Reconnaissance, theft, encryption, all on its own. AI conducts a fully autonomous attack for the first time, successfully wiping the databases

Depov

For decades, ransomware required a person behind the keyboard: someone who writes the malicious script and carries out the attack. However, the security firm Sysdig has described the first documented case in which an entire extortion operation, from beginning to end, was carried out by a large language model without human intervention. The attacker was named JADEPUFFER.

The entry point was an Internet-facing server running Langflow, a framework for building applications based on language models. Through the vulnerability CVE-2025-3248 (10.00 on the CVSS 3.1 scale, AV:N/AC:L/PR:N/U:C/C/H/H/A:H/H/A:H/H:H/H:H/H), which allows code to be executed without authorization, the model took control of the host. Such servers are valuable targets because they often store access keys to clouds and other AI services.

After gaining control, the model inspected the system, collected keys and passwords, searched for crypto wallet data, dumped the Langflow database and scanned the internal network. It found a MinIO storage instance with default settings and extracted files containing credentials from it. The actions proceeded by trial and error: when a response came back in the wrong format, the model immediately changed its parsing and repeated the query. For persistence, it added a task that contacted the attackers' server every half hour.

The real target was a separate server with a MySQL database and the Nacos configuration service. Using root access, the model created a hidden administrator account, encrypted all 1342 configuration elements, deleted the original tables and left a ransom note with a bitcoin address and an email address for contact. The encryption key was random and was not stored anywhere, so the victim will not be able to restore the data even after payment.


The structure of the code itself pointed to autonomy: it was full of explanations in natural language that described each step and the setting of priorities. The speed of error correction was even more telling. After an unsuccessful login attempt, the model diagnosed the problem, rewrote the script and succeeded within 31 seconds. A person would have taken much longer.

The case shows that the threshold for launching such attacks has fallen sharply: the model itself handles reconnaissance, data theft, lateral movement through the network and destruction, without requiring deep knowledge from the operator. Exploitation of old vulnerabilities is being put on a production line.

To reduce the risk, update Langflow to a version that fixes CVE-2025-3248 and do not expose nodes that execute code to the Internet. Do not keep access keys near web servers; change the standard Nacos key and close the platform to external access. In addition, it is worth prohibiting connections to databases under the root account and limiting outgoing traffic.
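The half-hour callback described above is the kind of pattern that egress monitoring can surface. The following is an added example, not code from the post or from the Sysdig report: it flags source/destination pairs that connect out on a fixed schedule. The log format, the function name `find_beacons`, the thresholds and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample egress log: timestamp, internal source, external destination.
# Addresses are documentation ranges; none come from the incident.
SAMPLE_LOG = """\
2025-01-10T00:02:11 10.0.0.5 203.0.113.7:443
2025-01-10T00:32:09 10.0.0.5 203.0.113.7:443
2025-01-10T01:02:12 10.0.0.5 203.0.113.7:443
2025-01-10T01:32:10 10.0.0.5 203.0.113.7:443
2025-01-10T02:02:11 10.0.0.5 203.0.113.7:443
2025-01-10T00:05:40 10.0.0.5 198.51.100.20:443
2025-01-10T00:07:02 10.0.0.5 198.51.100.20:443
2025-01-10T01:49:30 10.0.0.5 198.51.100.20:443
2025-01-10T02:10:00 10.0.0.5 198.51.100.20:443
2025-01-10T00:15:00 10.0.0.9 203.0.113.7:443
"""

def find_beacons(log_text, period=1800, tolerance=60, min_events=4):
    """Return {(src, dst): median_gap_seconds} for pairs calling out on a schedule.

    A pair is flagged when it has at least min_events connections and every gap
    between consecutive connections is within tolerance seconds of period.
    """
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts, src, dst = parts
        try:
            seen[(src, dst)].append(datetime.fromisoformat(ts))
        except ValueError:
            continue  # skip lines with an unparsable timestamp
    beacons = {}
    for pair, times in seen.items():
        if len(times) < min_events:
            continue  # too few events to call it periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if all(abs(g - period) <= tolerance for g in gaps):
            beacons[pair] = median(gaps)
    return beacons

if __name__ == "__main__":
    for (src, dst), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: every ~{gap:.0f}s")
```

Hosts that have no business initiating outbound connections, such as database or configuration servers, are better served by a default-deny egress rule than by detection alone.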
 