Security Now 1082 transcript
Please be advised that this transcript is AI-generated and may not be word-for-word. Time codes refer to the approximate times in the ad-free version of the show.
Leo Laporte [00:00:00]:
It's time for Security Now. Steve Gibson is here. This is a big day. Anthropic just released a new version of its AI, the Fable model. It's appropriate because we're going to talk about what Anthropic has learned from years of abuse of their AI models. We'll also talk about the malicious use of AI, some really scary examples, and which US law firm paid a $20 million ransom to ransomware authors and why. That and a whole lot more coming up next on Security Now.
Steve Gibson [00:00:38]:
Podcasts you love from people you trust.
Leo Laporte [00:00:43]:
This is TWiT. This is Security Now with Steve Gibson, Episode 1082, recorded Tuesday, June 9th, 2026: The Malicious Use of AI. It's time for Security Now, the show where we cover the latest security and privacy and a little bit of AI in here with this guy right here, Mr. Steve Gibson, the guy in charge at GRC.com. Hello, Steve.
Steve Gibson [00:01:14]:
Hello my friend. Great to be yo.
Leo Laporte [00:01:17]:
That's right, I do that live longer.
Steve Gibson [00:01:18]:
Great to be with you again.
Leo Laporte [00:01:20]:
Yeah, so.
Steve Gibson [00:01:23]:
So for a long time we've been saying, predicting, it was a prediction, but not like any, it didn't take any great stretch of imagination, that the bad guys would be using AI just like the good guys are. And in fact the reason that Anthropic did its sort of semi-controversial Claude Mythos Preview limited, you know, strictly limited release was that their feeling was it was enough of an advance that if the bad guys got a hold of it then there wouldn't be time for the good guys to fix their broken code. So it turns out that there's a red team operating at Anthropic which has for the last year, from March 2025 to March 2026, been cataloging the abusers' use of their AI, various versions of Claude, through the last year, and they've mapped it onto something we've never talked about before, which is the MITRE ATT&CK taxonomy. It's spelled ATT&CK because I guess you're going to have to hack. And what they found is really interesting and just as worrisome as you could possibly imagine. I mean, like, you know, I'm not one to declare that the sky is falling, but it occurred to me. So we've got Security Now episode 1082 for this June 9th titled The Malicious Use of AI, where we're going to, by the end of the podcast, have a bracing understanding of, like, the bad guys are not sitting around, they're not waiting, they're on this fast, and what an AI-enabled attack, like a well-orchestrated malicious campaign, can do is truly bone chilling. So. Oh, I, I, you know, I just hope that everybody who's got some jewels they need to protect are on the, on the ball here and using all of the most state-of-the-art available tools. And one just dropped like what, an
Leo Laporte [00:04:11]:
hour ago, a new update, Fable, just came out. Yeah, this is reputedly kind of a simpler, stripped-down Mythos, and at the same time apparently Anthropic turned on, because Anthony tried to put your show notes into the previous version, 4.8, and they have turned on some sort of gate that says, here, let me read you the actual text.
Steve Gibson [00:04:38]:
I actually saw that. Saw that, yeah. And there was a slide switch where it would fall back to a less potent model if it thinks that you're asking for things that it's not sure it wants to give you.
Leo Laporte [00:04:53]:
It says it won't work on cybersecurity stuff, and apparently your show notes are too dangerous. Opus 4.8, is that chat's paused. "Opus 4.8's safety measures have flagged messages on most cybersecurity or biology topics." Wait, "They may flag safe, normal content as well. These measures let us bring you Mythos-level capability in other areas sooner."
Steve Gibson [00:05:17]:
So interesting. So because they're having a problem filtering, they did a crude filter. That is to say, you know, it's difficult. A perfect example is my show note. There's nothing malicious in our show notes except we're talking about malicious things. I mean, we're talking about cybersecurity stuff. And you. So the idea is like, that's just since they don't know that they can slice it correctly, they're just completely blacking it out.
Steve Gibson [00:05:46]:
Nothing to do with cybersecurity, nothing to do with biology, because we don't yet know how to differentiate enough to give you access to that.
Leo Laporte [00:05:55]:
Now, I have just fed your show notes to the new model which just came out this morning, called Fable. And Fable is kind of like Mythos, right? And it has no trouble, no trouble at all, going through your show notes. No complaints whatsoever. So something's up. I did, in fact, and I think you saw it earlier on MacBreak Weekly, run some of my old Claude-generated code through Mythos saying find some security flaws. And it did. And it did a nice job.
Leo Laporte [00:06:28]:
Stuff that it had previously audited and
Steve Gibson [00:06:31]:
found flawless, saw no problems with. Yeah.
Leo Laporte [00:06:35]:
So I was very impressed not merely with how quickly it worked and how well it did, but I was actually very impressed with the verbiage it used. It seemed quite impressive. And it's much faster. It whipped through a large number of files, both in Rust and Python, and Go. And found faults, found flaws.
Steve Gibson [00:06:58]:
Now, I know you. I know. Well, we know from the announcement that it uses twice the token consumption rate of Opus. Right. Fable does.
Leo Laporte [00:07:09]:
Yes. They say this right on the front.
Steve Gibson [00:07:12]:
And. And so it's twice as expensive, essentially. Now I've got the $20 a month plan, and I'm never hitting a ceiling because I'm not really. Well, I have to say, though, that the only time I saw the thermometer, like, start going up was when I gave it more of an agent kind of thing to do, where it sat and churned for a while. And I thought, oh, I wonder how expensive that was. And I went over to check my account. It's like, oh, look, I just used up 20% of something. Whereas normally it just doesn't even get off the ground for the little simple things I'm asking.
Leo Laporte [00:07:48]:
So it was. It was able to find these. I feel like this. It just feels a little smarter, a little quicker, a little more effective. I was quite impressed. This is all.
Steve Gibson [00:07:58]:
I'm just stunned by this pace, Leo.
Leo Laporte [00:08:01]:
I mean, they just released four, like, three weeks ago.
Steve Gibson [00:08:05]:
It's breathtaking.
Leo Laporte [00:08:06]:
Crazy. Well, so I don't know if this is Mythos, but in a way, something Mythos like, has arrived already, which means I think you should start looking for tomorrow.
Steve Gibson [00:08:20]:
Time to start running your code through Fable.
Leo Laporte [00:08:25]:
Yep.
Steve Gibson [00:08:25]:
Yep.
Leo Laporte [00:08:26]:
I did have it fix everything it found, by the way.
Steve Gibson [00:08:29]:
Very cool.
Leo Laporte [00:08:29]:
Yeah.
Steve Gibson [00:08:30]:
Okay, so in addition to getting to the malicious use of AI, where we're gonna look at exactly what's going on, we're gonna answer some questions. Was a US law firm right to pay a $20 million ransom? Could Cisco have yet another SD-WAN 0-day in the wild? Like, really, Cisco? Really? Come on. Why is it so difficult to author secure PHP code? Turns out that teens are using something called weed hack to spy on and attack each other, which McAfee's security people found and were quite disheartened to, like, see what was going on. Researchers have created the first AI-enabled Internet worm and. Oh, boy, let's. The good thing is, it's not clear that a worm makes anyone any money. And money is the name of the game for the bad guys now.
Steve Gibson [00:09:33]:
Otherwise, it would be game over. Also, just a little editorial annoyance, because while I was working, I got a weird Chrome pop-up telling me that I could shop with confidence, and I wasn't even using Chrome. I was in Firefox. It's like, what the heck? We've also got. Something was really wrong here. An irresponsible disclosure of a very bad problem that was discovered in HTTP/2. You know, we always had HTTP/1.
Steve Gibson [00:10:08]:
Then we got 1.1. Recently we got, well, a couple years ago we got 2. There's an HTTP/2 bomb which can basically bring any contemporary web server to its knees. And the cretins who discovered it said, yeah, you know, what the heck? We're going to force everyone to upgrade by releasing it. Wow. And then we're going to get to what Anthropic has learned from their past year of monitoring Claude's abuse. And in two words, maybe it's three. I don't know if you count, if you count a contraction as two.
Steve Gibson [00:10:45]:
Anyway, it's bad.
Leo Laporte [00:10:48]:
Wow. Well, we have lots to talk about and a picture of the week to come in just a little bit. You're watching Security now with Steve Gibson. And now, ladies and gentlemen, the picture of the week.
Steve Gibson [00:11:02]:
So there's no security angle here, but I just love this.
Leo Laporte [00:11:08]:
Okay.
Steve Gibson [00:11:09]:
I gave this the headline there may be hope for humanity after all.
Leo Laporte [00:11:14]:
All right, I'm gonna scroll up. I haven't seen this before. All right, I'll let you describe this one
Steve Gibson [00:11:23]:
we have.
Leo Laporte [00:11:24]:
That's great.
Steve Gibson [00:11:25]:
We have two signs. You're a. The. The yellow diamond sign that says dip ahead. Right. Like where there's. Just to warn drivers that there's going to be some sort of a. Of a dip in the road that they need to take advantage of.
Steve Gibson [00:11:42]:
But then slightly after that along the road is one of those programmable boards where, you know, for like whatever the, the people working on the road need to warn drivers about. In this case, the signage has been programmed to say, and this is again following the dip ahead sign, "bring chips."
Leo Laporte [00:12:12]:
And to which our. Our Discord chat room has responded with this picture of you and me as well as CHiPs. Let me pull up the image. In this case, CHiPs is the California Highway Patrol.
Steve Gibson [00:12:30]:
Ch. Oh, goodness.
Leo Laporte [00:12:31]:
Yeah. You look good in the uniform. Very nice. Thank you. A pretty fly for assist guy.
Steve Gibson [00:12:36]:
Last time I was in a uniform was the Boy Scouts and that.
Leo Laporte [00:12:39]:
That was.
Steve Gibson [00:12:40]:
Lots of stories came from that. Oh, okay. So the large law firm Weil, Gotshal & Manges, which reported. I mean this is the. There are firms you never hear about. I've never heard about these guys. But $2 billion in revenue last year, right? So they're like so high end that they don't do any retail advertising, or they don't have any sort of a public presence at all.
Steve Gibson [00:13:12]:
They're whatever it is they're doing, you know, military contractors or who knows what, maybe international stuff. Anyway, they're raking in the bucks. They recently paid a $20 million ransom. Yeah, and I did the math, that's 1% of their annual take. So they did so in order to prevent the release of their confidential client data. And we don't know who their clients are, but again, $2 billion of revenue and people we've never heard of before, they probably got it going on. So the company said that their clients' confidential data had been stolen from an external cloud storage site earlier this year by a group known as the Silent Ransom Group. The FBI sent out a private industry alert last year warning in advance that this Silent Ransom Group had been spotted and that they were specifically targeting US law firms for their extortion campaigns.
Steve Gibson [00:14:24]:
Now what I appreciate about this is the strategic value of targeting law firms for extortion. Everyone knows I'm not endorsing the practice, far from it. But I think that high-end law firms are an interesting and clever ransom target. We've been seeing and reporting on the surprising and welcome dramatic decline in the percentage of ransoms that are being paid lately. You know, many more companies are simply saying no now than were 10 years ago. Back then, being hacked was much more of a black mark on an enterprise's reputation than it has frankly, sadly, become today. You know, I'm not happy that being hacked is almost routine now, but with cyber attacks having become a nearly daily occurrence, no one who's observing them from a distance really cares that much anymore. You know, as a consequence, companies are just saying no to ransom demands and putting out a press release saying that, oh well, we were hacked.
Steve Gibson [00:15:35]:
Coming up with some spin about how the bad guys didn't really get anything of any super secret value. And then offering their customers 12 months of free credit reporting as if that makes restitution. So nothing to see here. Move along. Okay, so against that backdrop, rather than just stumbling upon targets of opportunity, the bad guys have needed to find targets where the apologize, obfuscate and move on practice would not be available. And the confidential client data being retained by major deep-pocketed law firms just perfectly fits that bill. There's no doubt that this Weil, Gotshal & Manges knew that the disclosure of their clients' data would result not only in massive reputational harm, you know, which a law firm can ill afford, but also in a mass of breach-of-fiduciary-responsibility lawsuits, right, brought by their own current and past clients whose data they have not protected adequately.
Steve Gibson [00:16:52]:
We know that the FBI and others would have cautioned the law firm over and over that there's absolutely no guarantee whatsoever that the bad guys will honor their side of the agreement, which, after all, is voluntary. And they're bad guys, you know, by deleting all of the stolen data. But given $2 billion in annual revenue, even a $20 million payout, you know, that's just a 1% tax on the company's annual revenue when weighed against the alternative of absolutely certain disclosure of highly damaging data. Well, that's a bet that's entirely understandable. As I've been observing, the only thing these criminals care about is money. They could not possibly care less about the actual data they've stolen from this Weil, Gotshal & Manges. They know that the only chance they have of reliably obtaining voluntary ransom payments from their victims is if those victims believe from all past evidence that their payment of a ransom will result in the deletion, as far as they can tell, or certainly not the disclosure, of the stolen data, so that it can then hopefully never be disclosed. You know, yes, it may be a bargain with the devil, but it almost certainly paid off.
Steve Gibson [00:18:34]:
So I think the takeaway here is the observation that the overall drop in ransom payment likelihood has predictably shifted the attackers' targeting to those specific enterprises, law firms being a perfect example of that, which have the most to lose if their stolen data is publicly disclosed. That's the threat. And so it's got to be a threat where the pain of that threat being actualized is so high that the company says, oh, well, we don't like it, but it's, you know, a gamble we're willing to take. So, you know, companies like the regular run-of-the-mill companies who merely have, you know, millions of small customer transactions, you know, they're just increasingly shrugging off such breaches as unfortunate, but all equally unfortunate nowadays, almost inevitable. So it's like, we got it, we got hacked. How do you like a year of free credit monitoring? Well, we would rather that you hadn't been hacked, but you know, banks. Anyway, if I were to share the news that another unpatched zero-day flaw in Cisco's SD-WAN Manager was being actively exploited in the wild, our listeners could be forgiven for thinking that perhaps they were listening to a previous podcast, but sadly, no. In their reporting on this latest rerun of a story that pretty much writes itself at this point, you know, you only need to change the date and tweak some CVE numbers.
Steve Gibson [00:20:20]:
Bleeping Computer reminded us, they wrote last month, Cisco so. So we have one like last week, right? A new SD-WAN zero-day flaw exploit. And to give some background, they finished their coverage, Bleeping Computer did, saying last month Cisco also tagged a maximum severity Catalyst SD-WAN controller authentication bypass flaw. And that was the CVE 2026, 2182 as an actively exploited zero-day to gain admin privileges on unpatched devices. While Cisco, they wrote, has not yet released patches for today's most recent problem, on May 14, it advised customers to upgrade to the software that had been fixed for that 20182 CVE. Then they said in February, Cisco patched another Catalyst SD-WAN Manager information disclosure security flaw. That was 20133, which CISA flagged as actively exploited in late April and two weeks later warned that two more flaws, 20128 and 2122, were being abused in the wild.
Steve Gibson [00:21:42]:
In March, it also addressed and flagged a critical authentication bypass vulnerability, which is, you know, the polite way of saying anybody who wants to could get in. And that would be 20127. That has been exploited in zero-day attacks since at least 2023. And they said over the past several years, CISA has tagged 9,990 Cisco vulnerabilities as abused in the wild, four of them in Catalyst SD-WAN Manager and six others exploited by ransomware operations. So 90 vulnerabilities in just the past several years abused in the wild. Cisco has certainly earned their reputation for providing hackers with a ready and so far unending supply of remotely exploitable security vulnerabilities. Two months ago, on April 17th. I'm sorry, April 7th.
Steve Gibson [00:22:47]:
So just, just over two months ago, today's the 9th of June, Cisco wrote: For some time we have been stress testing our own products and infrastructure against the most advanced AI-powered security tools available, including Anthropic's latest unreleased AI model, Claude Mythos Preview. What we have found, they said, what we have found has been illuminating. Now the real work begins. AI-powered analysis uncovers data at a scale and depth that legacy frameworks were not designed to accommodate. Whatever, okay, whatever that means. This industry will recalibrate together. And Cisco is committed to leading that conversation. All I could say is that I hope they mean it. I hope they really do suddenly care more than they have ever appeared to in the past.
Steve Gibson [00:23:52]:
And given the evidence, it's like, how do you explain that this is Cisco? You know, perhaps something needed to make security much easier for them to deliver. And perhaps AI will be that something that's been missing until now. It's. It is inexplicable to me how a company that is so important and has been such a leader, you know, a pioneer on the Internet, could continue year after year to have so many damaging security problems. What. What is the culture over there? Recall that years ago, they were surprised to discover that the firmware of their own machines had been shipping with embedded authentication credentials in the firmware so that anybody who knew the username and password could log in remotely.
Leo Laporte [00:24:53]:
I bet you Mythos would have found
Steve Gibson [00:24:55]:
that, yes, if, yes, given access to the firmware, Mythos would have said the equivalent of WTF. So, but, you know, you know, Cisco, perhaps they are just really crappy at doing software. And, and the only re. You know, the only reason they were ever on top is that they were first. And so it's like, you know, once upon a time, they were the only game in town. And maybe they just always sort of sat back on their laurels and thought, well, you know, everyone's buying our stuff. It doesn't. It's broken, but what the hell?
Leo Laporte [00:25:32]:
Doesn't seem to matter. A wild guess that part of it was the number of acquisitions they did because Cisco grew very fast by acquiring a lot of other companies.
Steve Gibson [00:25:42]:
That's fair.
Leo Laporte [00:25:43]:
It'd be my guess that some of those companies themselves didn't have the best practices. And sometimes when you have mismatched systems, you get these kinds of problems.
Steve Gibson [00:25:50]:
A perfect example was that Hilton attack, remember? Right. It was. They bought another. Another.
Leo Laporte [00:25:58]:
Yeah, yeah, yeah, yeah, yeah.
Steve Gibson [00:25:59]:
And it was that. It was that. It was like they, they, they bought. They. The thing they. They bought was had, you know, some serious problems. And they just. We at the time, we argued that they didn't vet it as well as they should have, which I think is a reasonable position to take.
Steve Gibson [00:26:18]:
But wow, Cisco, come on, you know, get your AI going and fix this. Because too much of the. Now, of course, the big problem, once there is firmware which the latest AI agrees has no more problems that it can detect, is how do you get it deployed? Because it's one thing to have it, it's another thing to have it out there running. Okay, I mentioned before that my desire to host web forums required me to run a PHP interpreter on a, on a GRC domain, you know, forums.grc.com, and even grc.sc, that little short, that link shortener, is also some PHP. But due to the long history of security incidents surrounding PHP, the idea of running a PHP interpreter on a GRC domain terrified me, and I was and still am unwilling to allow any such server to share a network with the rest of GRC's infrastructure. In other words, I took my own advice in the same way that I do for residential IoT devices, which is to firmly sequester those things whose security we have no control over and are inherently suspicious of on their own network.
Steve Gibson [00:27:54]:
You know, contain them, sandbox them. Fortunately, my choice of the PHP-based XenForo for forums and the PHP-based Nuevo Mail, which is what I use to send out GRC's weekly mailings, they've both been solid choices and I've never had any problem with them. But I'm still not allowing anything that runs PHP anywhere near the rest of GRC's network. The reason I'm mentioning this today is that once again a PHP-based third-party WordPress plugin has come under active widespread global attack, and the means by which the plugin is being attacked is just so marvelously PHP that I wanted to take the time to share it. Last Wednesday the Wordfence WordPress security company, and based on everything we've, we haven't talked about Wordfence for a long time, but they got a strong recommendation last time and they'll get it again, because I think anybody who is running WordPress stuff with any add-on plugins especially, which is where the problems generally are. WordPress, you know, itself has generally been so well cared for and maintained that we don't see problems in the core WordPress system. Anyway, Wordfence posted the news of this latest vulnerability, which carries a CVSS of 9.8, which as we know is, you know, hard to achieve.
Steve Gibson [00:29:36]:
You basically have to let anybody who wants to, anywhere in the world, crawl into your system and set up shop to get a 9.8. Wordfence wrote: On March 30, 2026, we publicly disclosed a critical remote code execution vulnerability in Everest Forms Pro, a WordPress plugin with an estimated 4,000 active installations. This vulnerability can be leveraged by unauthenticated attackers, meaning anyone, to execute arbitrary PHP code on the server, leading to complete site compromise. The vendor released the fully patched version on March 18, 2026. Our records indicate that attackers started exploiting the issue on April 13, 2026. So, okay, less than a month later. So March 18, fully patched version that fixed the problem. April 13 it began. It came under attack.
Steve Gibson [00:30:44]:
So again, anybody who's keeping their site up to date, is checking for updates and following through with them, would have been safe. The Wordfence firewall, they wrote, has already blocked over 29,300 exploit attempts targeting this vulnerability. And they said Wordfence Premium, Wordfence Care and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on February 27, way up in advance of the plugin being updated. Sites using the free version, which is what I mean, like why wouldn't you use the free version of this protection system of Wordfence, received the same protection 30 days later on March 29, so still well in advance of when the bad guys started attacking. They said, considering this vulnerability is being actively exploited, we urge users to ensure their sites are updated with the latest patched version of Everest Forms Pro, version 1.9.13 at the time of this writing, as soon as possible. So as I said, we've covered the work of the Wordfence people in the past and I have no problem allowing them to promote themselves by sharing their posting here, since any site that has chosen to employ third-party WordPress plugins would be well served to at least run the free version. And you know, I'd pay something for the added protection if for no other reason than to support them in the same way that Leo and I do for Bitwarden. Yeah, in other words, you know, these are good guys offering an important service at a reasonable price, and if you're running WordPress and you've got random plugins that you've added on, you really ought to have Wordfence watching your back. Then they explain what they found, which is really what I wanted to get to. They wrote: Examining the Everest Forms Pro code reveals that the plugin uses the process filter function in the process class to evaluate user-defined calculation formulas.
Steve Gibson [00:33:12]:
Now there's the key: user-defined, meaning visitor-based, calculation formulas. The function concatenates submitted form field values into a PHP code string which is then passed to the eval function. Now again, that phrase, that string of words, should make anyone's blood run cold. Concatenates submitted form field values into a PHP code string which is then passed to the eval function. So this is a variation of the infamous Bobby Drop Tables flaw. You know, anytime any user-provided, you know, visitor, web visitor traffic input is passed to a function that might confuse data with commands, which is what PHP does in the same way that SQL can, that user-provided input must be scrupulously sanitized. Really, you should never have a situation where that could be done, but if you have to for some reason, then really make sure there's no way that the user can provide something that can be switched from data to command, to prevent malicious users from managing to use a web form for their own command input. Wordfence's write-up continues, saying: Although user input is sanitized with the sanitize_text_field function, this function does not escape single quotes. And by escape they mean convert a single quote into something that isn't a single quote but, like, carries the same meaning.
Steve Gibson [00:35:13]:
That's known as escaping in programming parlance. It does not escape single quotes or other characters that are significant in PHP code. For string-based fields such as text, email, select and radio fields, the submitted value is placed inside single quotes and directly added to a PHP code string. An unauthenticated attacker can exploit this by submitting a value containing a single quote followed by malicious PHP code and a comment character, allowing them to break out of the string and inject PHP code that is later executed through the eval function. This makes it possible for unauthenticated attackers to execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field, as long as the targeted form uses the complex calculation feature. As with all remote code execution vulnerabilities, this could lead to complete site compromise through the creation of admin accounts, the use of web shells, and other techniques. Okay, so this is exactly why PHP terrifies me. When I've made the mistake of stating that PHP is fundamentally insecure, our well-informed listeners have written somewhat indignantly to argue that it's entirely possible to write secure PHP systems. I assume that's true, since I've never had any trouble with XenForo and their security record has been very good. Not perfect, but still very good. So I suppose a more balanced assertion on my part would be that authoring secure PHP websites inherently requires much more understanding of the security pitfalls inherent in the use of PHP, which are many, than the typical PHP author possesses.
Steve Gibson [00:37:39]:
In other words, you can write secure PHP, but PHP is targeted at people who don't. Wordfence explains what their, excuse me, what their WordPress application firewall has intercepted by writing: The most common payload observed in our blocked requests attempts to create a new admin account named D-I-K-S-I Marina, M-A-R-I-N-A, Dixie Marina, I guess you'd say, on the affected site. The attacker submits a value for a text field that begins with a single quote to close the wrapping string literal, followed by a PHP statement that calls wp_insert_user, WordPress insert user, to create a new admin account with the user dixie marina. The trailing // comment marker ensures the rest of the generated PHP code, which was, you know, there in the original form, including its closing quote, which the attacker put first, is treated as a comment and does not cause a syntax error, because that would crash PHP and then the attacker's code wouldn't get to execute. When the form is processed and the calculation is evaluated, the injected PHP code is executed and the malicious admin account is created. Once authenticated as a new administrator, the attacker can fully compromise the site by uploading web shells, modifying themes or plugins, or installing further backdoors to obtain persistent access. So the problem with PHP is that while it correctly advertises itself as very easy to use, the less well appreciated fact is that it's also extremely easy to abuse. Thus it's running on a server at GRC on its own network segment, with no contact to the rest of my stuff. Because I will never trust it.
Leo Laporte [00:40:07]:
I'm looking at the information about Claude Fable 5, which was released today by Anthropic and Mythos, and I'm looking at the benchmarks provided by Anthropic. But man, they say this is even better than the Mythos preview that they've been offering to some people. It is incredible. $10 per million tokens in, $50 per million tokens out. It is a very expensive model, although they're cheaper than Mythos Preview. They also say it can work longer than any previous Claude models. So they have a lot of benchmarks, a lot of examples.
Steve Gibson [00:40:47]:
I wish I was thinking about this the other day. I wish that unused tokens built up a balance in your account. I know, because my use is very erratic and you know, a lot of times I'm not using Claude for anything.
Leo Laporte [00:41:05]:
Well, do you have a subscription or do you pay as you go? Because you can't pay as you go.
Steve Gibson [00:41:09]:
I have a subscription.
Leo Laporte [00:41:11]:
Yeah, so the subscription is all you can eat. And as you've probably noticed, if you really bang on it, it'll time out after five hours. It'll say, well, you got to wait till one or whatever.
Steve Gibson [00:41:22]:
Right? Right.
Leo Laporte [00:41:23]:
And you can also use up more tokens than you're supposed to in any given week or even month. But generally the all you can eat is pretty good. The API is pay as you go, so if you don't use it at all, it's zero. So maybe. But the problem is it's a lot more expensive to pay as you go than it is to buy a subscription for most people. I don't know what it's going to be like eventually. I think eventually Anthropic wants everybody to go the API route, because I think for a lot of users they're losing money on the all you can eat. It's a buffet, and some people are real pigs.
Leo Laporte [00:42:01]:
But you know, I'm just playing with it right now, and it's very fast. They also said if it gets into a situation where you're asking about security stuff, it will fall back to 4.8. It's going to try to prevent you from using it to...
Steve Gibson [00:42:15]:
Yeah. Yes.
Leo Laporte [00:42:16]:
And that's why we're getting that 4.8 warning.
Steve Gibson [00:42:19]:
It's because security or biology, apparently.
Leo Laporte [00:42:22]:
Yeah.
Steve Gibson [00:42:23]:
I don't know about biology.
Leo Laporte [00:42:24]:
But anyway.
Steve Gibson [00:42:24]:
Yeah.
Leo Laporte [00:42:25]:
You can't make bugs, dangerous bugs, with it either.
Steve Gibson [00:42:29]:
Exactly.
Leo Laporte [00:42:29]:
Of any kind. Yeah.
Steve Gibson [00:42:33]:
Okay. So McAfee's report, their headline caught my attention because it was "New Malware Targeting Minecraft Infects 2,000 Daily and Teens Are Becoming Attackers." So this is all pretty sad, but it's worth us knowing what's going on. McAfee writes: McAfee Labs has discovered a massive, ongoing (and massive because of how cheap it is) malware campaign called Weed Hack that disguises itself as free Minecraft mods and game clients to infect players' computers. Since January 2026, it has logged more than 116,000 victim infections, averaging between 2,000 and 3,000 new hits every single day. What makes Weed Hack different from most malware is how cheap and easy it is to use. Typically, a hacker would pay hundreds of dollars per month to access attack tools through underground criminal networks.
Steve Gibson [00:43:44]:
Now this is all, you know, malware as a service, which is the new thing. They said: Weed Hack offers a free version to anyone with a Discord account. A premium upgrade, which includes the ability to secretly watch victims through their own webcam, starts at just $5 a month. This low barrier has attracted a younger crowd of would-be attackers. Many of them appear to be teenagers or young adults. Our researchers were startled to discover teens using these tools not just for financial theft, but to harass and bully their peers, like posting the webcam footage that they capture from other people's machines. A pattern we've documented and that makes this campaign especially concerning. Weed Hack is a Malware as a Service (MaaS) campaign, meaning it's a criminal business that sells hacking tools to customers the same way a legitimate software company sells subscriptions.
Steve Gibson [00:44:56]:
The product in this case is malware that gets secretly installed on a victim's computer when they download what they think is a Minecraft mod or client. Once installed, it can steal passwords, hijack accounts, and for paying customers, it can give the attacker live access to the victim's screen, webcam and files. The campaign operates a polished, professional-looking dashboard hosted openly on the Internet, not hidden on the dark Web. That dashboard lets customers track their victims, download stolen data, and launch remote access features all from their browser. One of the most disturbing findings from our investigation is how Weed Hack is being used. While monitoring the campaign's Telegram channel, which had over 850 members during the time of our research, we observed that many customers appear to be teenagers and young adults, and a significant portion of those using the remote access tools were using them not for financial gain, but to harass and intimidate other players. We observed attackers recording victims through their webcams without consent and sharing those recordings in a Telegram channel as trophies. Others use knowledge of victims' IP addresses and system address to threaten them.
Steve Gibson [00:46:32]:
It's important to note that at the current time of publishing, the Telegram channel has been taken down and no replacement channel has appeared. McAfee is continuing to monitor any new channels that may be established by the threat actors for further communication. Still, what we observed is a form of cyberbullying with unusually invasive tools behind it. If you or your child has been contacted by someone online claiming they've hacked your computer, have your webcam footage or know your IP address, take it seriously. Do not follow the attacker's instructions. It only makes things worse. Tell a trusted adult immediately. A parent, a guardian or school counselor.
Steve Gibson [00:47:23]:
Contact your local law enforcement. This may constitute criminal conduct. And do not engage with the attacker or attempt to negotiate. So how do people get infected? Weed Hack spreads in two main ways, and the campaign even provides its customers with step-by-step tutorials on how to carry out both. First, fake YouTube videos. Attackers create convincing YouTube videos reviewing or demonstrating Minecraft clients and mods. The videos are well produced. Some include voiceover narration. Links to malicious download sites are present in the description and comments.
Steve Gibson [00:48:07]:
One video McAfee identified had over 7,500 views before being flagged. Comments are also sometimes planted by the attackers, claiming the files are safe. Second way: fake mod websites. Weed Hack instructs customers to build convincing-looking websites that mimic official Minecraft mod pages. These sites are deliberately designed to show up high in search engine results for popular mod names, a tactic called SEO poisoning. Some fake sites include fake security warnings, Discord links, and GitHub references to appear legitimate. In one case, a site warned players to "only download from us" while actively distributing malware. Minecraft clients and mods specifically targeted include Meteor Client, Radium Client, Wurst Client, Liquid Bounce, Impact Client, Future Client, and others. So what happens when you're infected? Infection occurs in four stages that happen silently in the background after a victim opens the downloaded file.
Steve Gibson [00:49:22]:
Stage one, first contact: the malicious file launches quietly without showing a console window, connects to a hidden network, and phones home to receive further instructions. It uses a sophisticated technique involving the Ethereum blockchain to locate its command server in a way that's difficult to block or take down. Remember, we talked about one such method using DNS domain names which are created dynamically based on a timestamp. This uses the Ethereum blockchain. Stage two, taking hold: the malware disables Windows Defender protections, gathers detailed information about the victim's computer (their processor, graphics card, RAM, operating system, and so forth) and takes a screenshot of their screen. It then steals their Discord tokens, browser passwords, and cookies. Stage three, digging in: the malware installs itself so that it automatically restarts every time the victim logs back into their computer. It sets up a hidden scheduled task that runs continuously with the highest system privileges.
Steve Gibson [00:50:38]:
And finally, stage four, obtaining full access: for premium customers, an additional component is installed that connects the attacker to the victim's computer in real time. This includes live screen sharing with keyboard and mouse control, webcam access, key logging (recording every keystroke), a reverse shell (full command line access to the computer), and the ability to upload or download any files. A separate component specifically hunts for Telegram credentials and cryptocurrency wallets, sending that data to a different server every five minutes. So what can attackers steal? The free tier supports the theft of Minecraft session IDs, which are used to hijack Minecraft accounts; saved passwords and cookies from 36 different browsers; credentials from Discord, Steam, and Telegram; browser-based crypto wallets (56 are currently supported) and desktop crypto wallets (12 are currently supported); files matching 24 different search keywords; screenshots of the victim's screen; and system information: the computer name, their IP address, and hardware specs. Then, for $5 a month, which is the premium tier, you get live webcam access in addition to all those things: live webcam access, live screen sharing with keyboard and mouse control, key logging (every key the victim types), full remote shell (command line control of the computer), and file management (upload, download and delete files remotely). Okay, so just to be completely clear, what now exists is a service which, for as little as $5 per month, apparently in a play for user volume, anyone, and often teens, no longer needs to have any hacking skills, apparently.
Steve Gibson [00:52:50]:
All they need is some marketing skills. All the hacking, all the technology, all of that has been done for them. They're able to subscribe to this new malware as a service, Weed Hack, out on the public open web and then trick others, using their marketing skills, into downloading a Minecraft mod or client that then gives them access to that infected user's saved passwords and cookies, their social media credentials, their crypto wallets and more, including their webcam and full remote keyboard and mouse access to their computer. And the service is going gangbusters, logging between 2,000 and 3,000 newly infected victims per day, with more than 116,000 victim infections spotted since this past January. So Leo, the world we live in today. Wow.
Leo Laporte [00:53:58]:
No kidding.
Steve Gibson [00:53:59]:
You know, basically turning teens into criminals. Because this is all criminal abuse. I mean, this is criminal network intrusion thanks to a third party that's only asking for $5 per month and taking all of the hard work, all of the knowledge, all of the technology out of the loop.
Leo Laporte [00:54:22]:
You pay, using kids to get to their, I presume, to get to their parents' accounts. Right? I mean, because...
Steve Gibson [00:54:30]:
Can be, but I guess the kids
Leo Laporte [00:54:32]:
might have money, I don't know.
Steve Gibson [00:54:33]:
But yeah, it's not clear where I guess the, the, the kids, some adults
Leo Laporte [00:54:38]:
play Minecraft, but it's mostly kids. Right?
Steve Gibson [00:54:40]:
It's got to be. Hey mom, can I, can I, you know, charge $5 a month for this cool service that I found that will allow me to do something with Minecraft? And mom says, you know, fine, whatever.
Leo Laporte [00:54:50]:
Yeah. Wow.
Steve Gibson [00:54:53]:
Wow. Okay. So, so evil.
Leo Laporte [00:54:56]:
It's so bad.
Steve Gibson [00:54:57]:
It is, it is. And, you know, teens are like, well, wait, it's a service on the Internet. What do you mean I'm breaking the law? What do you mean I'm a criminal?
Leo Laporte [00:55:07]:
It's actually smart because. Yeah, exactly. This is taking advantage of their naivete. Yep.
Steve Gibson [00:55:13]:
And getting $5 a month out of all of their parents' credit cards.
Leo Laporte [00:55:18]:
Right.
Steve Gibson [00:55:21]:
Okay, so what have we done? You know, somebody was bound to try it. So far it's been contained inside a lab. Yikes. I don't like that. No, we've... Yes, we've known of other things that were supposed to be contained inside a lab and got loose. Researchers with the University of Toronto and the Vector Institute wondered what a contemporary AI-powered network worm might look like and how effective it might be. So of course they made one.
Steve Gibson [00:56:04]:
The paper they just published is titled "AI Agents Enable Adaptive Computer Worms," and they explain, quote, "in our pursuit of new knowledge," that's always the excuse, right? Or the justification. "In our pursuit of new knowledge to enhance the security of artificial intelligence, we uncovered a cyber security threat with implications across society." Okay, so you know, since the idea of an AI-enhanced network worm is not a stretch for anyone, I'm just going to share the high points from the research overview which they published. However, even this overview makes me somewhat queasy. Here's what they wrote (and I just scrolled off). They said: Large language models now demonstrate the capacity for structured problem solving which, combined with tool access, enables agentic AI systems to solve complex tasks. We show that when these capabilities are embedded in a self-replicating agent, they produce a fundamentally new cybersecurity threat: an adaptive computer worm that devises target-specific attack strategies to gain control of machines and spread across networks.
Steve Gibson [00:57:44]:
Each compromised machine becomes part of the worm's own infrastructure, providing compute or reach for further attacks. A computer worm, they write, is self replicating malware that spreads across a network without human intervention. The WannaCry worm in 2017 disrupted critical infrastructure across 150 countries by exploiting a single vulnerability. Traditional worms can be stopped by patching the specific vulnerability they exploit. Our adaptive worm cannot be stopped this way. It uses a recursive reasoning loop to detect and exploit diverse vulnerabilities as it propagates. We demonstrate these capabilities in a controlled experiment. A prototype AI driven worm powered by an open weight LLM running locally, propagated across a heterogeneous network of Linux, Windows and IoT devices with common corporate network vulnerabilities.
Steve Gibson [00:59:02]:
The experiment was conducted in an isolated virtual network. We believe this work highlights three important dimensions of the impact of AI on the cyber threat landscape. First, it establishes a qualitative shift in threat capability. The worm replaces fixed exploitation code with goal-directed reasoning that adapts to the vulnerabilities of each encountered target in real time. Our agent self-replicates across network devices, subverts control of systems and self-sustains on stolen resources. Second, the AI-driven worm requires only an open weight model that can run on a single local GPU. It does not rely on any commercial AI platform. This renders vendors' centralized safety controls, including service refusal, content filtering and rate limits, structurally irrelevant.
Steve Gibson [01:00:12]:
The worm's tiered design, where each compromised GPU-equipped node provides reasoning for lightweight agents on downstream devices, extends the attack surface to any network device. And I'll note that it gets smarter as it propagates, right, because it's continuing to have access to all the GPUs it's already taken over, so that's kind of creepy. And finally, the traditional economic barrier in cybersecurity collapses. The traditional economic barrier in cybersecurity collapses. The worm parasitically uses the victim's own computational resources, reducing the attacker's marginal cost to zero. As consumer devices increasingly support LLM inference, meaning they're getting the GPU compute locally, the reasoning resources available to such adversaries grow accordingly. This work provides empirical evidence that autonomous cyber offense has crossed from theoretical risk to demonstrated capability.
Steve Gibson [01:01:30]:
A challenge that spans AI research, cybersecurity and public policy. We believe this transition demands rigorous transparent evaluation of model capabilities across the open and closed weight model ecosystems. To which I say, yeah, good luck, because there's going to be unrestricted open weight models. There already are. They're only going to get better. So I'm not sure what that conclusion is supposed to mean. You know, we believe this transition demands rigorous transparent evaluation of model capabilities across the open and closed weight model ecosystem. What this actually means, you know, and for the first time demonstrates, is that the defenders of cyberspace had better get serious about tightening up their code.
Steve Gibson [01:02:28]:
This leaves the huge problem of the existing installed base of systems. And that's where we're really going to have our next problem. We know that because they're not going to update themselves. And, you know, many will never be updated without some form of, you know, more than typical intervention. I don't know how this happens, but it is the big problem. The one bright spot here is that, you know, knock on wood, we seem to be past, as I mentioned earlier, we're past those frolicking days of uncontrolled Internet worms. Most mischief now is about bad guys focusing solely upon making money. And Internet worms do not do that.
Steve Gibson [01:03:20]:
You know, the way that targeted extortion can. The place I could see a worm being deployed as an offensive cyber weapon is not by a criminal organization that wants to make money as its first priority, but by a nation state like the U.S., China, North Korea or Russia. And in that case, its worm code would be carefully written to restrict its reach and spread to within a targeted geography. So this feels more like an interesting academic exercise. This is not to say that someone might not release such a thing, just to see what it could do. That's always a possibility. But as these researchers also noted, the world does not yet have sufficient potential victims with inference engines capable of supporting a roaming large language AI model.
Steve Gibson [01:04:21]:
By the time that changes, the world's exposed vulnerabilities should be, you know, so new that any potential worm would starve. So, you know, hopefully we're going to get the Internet cleaned up, and as we evolve to next generation systems that do have the required inference engines, they'll be running newer firmware or newer software, hopefully, that will never have the vulnerabilities that the current, thankfully dumb, installed base of hardware does. Wow. And Leo, I mentioned to you before, I think before we began recording, that the weirdest thing happened, or I guess I did run through it in the Things I Want to Talk About. As I was writing these show notes, I was rudely interrupted by an unsolicited Windows 10 notification from Google Chrome. I wasn't using Chrome. As we know, I don't use Chrome unless there's no alternative. Sometimes there's a site that Firefox won't display. OpenTable.com is the one that keeps biting me.
Steve Gibson [01:05:40]:
And now I've learned I just have to go over and use OpenTable from Chrome. I haven't even used Chrome in recent memory. Yet what we know is that today's web browsers are all running agents in the background which serve to keep those browsers up to date. And that's a good thing. We know that we want our web browsers to be, you know, patching themselves to keep themselves current. I'm all for that. But the operative phrase here is "in the background." When Chrome, which I have installed but, as I said, have not been using for any reason for quite a while, certainly since that machine was booted, without invitation pops up a notification telling me that I can "shop with confidence" and that I can, quote, "track prices across the web and get alerts if the price drops on any site." First of all, I don't do that.
Steve Gibson [01:06:44]:
But it's no longer in the background, and it's an annoyance in my foreground. You know, the Internet appears to be silent on this issue. I went searching, like, is this happening to people? I was like, what? So I don't know what's going on. You know, perhaps this is Google trying to get traction for some of its new agentic AI crap. In any event, I hope more than ever that Mozilla is able to somehow keep Firefox alive. A web browser, you know, is serious business, and keeping one going and secure and up to date with the never-ending and ever-changing World Wide Web Consortium standards takes a huge amount of work. So I appreciate what Mozilla is doing, but I need my Firefox, and I sure want as little of Chrome as I can get.
Leo Laporte [01:07:39]:
Yeah, I agree.
Steve Gibson [01:07:40]:
Yeah, and I grabbed a copy of this notification from Chrome and put it in the show notes. It's like, what? I don't want to hear from a browser that I'm not using about shopping tips. Thank you.
Leo Laporte [01:07:55]:
Anyway, Windows is doing this, right? How could Chrome? Well, you have notifications turned on in Chrome, I guess.
Steve Gibson [01:08:00]:
Yeah, right. And they are off now. But I hadn't turned them off before. So get out of my way, Chrome. Okay, after our next sponsor note, I'm going to talk about this HTTP/2 bomb attack and how annoyed I am with the people who just said, well, we're going to make everybody update their web servers by publishing an exploit. What?
Leo Laporte [01:08:25]:
Huh?
Steve Gibson [01:08:27]:
Well that'll work. It's 2026 guys.
Leo Laporte [01:08:31]:
All right, Mr. Gibson, what else you got for.
Steve Gibson [01:08:34]:
Okay, so it's been a while since the abuse of a core Internet protocol was able to take down a wide variety of servers. But the recently discovered, and as I've said, very irresponsibly disclosed HTTP/2 bomb attack, as it's called, can knock down Nginx, Apache, IIS, Envoy, Cloudflare's Pingora, and presumably any other modern web server that accepts and terminates HTTP/2 connections and queries, as all of the current state of the art web servers do. An independent observer of this wrote: since the bug is an HTTP/2 protocol bug, other services may also be affected, with Nginx, which is used in hardware load balancers, the most popular open source reverse proxy, and the ingress controller for Kubernetes; Envoy, which is a reverse proxy for large cloud and tech companies such as Google, Amazon, Netflix and Airbnb; and Azure, which uses IIS. All of those can be knocked off the air with this thing. So they said a large portion of modern public-facing web infrastructure is affected. And when they say affected, they're not kidding. They wrote: given these circumstances, we had to take a close look at the write-up and assess the impact in order to determine which of our customers were affected and to incorporate the new attack vector directly into our platform. And they wrote, and oh boy, that attack is effective.
Steve Gibson [01:10:26]:
With one single notebook, we were able to bring down any of our own HTTP/2 servers, small and large. A single attacker can consume 20 to 30 gig of RAM on the target. This is a resource consumption attack where 32 gigs are consumed and then locked, and it makes the server crash. They said RAM memory remains locked even after the attack is stopped. This allows for a low and slow attack in which the attacker starts with a low connection and stream rate, but gradually consumes more and more of the target's RAM resources over time. Once a certain RAM usage threshold is reached, the affected NGINX instance crashes and must be restarted via a hard reboot. So this creates permanent damage. And they said with these attacks, even a small botnet of just 10 bots can take down services of any size.
Steve Gibson [01:11:37]:
For a low and slow attack with fewer than 10 requests per second, a botnet of only 100 bots is sufficient. And due to the slow query rate, such an attack would be undetectable and unstoppable by any web application firewall, which would normally be blocking high rate attacks. Okay, so given the discovery of a truly devastating attack against pretty much all of the current Internet infrastructure, the fact that its discoverer chose to release the details without coordinating with the rest of the industry, well, in this day and age, it's truly unforgivable. We first encountered Calif. That's the name of this group, C-A-L-I-F, like an abbreviation for California, but I don't know what it is. We encountered them recently, and I didn't think much of them at the time.
Steve Gibson [01:12:39]:
Now unfortunately, I do think something of them, and it's not good. Their website's homepage declares in large font type, "Pushing the frontier of vulnerability research with AI." And the subhead is "Elite hackers and top models. What could go wrong? Let's find out." Wow. Okay, their posting about this sets the tone for them and for their site. One week ago today, on June 2nd, their blog posting carried the title "Codex" (you know, OpenAI's code
Steve Gibson [01:13:20]:
AI) "Codex discovered a hidden HTTP/2 bomb," and they wrote "14 years ago." So this is written in the first person by the person at Calif who was the discoverer. So he wrote (14 or Chi Bay): 14 years ago, I helped break HTTP header compression, then was asked to review the fix which became part of HTTP/2. Life has come full circle. Today we're releasing an attack I missed. We're publishing HTTP/2 bomb, a remote denial of service exploit against most major web servers, including Nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora. The vulnerable behavior exists in each server's default HTTP/2 configuration.
Steve Gibson [01:14:29]:
The attack was discovered by OpenAI's Codex, which chained two techniques known to humans for a decade: a compression bomb and a Slowloris-style hold. The bomb targets HPACK, which is HTTP/2's header compression scheme. One byte on the wire becomes one full header allocation on the server, repeated thousands of times per request. The hold is a zero-byte flow control window that keeps the server from ever freeing any of it. A curious search on Shodan revealed more than 880,000 websites supporting HTTP/2 and running one of these servers. In other words, before releasing this, or at the time of its release, they know, thanks to Shodan, that 880,000 websites can be brought down with this, yet release it they do. They said, oh, here, so here's a caveat to that: though many sit behind a CDN, which is much harder to bring down.
Steve Gibson [01:15:56]:
They wrote: A home computer on a 100 megabit connection can render a vulnerable server inaccessible in seconds. Against Apache httpd and Envoy, a single client can consume and hold 32 gigs of server memory in roughly 20 seconds. They then get into the details of this potentially debilitating vulnerability that's sufficient for anyone proficient to design an attack, but that won't be necessary, because not only did these irresponsible jerks describe something for which they knew there was no current defense, but they also published a fully working proof of concept exploit. Not surprisingly, the folks over at Envoy, who produced that reverse proxy front end used by companies such as Google, Amazon, Netflix and Airbnb, were not humored by the behavior of these irresponsible glory hounds. So they posted to the feedback thread for this announcement blog posting. They wrote: OP ignored responsible disclosure policy and released a zero day for Envoy's ecosystem. Envoy community was in process of releasing a patch for this problem. And then they have a link to Envoy Security Advisories, which is at github.com, to which that posting the Calif guy replied: thanks for fixing the issue so quickly.
Steve Gibson [01:17:45]:
This is a win for Envoy users. Yes, you jerk. We believe the traditional disclosure model is increasingly outdated in the era of AI-assisted vulnerability discovery, and we explain our rationale for disclosure in the post. So they've unilaterally decided, well, that old responsible disclosure doesn't make any sense anymore. So we're going to, you know, stir this all up. The Envoy guy replies: and irresponsible disclosure is a huge loss. Oh, so this guy says this is a win for Envoy users, right? It's a win for Envoy users.
Steve Gibson [01:18:31]:
Envoy replies: and irresponsible disclosure is a huge loss for Envoy ecosystem and possibly wider industry. Did you disclose this to all H2 implementations? This should have really been coordinated via VINCE to make sure all H2 vendors are aware. And if the 90 day disclosure policy is outdated, what's the new policy that you believe is appropriate? You have filed advisory on May 27th and published this blog on June 2nd. So is your new embargo policy four days? Calif responds and finishes with: we disclose details once we believe that anyone monitoring public commits could reproduce the issue using AI-assisted analysis (I guess that means instantaneously). In our view, withholding information after the relevant commits are public does more harm than good. We recognize that reasonable people may disagree, and we respect that perspective. Well, thanks a lot for your respect. What a mealy-mouthed position.
Steve Gibson [01:19:53]:
I suppose we're going to be seeing more of this sort of thing as those who could not have discovered this attack on their own now use AI to find the attacks for them. In the era before AI, acquiring true expertise would generally be accompanied by the acquisition of some maturity about it, or they would value the attack they discovered because it was so hard to discover it, and so then they would responsibly disclose it to the people who it affected. Now discovering new attacks is free. They don't cost anything. When AI hands someone who has never done the hard work such a gift, they don't have the maturity to guide their handling of it. In this case, it is utterly unconscionable that this exploit would have been publicly posted without a far more widely coordinated, you know, and private vulnerability disclosure. Nginx has scrambled to assemble a patch and has made it available through standard update channels, but we know that's not the same as it being online.
Steve Gibson [01:21:20]:
Apache's fix exists in a standalone module that has not yet been bundled into any release that package managers will pick up. So again, not enough time. Microsoft IIS has no patch, and no CVE has even been assigned to the IIS variant yet, and we know that Envoy also has just had to scramble. As I said, I suppose we're going to be seeing more of this sort of thing in the future. I'm not unhappy that I'm still running an HTTP 1.1 only web server, for a change. I'm sure that by the time I'm ready to deploy GRC's new servers, which I've talked about recently, Microsoft will have updated IIS to protect from this, but in the meantime, what a mess for everybody else. Wow. Another little related AI note for me.
Steve Gibson [01:22:24]:
I've mentioned that I am currently working, speaking of GRC servers, to reduce the purchase friction for GRC's software by supporting a range of one-click purchase options such as PayPal, Google Pay, Apple Pay, Venmo, and so forth. Since my plan is to create a few more low-cost commercial products before I plow back into SpinRite for Windows, I want to make purchasing those as simple as possible. So I've been working to upgrade the e-commerce system which I wrote 22 years ago. I briefly flirted with the e-commerce provider Stripe, since I liked their integration solutions, but I decided to go in another direction. During that brief flirtation they got hold of my email address. Actually, an alias that I use just for them. But still, it's alive. So I've been receiving occasional notes from Chet at Stripe reminding me how wonderful they are, and they just kind of come in and I ignore them.
Steve Gibson [01:23:37]:
I've noticed that every email from Chet contains a link inviting me to set up a time for further discussions. You know, of the wonders of using Stripe. But I've just been ignoring those emails and letting them go unanswered until this past Sunday evening when I decided to explain to Chet that since they do not support PayPal payments, Stripe is a non-starter for me. Yesterday morning a reply was waiting for me from my Sunday evening email informing me of the good news that Stripe did support PayPal payments, so that as the email put it, it didn't need to be one or the other. And as with every email, it quickly ended with a link to quote book a time for a Stripe discovery call. Now what I'd failed to mention to this Chet was that I needed to have everyone able to use PayPal, including US domestic purchasers. And that is not something PayPal allows anyone else to do. So Stripe does offer PayPal, but only for some international users.
Steve Gibson [01:24:57]:
After jotting a short note back to Chet, I was hit by the question, am I interacting with a person? Because thinking back on all those previous emails and its response to me, when I finally did answer it, I suddenly had that question, is there actually any Chet at the other end of this email dialogue? I realized that these days it's entirely possible now that all of this sort of front end sales lead development has already been automated by AI. I'm being pushed by automation to click a link to make an appointment with a real person. And the cost of that pushing from the pusher's end may have been reduced to zero. They don't need to be paying a human any longer. It's not a great job, you know, even when they were paying a human. But still now all of the cost of that interaction is at my end. It's actually a new form of business spam.
Steve Gibson [01:26:12]:
And the other thing that clicked into place for me is that it's becoming prevalent because one of the things I've been noticing is the degree to which an increasing percentage of other enterprises that I'm noticing are having stuff outsourced. When I was interacting with DigiCert a few months ago, I noted that many of the links which looked like theirs actually pointed to salesforce.com. DigiCert is outsourcing a large chunk of their customer service communication handling. Now a second order consequence of this increasingly prevalent outsourcing is the degree, I guess, of what I'd call presence broadcasting has been steadily increasing. I've been noticing it happening. In the good old days when a company needed to design and develop their forward, you know, their outward facing communications for themselves, everything was bespoke, it was varied and it was minimal, being only what they really needed, what really made sense for them. But now when a company signs up, for example, with Salesforce, they simply check off all of the various crappy outreach services they want to offer in their name and which inherently subjects everyone to that they can find. And that service provider then makes it happen. And today now we add to that a patient, never tiring, proactive emailing AI agent which is going to have zero cost conversations as a means of what used to be working the phones or in this case working the email.
Steve Gibson [01:28:19]:
So it seems clear to me that many businesses are soon to become much more annoying. I just, you know, I had this weird thought, Leo, like as I replied to these emails, they're all very succinct, very short from Chet and they all invite me to, you know, find a time when we can have a conversation. And I doubt that there's any Chet at that end because nothing I've done really requires one. Yeah, and I don't know if you've noticed, but I'm, you know, I'm feeling a homogeneity among very different companies that have identical feeling outreach. And I realized it's because, oh, they didn't write it. They're now subscribing to an outsourcer that just does this. And unfortunately, it just means we're going to get a lot more of this crap.
Leo Laporte [01:29:25]:
We, as Internet users, we get good at ignoring stuff, pop ups, spam. I mean, it's just endless.
Steve Gibson [01:29:35]:
It is unfortunate.
Leo Laporte [01:29:37]:
Yeah, yeah.
Steve Gibson [01:29:38]:
Okay, we have two more breaks. Let's take one now. And then we're going to get into looking at malicious use of AI and we'll take our next break.
Leo Laporte [01:29:47]:
Okay.
Steve Gibson [01:29:48]:
You know, about halfway through that.
Leo Laporte [01:29:51]:
Back to you, Steve.
Steve Gibson [01:29:53]:
And it is rapidly getting scarier.
Leo Laporte [01:29:55]:
It is.
Steve Gibson [01:29:57]:
So, okay, we all knew it was coming, but it is no longer coming. It has arrived.
Leo Laporte [01:30:05]:
It's here.
Steve Gibson [01:30:07]:
Last Wednesday, Anthropic published a Red Team report which examined the detected abuse of their Claude AI by malicious actors. We need to understand and examine how AI is being used by those who are, you know, aiming at nefarious ends in order to protect ourselves. So the report's three authors at Anthropic open their report by writing, we've spent the last year investigating how threat actors are weaponizing AI to conduct cyber operations. Today we're sharing a new analysis that maps these real world attacks onto the MITRE ATT&CK framework, a database of tactics and techniques used by cyber attackers. Doing so reveals patterns that challenge traditional assumptions about cybersecurity. For example, that the level of risk a threat actor poses can be assessed via metrics like technical sophistication or breadth of techniques. We partnered with Verizon to include some of these results in their 2026 Verizon Data Breach Investigations Report and are publishing this report to offer a longer form analysis of trends we see in AI enabled cyber operations. Okay, so what I'm about to share from their report, you'll hear these researchers referring to accounts.
Steve Gibson [01:31:45]:
The accounts Anthropic is referring to are Claude AI accounts whose holders were attempting to use or abuse their access to Claude AI for malicious purposes. The other key to understand is this. MITRE, M-I-T-R-E, ATT&CK, A-T-T, ampersand, C-K, the MITRE ATT&CK framework, which we never had the occasion to look at closely. The MITRE ATT&CK homepage explains. They said MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real world observations. And I'll just note that at the end of this report, they observed that the MITRE ATT&CK knowledge base is going to need updating based on the impact of AI. So MITRE says the ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government and in the cybersecurity product and service community. With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world by bringing communities together to develop more effective cybersecurity.
Steve Gibson [01:33:09]:
ATT&CK is open and available to any person or organization for use at no charge. Okay, so this MITRE ATT&CK database is really nothing more than a well thought out and carefully constructed taxonomy of all the various things bad actors have been seen to do through the years. And right, it makes sense to have like a common vocabulary, a common enumeration system where we can say like this technique and this tactic were used and have those meanings well defined and described. So for example, it breaks malicious conduct down into 15 categories. Reconnaissance, resource development, initial access, execution, persistence, privilege escalation, stealth, defense, impairment, credential access, discovery, lateral movement, collection, command and control, exfiltration and impact. And so basically those 15 broad categories, you can, you know, they're enough to contain whatever we see. And then each of those broad categories of malicious conduct is then broken down into a specific behavior.
Steve Gibson [01:34:41]:
I'll just give you an example of one. So for example, taking that first category which was reconnaissance, that's broken down by this MITRE ATT&CK framework into 12 specific techniques of reconnaissance: active scanning, gather victim host information, gather victim identity information, gather victim network information, gather victim org information, phishing for information, query public AI services, search closed sources, search open technical databases, search open websites and domains, search threat vendor data and search victim owned websites. So again, this is meant to be a comprehensive description of anything that the bad guys do. And so what the Anthropic researchers have done is they took everything that they saw during a 12 month period from March of 25 to this past March of 26 and plugged all of the behavior into this MITRE ATT&CK database in order to talk about it. And so the terms from the database are what I will be then describing. It is a widely agreed upon system for categorizing and naming. So here's what we know from their explanation.
Steve Gibson [01:36:13]:
There are three researchers, right? For this study we analyzed 832 accounts. Again, accounts meaning bad guys had a Claude AI account, which is where they found the misbehavior. So, for this study, we analyzed 832 accounts associated with malicious cyber activity over the course of one year, from March 25 to March 26. Anthropic banned these accounts from using Claude for violating our usage policy. The accounts in this analysis are just a subset of those we investigated and banned during this time period. We selected them because we had enough detail about their malicious activities to map their techniques onto the MITRE ATT&CK framework. The 832 accounts in our analysis used AI models for all 14 tactics and 482 unique sub techniques across the framework from initial reconnaissance through final impact.
Steve Gibson [01:37:27]:
We also developed a risk scoring framework to assess how much AI assistance helped these actors plan their attacks. Most strikingly, we found that the percentage of actors labeled as being medium or high risk jumped from 33% to 56% between the first and second halves of the year. Okay, let me make sure everybody gets that, because this is an important issue. We found that the percentage of actors that they were labeling as being medium or high went from a third 33% to more than half, 56% between the first half of their analysis period and the second half of their analysis period. They wrote. This suggests that AI is helping attackers conduct increasingly sophisticated cyber operations with greater ease. Our analysis resulted in three key findings. First, the number of actors using AI for cyber operations is growing and their actions carry higher risk.
Steve Gibson [01:38:46]:
As mentioned above, the percentage of medium or high risk actors increased by a factor of about 1.7 in under a year, from 33% during the first half of our study window to 56% during the second. That growth is concentrated in actors using AI for some of the most harmful activities, including lateral movement, credential dumping, and web shells that carry the highest per actor risk weight in our scoring, rather than the commodity build and obfuscate work that dominates the rest of the population. Traditionally, only the most technically sophisticated actors could operate across the entire kill chain or the sequential stages of a cyber attack. But our analysis found that this is no longer the case. The platform through which they access the model, such as an API or an agentic coding platform like Claude Code, also has no bearing on how high risk their actions are. What does distinguish the highest risk actors is which techniques they're asking the model to perform. Okay. Second, agentic scaffolding will make it possible for cyber attacks to be far more autonomous.
Steve Gibson [01:40:18]:
As AI enabled cyber techniques become more common among this population, it will become harder to differentiate an actor's risk level based on what they're asking a model to do. Instead, the differentiator will become the scaffolding, the surrounding code architecture and tooling that makes AI models more capable, that actors build around the model so they can chain together attack stages autonomously. This was starkly apparent in the cyber espionage campaign we disrupted in November 2025, which had a maximum risk score of 100, yet only used a number of techniques comparable to medium risk actors. That attack was distinct not because of the number of techniques it employed, but because of how the attackers used an AI agent to orchestrate them. Third, the MITRE ATT&CK framework does not yet cover the autonomous actions that make these actors so dangerous. Autonomous kill chain orchestration, real time pivot decisions, and AI directed execution with no human intervention do not yet have ID numbers in the ATT&CK framework. Our report included 13,873 observations of malicious activity, all of which mapped to categories laid out on the framework.
Steve Gibson [01:42:01]:
But the behaviors that distinguish the highest risk actors and determine the speed and scale of their operations do not yet have such IDs. The taxonomy that modern threat intelligence relies on must be evolved to capture them. While Claude Mythos Preview demonstrates where frontier AI cyber capabilities are heading, models able to find and exploit vulnerabilities at a level approaching the most skilled human researchers, this report tells us how threat actors are already misusing generally available models today. It also serves as a guide to how threat actors are likely to misuse increasingly capable models in the near future, giving defenders a chance to get ahead of them. I hope. And they finish: What we learned from this and other analysis directly shapes how we build Claude to prevent such misuse. For example, we've updated the classifiers built into Claude to detect the highest risk actors, and have expanded our probe detections to cover high risk behavior indicators revealed by this analysis. These findings point to a landscape where the dividing line between low and high risk actors is no longer technical skill, but orchestration, and where defenses, detections and the shared frameworks we all rely on will need to evolve as fast as the attacks they describe.
Steve Gibson [01:43:48]:
Okay, so there's so much here. No one who's been following this podcast has ever heard me run around saying that the sky is falling. But what we learn from this report is as close to that as we've ever seen. This extremely sobering report shows that while we've been focused upon and enraptured by all of the many productivity benefits the use of LLM AI can bring to our lives, malicious actors have been exploring the many ways that that same power can be used to attack our world. And unfortunately, there are many. The extreme leveraging power of AI cuts both ways. During the many years of this podcast, before AI, our longtime listeners will have often heard me suggest that many major cyber powers must have been assembling, maintaining and growing a large database of known vulnerabilities. Because we know most of the world is not updating their systems.
Steve Gibson [01:45:03]:
That database will be large, unfortunately, because there are so many vulnerabilities which we've encountered over the last 20 years. My thought was always that when a nation state actor wanted to attack someone specifically, they would determine which equipment and versions were being used, then look up the known vulnerabilities in their carefully curated master vulnerability database and launch their attack. As it turns out, that's not the way it's going to happen. Instead, all of the well meaning security researchers and software publishers around the world have been publishing, as we have for the last 20 years of this podcast, all of this information for decades. And thanks to AI model training, it doesn't need to be curated into any master reference database. Instead, any well trained malicious AI will have absorbed all of that knowledge and will have it at the tip of its virtual fingers when it's asked to target a specific entity. The most important point to appreciate is that bad guys are only using publicly available cloud based AI such as Claude, GPT or Gemini, whatever, because we're still in the earliest days of where this is all headed. I cannot say that enough.
Steve Gibson [01:46:37]:
I mean, just the fact, Leo, that we see, you know, a new model comes out an hour ago and it's a dramatic improvement over what we had that came out three weeks ago. I mean this is just moving so fast and, and I guarantee you that, that like it's not like this. We're running out of steam here. We're still accelerating. You know, AI's legs are just being stretched at this point. So widely available public cloud based AI services are currently investing a tremendous amount of time, effort and resources into erecting, maintaining and refining the guardrails around their AI. Because they have no choice, right? They must do everything they can to prevent the abuse of, of their publicly available services. And the essential nature of LLM based AI means that even that is not easy.
Steve Gibson [01:47:43]:
As we saw, Anthropic is saying, well, you just can't talk to us on our most advanced model about cyber security or biotechnology because we're just going to say no, we, we, we, we're not, we don't believe that, that we can determine, you know, well meaning cyber security questions from malicious ones. And in fact there may not be really any difference because if a, if a security researcher wants to know about something bad, that's the same as a bad guy wanting to know about something bad. They're just going to use the information for different purposes. So you just can't give out the information. Here's the problem. We already know that AI is able to run quite well off the cloud locally on local hardware. It may not be super strong, not like what you have in the cloud with massive data centers and crazy H200 chips that cost, what is it, $40,000? Some insane amount of money that Nvidia is getting for these chips. That's going to change.
Steve Gibson [01:48:55]:
Locally run AI will have no safeguards, no guardrails of any kind limiting its actions. In the very near future, it will be local models that the malefactors will be employing to direct their real time attack campaigns. They're not going to be using Anthropic's Claude, where it's booting 838 of them off or 832 of them off of their accounts. They're going to invest in local hardware just like bitcoin miners did back in the day, you know, the strongest hardware available and that's going to be running future attacks and it'll have no safeguards. That's what's going to happen. And while it's against my nature to warn that the sky is going to
Leo Laporte [01:49:44]:
fall, the sky is falling for sure
Steve Gibson [01:49:46]:
in the near future. I'm not sure I'd want to be spending too much time out in the open. Okay, Chicken Little, we have far too much legacy mess to clean up and not nearly enough time or incentive to do it. We just don't see people updating the systems that are not giving them any trouble, even though they are old and bug-ridden and probably already harboring some malware. Well, they're going to get some company. Yeah, we're in trouble. The bad news is that once attackers move to the use of their own local AI, our ability to monitor their actions as Anthropic did at the AI prompt level is going to disappear. So we're not going to know what they're using their AI for.
Steve Gibson [01:50:38]:
We're only going to see astonishingly sophisticated attacks as if world class hackers who knew everything about everything were entering systems and pivoting like masters and moving through networks and taking them over. Like I said, it's gonna be good times. The good news is that as Anthropic's year long study shows, this has not happened yet. So at the moment we're able to see what these miscreants have been up to. Anthropic writes, the findings in this report are drawn from 832 accounts that Anthropic banned for violating cyber related parts of our usage policy between March '25 and March '26. We identified these accounts through a combination of automated safeguards and investigations by our threatened. Sorry, I'm hiccuping. By our threat intelligence team.
Steve Gibson [01:51:48]:
For each account, we produced a summary of the observed activity. We then extracted the tactics, techniques and procedures, you know, the TTPs described in those summaries, and mapped them to the version of the MITRE ATT&CK framework that was live at the time, which was version 18. In all, we observed 13,873 actions across 482 unique techniques and all 14 tactics. We gave each actor a risk score from 0 to 100 based on a new methodology we've developed called the AI Risk Enablement Score. So it's A-I-R-E-S, which they're calling ARES. We've anonymized the data so that actors cannot be identified in the analysis that follows. Okay, so I'm going to skip past the description of their scoring system because, you know, the most interesting part of Anthropic's report is what they learned of the way threat actors are using, I would say abusing, AI today. And Leo, let's take our last break and then we're going to look into this breakdown.
Steve Gibson [01:53:09]:
All right, what is actually being done by the bad guys?
Leo Laporte [01:53:13]:
And while you've been talking, I've been getting all sorts of security work done with Fable.
Steve Gibson [01:53:18]:
Wow.
Leo Laporte [01:53:19]:
Catching all my holes. It's amazing what it's finding.
Steve Gibson [01:53:22]:
And these are holes that that previous AI did not know, didn't see.
Leo Laporte [01:53:27]:
4, 6.
Steve Gibson [01:53:28]:
And actually previous AI wrote that code.
Leo Laporte [01:53:31]:
That's right, that's right.
Steve Gibson [01:53:33]:
So these holes which are, which are security vulnerabilities were created by previous generation AI.
Leo Laporte [01:53:42]:
Good point. Yeah, that's a good point. Yeah. It's been fun just running through everything with Fable. Fable's very smart, very fast, very impressive. It's really interesting to see this at work. I think another big jump in capability just happened. It's hard to believe.
Steve Gibson [01:54:00]:
I know, I know.
Leo Laporte [01:54:02]:
It's happening pretty fast here.
Steve Gibson [01:54:03]:
There was an article I read this morning saying that math, generically, mathematicians, it's falling to AI in the same way that chess did to computation. Basically there are high end math, theoretical math that has been eluding mathematicians and AI is now resolving those. In fact, it's now it's not producing the proofs. It's now the mathematicians are trying to understand the proof that the AI provided. So the AI says yeah, here you go. And now the map. Now the humans are like what the heck?
Leo Laporte [01:54:51]:
It doesn't seem like this is just pulling stuff out of its knowledge base and applying it. It seems like it's creating new stuff. It's kind of amazing what's happening. I don't know. Anyway, I love following these stories. I do. And we'll continue to do that more with Steve and Security Now in just a little bit actually. We'll learn how the bad guys are using it next.
Steve Gibson [01:55:18]:
Okay, so what did they find? They wrote, our empirical analysis of 13,873 observed techniques reveals clear patterns in how adversaries are using AI across the attack life cycle, and the most common techniques that models are being used for today. The most common technique family we observed was develop capabilities. That's one of the MITRE ATT&CK categories. Develop capabilities used by 574 out of the total 832 actors in our analysis, which is 69%. The majority of this behavior manifests as malware development, used by 560 out of those 574. In practice, we observe threat actors misusing models to build and refine custom scripts to run, write DLL injection code with detailed guidance on how to implement it, as well as canvas fingerprinting evasion and automated account management. The next most prevalent techniques are obfuscated files or information, employed by 64.7% of threat actors, data from local system, employed by 55.9%, and impaired defenses, employed by 54.9%.
Steve Gibson [01:56:46]:
Also, together these top techniques show that threat actors most commonly seek LLMs' help to build pre engagement offensive tooling, making those tools harder to detect, and harvest data from compromised systems. On the other hand, actors are much less likely to use LLMs for real time adaptive decision making, which, that's where the real danger is, right? Once they've gotten inside a target network. So less likely. For example, only 54 of the 832 threat actors, which is 6.5%, used models for lateral movement and less than 12 actors used models for remote services like RDP, SSH and SMB. Only 22.5% of actors used LLMs for privilege escalation and impact stages. So those are all post infiltration actions. Some technique families that are staples of real world cyber attacks such as Active Directory exploration, Kerberos ticket attacks, cloud infrastructure manipulation using AWS, Azure and GCP and container escape, they noted, have lower representation within the data set. So basically the bad guys are sort of still using AI in the old model, not for dynamic real time attack, but to help them build malware, and that's gonna change.
Steve Gibson [01:58:38]:
So the one observation I have is that Anthropic's view of what the bad guys are doing is probably skewed by the fact that their AI is deeply wrapped in guard rails, right? So the lack of more sophisticated use of AI's potential is also probably a combination of the resistance the cloud based services already have built in against abuse, coupled with how early we are still in the game. As I said, it's going to change. And boy, when they start using local unrestricted models, we're really going to see a change. The strongest supporting evidence for this is the fact that Anthropic noted that large jump in their own risk assessment of what bad actors were doing. Remember, it jumped from a third of them to more than half of them, up to 56% of them in the second half, which suggests that we are nowhere near reaching any sort of steady state. This is all still very much growing. So they continue writing, the top techniques and the frequency with which actors use them did not change much over the one year period we studied. For both the first and second halves of the period, the median number of techniques the model is used for is 16.
Steve Gibson [02:00:06]:
Meaning, right, if 16, there are just as many threat actors who used fewer than 16 as who used more than 16. So median as opposed to average. In the second half of the year we observe a subtle directional shift with threat actors using models less to build standalone malware or obfuscation scripts and more to help with specific operational phases in a cyber attack and for on target discovery and collection techniques. In other words, that's where the sophistication is and that's where the bad guys are going. Specifically, we observe an 8.9% increase in account discovery occurrences as well as a 6.2% increase in automated exfiltration, alongside a 12% decrease in develop capabilities, which was that front end stuff, and an 8.6% decrease in phishing. Again, Leo, you know, more in the post infiltration and less on the getting ready to do so. They said defense evasion is the single largest tactic category in the data set, present in the behavior of 84.4% of the actors we studied.
Steve Gibson [02:01:30]:
MITRE defines 64 techniques under the broad category of defense evasion across its enterprise and mobile specific frameworks. We observe 32, so exactly half of these techniques in our data set, 25 for enterprise and 7 for mobile. The top techniques observed within this tactic include obfuscated files or information, where 64.7% of threat actors in their sample used AI to implement techniques like XOR or Base64 encoding. So this is obfuscation of information, right? Polymorphic variants and anti detection wrappers to evade signature based detection. 54.8% used impaired defenses, where the AI was used to bypass, disable or tamper with the endpoint security tools, getting around whatever was there to try to catch them. And 30.3% of actors used AI for process injection to write malicious code that could be injected into legitimate processes, such as hollowing out processes and DLL injection to execute payloads from trusted process memory. Less frequently used tactics include impact, exfiltration, privilege escalation and lateral movement.
Steve Gibson [02:03:00]:
Together these account for just 8.7% of all observations, less than defense evasion alone. So they said, overall, the actors with the highest risk scores used AI most heavily for post compromise hands on keyboard techniques such as remote services, credential dumping, web shell deployment, and internal network and account discovery. Lateral movement was the strongest marker of a high risk actor. 54 actors in their data set who used lateral movement had an average risk score of 56.4, which was 10 points above the average, which was 48.6. No other technique came close to having such predictive power. So lateral movement is what the heavyweight hitters are using. So the aspect of this entire study that's most unclear to me, again, and I mentioned this before, Leo, is how these researchers avoided the problem of altering the behavior of their abusers.
Steve Gibson [02:04:14]:
You know, they're describing wide ranging malicious activity that they apparently directly observed. So does that mean that they allowed Claude to perform these services for the bad guys? Did they drop their guardrails in order to see what the bad guys would do? You know, that's difficult to imagine, but if they did not, then those attempted malicious actions would have been detected and blocked. I would think.
Leo Laporte [02:04:47]:
Would think, yeah. You know, in the model card for the new Fable, it says we will. We have put in all sorts of hidden things to prevent this and it will. You know, and they said it's not jailbreakable, which I find to be a very cocky thing to say and very unlikely. But they are definitely trying to keep bad guys from using these models for malicious code. Whether they'll succeed is another matter.
Steve Gibson [02:05:20]:
So what? So, so they said what this means for defenders. Right. So here we are, the good guys. What, what does what they saw mean? They wrote, the population of AI enabled actors is not only growing, but also drifting toward the riskiest activities in our framework without requiring the actors themselves to become any more skilled. So there's the gotcha, right? Yeah. That's the danger is that it has lowered the bar of skill level. So less skilled. And they're.
Steve Gibson [02:05:58]:
Of course, it's a pyramid. Right. There are many more less skilled threat actors than there are those. The cream of the crop at the top. They said if this trend continues, these operational techniques will not be a differentiating factor anymore. That is, you won't be able to tell the skill of an actor because they'll all be doing the fancy stuff and will become the baseline for tomorrow. And we'll need to find a new way to measure the riskiest actors. I don't care about measuring them.
Steve Gibson [02:06:29]:
I mean, they're bad. Okay. They said, looking at our highest-risk threat actors also underscores that calculating the risk of AI-enabled cyber operations based on numbers, type or breadth of attack techniques is insufficient. Yeah, or I would argue irrelevant. We need a way to understand the scaffolding threat actors are able to build to chain these techniques together. And Leo, I just see this being automated. I see it being sold on the dark web. There will be scaffolds which the advanced guys sell to the junior guys which automate all of this for them. Yeah, and they said this will allow them to use AI models to autonomously execute large swaths of a cyber attack without human intervention.
Steve Gibson [02:07:22]:
Now get a load of this. Here's the one guy. They said, we analyzed the behavior of the threat actor who orchestrated the AI-enabled cyber espionage campaign we reported on in November 2025. They labeled this threat actor GTG1002. We see that this actor achieved a maximum possible risk score of 100. Remember that the average was down at 46.2. So this guy, this was an elite, you know, group. It successfully compromised government and critical infrastructure targets across multiple countries and developed a scaffolding to use Claude Code, not as an advisor, but as an autonomous operator. Yet their overall MITRE profile, 30 techniques across 13 tactics, is comparable to dozens of medium-risk actors.
Steve Gibson [02:08:26]:
In this data set, the median actor deploys 16 techniques, so they were even below the median. Several low-risk actors also exceed 30. In other words, technique count or tactic type alone could not explain what made GTG1002 the highest-risk actor we've observed thus far. What does explain this actor's high risk score is the increasingly agentic components they used, how they were able to orchestrate and chain together techniques to take action on their objectives. GTG1002 weaponized Claude Code running on a Kali Linux machine, integrating open source penetration testing tools as MCP (Model Context Protocol) servers, effectively turning the AI into an autonomous attack platform rather than a code-writing assistant. The AI didn't just suggest commands or generate attack scripts, it executed them and reasoned about attack environments autonomously. Some indications of their agenticness show up proxied through the types of techniques we track. GTG1002 employed operational techniques such as remote services, SSH, exploitation of remote services, and archive collected data.
Steve Gibson [02:10:06]:
Those are the MITRE categories. Their analysis concludes with a very clear description of what they observed this most advanced threat actor, which they codenamed GTG1002, doing, and if you want a chill to run up your spine, just remember that we have barely begun, and that what may be a single top-rated risk profile actor today will almost certainly become every threat actor once the understanding of how to best leverage these tools becomes widespread, and we know it will become widespread. So Anthropic explains what this one actor, GTG1002, did. We have three bullet points. First, autonomous execution within stages: GTG1002 deployed Claude Code running on a Kali machine to orchestrate dozens of MCP tool operations autonomously, scanning and mapping dozens of Internet-facing services during reconnaissance, then discovering internal admin portals, databases, logging servers and temporal workflow systems. Once inside the network, the AI didn't just suggest commands, it executed them, making tactical decisions about what? I'm getting goosebumps. Making tactical decisions about what to probe next without waiting for operator input. Next, live exploitation and pivoting: operating within GTG1002's scaffolding, the AI exploited an SSRF, a server-side request forgery vulnerability, in a public-facing web server to proxy commands into the internal cloud environment, harvested SSH private keys from internal infrastructure and service account tokens from cloud metadata devices and AWS Secrets Manager, and used those harvested credentials to move laterally across the victim's cloud environment.
Steve Gibson [02:12:22]:
These are the operational phases, discovery, credential access, lateral movement, that were more rare in our data set. And finally, human intent, AI execution: GTG1002 provided strategic direction while the AI handled tactical implementation. The AI operated autonomously. I can't believe I'm even reading this, Leo. A year ago, this was sci-fi. I mean, it was a year ago. This was science fiction.
Leo Laporte [02:13:00]:
Yep.
Steve Gibson [02:13:01]:
And it is now real. The AI operated autonomously during reconnaissance and internal discovery. It adapted its approach when it encountered unanticipated infrastructure like container image signing workflows and service account identities. It staged and compressed tens of thousands of proprietary workflow records and internal architecture documentation for exfiltration. The final data extraction, downloading to the attacker's machine via curl MCP tool calls, was human-directed, suggesting the operator retained control over the consequential decisions while delegating the operational work to the AI. GTG1002's activity was novel for using an AI agent.
Steve Gibson [02:14:00]:
The AI agent autonomously chained together many stages of the cyber attack life cycle, reconnaissance, exploitation, lateral movement and exfiltration, into a coherent operation, making real-time decisions about what to do and what data to collect. This is the dimension of AI-enabled uplift that a technique frequency table cannot capture. And it is the dimension we expect to matter most as agentic tooling matures. So while the good guys are currently excited about the promise of using the awesome leverage of agentic AI to transform our lives for the better, we should also soberly recognize that malicious forces throughout the cyber world are every bit as excited by the capability they are now receiving to dramatically magnify the power of their cyber attacks. This new AI technology, with agentic agents coupled with MCP to remotely control existing tools, is, you know, it's neither good nor bad in itself. What it is, unfortunately, is a great deal of both.
Leo Laporte [02:15:38]:
Yeah, and we've got it. Nothing you can do about it now. It's here.
Steve Gibson [02:15:43]:
No, but I mean, please. Everybody take this seriously.
Leo Laporte [02:15:48]:
Yeah. Well, I think today's the day because of the release of Fable. I think it is now. It's here. Right. It's not as fully capable as Mythos, I guess, but I'm really impressed by what I've seen so far. It's pretty amazing. Steve Gibson, go ahead.
Steve Gibson [02:16:08]:
I was gonna say, so Fable is not Mythos. It is a.
Leo Laporte [02:16:14]:
It's Mythos. They're calling it Claude 6. It's the next Claude model. But I think it's very related to Mythos. Yeah, it certainly has security capabilities, but Mythos, remember, wasn't trained specifically for security capabilities either. It's just a really good model.
Steve Gibson [02:16:33]:
Right.
Leo Laporte [02:16:33]:
That's what's happening. Yeah. Sorry, Claude 5, not Claude 6. I skipped one. The last Claude, 4.6, 4.5, 4.6, 4.7, 4.8. And we're now.
Steve Gibson [02:16:49]:
Well, and they're calling it Fable 5. When it popped up, it was Fable 5 for me. Yeah, yeah, exactly.
Leo Laporte [02:16:58]:
I'm sure. I mean, this just came out. We're gonna see a lot more. But so far the buzz is very, very positive everywhere I look, which it wasn't for 4.8. 4.8 was pretty much universally reviled, but I think 4.8 was an interim release because they wanted something to fall back to when they released Mythos.
Steve Gibson [02:17:21]:
You know, when you said this, I was reminded of how Windows versions always alternate between good and bad.
Leo Laporte [02:17:27]:
Oh, yeah.
Steve Gibson [02:17:28]:
You know, it's like. Yeah, I don't know why, but like every other Windows major release was famous for that.
Leo Laporte [02:17:37]:
Yeah, famous for that. Mr. Gibson is at grc.com. He's famous for a lot of things, including ShieldsUP, which tests your network, and SpinRite, which tests your hard drive. It's the world's best mass storage maintenance, recovery and performance-enhancing utility. If you've got mass storage of any kind, you need SpinRite. 6.1 is the current version. This is Steve's bread and butter.
Leo Laporte [02:18:02]:
He also has his newest program, the DNS Benchmark Pro, which tests various DNS servers from your locale to find the one that's best for you, which is, you know, not the same for everyone by any means. You'll find all that at grc.com, along with this show. He has a couple of unique versions of this show: a 16-kilobit audio version, which is a little scratchy but small, and a 64-kilobit audio version, which is just fine. And he also has the show notes, 22, 23 pages of excellence, handcrafted, no AI. You don't use AI on the show notes, do you?
Steve Gibson [02:18:41]:
No, that's Elaine. In fact, our show last week was three hours. And so she transcribed. She said, normally by this point I'm done transcribing, but I still have 37 minutes left. I got them Friday at midnight. She did not sleep, or at least delayed.
Leo Laporte [02:19:01]:
Elaine will be happy. This is only two and a half hours this time, so. Thank you, Steve. Yeah. Elaine Farris, a human, writes the transcripts. Those are also available at grc.com. You can send Steve email. Go to grc.com/email and whitelist your email address. It won't go through until you do that.
Leo Laporte [02:19:18]:
That's an important step. After you do that, you might want to look at those two boxes below. You can ask Steve to email you the show notes the minute they're available, usually a couple of days before the show. He also has a mailing list which will announce new products, which he never uses. But you might as well sign up for that, because when you get an email from that, that's like a red-letter day. That's a big deal. All of that at grc.com. We also have the show at our website, twit.tv/sn. We have audio, yes, but also video.
Leo Laporte [02:19:46]:
That's our unique format. You'll also find it on YouTube. There's the video there. A great way to share clips. I know a lot of people like to do that with this show. And then you can always subscribe in your favorite podcast client, get it automatically as soon as it's done. Audio or video or both. We do stream it live if you want the absolute freshest version.
Leo Laporte [02:20:06]:
We do this show right after MacBreak Weekly. That's usually about 1:30 Pacific on a Tuesday, 4:30 Eastern, 20:30 UTC. It's also, let's see what. Oh yeah, it's in the Discord for Club members. And I do hope you're a Club member. I keep forgetting. Lisa reminded me, if you want chapters, a lot of people say, hey, I would love to be able to skip through stuff on Security.
Leo Laporte [02:20:31]:
Now we can't do that on ad supported shows because the ads are variable lengths and in many cases inserted after the fact. So we couldn't tell where the time markers would go.
Steve Gibson [02:20:41]:
Right.
Leo Laporte [02:20:43]:
YouTube could do that because they insert all the ads. But for us, we have different parties inserting ads and they're different lengths. So we just don't know. However, if you're a Club member, we do put chapter markers in for Club members. So that's another benefit: ad-free versions of the shows, plus the ability to go chapter by chapter or to go back a chapter if you want to hear something again. I think that's more likely with Steve. If you want to listen.
Leo Laporte [02:21:06]:
I got to hear that one again. That is part of the benefit of being a club member. 10 bucks a month. It also really supports us. It helps us keep doing what we do here. And I think it's really important that we do. I know it is. So please join the club.
Leo Laporte [02:21:20]:
We'd love to have you at twit.tv/clubtwit. You can watch live even if you're not in the Club, on YouTube, Twitch, X.com, Facebook, LinkedIn and Kick every Tuesday afternoon. Steve, I'll see you right back here next week for another gripping edition of Security Now.
Steve Gibson [02:21:36]:
Right-o. Bye.
Leo Laporte [02:21:40]:
Security Now.