Europol and Microsoft have published announcements of an international joint operation that took down, suspended, and blocked 326 servers and 142 domains serving as infrastructure for "cybercrime-as-a-service" dropper/loaders SocGholish and Amadey, and infostealer StealC. Over the course of two weeks, authorities from Canada, Denmark, Germany, the Netherlands, the United Kingdom, the United States alongside Europol, Eurojust, and private sector companies worked as part of the ongoing "Operation Endgame," dismantling command-and-control (C2) infrastructure as well as seizing €41 million (US$47 million) in virtual currency and 27 million stolen login credentials. 14,971 websites infected with SocGholish — also known as "FakeUpdates," which compromises systems via phony browser updates — were also remediated and their owners notified. Microsoft describes this as a strike on multiple links in the "assembly line" of cybercrime, as specialized malicious tools are often used together to compromise systems and steal information; "in the first two weeks of May alone, Amadey and StealC were linked to more than 140,000 infected computers globally." While Amadey and StealC were not developed by the same cybercriminals, Microsoft determined through AI-assisted analysis that they shared a common C2 infrastructure, enabling the operation to leverage this connection and disrupt multiple malicious tools at once.

More good news on international cooperation tackling cybercrime. What I liked in particular about this story was the use by Microsoft of AI to analyse the criminal gangs. Amidst all the hype about criminals using AI to undermine all our security controls, it's a pleasant relief to read a story about defenders using AI to undermine the criminals.

Two things of note here: first, Microsoft is showing how AI can be used to help analysis of malicious activity and aid in more comprehensive takedowns, and second is a call to WordPress (WP) users to change login credentials, install MFA, remove unknown additional accounts, and keep your WP site up to date, as the SocGholish dropper was actively spreading via hacked WP sites.

This appears to be a large, coordinated shutdown across multiple countries. Even if the amount of money doesn’t appear to be as high as in other heists, this targeted a large number of people, including many who were probably vulnerable to such an attack chain. With so many systems taken down, one has to wonder if these individuals won’t just pop back up with another infrastructure set just as large.
Europol and Microsoft just pulled off a massive takedown with two really cool twists. Instead of just shutting things down, they actually remediated the infected websites to keep them safe moving forward. Plus, they used AI to hunt down the command and control infrastructure, showing exactly how AI can supercharge human intelligence. Love to see it!
Europol
Microsoft Blog
The Record
The Register
CyberScoop
Ars Technica
BleepingComputer
The Hacker News
The US Cybersecurity and Infrastructure Security Agency (CISA) has published guidance for federal agencies that are implementing Secure Access Service Edge (SASE) technology in place of their perimeter-based architecture on the path to adopting zero-trust. The document, The Journey to Zero Trust: Using Secure Access Service Edge in a Modern TIC 3.0 Solution, contrasts the limitations of Trusted Internet Connections (TIC) 2.0, namely that "centralized TIC access points create performance bottlenecks, limit agility, and restrict adoption of modern technologies," with the flexibility offered by TIC 3.0, which "enables modern, distributed security architectures grounded in zero trust principles." It also notes that by replacing perimeter-based solutions with SASE technology, agencies can "reduce operating costs, improve network performance and user experience, and increase visibility and control." While the guidance is designed for Federal Civilian Executive Branch (FCEB) agencies, the advice is also pertinent to state, local, and territorial governments, critical infrastructure operators, and other organizations.

Identity is the new perimeter, and in this case, I am very happy to see agencies do this correctly. Done correctly, this will have some flaws, but it will be a step forward. If done incorrectly, I can see a new set of vulnerabilities emerging. The agency is making a call here that decentralized perimeters relying on Firewalls and VPNs are no longer appropriate, and that centralized, shared zero-trust architectures are the way to go.

This modernizes the approach to Zero Trust — a required change for agencies. The guidance incorporates the change in architecture for services, where traffic ran through common control points, visible to the EINSTEIN sensors, akin to the old castle and moat model, to the decentralized model of today, and removes the requirement to break TLS traffic, which reduces latency, complexity, and the need for custom back-haul for cloud services, allowing support for the communication patterns of current cloud apps. This comes at a regulatory cost, requiring agencies to provide an equivalent data feed to CISA's Comprehensive Log Aggregation Warehouse (CLAW) and to rely on encrypted traffic analysis to detect suspicious patterns. This should speed implementations and lower their cost and complexity once you have the supporting processes worked out.

Although this guidance is aimed at US federal agencies, the underlying principles apply to organisations everywhere, and I would encourage you to become familiar with the guidance.

While specifically addressed to federal agencies, this guidance can be useful to private enterprises. We desperately need for all enterprises to get to zero trust. We cannot continue to accept the risk that the compromise of one user's reusable credentials or one rogue insider can bring down an entire enterprise.
Cloudflare is collaborating with major browser makers — Mozilla, Google, and Microsoft — to develop a protocol to help websites differentiate malicious internet traffic from legitimate traffic. The increasing use of generative AI as well as autonomous agents has added a layer of complexity to identifying legitimate web traffic. Private Access Control Tokens, or PACT, "are designed to allow sites with strong knowledge of 'personhood' to issue anonymous tokens. A user's browser can then provide these tokens to other sites to prove that a human is in the loop, reducing the need for annoying and clunky captchas or invasive tracking. PACT is designed so that sites cannot leverage it to track or identify users or their browsing history."

If we can ensure privacy and anonymity while also ensuring that this system is not spoofable, PACT could work to remove CAPTCHAS once and for all. That is, however, a really tall order; done wrong, we will have a super, super, super cookie, one that advertisers and others can use to pinpoint the human right behind that keyboard, so to speak.

The PACT standard has not been finalized, but Cloudflare’s support will be critical to make this standard work. Currently, websites are flooded with automated requests, causing outages and forcing sites to provision additional resources to respond to them. Websites frequently use CAPTCHA to defend against automated requests. While effective, CAPTCHA is adding friction for human users. PACT’s goal is to establish a “human user” once and provide proof to various websites that a request originated from a human user, not a bot. This assertion protects privacy and prevents websites from identifying a particular user.
The industry desperately needs a protocol like this. With agentic AI making software look exactly like legitimate users, the details will be tricky to solve, and we'll have to watch out for false positives blocking real traffic. Still, anything that gets us closer to a post-CAPTCHA world is a huge step forward.

AI use means that the way we detect non-human users needs to evolve, preferably without making the use by legitimate users harder. We've implemented and used CAPTCHAs and tracking; when the dust settles, PACT is promising to provide a better solution with less impact to legitimate users while promising to preserve privacy. While CAPTCHA service providers have worked to improve their detection and impact, I still keep an eye out for a better option. For now, all we can do is watch, as the protocols are still under development, and identify environments to test in when solutions are made available.

This initiative will also reduce the risk of counterfeit CAPTCHAs.
The Register
Security Brief
Cloudflare
GitHub
IETF
Calif researcher Lam Jun Rong has published a blog describing a flaw in Squid, a popular open-source web proxy, that was discovered with the help of Mythos Preview in 2026, but which had been in the code since 1997. The flaw (CVE-2026-47729, dubbed “Squidbleed”) affects all versions of Squid in the default configuration, and stems from a 29-year-old commit intended to support NetWare FTP servers, specifically how NetWare handled whitespace between a timestamp and a filename. The FTP directory listing parser for Squid was modified to skip NetWare's extra whitespace, but if there is no filename after the timestamp, the strchr() function returns a pointer to the null terminator rather than returning NULL, continuing to loop until a non-null, non-whitespace byte is reached, resulting in a heap overread. Rong notes that this can leak HTTP requests back to the attacker, which may contain passwords or API keys. A Squid implementation is vulnerable to this flaw if it handles cleartext HTTP or is deployed in a TLS-terminating setup, and if it can reach an attacker-controlled FTP server via TCP on port 21. Rong states that this is easily patched by checking for the null terminator before calling strchr(), and he recommends users "remove this entire attack surface" by disabling FTP unless absolutely necessary. The blog credits an initial report to Squid by Pavel Kohout of Aisle Research in March 2026; Calif separately reported the flaw on April 17, and it has been fixed as of Squid v7.6.
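To show why the terminator check matters, here is an added example, a hypothetical reconstruction of the whitespace-skip pattern the post describes and not Squid's actual source: the unchecked skip loop beside the fixed one, run over a constructed listing line that ends right after the timestamp.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction (not Squid's code) of the pattern described in
 * the write-up: a loop that tests each byte against a set of whitespace
 * characters with strchr(). */
static const char w_space[] = " \t\r\n";

/* Buggy form: when *p is '\0', strchr(w_space, '\0') matches the terminator of
 * w_space itself and returns a non-NULL pointer, so the loop walks past the
 * end of the string until it meets a byte that is neither NUL nor whitespace. */
const char *skip_ws_unchecked(const char *p) {
    while (strchr(w_space, *p) != NULL)
        p++;
    return p;
}

/* Fixed form: test for the terminator before consulting strchr(). */
const char *skip_ws_checked(const char *p) {
    while (*p != '\0' && strchr(w_space, *p) != NULL)
        p++;
    return p;
}

#define LINE_LEN 40
#define TS_LEN 12   /* length of "Jan 01 12:34" */

/* Constructed sample: a listing line with a timestamp, a trailing space and no
 * filename, followed by unrelated bytes standing in for whatever happens to
 * sit after the string in memory. The array is large enough that the buggy
 * loop stays inside it, so the demo is deterministic rather than undefined. */
static void build_sample(char *buf) {
    memset(buf, 0, LINE_LEN);
    memcpy(buf, "Jan 01 12:34 ", TS_LEN + 1);   /* 13 bytes, NUL already at [13] */
    memcpy(buf + 16, "STALE-REQUEST-DATA", 18); /* stand-in for adjacent memory */
}

/* Offset at which each skipper believes the filename begins. */
size_t filename_offset(int use_checked) {
    char buf[LINE_LEN];
    build_sample(buf);
    const char *after_ts = buf + TS_LEN;        /* points at the trailing space */
    const char *name = use_checked ? skip_ws_checked(after_ts)
                                   : skip_ws_unchecked(after_ts);
    return (size_t)(name - buf);
}

int main(void) {
    char buf[LINE_LEN];
    build_sample(buf);
    printf("string length      : %zu\n", strlen(buf));
    printf("unchecked filename @ %zu -> \"%s\"\n",
           filename_offset(0), buf + filename_offset(0));
    printf("checked filename   @ %zu -> \"%s\"\n",
           filename_offset(1), buf + filename_offset(1));
    return 0;
}
```

The unchecked loop stops at offset 16, past the terminator at 13, and hands the parser bytes that were never part of the line; the checked loop stops at the terminator and yields an empty filename.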

Squid for FTP is a strange use case. The interesting thing I find is that while many of these bugs are 29-30 years old, most are in edge cases. Does this mean that Mythos cannot find fully exploitable bugs, or does this mean that the code is at a stability point where it's harder to find bugs? I will be watching closely for this, but as the models mature, it would be interesting to see whether they find a similar bug in a widely deployed configuration, such as HTTP Proxy or HTTPS Proxy.

Again, Mythos is helping to identify issues in old code. The flaw stems from a (now identified) simple oversight in making sure that the return was a NULL, not a null terminator. The name Squidbleed points back to Heartbleed, which leaked memory the same way. Two fixes here: first, update to Squid v7.6 if you're still using it; second, disable FTP. FTP is a venerable service, and it's fundamentally not up to today's security requirements; you should have moved to some other file transfer system. Take a minute to read the Calif log (the analysis is good and easy to follow), if for nothing else than to check out the cute logo created for Squidbleed.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added six CVEs to the Known Exploited Vulnerabilities (KEV) database so far this week; all six were assigned three-day mitigation windows. CVE-2025-67038 is a critical code injection vulnerability in Lantronix EDS5000 that was the subject of a CISA ICS advisory in March 2026. CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 are, respectively, critical improper access control, path traversal, and improper input validation vulnerabilities in Ubiquiti UniFi OS. CVE-2026-12569 is a critical remote code execution and improper input validation vulnerability in PTC Windchill and FlexPLM. CVE-2026-20230 is a server-side request forgery vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME). While CISA has assigned this vulnerability a high severity rating, Cisco has given it a critical Security Impact Rating (SIR), because exploitation of the vulnerability could allow an attacker to elevate privileges to root.

The increased use of three-day remediation windows in the KEV worries me. While I acknowledge they are interpreting the risks of these issues and providing guidance accordingly, I can't help but recall the warning that if everything is urgent, nothing is, as it undermines prioritization and creates confusion about what truly matters. Fortunately, we don't all have all the items listed in the KEV, helping prune the list. However, your Windchill and UCM system owners aren't necessarily embracing a rapid update, but you gotta go there. UCM has no workarounds, so you need to apply the update. PTC has posted IoCs for CVE-2026-12569 and released patches and mitigations you need, but you need to access the PTC eSupport portal to obtain them.
CISA
NIST
BleepingComputer
NIST
NIST
NIST
NIST
BleepingComputer
The Hacker News
Cisco
NIST
On Tuesday, June 23, Germany's state-run rail operator Deutsche Bahn experienced an outage of the GSM-R digital railway radio network, "a critical [wireless] communications network used by train drivers, dispatchers, and signaling systems to coordinate rail operations safely." The outage, which also affected S-Bahn commuter trains, prevented trains from operating for several hours. The issue was resolved in the early hours of Wednesday, June 24. Dr. Philipp Nagl, CEO of DB InfraGO, said "From our current perspective, the cause of yesterday’s disruption to the GSM-R digital railway radio system was the scheduled replacement of a technical component."

Certainly not a cyberattack, but when a scheduled technical change to a critical communications system halts rail operations nationwide it raises questions about the resiliency of the entire system. Infrastructure operators should ask questions like, “if this system (pick one, there are many to choose from) was not available for four hours, what stops?” The answer may reveal dependencies that deserve additional redundancy and testing.

Tough spot to be in. GSM-R is based on old 2G technology, and component failures are having impact in other countries besides Germany. Odds are there is not a pre-production system to test changes, and there's nothing like testing an "innocuous" change in production. I have found two approaches to help the risks of that scenario. One: Don't work alone, and have someone cross checking your work and the changed system. Two: Make sure that you really can execute the proposed back-out plan, keeping in mind that even after reverting a change, returning to normal can take a bit due to layered dependencies.

Not every major outage is caused by a cyberattack, but the impact on essential services can be just as severe. The EU's NIS2 Directive rightly places resilience and availability alongside cybersecurity as core requirements. Organisations providing essential services, particularly those operating within the EU, need to ensure that change management, testing, and recovery processes are just as robust as their security controls.
The Record
BBC
Reuters
Deutschebahn
Healthcare case and utilization management services provider Xsolis has disclosed a data security incident that may have compromised personal and protected health information (PHI) of nearly 1.4 million individuals. Xsolis became aware of "unauthorized activity impacting a limited portion of the Xsolis environment" on January 22, 2026. The breach was the result of a January 20, 2026 targeted phishing attack. A subsequent investigation determined that the intruder gained access to patient names, addresses, date of birth, health insurance information, Social Security numbers, and medical treatment information. The breach affected data belonging to patients of multiple Xsolis customers, including UW Medicine in Washington state and the Mayo Clinic. Xsolis is notifying affected individuals. According to the breach notification letter, Xsolis reset all user and key account passwords and has taken steps to improve security, including strengthening credentials management and employee security training. Xsolis's AI-powered software is used by more than 600 US hospitals and insurance companies. Xsolis reported the incident to the Department of Health and Human Services Office for Civil Rights (HHS OCR) on June 5, 2026.

Targeted phishing attacks still work, so do everything you can to help staff who fall for them. Good on Xsolis for detecting the breach only two days after it occurred, and for reporting in less than six months. Given this is the third largest health data breach reported in 2026, and that the company specializes in AI based solutions, there is an opportunity to shorten the reporting interval. Healthcare providers, like many others, have rapidly adopted AI solutions. We need to make sure that monitoring, detection and access controls are in place to detect proper data use, access, and sharing (with fourth parties), as well as ensuring active participation in the governance process.
Although specific details regarding the initial compromise are limited, the attacker's ability to locate protected data immediately following a successful phishing exploit suggests gaps in internal defenses. This incident highlights the critical need for robust data segmentation and identity access management.
Gov Infosecurity
BleepingComputer
Xsolis Data Incident
Researchers at Symantec and Carbon Black have identified a backdoor dubbed Mistic that has been used in attacks against organizations in multiple sectors, including insurance, education, IT, and professional services, since April 2026. Mistic was first documented in early June by researchers at Zscaler, which tracks it as MLTBackdoor. Zscaler writes that the backdoor "sideloads ... via a legitimate signed Microsoft Defender mpextms.exe executable." Symantec notes that it is capable of uploading and downloading files; moving, renaming, and deleting files; creating folders; altering how frequently it checks for commands; executing code from C2 in memory; and terminating and deleting itself. Both Symantec and Zscaler have also listed indicators of compromise.

This appears to be tied to the financially motivated initial access broker known as KongTuke or Woodgnat. They obtain access and then sell that to others who then deliver the malware. Mistic is very stealthy, operating in memory, running remote payloads from C2 directly, and even including a remote kill switch, so file-based detection, often part of AV/EDR solutions, isn't going to find it. Even so, there are IoCs you need to use.
The Record
Help Net Security
BleepingComputer
The Hacker News
Security
Zscaler
Preempting an anticipated six-week trial, 18-year-old Owen Flowers and 20-year-old Thalha Jubair have pleaded guilty in Woolwich Crown Court in London, UK to charges of conspiring to commit unauthorized acts under the Computer Misuse Act, in connection with Scattered Spider's 2024 cyberattack on Transport for London (TfL). Flowers also pleaded guilty to participating in 2024 cyberattacks on SSM Health Care Corporation, based in Missouri, and Sutter Health, based in California. TfL was compromised on August 31, 2024, and while core transportation remained functional, ten million customers had Oyster refunds data stolen in the attack, and three months of disruption cost TfL approximately £39 million (US$51.4 million), according to the BBC. Both Flowers and Jubair were arrested in September 2025 as suspects in Scattered Spider attacks that caused serious disruption to Marks & Spencer, Harrods, and Co-op Group that spring. A sentencing hearing has been scheduled for July 15, 2026, and Jubair additionally faces an indictment from a US District Court in New Jersey in connection with 120 network intrusions between May 2022 and September 2025.

The motivations of teenage hackers have changed over the decades from the early days where most of the activity was driven by curiosity, then later by activism/hacktivism, and now seemingly by a focus on inflicting damage and criminal intent. Unfortunately, these teenagers are often underage, making it extremely difficult for law enforcement to deal with cases like this. I don't have any ready answers to this situation apart from supporting law enforcement in their efforts to deter and divert such teenagers away from a life of crime before it is too late for them and their victims.

NCA agents had completed a comprehensive, complex, and painstaking investigation. This work is not wasted; it gave legal representatives the ammunition they needed to win in court or negotiate an early settlement, in this case a guilty plea. It will also support the case for the sentence made in July. Expect the US indictment to be similarly supported.
Well, that’s a wild twist for this early in the trial! Now comes the really tough question: with so many people affected by what they did, how much jail time are we looking at? Let's hope they finally learn the hard way that crime doesn't pay.
BBC
Krebs on Security
HIPAA Journal
BleepingComputer
TfL
SANS Internet Storm Center StormCast Wednesday, June 24, 2026
Patching vs. Configurations Updates; libssh2 and ffmpeg vuln
https://isc.sans.edu/podcastdetail/9984
CVE-2024-40766: The Patch Fixed the Bug. Nobody Fixed the Configuration.
https://isc.sans.edu/diary/CVE202440766+The+Patch+Fixed+the+Bug+Nobody+Fixed+the+Configuration/33094
libssh2 - Out-of-Bounds Write via Unchecked packet_length in transport.c
PixelSmash – Critical FFmpeg Vulnerability Turns Media Files into Weapons
https://jfrog.com/blog/pixelsmash-critical-ffmpeg-vulnerability-turns-media-files-into-weapons/