SEC536: Adversarial AI - Penetration Testing AI Systems


Experience SANS training through course previews.
Learn MoreLet us help.
Contact usBecome a member for instant access to our free resources.
Sign UpWe're here to help.
Contact UsOn Friday, July 10, Progress Software began contacting customers who use the company’s ShareFile Storage Zone Controllers (SZC), urging them to manually shut down servers hosting SZC due to what Progress says is a "credible external security threat." While Progress has disabled access to ShareFile accounts that use SZC, the company has deemed the manual shutdown process "a critical additional step to ensure the safety of [customer] data." Progress made initial contact with affected customers via email, and customers have also reported receiving phone calls about the issue. Storage Zone Controllers are the on-premises component of Progress Software's ShareFile enterprise file-sharing platform. As of Monday morning, July 13, Progress has not provided additional information about the issue. The company had already released updates for a pair of critical vulnerabilities in ShareFile SZC in February 2026, and several years ago Progress's MOVEit file transfer software was widely exploited by ransomware actors.

Progress is being doubly cautious, having been bit by SZC flaws earlier this year as well as by the 2023/2024 MOVEiT attack by the Clop ransomware gang. The company sent a message recommending users shut down their SZC hosting environments, typically Windows, with promises of a follow-up message in 24 hours. They also updated their SZC service disruption guidance, login and access information KB article (https://support.sharefile.com/s/article/ShareFile-Storage-Zone-Controller-SZC-Service-Disruption-Guidance-Login-Issues-and-Access-Information) on July 11, stating that users should leave those controllers alone (down/offline) and watch for email notifications from progress <at> inform.progress.com. If you're a ShareFile customer, make sure that the notifications from them are going to the right people while you're waiting for next steps.

When the vendor of software you are using in your production environment tells you to shut it down due to a credible threat, you should take heed of their warnings. If you are using that software for business-critical processes, you should also ensure that you have already developed resilience into those businesses processes in the event that software becomes unavailable.

Somewhat the worst of the worst in this one — a potential system compromise, though the provider has no control over it. I can see customers missing the fact that they have this system or being unaware of it. It would be interesting to see whether Progress can provide feedback on how many customers use the ShareFile SZC and which ones did not disable or shut down those services within the next 72 hours.
Manual server shutdown is a drastic recommendation and would only ever be recommended if the threat were both legitimate and imminent. Companies do not make that recommendation lightly. If you’re operating this software application, factor in the potential loss of your company data in the decision process.

Prevention is often inconvenient, but mitigation is painful.
The Register
Help Net Security
Gov Infosecurity
SecurityWeek
BleepingComputer
Tracebit has published research indicating that prompts designed to trigger an LLM's safety policies can be planted in decoy data to counter attacks carried out with agentic AI. This is a form of prompt injection dubbed a "context bomb," in which the LLM is manipulated to interpret ingested text as a prompt, but that prompt stops the agent from proceeding by asking for something the agent is designed to refuse. The researchers specifically hid each transgressive prompt as the value of a Secrets Manager secret within a data "canary," which contains attractive phony information and detects and captures information about an attacker when accessed. Tests with leading models from Anthropic, Google, GMI, DeepSeek, and Novita AI demonstrated that this technique significantly obstructed attacks: compared to a control environment with no canary, the average success of reaching full account admin dropped from 57% to 5%, and the ability to complete any of ten possible attack paths fell from 91% to 15%. "Opus 4.8 and Gemini 3.1 Pro were the most capable attackers in the baseline range, yet both dropped to 0% admin [reached] once a context bomb was in play. Kimi was least effective of the models tested at reaching Admin, while also being least affected by context bombs." Tracebit also notes that the prompt topic should be specific to the model to target its guardrails effectively. In all cases, whether the context bomb completely halted the agent or not, accessing the canary raised an alert. Socket has previously observed guardrail-tripping prompt injection hidden inside malware to deter defenders' AI-assisted analysis; Tracebit believes their research is the first known use of defensive context bombing.

This is a great use of defensive techniques for the AI Agents. I would keep an eye on this space. I have already seen the attackers do a similar thing to thwart AI analysis of their binaries by planting wording that would violate the AI’s own constitution and stop it from analyzing the rest of the code. I suspect we will see more clever tricks, except this time it will be in potentially readable language.

Learn about Context Bombing. You're effectively doing prompt injection via information adjacent to legitimate data, doing in the attacker's AI. Keep in mind that this is not going to be set it and forget it — attack techniques will continue to evolve, and this will need to as well. Keep an eye on this technique as it becomes part of your overall plan for cyber resiliency.
Tracebit
Ars Technica
Schneier on Security
Socket
The US Cybersecurity and Infrastructure Security Agency (CISA) has published a blog assessing its own response to a researcher's May 15 report that a public GitHub repository called "Private-CISA" had been exposing CISA credentials and files for nearly six months. Brian Krebs first reached CISA on behalf of Guillaume Valadon at GitGuardian after Valadon received no response from Nightwing, a CISA contractor who owned the repository. According to GitGuardian, the 844 MB repository contained private keys, personal and professional GitHub tokens, AWS secrets, and a wide array of code, development assets, documentation, and backups. Upon hearing from Krebs, CISA took down the repository — within about eight hours, according to Valadon — then took down its development environment and reset associated credentials, and revoked the responsible Nightwing employee's system access. After analyzing the repository and log files, CISA rotated all credentials associated with the employee, tuned its repositories' allow and deny lists, and restricted uploads to public repositories. CISA's report recognizes the value of external reporting, the effectiveness of Zero Trust in visibility and alerting, and the importance of logging in their response. At the same time, CISA notes shortcomings that serve as lessons for improvement: Users' public uploads were not controlled; secrets were allowed into repositories; CISA did not have an incident response playbook for GitHub/Cloud; incident reporting channels were ambiguous; development environments were not yet fully consolidated, managed, and protected; and rotating keys took a long time due to complex systems and connections with partner organizations. Valadon has published his own postmortem echoing the same six priorities, also noting that GitGuardian's team reported the leak on May 14 through CERT/CC and personal contacts, and that CISA had already received nine automated notifications of the exposure through the Good Samaritan program before the report. Valadon writes, "To my knowledge, it is also the first time a national cybersecurity agency has publicly advocated for secrets scanning and for simplifying relations with security researchers. These are topics my team has been pushing for years, and I am proud to see them recognized at this level."

Read through the lessons learned and consider how this can happen. Public source code repositories are a risk for many companies and CISA has some decent conclusions here. I would say having a playbook for the what-if is one of those must-haves at this point.
This is a surprisingly candid assessment from CISA. Corporate information security teams too often overlook third-party supplier security controls. While CISA emphasizes zero trust, the core issue remains mastering essential cyber hygiene.

Supply chain security remains a constant. CISA has published guidance including incident response, lessons learned, what worked well, and what to strengthen — perfect topics for a conversation in your shop, not just with developers, but also with incident responders and security teams. Don't forget to include conversations about maintaining improvements made in this process, or even raising the bar further. Our adversaries aren't going to be resting on their laurels, and neither can we.

Kudos to CISA for the transparency and details shown in this report. It is something that everyone can learn from. Remember one of the critical parts of incident response is learning from the incident, and it is always preferable to learn from someone else's incident.
CISA
GitGuardian
KrebsOnSecurity
TechCrunch
CyberScoop
The European Commission (EC) has referred Ireland, Spain, France, and the Netherlands to the Court of Justice of the European Union for failing to implement the European Union's (EU's) NIS2 Directive, which establishes security standards for multiple critical sectors, including healthcare, energy, transportation, and information systems. EU member states faced an October 17, 2024 deadline for transposing the directive into domestic legislation. Since that date, non-compliant member states received letters of formal notice in November 2024 and reasoned opinions in May 2025. The referrals to the Court of Justice include a request for financial sanctions. NIS2, which is an updated version of the EU's Network and Information Security Directive of 2016, "requires Member States to enhance their cybersecurity capabilities, while introducing risk management measures and reporting requirements to entities from more sectors and setting up rules for cooperation, information sharing, supervision, and enforcement of cybersecurity measures." It also requires member states to adopt a national cybersecurity strategy, including policies for supply chain security, vulnerability management, and cybersecurity education and awareness. Ireland's National Cybersecurity Bill, which will transpose NIS2, is nearing finalization and expected to be in place by the end of this calendar year.

Organisations in Ireland, France, Spain, and the Netherlands that come under the remit of NIS2 should not mistake delayed national legislation for delayed obligations. Once NIS2 is transposed into national law, its requirements will take effect immediately and there will be no grace period to prepare. For Ireland in particular, this is an awkward position as it begins its Presidency of the Council of the European Union having stated that security is one of its key priorities but has yet to implement one of the EU's flagship cybersecurity laws itself.

Ireland, Spain, France, and the Netherlands are more than 20 months late in transposing the NIS2 Directive. Ireland's National Cyber Security Bill will meet their requirements, but no such delivery is on the horizon for Spain, France, and the Netherlands, so penalties are being levied. Regrettably, in practice, the fines being sought by the European Commission are rarely paid, meaning the penalty isn't sufficient to drive adoption. Stepping aside from politics and regulation, our adversaries don't care what legislation we have in play and what our response is — they are going to attack on their terms, so start rolling with the essentials. We know the drill: authentication, segmentation, access controls, monitoring/logging, and response.
Europa
Europa
Inside Privacy
NCSC Ireland
The Record
Bank Infosecurity
The US Environmental Protection Agency (EPA) held a National Cyber Drill on Wednesday, July 8, 2026, offering an opportunity for "emergency response planners, IT and OT security specialists and state and local partners, as well as utility managers from more than 200 water and wastewater utilities across the country" to simulate operating a large public water utility during a comprehensive outage of all third-party communications due to a cyberattack. The participants were challenged to maintain a continuous safe water supply without cellular or landline phones, SMS, internet, cloud services including email and document sharing, and SCADA connections to remote sites. The exercise was offered in two forms: a tabletop scenario conducted as a video conference, or a live action drill where the participating utility would switch its actual service to entirely manual operation. "Of the 390 participants on the call, 67 had opted for the manual operations module, rather than the tabletop exercise," but only one participant who chose the manual drill confirmed they had carried it out, with four more stating intent to complete it soon. Andy Krapf, director of Cybersecurity for Loudoun Water in Virginia, and co-chair of the Cybersecurity Advisory Committee for the Water Information Sharing and Analysis Center (WaterISAC), noted that water utilities vary widely in size, complexity, customer base, treatment technology, regulatory environment, geography, and dependence on third-party technology rather than in-person checks or private fiber and radio communication lines. Participants mentioned challenges including prioritizing resources for investigating an incident, sustaining 24-hour staffing patterns, and navigating the tradeoff between maintaining water quality with slower manual treatment processes versus ensuring even imperfectly treated water is available for emergencies.

I'm reminded of being in a session on disaster recovery where one participant wanted to know when they could start kicking switches/disrupting power/etc. While disaster preparedness is a learning process, at some point you do need to go to a physical situation to learn what it's like to run or rebuild a system without a lot of services taken for granted. Find a way to replicate/imitate production; the experience gained will make future production (a.k.a. real) outages much easier to respond to. Remember the old phrase, "practice like you play." If you don't practice well, you're not going to do well when the time comes.
This federal initiative is designed to support critical infrastructure providers. To maximize its impact, the government should establish funding schemes that accelerate the implementation of lessons learned during the national cyber drill.
GovInfoSecurity
The Australian Signals Directorate's (ASD's) Australian Cyber Security Centre (ACSC) has published a critical alert warning of a large-scale exploitation campaign that is targeting website content management systems (CMS). ACSC states that "as part of this campaign, malicious cyber actors are actively scanning websites for opportunities to deploy webshells, leveraging various vulnerabilities affecting CMS software and plugins. These vulnerabilities primarily allow unauthenticated file upload, remote code execution, server side request forgery or deserialisation." The alert provides a list of software, plugins, and CVEs that the campaign is known to be targeting; these include a dozen WordPress plugins, Sneeit Framework, Craft CMS, MaxSite CMS, MetInfo CMS, and Joomla JCE. ACSC's recommended mitigations include making sure to inspect CMS for webshells and known vulnerable plugins for abnormal files in the plugin directory; examine web access logs for IP addresses making GET or POST requests to any webshell paths; treat servers on which webshells have been detected as compromised; review network logs for suspicious activity; trace back suspicious web requests that may account for the initial exploitation and deployment of webshells; review network logs; investigate logging and hosts for evidence of persistence, lateral movement or other malicious activity; apply available fixes; and restore compromised websites from known safe backups. ACSC also recommends making sure software and plugins are current; monitoring or blocking file creation; restricting file and path access; monitoring for new processes; and blocking unnecessary network communication between internet-facing websites and other corporate computing devices.

Beyond the actions and mitigations suggested by ASD, make sure that you're enforcing MFA for users (particularly administrators), that updates are being installed automatically, and that you're reviewing and removing unused plugins. Keep an eye out for plugins which either need paid licenses for updates or are deprecated/unsupported. Don't forget to make sure you're on a current supported PHP version; that is super easy to miss, and the update can break older plugins not updated to current PHP specifications, so be ready with lifecycle and rollback plans to help you get squared away.
Poorly coded WordPress plugins are a notorious security weak point. While monitoring for signs of compromise is essential, prioritizing prompt patching is an equally critical defense. This control has become urgent now that attackers leverage cyber-focused LLMs like Mythos and GPT-5.6-Cyber to rapidly find and exploit vulnerabilities.
Australian Cybersecurity Magazine
BleepingComputer
Infosecurity Magazine
ASD
In October 2025, Microsoft Threat Intelligence (MTI) identified modular Golang-based backdoor malware that the team has dubbed “GigaWiper.” The malware incorporates command-and-control (C2) capabilities with a variety of malicious payloads. The payloads include a powerful physical-disk-level wiper; a command that encrypts files with unsaved, randomly generated keys; and a command that repeatedly overwrites files, seriously impeding recovery efforts. A July 9 MTI blog that offers a code-level analysis of GigaWiper describes the malware as "an amalgamation of separate malware families that were folded into GigaWiper as on-demand backdoor commands, giving threat actors the flexibility to choose their mode of destruction." Beyond the malware's destructive capabilities, it also "sets persistence and implements C2 communication over RabbitMQ and Redis. In analyzing these backdoor capabilities, we discovered that some backdoor commands contain code from additional malware families." The MTI blog provides suggested mitigations, including turning on tenant-wide tamper protection features and blocking direct access to known C2 infrastructure where possible, as well as indicators of compromise. The malware is also known as BLUERABBIT.

GigaWiper, aka BLUERABBIT, was assembled by combining and reimplementing components from at least three previously separate malware families. As such it's very capable, flexible, stealthy, and destructive when needed. Grab the IoCs from the MTI blog, make sure your EDR is in blocking mode, and look to your XDR platform to implement attack surface reduction rules, such as preventing executables from running unless they meet needed age or trust criteria, as well as blocking access to known C2 infrastructure, ideally with real-time updates to that block list.
Microsoft
Binary Defense
Dark Reading
The Register
SecurityWeek
A former ransomware negotiator for DigitalMint has been sentenced to 70 months in prison for conspiring with BlackCat ransomware threat actors to extort more than $75 million from five companies. Compounding the severity of his crimes is the fact that Angelo John Martino III was supposed to be working on behalf of those companies against extortion. Martino shared information he had access to as an employee of DigitalMint, which negotiates with ransomware operators on behalf of ransomware victims. The sensitive information included negotiation positions and limits on victims' insurance policies. The five companies paid ransoms between April and September 2023. Martino pleaded guilty earlier this year to conspiracy to obstruct, delay or affect commerce or the movement of any article or commodity in commerce by extortion. He also admitted to conspiring with two other ransomware negotiators — Kevin Tyler Martin and Ryan Clifford Goldberg — to deploy ransomware to five other companies between April and November 2023. Of those, one paid a $1.2 million ransom. Martin and Goldberg pleaded guilty to various charges in December 2025; in April 2026, both were sentenced to four years in prison. The FBI has seized cryptocurrency Martino received for his role in the BlackCat scheme, though much of it had already been spent. To compensate his victims, Martino will be required to forfeit property and surrender 10 percent of his earnings following his release from prison.

Those who you trust most are often the ones who can hurt you the most. Trust is earned long before a cyber incident occurs. Organisations should not be selecting ransomware negotiators or other incident response partners in the middle of a crisis. Conducting due diligence, agreeing on contractual terms, checking and validating references, and establishing trusted relationships in advance ensures you can focus on responding to the incident rather than questioning whether those helping you can themselves be trusted.

Not so sure that five years — less time served, plus future property and earnings — will make his victims, who are out about $75 million, feel whole. At this point that is decided. What we can learn from this, given that Martino was already engaging in criminal activity at the time he was hired by DigitalMint, is that good background checks matter, particularly for sensitive positions. Further, take a serious look at how often you want to re-check your findings. A position like ransomware negotiator comes with a lot of temptation/risks and reward, so you should have a validation process and controls, which correspond with the need for increased standards of security, safety, reliability, and mental stability they must demonstrate.
Ars Technica
Help Net Security
CyberScoop
Court Listener
Centers Laboratory, a New Jersey-based healthcare diagnostics laboratory, has disclosed a data breach that compromised protected health information (PHI) belonging to more than 540,000 people. According to a notice on the company's website, Centers became aware of suspicious activity in its IT environment on August 25, 2025. A subsequent investigation revealed that intruders had accessed and copied data on Centers systems between August 9 and 14, 2025. A June 18, 2026 entry in the US Department of Health and Human Services Office for Civil Rights (HHS OCR) places the number of affected individuals at 542,377. Lidl, a German supermarket chain, has notified customers in Germany, Belgium, and the Netherlands that their personal information was compromised following a breach at one of the company's IT service providers. Lidl learned of the incident last week; in notices on company websites, Lidl writes that "unidentified individuals were briefly able to access a separately stored file containing customer data and steal some of it." ZEGO Textilveredelungszentrum, a German textile company, has filed for insolvency after a cybersecurity incident that kept its production systems offline for six weeks earlier this year. The company, which has been in business for 37 years, has not provided details of the attack, noting only that it hopes "to develop viable solutions together with the stakeholders, to preserve jobs, to maintain customer relationships and to secure the future of our company." Miinto, a Danish fashion ecommerce company, has notified customers via email that an intruder accessed order data. The compromised information also includes names, email addresses, physical addresses, phone numbers, and payment methods.

The Centers Laboratory breach is claimed by the WorldLeaks cybercrime group, known for their 2025 attacks of Nike and Dell; they appeared after the 2025 shutdown of the Hunters International ransomware gang. WorldLeaks has released over 1.6 million files, roughly 760 GB, allegedly pilfered from Centers Lab systems. The Centers Lab event notice provides good information on protecting your privacy data as well as information about which states entitle residents to copies of related police reports. Make sure you've covered all the areas mentioned when it comes to your information, because when that next breach notification comes, there is nothing like knowing you've already done all you need to protect your data.
SecurityWeek
CentersLab
Help Net Security
Lidl
The Register
ZEGO TVZ
The Register
SANS Internet Storm Center StormCast Tuesday, July 14, 2026
MCP/AI Related Scans; Improve Router Hygiene; OAuth Client ID Spoofing; Veeam Vuln
https://isc.sans.edu/podcastdetail/10006
Someone Is Scanning for Your MCP Servers and AI Assistant Credentials
Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting
https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-194a
OAuth Client ID Spoofing
Vulnerability Resolved in Veeam Backup & Replication 12.3.2.4854
SANS Internet Storm Center StormCast Monday, July 13, 2026
Progress ShareFile Shutdown; U-Boot Vuln; More Nightmare Eclipse; Cisco AI Response
https://isc.sans.edu/podcastdetail/10004
Progress Sharefile Emergency Shutdown Notice
https://www.reddit.com/r/sysadmin/comments/1usohco/psa_shutdown_your_sharefile_storage_zone/
U-Boot Vulnerabilities
https://www.binarly.io/blog/unfit-to-boot-breaking-u-boots-fit-signature-verification
Nightmare Eclipse Releases Next Microsoft Defender Exploit
https://blog.projectnightcrawler.dev/posts/2026-07-09-some-interesting-findings-in-windows-defender/
Cisco Increases Patch Cadence
My Upcoming Classes
Catch up on recent editions of NewsBites or browse our full archive of expert-curated cybersecurity news.
SANS AI Survey Insights | Poisoned Wells and Pure Springs: Drawing Security and Compromise from the same AI Source | Wednesday, July 15 | Learn key findings from the latest SANS research, diving into the real-world tactics, struggles, and successes organizations face as they draw from this shared AI wellspring.
Webinar | The New Face of Fraud in Financial Services | Thursday, July 16 | Kevin Garvey, Mick Leach & Manuel Bernal
Webinar | AI and Network Control: Visibility, Risk Prioritization, and Automation in the Age of Agentic NetOps | Monday, July 20 | Matt Bromiley & Avishai Wool