Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) added a critical improper input validation flaw in PTC Windchill and FlexPLM to the Known Exploited Vulnerabilities (KEV) database. PTC Windchill is a product lifecycle management (PLM) platform for manufacturing environments; FlexPLM is a PLM platform for retail environments. The vulnerability, CVE-2026-12569, was added to the KEV on Thursday, June 25 with a mitigation deadline for Federal Civilian Executive Branch (FCEB) agencies of Sunday, June 28. On Monday, June 29, Help Net Security noted that "PTC’s advisory keeps getting updated with indicators of compromise and advice for defenders, confirming that attackers are dropping JSP webshells on vulnerable systems." PTC initially disclosed the flaw on June 17 and released a fix on June 18. At that time, Germany's Federal Office for Information Security (BSI) began contacting organizations in that country to warn them of active exploitation of the vulnerability and urge them to apply the patch. PTC's advisory includes suggested remediation steps as well as indicators of compromise. PTC eSupport is available to customers with established accounts.

If you missed the PTC Windchill alerts last week, or if you postponed making the update, you really need to accelerate that. In addition, make sure you're keeping up on the new IoCs. Consider that Germany's BSI was calling folks at night to get them implementing the fix. CVE-2026-12569 is an insecure deserialization flaw which can be executed over the network without authentication and carries a CVSS score of 10.0. The fix is to update to Windchill 13.1.2.8, 13.1.3.4, 13.0.2.12 or 12.1.2.27.
Help Net Security
Heise
The Hacker News
SecurityWeek
PTC
CISA
Microsoft has announced that it will extend hotpatching for certain versions of Windows Server 2022 for a year. Hotpatches will now be available for Windows Server 2022 for specific versions through October 2027. Normally hotpatching ends on the mainstream end date, which for Windows Server 2022 is October 13, 2026; the product's extended end date is October 14, 2031. Microsoft writes, "Hotpatch update support for Windows Server 2022 Datacenter: Azure Edition has been extended through October 2027. Devices enrolled in Hotpatch updates will continue to receive monthly security updates without requiring a restart." Microsoft explains, "Because Hotpatches patch the in-memory code of running processes without needing to restart them, your applications aren't affected." Quarterly cumulative updates will still require a reboot. In a separate story, Microsoft has also extended security updates for Windows 10. Support for Windows 10 officially ended on October 14, 2025. At that time, users were offered an extended support package for a cost: business users were given the option to purchase three years of additional support, and consumers were given the option to purchase one year of additional patches through October 13, 2026; that date has now been extended through October 12, 2027.

Don't take your foot off the gas in your project to move off of Windows 10. Consider this a compensating control for those systems you're having trouble getting scheduled; even so, you need to purchase extended support to get these updates. The Hotpatch updates are a boon for keeping your Server 2022 systems updated, provided they are Windows Server 2022 Datacenter: Azure Edition, but you still need to target the move to Server 2025.
Microsoft is finally saying the quiet part out loud: budget cuts mean companies are stretching their software lifecycles as far as they can. The reality is that the install bases for Windows 10 and Windows Server 2022 are still huge. Microsoft didn't really have a choice here; they had to pivot to keep their customers from jumping ship.

Microsoft has followed this path after Windows OS transitions. Always a positive move, but to reduce risk, don’t let this delay existing plans for moving to Windows 11.
The Register
BleepingComputer
Microsoft
Microsoft
Microsoft
The Register
The Linux Foundation has announced the formation of Akrites, a program whose mission is to centralize the disclosure and remediation of flaws in critical open-source software, such as the systems underpinning banks, hospitals, power grids, telecoms, governments, and AI labs. The effort comprises "a single, standardized Coordinated Vulnerability Disclosure (CVD) process operated by a shared Security Incident Response Team (SIRT), built on confidentiality-first principles and the industry’s established standards and tooling (CVE, TLP, CWE, CVSS, EPSS, SSVC, VEX)." Initial funding commitments have been made by Amazon Web Services, Anthropic, Chainguard, Cisco, Citi, Endor Labs, Ericsson, Google, IBM, JPMorganChase, Microsoft and GitHub, NVIDIA, OpenAI, RapidFort, Red Hat, Rust Foundation, Sonatype, Vodafone and Zscaler. One stated factor motivating the creation of Akrites is the use of AI by both attackers and defenders. A letter accompanying the announcement states that the success of the project "will be measured in patch deployment, not publication," including an emphasis on confidentiality, and that Akrites aims to prioritize helping with downstream security efforts as much as upstream coordination.
Huge shoutout to the industry for backing this initiative! Open-source software is everywhere, but it’s a ticking time bomb when critical systems rely on a handful of overworked volunteers. Corporate funding is exactly what’s needed to minimize this risk. That said, funding is only half the battle — the real proof will be whether end-user companies step up and actually patch their vulnerabilities. It has to be a two-way street.

Glad to see strong industry support for both Akrites and Chainguard/Athena. Most commercial software is very dependent on open-source software, and the vendors/service providers need to contribute to raising the security bar for all software. Ask about this in your RFPs.

The idea is to consolidate resources and efforts to secure open-source software, versus a decentralized/inconsistent model, making for a more consistent and effective hardening of critical packages, and providing a boost to packages which, themselves, include these modules. The broad support — read that list of companies above again — is a positive indicator that this effort is positioned to succeed.

The number of sponsors is important to ensuring that the program has adequate resources while keeping the burden on any single sponsor reasonable.
The US Federal Communications Commission (FCC) has approved new cybersecurity rules for the country's emergency alert systems and for undersea cables. The new rules for the Emergency Alert System (EAS) and Wireless Emergency Alerts (WEA) aim to protect the systems from being hijacked. Both EAS and WEA share essential information about severe weather, AMBER alerts, and other emergencies. The new rules direct the systems to use strong passwords, apply security updates in a timely manner, and deploy firewalls. The new EAS/WEA rules also establish a system to verify alerts before they are sent. The new cybersecurity rules for undersea cables are intended to "enhance submarine cable security and adopt a range of measures to streamline and accelerate the deployment of secure submarine cable infrastructure." Until now, providers of undersea cables have been required to undergo security licensing reviews; the new rules would "exempt applications from applicants that have operated cables without incident, can certify to the highest national security standards, and agree to ongoing oversight and monitoring." The rules also introduce a licensing requirement for submarine line terminal equipment (SLTE) owners and operators and "updat[e] safeguards that address vulnerabilities related to principal equipment, third-party service providers, and other areas of concern."

We've had several stories of late of compromised/hijacked EAS systems. The new rules represent the security essentials, the minimum standards. Beyond strong passwords, I would have liked to see MFA required where technically feasible. The EAS improvement includes requirements for an authentication ID system to verify alerts before they are transmitted to ensure alerts are authentic and not duplicated.
The FCC's update to the EAS and WEA cybersecurity rules was a much-needed move. By aligning the new regulations with the Center for Internet Security (CIS) Critical Security Controls Implementation Group 1, the FCC has successfully adopted industry best practices to strengthen emergency alert infrastructure.
The US Supreme Court has ruled in Chatrie v. United States that broad surveillance using a geofence to track the locations of all mobile devices in a given area violates US citizens' Fourth Amendment rights, and that those same rights protect a reasonable expectation of privacy for users' mobile app data as a form of "personal property." Per this decision, law enforcement must obtain a warrant establishing specific probable cause for searching every individual in the area, rather than the previous geofence warrant process that could reveal the location data of large numbers of uninvolved bystanders. Chatrie contended that location data used in connection with a trial for bank robbery had been collected under a request that violated the Fourth Amendment. The Electronic Frontier Foundation notes that this is "the first digital surveillance decision by the Court since its landmark 2018 ruling Carpenter v. United States, which involved prolonged tracking of people’s movements using cell phone location data."

The Fourth Amendment protects against unreasonable search and seizure. This ruling doesn't prevent the use of geofenced data requests, but it requires a search warrant and probable cause that the target may have committed a crime. Some companies, such as Google, no longer store location information on their servers — instead, they leave it on the device, so they are no longer able to hand over location data. Others who do store location data, such as Microsoft, Uber and Yahoo, regularly receive geofence warrants.

This looks like a strong win for individual privacy, confirming a constitutional right to "own" your personal location data. Look for future lawsuits aimed at requiring opt-in versus opt-out that cite this as precedent.
A huge win for digital privacy. This ruling reminds us that just because our lives are digitized doesn't mean our right to privacy disappears. Yes, this data can help solve crimes, but protecting citizens’ rights matters more. Asking law enforcement to get a court order first isn't a radical hurdle, it's just basic due process.
Companies are continuing to disclose data breaches stemming from the compromise of market research platform Klue and its third-party integrations in enterprise software such as Salesforce. Klue reports that a legacy credential created for a pilot program in 2022 was compromised, allowing an attacker to obtain OAuth tokens and steal customer data from Salesforce instances and other platforms where Klue was integrated, but not from the Klue platform itself. Upon detecting unauthorized activity on June 12, 2026, Klue revoked the affected credentials, removed unauthorized code, disabled potentially impacted integrations, and began an investigation alongside law enforcement and CrowdStrike. The company is communicating directly with customers about the investigation and steps for remediation, and is undertaking a review of internal security controls, credential management, monitoring, and deployment. TechCrunch reports that Klue has notified customers about ongoing negotiation with the threat actor: “We continue to communicate with the threat actor we have been in contact with (‘Icarus’), ... Icarus told us they are taking steps to delete the data taken from Klue customers. The Icarus site remains down and we have indications that Icarus is indeed taking steps to delete data taken from Klue customers.” Communications have reportedly also stated that a second threat actor is attempting to extort Klue customers directly, and that "Icarus has asked [Klue] to inform Klue customers to not make payment to this other party." The information stolen varies by customer, and may include personally identifiable information and business information; companies who have published security announcements include BeyondTrust, LastPass, HackerOne, Huntress, Insurity, Jamf, OneTrust, Recorded Future, Snyk, Sprout Social, and Tanium. Salesforce and Gong have both disabled the Klue integration for now.

This is getting complicated. While Klue is negotiating with Icarus — who is removing data, indicating Klue paid the demand — there are also reports Klue paid an Icarus operator to take down the data. Then it gets messier, as it appears the stolen data Icarus had was, itself, stolen by another unknown gang that is using it to attempt to extort Klue's customers directly. If you're a Klue customer, leverage their guidance to secure your implementation. Have a conversation about who's accountable for third-party security. Ensure that best practices continue to be followed and protections are commensurate with the data processed. Be on the lookout for phishing attempts claiming to be from Klue or one of the compromised companies. Use caution attempting to access or analyze the exfiltrated data.

Anyone who believes that the use of strong authentication is inconvenient or burdensome has not yet dealt with a breach that exploited reusable credentials.
Klue
TechCrunch
TechCrunch
TechCrunch
SecurityWeek
SecurityWeek
Nissan North America and the US National Association of Insurance Commissioners (NAIC) have both disclosed that their systems were compromised through a vulnerability in Oracle PeopleSoft. The California State Attorney General's office has examples of breach notification letters Nissan sent to current and former employees. According to the notifications, Nissan learned of the incident from Oracle and is currently investigating the breach, which may have compromised "contact and banking information, Social Security Number / Social Insurance Number / National Identification Number, financial and tax data, and dependent / beneficiary information." The Nissan breach appears to have affected current and former employees in Brazil, Canada, Mexico, and the US. In a post on its website, NAIC writes that "Unauthorized access to a portion of the NAIC’s environment was identified on June 11 via an Oracle PeopleSoft vulnerability. While in PeopleSoft, the unauthorized party was able to obtain information needed to gain temporary access to certain data storage areas." NAIC is working with a third-party consultant "to compare the scope and type of data the group posted with our own preliminary analysis." Compromised NAIC data include publicly available statutory financial reporting information and credit rating agency data.

As we set up more business systems to be directly accessible over the Internet, controlling what is able to access them becomes important. The option to require transiting a corporate VPN needs to be weighed against a zero trust implementation where both the device and user must meet requirements before access is granted. Whether hosted or on premises, make sure that you understand the patch/update processes; it's easy to miss that you may have obligations or actions necessary to maintain the appropriate security posture.
The Register
California AG
California AG
Infosecurity Magazine
SecurityWeek
NAIC
Japanese telecommunications company KDDI has acknowledged that threat actors exploited a vulnerability in third-party software to gain access to a KDDI email system. KDDI detected the breach on June 17 and took steps to mitigate the situation. The compromised email system is also used by five other internet service providers (ISPs): STNet Inc.; JCOM Co. Ltd.; Chubu Telecommunications Co. Inc.; NIFTY Corporation; and BIGLOBE Inc. The incident may have compromised email addresses and passwords of 14.2 million accounts, so customers are advised to change their account passwords. The investigation is ongoing.

The mitigations include not only changing your password but also setting up 2FA if available. I would suggest 2FA be mandatory. Changing your password is consistent with current password guidance to use a long passphrase and only change it after it's compromised. This is definitely a case to assume compromise, even if the exfiltrated passwords were encrypted or hashed. So, change your password and turn on 2FA if you're a user of any of these systems.
Japan's Self-Defense Forces procured flash drives in March 2024 that were carrying a virus with ties to Chinese nation-state threat actors. In February 2025, military personnel began reporting that their devices were running unusually slowly, and infections were discovered following a computer malfunction at a regional command in Itami. A subsequent investigation conducted by the Japanese army's Cyber Defense Unit found that six of eight flash drives contained malware and more than 50 of 480 computers were infected; of those, about half were running on closed, internal networks. Investigators believe that the infected drives were manufactured in China. The Defense Post writes that while the devices were "marketed as 1-terabyte storage devices, investigators found they actually contained 240-gigabyte microSD cards, and some had reportedly been preloaded with malware before use [and] despite multiple antivirus screening procedures, the devices were not scanned before deployment, allowing the malware to remain undetected."

You should be thinking supply chain security. How can you verify products are genuine and safe to use? Not only were the delivered drives not the capacity ordered, but also the screening procedures were not followed. Further, these drives were used with both government and non-government systems, which allowed the malware to spread into the private sector. Give careful thought to media screening, especially for sensitive and critical systems, possibly using a transfer station rather than allowing the direct connection of outside media. Give thought to restricting connection of external media to only authorized products, and make sure that your EDR protections include them when present.
It’s an oldie but a goodie, and it still works for threat actors. You can bet adversaries are testing their malware against virus scanners to ensure it slips by undetected. It’s a cheap, highly effective way for them to breach and steal data from closed networks. If your organization hasn't revisited its USB and external drive policy lately, now is the time to lock it down and move to safer sharing alternatives.

"Poisoned" flash drives are not a high volume attack, but this points out that they still happen. Use this item if you need a refresh in your physical mail/package delivery security awareness efforts.

As an attack vector, flash drives do not scale well. However, they remain a risk to otherwise highly secure but high value targets. You know if you meet this threshold.
Gov Infosecurity
The Defense Post
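The investigation above found drives "marketed as 1-terabyte storage devices" that actually held 240-gigabyte cards, and the editors' comments call for media screening before outside media touches sensitive systems. One cheap check a screening station can run is a capacity-verification pass: write a unique marker at sampled offsets across the advertised capacity, then read every marker back. A counterfeit controller typically maps addresses beyond the real flash back onto existing cells, so high-address writes silently clobber low-address data and the read-back pass fails. The following is an added example written for this newsletter item; it is not code from the Japanese investigation or The Defense Post. The block size, probe count, the `FakeFlash` stand-in (a constructed in-memory model of a wraparound counterfeit) and the `screen_device` wrapper are all assumptions. The write pass is destructive, so it belongs on a dedicated screening station, never on media holding data you need.

```python
"""Counterfeit-capacity screening for removable flash media (added example).

Writes a per-run marker at evenly spaced offsets across the advertised
capacity, then reads every marker back. A drive whose real flash is smaller
than advertised wraps or drops the high-address writes, so markers go missing.
BLOCK, the probe count, FakeFlash and screen_device are assumptions made for
this example, not details from the incident report.
"""
import hashlib
import os
from typing import BinaryIO, Dict, List, Optional

BLOCK = 4096  # bytes per probe write (assumption)
GIB = 1024 ** 3


def _marker(offset: int, nonce: bytes) -> bytes:
    """Marker unique to (offset, nonce): stale data from an earlier run or a
    factory-preloaded pattern cannot masquerade as a fresh write."""
    seed = hashlib.sha256(nonce + offset.to_bytes(8, "big")).digest()
    return (seed * (BLOCK // len(seed) + 1))[:BLOCK]


def probe_offsets(advertised: int, samples: int) -> List[int]:
    """Evenly spaced, block-aligned offsets spanning the advertised capacity."""
    step = (advertised // samples) // BLOCK * BLOCK
    return [i * step for i in range(samples)]


def verify_capacity(dev: BinaryIO, advertised: int, samples: int = 64,
                    nonce: Optional[bytes] = None) -> Dict[str, object]:
    """Write markers across the advertised range, then read them all back.

    One probe survives per distinct physical region, so survivors * step
    estimates the real capacity to within one probe step.
    """
    nonce = nonce or os.urandom(16)
    offsets = probe_offsets(advertised, samples)
    step = offsets[1] - offsets[0]
    for off in offsets:                      # pass 1: write every marker
        dev.seek(off)
        dev.write(_marker(off, nonce))
    dev.flush()
    failed = []
    for off in offsets:                      # pass 2: verify every marker
        dev.seek(off)
        if dev.read(BLOCK) != _marker(off, nonce):
            failed.append(off)
    survivors = len(offsets) - len(failed)
    return {
        "genuine": not failed,
        "failed_offsets": failed,
        "estimated_capacity": survivors * step,
    }


def screen_device(path: str, advertised: int) -> Dict[str, object]:
    """Run the check against a block device or image file. Destructive."""
    with open(path, "r+b", buffering=0) as dev:
        return verify_capacity(dev, advertised)


class FakeFlash:
    """Constructed stand-in for a counterfeit drive: advertises `advertised`
    bytes but maps every address modulo `real` bytes (wraparound). The store
    is sparse, so terabyte-scale addresses cost no memory."""

    def __init__(self, real: int, advertised: int) -> None:
        self.real, self.advertised, self.pos = real, advertised, 0
        self.cells: Dict[int, bytes] = {}

    def seek(self, pos: int) -> int:
        if not 0 <= pos < self.advertised:
            raise ValueError("seek beyond advertised capacity")
        self.pos = pos
        return pos

    def write(self, data: bytes) -> int:
        self.cells[self.pos % self.real] = bytes(data)  # wraparound
        self.pos += len(data)
        return len(data)

    def read(self, n: int) -> bytes:
        data = self.cells.get(self.pos % self.real, b"\x00" * n)[:n]
        self.pos += n
        return data

    def flush(self) -> None:
        pass


if __name__ == "__main__":
    # A "1 TB" label over 240 GiB of real flash, as in the reported drives.
    fake = FakeFlash(real=240 * GIB, advertised=1024 * GIB)
    print(verify_capacity(fake, advertised=1024 * GIB))
    honest = FakeFlash(real=1024 * GIB, advertised=1024 * GIB)
    print(verify_capacity(honest, advertised=1024 * GIB))
```

With 64 probes over 1 TiB the step is 16 GiB, so the counterfeit model has 15 distinct physical regions: 15 markers survive, 49 fail, and the estimate comes out at 240 GiB. The check does not prove a drive is clean, only that its capacity is what the label claims; it complements, rather than replaces, the antivirus screening the report says was skipped.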
SANS Internet Storm Center StormCast Tuesday, June 30, 2026
Favicon Recon Automation; Targeting Messaging; Gemini CLI vuln; IPv6 Frag Escape
https://isc.sans.edu/podcastdetail/9988
Adding some Automation to the favicon.ico method of Host Recon
https://isc.sans.edu/diary/Adding+some+Automation+to+the+faviconico+method+of+Host+Recon/33110
Russian Intelligence Services Continue to Target Commercial Messaging Applications
https://www.ic3.gov/PSA/2026/PSA260626
Google Gemini CLI Vulnerability CVE-2026-12537
https://github.com/advisories/GHSA-jj69-4grx-fqj5
IPv6 Frag Escape
https://github.com/sgkdev/ipv6_frag_escape
SANS Internet Storm Center StormCast Monday, June 29, 2026
Automated Cybercrime; Linux Process Names; Amazon Q VS Code
https://isc.sans.edu/podcastdetail/9986
What do Ports Hear When Nobody's Listening? An Assessment of Automated Cybercrime
Linux Process Name Masquerading
https://isc.sans.edu/diary/Linux+Process+Name+Masquerading/33102
Amazon Q VS Code Extension Vulnerability
https://www.wiz.io/blog/amazon-q-vulnerability