SEC536: Adversarial AI - Penetration Testing AI Systems


Experience SANS training through course previews.
Learn MoreLet us help.
Contact usBecome a member for instant access to our free resources.
Sign UpWe're here to help.
Contact UsAfter disabling its Fable 5 and Mythos 5 models on June 12 in response to a US Department of Commerce (DOC) export control directive, Anthropic announced on June 30 that the export control was lifted, and that both models would soon become available again. This federal restriction had obligated Anthropic to prevent access to these models by any foreign national, citing concern for national security following Amazon's report of a method to bypass the safeguards that keep the models from identifying and exploiting cyber vulnerabilities. In the meantime, an open letter signed by hundreds of executives and technical leaders had criticized the directive and urged the DOC to reconsider. Mythos 5 was reopened to certain US organizations on June 26, and Fable 5 became globally available again on July 1 "on the Claude Platform, Claude.ai, Claude Code, and Claude Cowork." Anthropic determined that the reported jailbreak technique, now fixed, "did not expose any unique Mythos-level cyber capabilities," and notes in their redeployment announcement that there is currently no standard way to rate the severity of an AI jailbreak; the company proposes four assessment criteria: 1. The degree of capability gained relative to existing tools, 2. The breadth of offensive tasks the gained capability applies to, 3. The ease of leveraging the jailbreak into an attack, and 4. The availability of the jailbreak technique. The company has also launched a HackerOne program for researchers to submit Fable 5 jailbreaks for review.

Anthropic's new framework for assessing bypasses of AI safeguards (jailbreaks), created in partnership with Google, Amazon, Microsoft and other Glasswing partners, is something we should watch closely. Just as there is no such thing as perfect security, it's impossible to make any AI model fully impervious to jailbreaks, so having a framework to understand and measure them just as we do with vulnerabilities will be helpful as our AI portfolio grows and evolves.

It's important to remember that ALL models carry risk. While Mythos/Fable is a powerful model, it isn't fundamentally different from Codex, Gemini, or the others.
And we're back. The race to hunt down and weaponize vulnerabilities has officially resumed. So, what did that 20-day pause actually accomplish? Some great PR for Anthropic (and OpenAI, to a lesser degree), some vague government analysis with zero public details, and some model assessment criteria that look okay on paper. Move along, nothing to see here.
Anthropic
CyberScoop
The Record
The Hacker News
Ars Technica
BleepingComputer
ZDNET
On Tuesday, June 30, Adobe published security bulletins addressing 12 vulnerabilities: 10 rated critical and one rated important in Adobe ColdFusion, and one critical vulnerability in Adobe Campaign Classic. Of the vulnerabilities in ColdFusion, six have CVSS scores of 10.0: two unrestricted upload of file with dangerous type issues, three improper input validation issues, and a path traversal issue, all of which could lead to arbitrary code execution; the Campaign Classic vulnerability, an incorrect authorization issue that can lead to arbitrary code execution, also received a CVSS score of 10.0. According to reports, the critical path traversal ColdFusion flaw, CVE-2026-48282, is being actively exploited. KEVIntel founder Ryan Dewhurst reported that the flaw was under exploitation within hours of its disclosure. The vulnerability affects ColdFusion versions 2025.9, 2023.20, and earlier. In a related story, last week Adobe announced that as of July 14, 2026, the company "is moving from monthly to twice-monthly publication of Adobe Security Bulletins and Advisories on the second and fourth Tuesday of each month."

Don't lose sight of Adobe's move to two security bulletins a month. We've all been spoiled with alerts converging on that second Tuesday, except for browser updates, which seem to favor days ending in "Y." And yes, you read that right, ColdFusion is still around and supported; it turned 30 last year, so you need to keep updating it.
A wave of CVSS 10 vulnerabilities suggests Adobe is aggressively using Anthropic and OpenAI models to find bugs. Their new twice-monthly patch cadence practically confirms it. Defenders will need to accelerate their own patching timelines just to keep up.
BleepingComputer
BleepingComputer
SecurityWeek
Adobe
Adobe
X
Adobe
Last week, threat intelligence firm Defused reported that a known critical vulnerability in Oracle E-Business Suite is being actively exploited. CVE-2026-46817 is an unauthorized HTTP takeover issue affecting the file transmission component of the Oracle Payments product in Oracle E-Business Suite. It has three associated weakness enumerations, including improper privilege management, improper authentication, and missing authentication for critical function. Oracle released a patch for the vulnerability in May; at the time, it was noted that the vulnerability can be remotely exploited without authentication. Defused CEO and founder Simo Kohonen told CyberScoop that the company observed six instances of exploitation on its honeypots in a two-hour window.

It appears the exploits started before any public POC was released. They are targeting the Oracle Payments flaw, which was fixed in the May CPU. Your assignment, should you wish to accept it, is to make sure that the May CPU was fully deployed, including production. Then have a conversation about whether your EBS instance should be exposed to the Internet, and if it is, what compensating controls, such as a WAF, are in place to prevent malfeasance. Then make sure they are working. Remember that time the WAF was left in learning mode? Let's not learn that lesson again.
The Register
CyberScoop
SC Media
X
Oracle
Oracle
In a July 1, 2026 blog, the UK's National Cyber Security Centre (NCSC) shared the answers they received when they asked pentesters "What can organisations do to make your job harder?" Their top answers were to build systems that are secure by design, to segment networks, and to implement logging and monitoring. Systems that are secure by design make it easier to implement fixes. NCSC notes that "One of the clearest examples of 'secure by design' is the adoption of network segmentation, particularly where it has been considered as part of the system design rather than added later." Once systems are secure by design and properly segmented, "logging and monitoring become far more effective." It's also important to make sure logging and monitoring systems are focusing on the right data, and that they are responding to the information gathered effectively. The bottom line: build in security from the start rather than tacking it on as an afterthought.

Security in the design stage, not added in later, is essential. This is where you can really implement logging, monitoring and other control points in a non-disruptive fashion. It's also a heck of a lot easier to start with MFA and fine-grained access controls rather than adding them later. You'll also have time to iron things out, as well as create best practices for things like segmentation up-front, easing deployments considerably.
Practical advice from pentesters: The Center for Internet Security (CIS), in collaboration with SAFECode, recently published Secure by Design: A Guide to Assessing Software Security Practices. This guide offers a practical, evaluable framework for building and verifying software security from the ground up, and software vendors should absolutely use it to audit and validate their development workflows. https://www.cisecurity.org/insights/white-papers/secure-by-design
Over the past week, the US Cybersecurity and Infrastructure Security Agency (CISA) added two more vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog, both with three-day mitigation windows for Federal Civilian Executive Branch (FCEB) agencies. CVE-2026-48558, added to the KEV on June 29, is a critical authentication bypass vulnerability in the SimpleHelp remote monitoring and management (RMM) tool, which stems from missing OIDC JWT signature verification. The vulnerability affects SimpleHelp versions 5.5.15 and prior, and 6.0 pre-release versions. CVE-2026-45659, added to KEV on July 1, is a high-severity deserialization of untrusted data vulnerability in Microsoft SharePoint Server. The flaw affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Microsoft addressed the vulnerability in late May with an out-of-band update.

The SharePoint flaw was addressed in the May update — it's July… The SimpleHelp flaw, CVE-2026-48558, is an authentication bypass being used to deliver the Djinn Stealer, which captures cloud keys, source-control sessions, SSH keys, and AI integration credentials, as well as crypto wallets, browser history and more. The fix is to install the updated SimpleHelp 5.5.16 or 6.0 immediately, then go looking for IoCs in the BlackPoint Cyber writeup: https://blackpointcyber.com/blog/a-djinn-in-the-machine-taskweavers-node-js-intrusion-chain/
The Register
SC Media
SecurityWeek
CISA KEV
Help Net Security
CISA KEV
Canada's cryptologic intelligence and security agency, the Communications Security Establishment (CSE), has released an annual report on its research and operations, including disclosures of three "active cyber operations" authorized in a "two key" system by the Minister of National Defence and the Minister of Foreign Affairs under the CSE Act. These operations are described as efforts to "interfere with foreign online efforts that threaten Canada ... [and] relate to international affairs, defence or security, which includes economic interests." These actions are prohibited from interfering with the course of justice or democracy, and from negligently or deliberately causing death or bodily harm. One of the active cyber operations began with intelligence from the Cyber Centre, and resulted in the CSE disabling infrastructure and deleting data stolen by a Ransomware-as-a-Service (RaaS) group. The second mentioned action disrupted and diminished operational viability for foreign online brokers of synthetic opioids and precursors. The third action targeted a violent extremist group's online presence, and "successfully undermined the group’s credibility and limited their ability to radicalize and recruit new members." These actions are unrelated to the warrant summarized in NewsBites Vol. 28, No. 46, obtained by the Canadian Security Intelligence Service (CSIS) to access Canadian devices in order to disrupt foreign-run botnets in May 2024.

This report reinforces that Canada's CSE has skills and capabilities and is willing to use them to stop adversarial actions as well as partner with other law enforcement agencies to protect Canada's interests. Word to their would-be attackers: Don't assume Canada can be targeted without a response.

Offensive cyber operations absolutely have a place at the federal government level. Kudos to the Canadian government for their transparency!
Excellent work from our friends up North. Expect to see a lot more of this from Canada and other like-minded nations as they step up efforts to counter cybercriminals.
A July report from Citizen Lab details their finding that the phone of investigative journalist and former Member of European Parliament Stelios Kouloglou was infected with Pegasus spyware in October 2022 and March 2023 while he served on the European Parliament's PEGA Committee, which was established to "investigate infringements and maladministration in application of EU law in relation to the use of Pegasus and equivalent spyware surveillance software." Citizen Lab writes that "Through forensic analysis of his device, we found that the attackers could have had access to confidential documents and committee deliberations." They add that evidence "suggest[s] a Pegasus customer with authorization to spy in multiple European countries is responsible." Analysis found Kouloglou received notifications from Apple that his device was likely being targeted with spyware. The alerts are not delivered in real time and Kouloglou does not remember receiving them. Pegasus spyware was discovered by Citizen Lab in 2016. It has "evolving" capabilities, including the ability to infect both iOS and Android devices, gather information from targeted devices' microphones and cameras and harvest other data, including messages, contacts, web browsing history, and photos. The PEGA Committee produced recommendations for the European Commission to address the use of spyware in the EU. These include establishing a special task force dedicated to protecting the 2024 European elections; investigating and reporting on the shortcomings in implementation and enforcement of relevant Union laws and creating a roadmap to correct them; setting up an EU Tech Lab; conducting an in-depth investigation into the export licenses granted for the use of spyware; and promptly coming forward with legislative proposals on the basis of this recommendation. The recommendations have largely gone unheeded.

To defend yourself against Pegasus and similar spyware, you need to actively ensure you are running supported mobile devices with a current OS, and only install apps from known good sources, ideally only Google Play or Apple App store and your corporate app store (if any). Next you need to check your existing apps. Remove those you don't recognize or no longer use, and drill down on those using lots of data or battery use. Lastly, check recently added apps to see if there are any unusual or unexpected additions. Lastly, consider using lockdown mode when traveling in high-risk areas.
Citizen Lab
WIRED
The Record
Gov Infosecurity
Europa
In a Form 8-K filing with the US Securities and Exchange Commission, AdaptHealth has disclosed a cybersecurity incident that resulted in data theft. The company was contacted by a threat actor on June 15, 2026. Based on information at hand, as of June 27 AdaptHealth believes the threat actor accessed the company's "cloud-based business applications, including certain internal patient management systems and document storage platforms." The company has also confirmed that the threat actor exfiltrated "a stored password file associated with insurance billing" and accessed some external electronic health record system portals. The compromised data include "passwords associated with insurance billing and certain personally identifiable information and protected health information of patients." AdaptHealth has "determined that the incident is material due to the nature and potential volume of the data that is at risk." It appears the initial vector of intrusion was "a successful social engineering attack that compromised a user session associated with a third-party contractor." AdaptHealth provides home medical equipment, as well as supplies for diabetes treatment and sleep therapy.

Exfiltrating a stored password file should raise two alarms. First, why are reusable passwords still in place? Second, why wasn't that password file encrypted or otherwise protected? To the first issue, you need to have the hard conversations about what can be done to raise the bar wherever possible, not forgetting to review those decisions as technology evolves; to the second, you need to provide (and publicize, if not mandate) a corporate password management solution which includes team secret sharing, not just individuals, wherein you're managing the security of the information stored, rather than relying on individuals choosing proper settings.
A data breach affecting up to 4.2 million patients across all 50 states is undeniably material and absolutely warranted an SEC filing. But what happens after the investigation is just as critical. What specific changes did AdaptHealth make to its cybersecurity program? Hopefully they share those details so the rest of the industry can learn from their misfortune.
Healthcare device manufacturer Medtronic has begun notifying patients that their personal information may have been compromised in an April 2026 breach. According to the notification letters, Medtronic became aware of suspicious activity on its corporate IT systems on April 15, 2026. A subsequent investigation conducted with the assistance of third-party experts determined that threat actors had accessed some systems between April 13 and April 19. When Medtronic first disclosed the incident in late April, it said that product, manufacturing, and distribution operations were not affected. Medtronic says that the compromised data include names, contact information, dates of birth, Social Security numbers, and health-related information. The letter is being sent to more than 3.8 million individuals.

Hopefully you already have identity and credit monitoring/restoration. While we're talking about it, check the duration of any of your subscriptions, particularly those granted by a breach. You'll want to decide on continuing the service before the bill comes. While it's never a bad idea to evaluate alternate providers, keep in mind that you're uploading sensitive information to yet another source. Ask about the disposition of your data is should you discontinue a particular service. Make changes fully informed.
The US Department of Homeland Security (DHS) is investigating unauthorized access to its Homeland Security Information Network (HSIS), according to sources in contact with Nextgov. HSIN is a network used by federal, state, local, territorial, tribal, international, and private-sector partners to "send requests securely between agencies, manage operations, coordinate planned event safety and security, respond to incidents," and share information in the interests of community safety and the missions of organizations across defense, intelligence, emergency management and services, critical infrastructure, law enforcement, public health, and cyber sectors. HSIN's website mentions the use of the network for coordinating intelligence during large events, crises, and natural disasters. The Office of Intelligence and Analysis within the DHS has reportedly assessed that a threat actor targeted HSIN servers and a collaborative SharePoint system between late May and early June 2026; an official DHS spokesperson has stated that "there is no indication that classified networks were impacted, and the system remains operational for our partners."

Apparently access was obtained by compromising a legacy system. A reminder that we need to not forget those older systems which may not be robust enough to survive modern threats. You may have a list of these systems that need to continue to operate, and which should have additional controls and not be directly accessible. They should also have good logging and monitoring. Make sure you're watching for end-arounds to the access protections, even if only for "a minute" or "just once," those workarounds have a way of persisting beyond the approval and are best not allowed in the first place.
SANS Internet Storm Center StormCast Tuesday, July 7, 2026
RCS and DNS; OpenSSH Update; Beyond Trust Advisory; PolinRider Update
https://isc.sans.edu/podcastdetail/9996
RCS and DNS: The NAPTR Record
https://isc.sans.edu/diary/RCS+and+DNS+The+NAPTR+Record/33124
OpenSSH 10.4 released
https://seclists.org/oss-sec/2026/q3/62
Beyond Trust Advisory CVE-2026-40138 CVE-2026-40139
https://www.beyondtrust.com/trust-center/security-advisories/bt26-03
PolinRider: North Korea-Linked Supply Chain Campaign
https://socket.dev/blog/polinrider-north-korea-linked-supply-chain-campaign-expands
SANS Internet Storm Center StormCast Monday, July 6, 2026
Apple Patch Policy; FatFS Vulns; OpenWRT; Multi-Agent Offensive AI
https://isc.sans.edu/podcastdetail/9994
Apple Updated Patch Policy
https://www.darkreading.com/cybersecurity-operations/apple-patch-policy-ai
T3MP3ST multi-agent offensive-security framework
https://github.com/elder-plinius/T3MP3ST
Seven FatFs bugs, one very large blast radius
https://www.runzero.com/blog/fatfs-bugs/
OpenWRT Releases v25.12.5
https://github.com/openwrt/openwrt/releases
SANS Internet Storm Center StormCast Thursday, July 2, 2026
MetaMask Phishing; Adobe Patches; Google Chrome Patches; Apple Hide-My-Email Vuln
https://isc.sans.edu/podcastdetail/9992
Why Ask Credentials If There Are Secret Codes?
https://isc.sans.edu/diary/Why+Ask+Credentials+If+There+Are+Secret+Codes/33118
Adobe Patches and Updated Patch Release Policy
https://helpx.adobe.com/security/Home.html
Google Chrome Update (link had issues loading while recording)
https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html
Apple Hide My Email Vulnerability
https://www.404media.co/apple-hide-my-email-vulnerability-reveals-peoples-real-email-addresses/
SANS Internet Storm Center StormCast Wednesday, July 1, 2026
Apple Patches; SimpleHelp Exploit; Git DNS Tricks
https://isc.sans.edu/podcastdetail/9990
June 2026 Apple Updates
https://isc.sans.edu/diary/June+2026+Apple+Updates/33114
SimpleHelp Exploit used to reply TaskWeaver
https://blackpointcyber.com/blog/a-djinn-in-the-machine-taskweavers-node-js-intrusion-chain/
DNS Tricks to Load Malware into Cloned Repository
https://0din.ai/blog/clone-this-repo-and-i-own-your-machine
My Upcoming Classes
Catch up on recent editions of NewsBites or browse our full archive of expert-curated cybersecurity news.
SANS AI Survey Insights | Poisoned Wells and Pure Springs: Drawing Security and Compromise from the same AI Source | Wednesday, July 15
Webinar | The New Face of Fraud in Financial Services | Thursday, July 16 | Kevin Garvey, Mick Leach & Manuel Bernal
Webinar | AI and Network Control: Visibility, Risk Prioritization, and Automation in the Age of Agentic NetOps | Monday, July 20 | Matt Bromiley & Avishai Wool
Webinar | How to Reduce Connectivity Tickets and Accelerate Application Changes | Wednesday, July 29 | Kevin Garvey & Kyle Wickert