxonomy that modern threat intelligence relies on must be evolved to capture them. While Claude Mythos preview demonstrates where frontier AI-cyber capabilities are hitting, models able to find and exploit vulnerabilities at a level approaching the most skilled human researchers. This report tells us how threat actors are already

[01:54:43] misusing generally available models today. It also serves as a guide to how threat actors are likely to misuse increasingly capable models in the near future, giving defenders a chance to get ahead of them. I hope. And they finish. What we learned from this and other analysis directly shapes how we build Claude to prevent such

[01:55:13] misuse. For example, we've updated the classifiers built into Claude to detect the high risk behavior indicators revealed by this analysis. These findings point to a landscape where the dividing line between low and high risk actors is no longer technical skill but orchestration and where

[01:55:43] defenses, detections, and the shared frameworks we all rely on will need to evolve as fast as the attacks they describe. Okay, so there's so much here. No one who's been following this podcast has ever heard me run around saying that the sky is falling. But what we learned from this report is as close to that as we've ever seen. This extremely

[01:56:12] sobering report shows that while we've been focused upon and enraptured by all of the many productivity benefits the use of LLM AI can bring to our lives, malicious actors have been exploring the many ways that same power can be used to attack our world. And unfortunately, there are many. The extreme leveraging power of AI cuts both ways.

[01:56:43] During the many years of this podcast before AI our long time listeners will have have been assembling maintaining and growing a large database of known vulnerabilities because we know most of the world is not updating their systems. That database will be large unfortunately because there are so many

[01:57:12] vulnerabilities which we've encountered over the last 20 years. My thought was always that when a nation state actor wanted to attack someone specific, they would determine which equipment and versions were being used, then look up the known vulnerabilities in their carefully curated master vulnerability database and launch their attack. As it turns out, that's not the way it's going to happen. Instead,

[01:57:42] all of the software publishers around the world have been publishing, as we have for the last 20 years of this podcast, all of this information for decades, and thanks to AI model training, it doesn't need to be curated into any master reference database. Instead, any well-trained malicious AI will have absorbed all of that knowledge

[01:58:11] and will have it at the tip of its virtual fingers when it's asked to target a specific entity. The most important point to appreciate is that bad guys are only using publicly available cloud based AI such as Claude, GPT, Gemini, whatever, because we're still in the earliest days of where this is all headed. I cannot

[01:58:41] say that enough. I mean, just the fact, Leo, that we see, you know, a new model comes out an hour ago and it's a dramatic improvement over what we had that came out three weeks ago. I mean, this is just moving so fast, and and and and guarantee you that that like we it's not like we're running out of steam here. We're still accelerating. You know, AI's legs are

[01:59:38] of their publicly available services, and the essential nature of LLM based AI means that even that is not easy. As we saw, Anthropic is saying, well, you just can't talk to us on our most advanced model about cybersecurity or biotechnology because we're just going to say no, we, we're not, we don't believe that we can determine well meaning

[02:00:07] cybersecurity questions from malicious ones, and in fact, there may not be really any difference, because if a security researcher wants to know about something bad, that's the same as a bad guy wanting to know about something bad. They're just going to use the information for different purposes. So you just can't give out the information. Here's the problem. We already know that AI is able to run quite well off the cloud,

[02:00:37] locally, on local hardware. It may not be super strong, not like what you have in the cloud with massive data centers and crazy H200 chips that cost, what is it, $40,000, some insane amount of money that NVIDIA is getting for these chips. That's going to change. Locally run AI will have no safeguards, no guardrails of any kind to limit its actions.

[02:01:06] In the very near future, it will be local models that the malefactors will be employing to direct their real-time attack campaigns. They're not going to be using Anthropic's cloud, where it's booting 838 of their accounts. They're going to invest in local hardware, just like bitcoin miners did back in the day, the strongest hardware available.

[02:01:36] And that's going to be running future attacks, and it'll have no safeguards. That's what's going to happen. And while it's against my nature to warn that the sky is falling, for sure, in the near future, I'm not sure I'd want to be spending too much time out in the open. Okay, Chicken Little. We have far too much legacy mess to clean up and not

[02:02:06] nearly enough time or incentive to we're to go to need

[02:02:51] to We're entering systems and pivoting like masters and moving through networks and taking them over. Like I said, it's going to be good times. The good news is that as Anthropic's year-long study shows, this has not happened yet.

[02:03:18] So at the moment, we're able to see what these miscreants have been up to. Anthropic writes, the findings in this report are drawn from 832 accounts that Anthropic banned for violating cyber-related parts of our usage policy between March 25 and 26.

[02:03:40] We identified these accounts through a combination of automated safeguards and investigations by our threat intelligence team. For each account, we produced a summary of the observed activity.

[02:03:58] We then extracted the tactics, techniques, and procedures, you know, the TTPs, described in those summaries and mapped them to the version of the MITRE ATT&CK framework that was live at the time, which was version 18. In all, we observed 13,873 actions across 482 unique techniques and all 14 tactics.

[02:04:26] We gave each actor a risk score from 0 to 100 based on a new methodology we've developed called the AI risk enablement score. So it's A-I-R-E-S, which they're calling ARIES. We've anonymized the data so that actors cannot be identified in the analysis that follows.

[02:04:51] Okay, so I'm going to skip past the description of their scoring system because, you know, the most interesting part of Anthropic's report is what they learned of the way threat actors are using, I would say, abusing AI today. And, Leo, let's take our last break, and then we're going to look into this breakdown. All right. What is actually being done by the bad guys?

[02:05:17] And while you've been talking, I've been getting all sorts of security work done with Fable. Wow. Catching all my holes. It's amazing what it's finding. I swear I'd tell you. And these are holes that previous AI did not know about. Didn't say Claude didn't see. 4, 6, 4, 7, 4, 8. And actually, previous AI wrote that code. That's right. That's right. And these holes, which are security vulnerabilities, were created by previous generation AI. Good point.

[02:05:47] Yeah, that's a good point. Yeah. It's been fun just running through everything with Fable. Fable's very smart, very fast, very impressive. It's really interesting to see this at work. I think another big jump in capability. Just happened. It's hard to believe. I know. I know. It's happening pretty fast here.

[02:06:08] There was an article I read this morning saying that math, generically, mathematicians, it's falling to AI in the same way that chess did to computation. Yeah. Basically, there are high-end math, theoretical math that has been eluding mathematicians, and AI is now resolving those.

[02:06:35] In fact, now it's not producing the proofs. It's now the mathematicians are trying to understand the proof that the AI provided. So the AI says, yeah, here you go. And now the humans are like, what the hell? It doesn't seem like this is just pulling stuff out of its knowledge base and applying it.

[02:07:02] It seems like it's creating new stuff. It's kind of amazing what's happening. I don't know. Anyway, I love following these stories. I do. And we'll continue to do that more with Steve and Security Now in just a little bit. Actually, we'll learn how the bad guys are using it next. But first, Security Now is brought to you this week by CyberHoot. There are a lot of bad guys out there. CyberHoot is there to protect you.

[02:07:32] If you've ever rolled out security awareness training and thought, oh, this feels more like a compliance exercise than actually teaching me security. Well, that is a universal feeling, right? Most platforms work basically the same way. They try to catch users making mistakes. Then they go, gotcha! They send fake phishing emails to inboxes. They wait for somebody to click. And then they go, mm-mm-mm, and assign training after the fact.

[02:08:01] And frankly, it can feel a little punitive. And it doesn't change behaviors. That's most important. You don't learn when you're being punished. That's where CyberHoot takes a completely different approach. That's what Lisa's doing right now. Instead of trying to trick your users, CyberHoot's Hootfish, I love the name, Hootfish, focuses on teaching them first. So she's in the little class right now. Not in their inbox after a mistaken click, but in their browser.

[02:08:29] Through a trusted, realistic phishing simulation. It's actually really fun. The goal is simple. To build instinct before that click ever happens. Oh, and for you, you'll love it because it's automated. CyberHoot is fully automated. Training campaigns, reminders, escalation to managers, reporting is all handled for you. So instead of chasing users, you get clear visibility into who has completed what and where your risks are. And here's something interesting.

[02:08:58] CyberHoot also adds a light opt-in social layer. In fact, who was it that was telling me? Lisa just sent him an owl because she earned an owl, right? Here's my owl. Users can connect with coworkers and engage in a friendly competition around the training process. Not forced gamification. Just enough fun to increase participation without turning it into some sort of punitive gotcha system. And it really works.

[02:09:25] G2 reviewers rate CyberHoot 4.9 out of 5 stars. I've never seen such a good score. The reviewers repeatedly praise ease-of-use hyper participation, brief content, non-punitive training, full automation, and strong support. If your organization is ready to stop punishing people for being human and start actually building cyber smart employees, head to cyberhoot.com slash security now.

[02:09:53] And by the way, use the code security now, one word at checkout, and you're going to get 20% off your first year. 20% off. That's C-Y-B-E-R-H-O-O-T dot com slash security now. The promo code security now for 20% off your first year. Just remember CyberHoot. Laugh, learn, and hoot up. CyberHoot.com slash security now really is a hoot. And don't forget to use the offer code. Security now.

[02:10:23] Mr. Gibson. Okay. So, what did they find? They wrote, Our empirical analysis of 13,873 observed techniques reveals clear patterns in how adversaries are using AI across the attack lifecycle and the most common techniques that models are being used for today. The most common technique family we observed was develop capabilities.

[02:10:50] That's one of the MITRE ATT&CK categories. Develop capabilities used by 574 out of the total 832 actors in our analysis, which is 69%. The majority of this behavior manifests as malware development used by 560 out of those 574.

[02:11:14] In practice, we observed threat actors misusing models to build and refine custom scripts to run, write DLL injection code with detailed guidance on how to implement it, as well as canvas fingerprinting. Canvas fingerprinting evasion and automated account management.

[02:11:35] The next most prevalent techniques are obfuscated files or information employed by 64.7% of threat actors, data from local system employed by 55.9% and impaired defenses employed by 54.9% also.

[02:11:54] Together, these top techniques show that threat actors most commonly seek LLM's help to build pre-engagement offensive tooling, making those tools harder to detect and harvest data from compromised systems. On the other hand, actors are much less likely to use LLMs for real-time adaptive decision-making, which that's where the real danger is, right?

[02:12:24] Once they've gotten inside a target network, so less likely. For example, only 54 of the 832 threat actors, which is 6.5%, used models for lateral movement. And less than 12 actors used models for remote services like RDP, SSH, and SMB. Only 22.5% of actors used LLMs for privilege escalation and impact stages.

[02:12:53] So those are all post-infiltration actions. Some technique families that are staples of real-world cyber attacks, such as Active Directory exploration, Kerberos ticket attacks, cloud infrastructure manipulation, AWS, Azure, and GCP, and container escape, they noted, have lower representation within the data set.

[02:13:22] So basically, the bad guys are sort of still using AI in the old model, not for dynamic real-time attack, but to help them build malware. And that's going to change.

[02:13:45] So the one observation I have is that Anthropic's view of what the bad guys are doing is probably skewed by the fact that their AI is deeply wrapped in guardrails, right? So the lack of more sophisticated AI, the sophisticated use of AI's potential,

[02:14:07] is also probably a combination of the resistance the cloud-based services already have built in against abuse coupled with how early we are still in the game. As I said, it's going to change. And boy, when they start using local unrestricted models, we're really going to see a change. The strongest supporting evidence for this is the fact that Anthropic noted that large jump

[02:14:35] in their own risk assessment of what bad actors were doing. Remember, it jumped from a third of them to more than half of them, up to 56% of them, in the second half, which suggests that we are nowhere near reaching any sort of steady state. This is all still very much growing. So they continue writing, The top techniques and the frequency with which actors use them did not change much over the one-year period we studied.

[02:15:03] For both the first and second halves of the period, the median number of techniques the model is used for is 16. Meaning, right, 16, there were just as many threat actors who used fewer than 16 as who used more than 16. So median as opposed to average. In the second half of the year, we observe a subtle directional shift with threat actors using models less to build

[02:15:32] standalone malware or obfuscation scripts and more to help with specific operational phases in a cyber attack. And for on-target discovery and collection techniques. In other words, that's where the sophistication is and that's where the bad guys are going. Specifically, we observe an 8.9% increase in account discovery occurrences,

[02:15:58] as well as a 6.2% increase in automated exfiltration alongside a 12% decrease in develop capabilities, which was that front-end stuff, and an 8.6% decrease in phishing. Again, more in the post-infiltration and less on the getting ready to do so.

[02:16:22] They said defense evasion is the single largest tactic category in the data set, present in the behavior of 84.4% of the actors we studied. MITRE defines 64 techniques under the broad category of defense evasion across its enterprise and mobile-specific frameworks.

[02:16:49] We observe 32, so exactly half of these techniques in our data set, 25 for enterprise and 7 for mobile. The top techniques observed within this tactic include obfuscated files or information, where 64.7% of threat actors in their sample used AI to implement techniques like XOR or Base64 encoding.

[02:17:15] So this is obfuscation of information, right? Polymorphic variants and anti-detection wrappers to evade signature-based detection. 54.8% used impaired defenses, where the AI was used to bypass, disable, or tamper with the endpoint security tools, getting around whatever was there to try to catch them.

[02:17:40] And 30.3% of actors used AI for process injection to write malicious code that could be injected into legitimate processes, such as hollowing out processes and DLL injection to execute payloads from trusted process memory. Less frequently used tactics include impact, exfiltration, privilege escalation, and lateral movement.

[02:18:07] Together, these account for just 8.7% of all observations, less than defense evasion alone. So they said, overall, the actors with the highest risk scores used AI most heavily for post-compromise hands-on keyboard techniques, such as remote services, credential dumping, web shell deployment, and internal network and account discovery.

[02:18:35] Lateral movement was the strongest marker of a high-risk actor. 54 actors in their data set who used lateral movement had an average risk score of 56.4, which was 10 points higher above the average, which was 48.6. No other technique came close to having such predictive power. So lateral movement is what the heavyweight hitters are using.

[02:19:07] So the aspect of this entire study that's most unclear to me, again, and I mentioned this before, Leo, is how these researchers avoided the problem of altering the behavior of their abusers. You know, they're describing wide-ranging malicious activity that they apparently directly observed.

[02:19:29] So does that mean that they allowed Claude to perform these services for the bad guys? Did they drop their guardrails in order to see what the bad guys would do? You know, that's difficult to imagine. But if they did not, then those attempted malicious actions would have been detected and blocked, I would think. That's what one would think. Yeah. You know, in the model card for the new Fable, it says,

[02:20:00] we have put in all sorts of hidden things to prevent this. And they said it's not jailbreakable, which I find to be a very cocky thing to say and very unlikely. But they are definitely trying to keep bad guys from using these models for malicious code. Whether they'll succeed is another matter.

[02:20:27] So they said what this means for defenders, right? So here we are, the good guys. What does what they saw mean? They wrote, the population of AI-enabled actors is not only growing, but also drifting toward the riskiest activities in our framework without requiring the actors themselves to become any more skilled.

[02:20:55] So there's the gotcha, right? Yeah. That's the danger, is that it has lowered the bar of skill level. So less skilled. And there, of course, it's a pyramid, right? There are many more less skilled threat actors than there are those, the cream of the crop, at the top. They said if this trend continues, these operational techniques will not be a differentiating factor anymore.

[02:21:22] That is, you won't be able to tell the skill of an actor because they'll all be doing the fancy stuff and will become the baseline for tomorrow. And we'll need to find a new way to measure the riskiest actors. I don't care about measuring them. I mean, they're bad. Okay. They said looking at our highest risk threat actors also underscores that calculating the risk of AI-enabled cyber operations based on number, type, or breadth of attack techniques is insufficient. Yeah.

[02:21:52] Or I would argue irrelevant. We need a way to understand the scaffolding threat actors are able to build to chain these techniques together. And Leo, I just see this being automated. I see it being sold on the dark web. There will be scaffolds, which the advanced guys sell to the junior guys, which automate all of this for them.

[02:22:17] And they said this will allow them to use AI models to autonomously execute large swaths of a cyber attack without human intervention. Now, get a load of this. Here's the one guy. They said, we analyzed the behavior of the threat actor who orchestrated the AI-enabled cyber espionage campaign we reported on in November 2025.

[02:22:45] They labeled this threat actor GTG 1002. We see that this actor achieved a maximum possible risk score of 100. Remember that the average was down at 46.2. So this guy, this was an elite group.

[02:23:05] Successfully compromised government and critical infrastructure targets across multiple countries and developed a scaffolding to use Claude Code, not as an advisor, but as an autonomous operator. Yet their overall MITRE profile, 30 techniques across 13 tactics, is comparable to dozens of medium risk actors in this data set.

[02:23:35] The median actor deploys 16 techniques. So they were even below the median. Several low risk actors also exceed 30. In other words, technique count or tactic type alone could not explain what made GTG 1002 the highest risk actor we've observed thus far.

[02:23:57] What does explain this actor's high risk score is the increasingly agentic components they used. How they were able to orchestrate and chain together techniques to take action on their objectives.

[02:24:14] GTG 1002 weaponized Claude Code running on a Kali Linux machine, integrating open source penetration testing tools as MCP, Model Context Protocol, servers. Effectively turning the AI into an autonomous attack platform rather than a code writing assistant.

[02:24:41] The AI didn't just suggest commands or generate attack scripts. It executed them and reasoned about attack environments autonomously. Some indications of their agenticness show up proxied through the types of techniques we track.

[02:25:02] GTG 1002 employed operational techniques such as remote services, SSH, exploitation of remote services, and archived collected data. Those are the MITRE categories. Their analysis concludes with a very clear description of what they observed. This most advanced threat actor, which they codenamed GTG 1002 doing.

[02:25:29] And if you want a chill to run up your spine, just remember that we have barely begun. And that what may be a single top rated risk profile actor today will almost certainly become every threat actor. Once the understanding of how to best leverage these tools becomes widespread. And we know it will become widespread.

[02:25:56] So Anthropic explains what this one actor, GTG 1002, did. First, we have three bullet points. First, autonomous execution within stages. GTG 1002 deployed Claude Code running on a Kali machine to orchestrate dozens of MCP tools operations autonomously.

[02:26:22] Scanning and mapping dozens of internet-facing services during reconnaissance. Then discovering internal admin portals, databases, logging servers, and temporal workflow systems once inside the network. The AI didn't just suggest commands, it executed them. Making tactical decisions about what... I'm getting goosebumps.

[02:26:46] Making tactical decisions about what to probe next without waiting for operator input. Next, live exploitation and pivoting. Operating within GTG 1002's scaffolding, the AI exploited an SSRF, a server-side request forgery vulnerability, in a public-facing web server to proxy commands into the internal cloud environment.

[02:27:13] Harvested SSH private keys from internal infrastructure and service account tokens from cloud metadata devices and AWS Secrets Manager, and used those harvested credentials to move laterally across the victim's cloud environment. These are the operational phases, discovery, credential access, lateral movement, that were more rare in our data set.

[02:27:39] And finally, human intent, AI execution. GTG 1002 provided strategic direction while the AI handled tactical implementation. The AI operated autonomous... I can't believe I'm even reading this, Leo. A year ago, this was sci-fi. I mean, it was. A year ago, this was science fiction. Yeah.

[02:28:08] And it is now real. The AI operated autonomously during reconnaissance and internal discovery, adapted its approach when it encountered unanticipated infrastructure like container image signing workflows and service account identities.

[02:28:27] It staged and compressed tens of thousands of proprietary workflow records and internal architecture documentation for exfiltration. The final data extraction, downloading to the attacker's machine via curl MCP tool calls,

[02:28:47] was human-directed, suggesting the operator retained control over the consequential decisions while delegating the operational work to the AI. GTG 1002's activity was novel for using an AI agent autonomously chained together many stages of the cyber attack lifecycle,

[02:29:15] reconnaissance, exploitation, lateral movement, and exfiltration into a coherent operation, making real-time decisions about what to do and what data to collect. This is the dimension of AI-enabled uplift that a technique frequency table cannot capture.

[02:29:38] And it is the dimension we expect to matter most as agentic tooling matures. So, while the good guys are currently excited about the promise of using the awesome leverage of agentic AI to transform our lives for the better,

[02:30:03] we should also soberly recognize that malicious forces throughout the cyber world are every bit as excited by the capability they are now receiving to dramatically magnify the power of their cyber attacks.

[02:30:22] This new AI technology with agentic agents coupled with MCP to remotely control existing tools is, you know, it's neither good nor bad in itself. What it is, unfortunately, is a great deal of both. Yeah. And we got it. Nothing you can do about it now. It's here.

[02:30:50] No, but I mean, but please, everybody take this seriously. Yeah. Well, I think today's the day because of the release of Fable. I think it is now. It's here, right? It's not as fully capable as Mythos, I guess, but I'm really impressed by what I've seen so far. It's pretty amazing. Steve Gibson. Go ahead. I was going to say, so Fable is not Mythos.

[02:31:19] It is, it is a, um. It's Mythos adjacent. They're calling it Claude 6. It's the next Claude model. But I think it's very related to Mythos. Yeah. It has certainly security capabilities. But Mythos, remember, wasn't trained specifically for security capability either. It's just a really good model. Right. Um, that's what's, that's what's happening. Yeah. Uh. Fable. Sorry, Claude 5, not Claude 6. I skipped one.

[02:31:49] The last Claude 4, 6, 4, 5, 4, 6, 4, 7, 4, 8. And we're now, uh. Well, and they're calling it Fable 5. Yeah. When it popped up, it was Fable 5 for me. Five, yeah. Yeah. Exactly. Uh, I'm sure. I mean, this is just, it just came out. This is, we're going to see a lot more. Uh, but so far the buzz is very, very positive everywhere I look. Wow. Which it wasn't for 4.8. 4.8 was pretty much universally reviled.

[02:32:20] Um, but I think 4.8 was an interim release because they wanted something to fall back to when they released Mythos. And you know, when you said this, I was reminded of how Windows versions always alternate between good and bad. Oh yeah. You know, it's, it's like, yeah. I don't know why, but every other Windows major release was famous for that. Yeah. Famous for that. Mr. Gibson is at GRC.com.

[02:32:49] He's famous for a lot of things, including, uh, Shields Up, which tests your network, uh, Spinrite, which tests your hard drive, affects the world's best mass storage maintenance recovery and performance enhancing utility. In fact, if you've got mass storage of any kind, you need Spinrite 6.1's the current version. This is Steve's bread and butter. He also has his newest program, the DNS Benchmark Pro, which tests various DNS servers from your

[02:33:18] locale to find the one that's best for you, which is, you know, it's not the same for everyone by any means. You'll find all that at GRC.com along with this show. He has a couple of unique versions of the show, a 16 kilobit audio version, which is a little scratchy, but small, a 64 kilobit audio version, which is just fine. And, uh, he also has the show notes, 22, 23 pages of excellence, handcrafted, no AI. You don't use AI on the show notes, do you?

[02:33:48] No, that's, that's Elaine. In fact, uh, our show last week was three hours. And so, uh, she transcribed, she said, normally by this point, I, uh, I'm done transcribing, but I still have 37 minutes left. I got them Friday at midnight. She did not sleep or, or at least delayed. Elaine will be happy. This is only two and a half hours this time. So thank you, Steve. Uh, yeah. Elaine Ferris, a human writes the transcripts. Those are also available at GRC.com.

[02:34:18] You can send Steve email, go to GRC.com slash email and, and whitelist your email address. It won't go through until you do that. That's an important step. After you do that, you might want to look at those two boxes below. You can, uh, ask Steve to email you the show notes the minute they're available. Usually a couple of days before the show. Uh, he also has a mailing list, which will announce new products, which he never uses, but you might as well sign up for that. Cause when you get an email from that, that's like a red light of day. That's a big deal. All of that at GRC.com.

[02:34:47] We also have the show at our website, twit.tv slash SN. And we have, uh, audio, yes, but also video. That's our unique format. Uh, you'll also find it on YouTube. There's the video there. A great way to share clips. I know a lot of people like to do that with this show. Uh, and then you can always subscribe in your favorite podcast client, get it automatically as soon as it's done, audio or video or both. We do stream it live. If you want the absolute freshest version, uh, we do this show right after MacBreak Weekly.

[02:35:16] That's usually about 1:30 Pacific on a Tuesday, 4:30 Eastern, 20:30 UTC. Uh, it's also, uh, uh, let's see what, oh yeah, it's in the Discord for club members. And I do hope you're a club member. I keep forgetting, Lisa reminded me, if you want chapters, a lot of people say, hey, I would love to be able to skip through stuff on Security Now. We can't do that on ad-supported shows because the ads are variable lengths. And in many cases inserted after the fact.

[02:35:46] So we couldn't tell where the time markers would go. Right. Um, YouTube could do that because they insert all the ads, but for us, uh, we have different parties inserting ads. So, and they're different lengths. So we just don't know. However, if you're a club member, we do put chapter markers in for club members. So that's another benefit. Ad free versions of the shows, plus the ability to go chapter by chapter order, go back a chapter. If you want to hear something again, I think that's more likely with Steve. Uh, if you want to listen, I got to hear that one again.

[02:36:15] Um, that is part of the benefit of being a club member, 10 bucks a month. It also really supports us. It helps us keep doing what we do here. And I think it's really important that we do. I know it is. So please join the club. We'd love to have you at twit.tv slash club twit. You can watch live. Even if you're not in the club on YouTube, Twitch, x.com, Facebook, LinkedIn, and Kick every Tuesday afternoon. Steve, I'll see you right back here next week for another gripping edition of Security Now. Right. Oh, bye.

[02:36:46] Hi there. Leo Laporte here. I just wanted to let you know about some of the other shows we do on this network. You probably already know about This Week in Tech. Every Sunday, I bring together some of the top journalists in the tech field to talk about the tech stories. It's a wonderful chance for you to keep up on what's going on with tech. Plus be entertained by some very bright and fun lines. I hope you'll tune in every Sunday for This Week in Tech.

[02:37:11] Just go to your favorite podcast client and subscribe to This Week in Tech from the TWiT network. Thank you.
