Category: Cybersecurity

  • New U.S. Visa Rule Requires Applicants to Set Social Media Account Privacy to Public

    Jun 24, 2025 | Ravie Lakshmanan | Social Media / Privacy

    The United States Embassy in India has announced that applicants for F, M, and J nonimmigrant visas should make their social media accounts public.

    The new guideline seeks to help officials verify the identity and eligibility of applicants under U.S. law. The U.S. Embassy said every visa application review is a “national security decision.”

    “Effective immediately, all individuals applying for an F, M, or J nonimmigrant visa are requested to adjust the privacy settings on all of their personal social media accounts to ‘public’ to facilitate vetting necessary to establish their identity and admissibility to the United States,” the embassy said in a post on X.

    Under the new rules, Indian students and others planning to pursue academia or enroll in vocational or exchange programs are mandated to ensure that their social media profiles are set to public before submitting their visa applications. A refusal to set the accounts to “public” could be grounds for rejection.

    The embassy noted that the United States has required visa applicants to provide social media identifiers on immigrant and nonimmigrant visa application forms since 2019.

    It also said every piece of “available” information is used as part of its visa screening and vetting to identify visa applicants who are deemed inadmissible to the country, including those who pose a threat to its national security. However, it did not spell out what these steps would look for.

    Similar directives have been issued by other U.S. embassies across the world, with the U.S. Embassy in Mexico stating that visa applicants must list all social media usernames or handles of every platform they have used from the last 5 years.

    The development comes weeks after U.S. President Donald Trump’s administration ordered embassies around the world to stop scheduling appointments for student visas to expand social media vetting of such applicants. Last week, the U.S. Department of State said it’s resuming the process, but with new measures that require applicants to unlock their social media accounts for government review.

    “The United States must be vigilant during the visa issuance process to ensure that those applying for admission into the United States do not intend to harm Americans and our national interests, and that all applicants credibly establish their eligibility for the visa sought, including that they intend to engage in activities consistent with the terms for their admission,” the department said.

    Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.


    Source: thehackernews.com…

  • Hackers Target Over 70 Microsoft Exchange Servers to Steal Credentials via Keyloggers

    Jun 24, 2025 | Ravie Lakshmanan | Vulnerability / Malware

    Unidentified threat actors have been observed targeting publicly exposed Microsoft Exchange servers to inject malicious code into the login pages that harvests user credentials.

    Positive Technologies, in a new analysis published last week, said it identified two different kinds of keylogger code written in JavaScript on the Outlook login page –

    • Those that save collected data to a local file accessible over the internet
    • Those that immediately send the collected data to an external server

    The Russian cybersecurity vendor said the attacks have targeted 65 victims in 26 countries worldwide and mark a continuation of a campaign that was first documented in May 2024 as targeting entities in Africa and the Middle East.

    At that time, the company said it had detected no fewer than 30 victims spanning government agencies, banks, IT companies, and educational institutions, with evidence of the first compromise dating back to 2021.

    The attack chains involve exploiting known flaws in Microsoft Exchange Server (e.g., ProxyShell) to insert keylogger code into the login page. It’s presently not known who is behind these attacks.

    Some of the vulnerabilities weaponized are listed below –

    • CVE-2014-4078 – IIS Security Feature Bypass Vulnerability
    • CVE-2020-0796 – Windows SMBv3 Client/Server Remote Code Execution Vulnerability
    • CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 – Microsoft Exchange Server Remote Code Execution Vulnerability (ProxyLogon)
    • CVE-2021-31206 – Microsoft Exchange Server Remote Code Execution Vulnerability
    • CVE-2021-31207, CVE-2021-34473, CVE-2021-34523 – Microsoft Exchange Server Security Feature Bypass Vulnerability (ProxyShell)

    “Malicious JavaScript code reads and processes the data from the authentication form, then sends it via an XHR request to a specific page on the compromised Exchange Server,” security researchers Klimentiy Galkin and Maxim Suslov said.

    “The target page’s source code contains a handler function that reads the incoming request and writes the data to a file on the server.”

    The file containing the stolen data is accessible from an external network. Select variants with the local keylogging capability have been found to also collect user cookies, User-Agent strings, and the timestamp.

    One advantage of this approach is that the chances of detection are next to nothing as there is no outbound traffic to transmit the information.

    The second variant detected by Positive Technologies, on the other hand, uses a Telegram bot as an exfiltration point via XHR GET requests with the encoded login and password stored in the APIKey and AuthToken headers, respectively.

    A second method involves using a Domain Name System (DNS) tunnel in conjunction with an HTTPS POST request to send the user credentials and sneak past an organization’s defenses.

    Twenty-two of the compromised servers have been found in government organizations, followed by infections in IT, industrial, and logistics companies. Vietnam, Russia, Taiwan, China, Pakistan, Lebanon, Australia, Zambia, the Netherlands, and Turkey are among the top 10 targets.

    “A large number of Microsoft Exchange servers accessible from the Internet remain vulnerable to older vulnerabilities,” the researchers said. “By embedding malicious code into legitimate authentication pages, attackers are able to stay undetected for long periods while capturing user credentials in plaintext.”


    Source: thehackernews.com…

  • Researchers Find Way to Shut Down Cryptominer Campaigns Using Bad Shares and XMRogue

    Jun 24, 2025 | Ravie Lakshmanan | Malware / Cryptocurrency

    Cybersecurity researchers have detailed two novel methods that can be used to disrupt cryptocurrency mining botnets.

    The methods take advantage of the design of various common mining topologies in order to shut down the mining process, Akamai said in a new report published today.

    “We developed two techniques by leveraging the mining topologies and pool policies that enable us to reduce a cryptominer botnet’s effectiveness to the point of completely shutting it down, which forces the attacker to make radical changes to their infrastructure or even abandon the entire campaign,” security researcher Maor Dahan said.

    The techniques, the web infrastructure company said, hinge on exploiting the Stratum mining protocol such that it causes an attacker’s mining proxy or wallet to be banned, effectively disrupting the operation.

    The first of the two approaches, dubbed bad shares, entails banning the mining proxy from the network, which, in turn, results in the shutdown of the entire operation and causes the victim’s CPU usage to plummet from 100% to 0%.

    While a mining proxy acts as an intermediary and shields an attacker’s mining pool and, by extension, their wallet addresses, it also becomes a single point of failure once its regular function is interfered with.

    “The idea is simple: By connecting to a malicious proxy as a miner, we can submit invalid mining job results — bad shares — that will bypass the proxy validation and will be submitted to the pool,” Dahan explained. “Consecutive bad shares will eventually get the proxy banned, effectively halting mining operations for the entire cryptomining botnet.”

    This, in turn, entails using an in-house developed tool called XMRogue to impersonate a miner, connect to a mining proxy, submit consecutive bad shares, and ultimately ban the mining proxy from the pool.

    The second method devised by Akamai exploits scenarios where a victim miner is connected directly to a public pool sans a proxy, leveraging the fact that the pool can ban a wallet’s address for one hour if it has more than 1,000 workers.

    In other words, initiating more than 1,000 login requests using the attacker’s wallet concurrently will force the pool to ban the attacker’s wallet. However, it’s worth noting this isn’t a permanent solution as the account can stage a recovery as soon as the multiple login connections are stopped.

    Akamai noted that while the aforementioned methods have been used to target Monero cryptocurrency miners, they can be extended to other cryptocurrencies as well.

    “The techniques presented above show how defenders can effectively shut down malicious cryptominer campaigns without disrupting the legitimate pool operation by taking advantage of pool policies,” Dahan said.

    “A legitimate miner will be able to quickly recover from this type of attack, as they can easily modify their IP or wallet locally. This task would be much more difficult for a malicious cryptominer as it would require modifying the entire botnet. For less sophisticated miners, however, this defense could completely disable the botnet.”


    Source: thehackernews.com…

  • Between Buzz and Reality: The CTEM Conversation We All Need

    Jun 24, 2025 | Ravie Lakshmanan | Threat Exposure Management

    I had the honor of hosting the first episode of the Xposure Podcast live from Xposure Summit 2025. And I couldn’t have asked for a better kickoff panel: three cybersecurity leaders who don’t just talk security, they live it.

    Let me introduce them.

    Alex Delay, CISO at IDB Bank, knows what it means to defend a highly regulated environment. Ben Mead, Director of Cybersecurity at Avidity Biosciences, brings a forward-thinking security perspective that reflects the innovation behind Avidity’s targeted RNA therapeutics. Last but not least, Michael Francess, Director of Cybersecurity Advanced Threat at Wyndham Hotels and Resorts, leads the charge in protecting the franchise. Each brought a unique vantage point to a common challenge: applying Continuous Threat Exposure Management (CTEM) to complex production environments.

    Gartner made waves in 2023 with a bold prediction: organizations that prioritize CTEM will be three times less likely to be breached by 2026. But here’s the kicker – only if it’s operationalized.

    Speaking with these seasoned defenders, we unpacked the realities and challenges behind the hype of implementing and operationalizing an effective Exposure Management strategy, addressing the following tough questions:

    • What does a good CTEM program look like and what are the typical challenges that need to be overcome?
    • How do you optimize cyber and risk reporting to influence board-level decisions?
    • And ultimately, how do you measure the success of your CTEM program?

    Challenges, Priorities, and Best Practices

    CTEM isn’t plug-and-play. The panelists’ prescription was clear: start with asset inventory and identity management, covering weak service accounts, over-permissioned users, and legacy logins. None of these are small gaps; they’re wide-open doors that need to be checked frequently. And for all of our panelists, frequency matters – a lot. Because guess what? Adversaries are constantly challenging defenses too. For internal assets, weekly validation is the rule of thumb. For external-facing assets? Daily. As they see it, it’s the only way to maintain a constant handle over their constantly changing environments.

    Surprisingly, Michael pointed to threat intelligence as the backbone of any security testing program. “You need to understand your adversaries, simulate their TTPs, and test your defenses against real-world scenarios, not just patching CVEs.” That’s the key difference between CTEM and vulnerability management. Vulnerability management is about patching. Exposure management is about figuring out whether your controls actually work to block threats.

    Reporting: Translating Cyber to Risk Terms

    In banking, as in many other highly regulated industries, Alex couldn’t emphasize enough the need to be prepared to answer hard questions from regulators. “You will get challenged on your exposure, your remediation timelines, and your risk treatment. And that’s a good thing. It forces clarity and accountability.”

    But even outside regulated industries, the conversation is changing. Boards do not want to hear about CVSS scores. They want to understand risk – and that’s a completely different discussion. Is the company’s risk profile going up or down? Where is it concentrated? And what are we doing about it?

    Measuring Progress

    Success in CTEM isn’t about counting vulnerabilities; Ben pinned it down when he said he measures the number of exploited attack paths his team has closed. He shared how validating attack paths revealed risky security gaps, like over-permissioned accounts and forgotten assets. Suddenly, risk becomes visible.

    Others took it in another direction with tabletop exercises that walk leadership through real attack scenarios. It’s not about metrics, it’s about explaining the risk and the consequences. A shift that moves the discussion from noise to signal, and gives the business clarity on what matters: where we’re exposed, and what we’re doing about it.

    From Concept to Action

    Want to hear how these defenders are putting CTEM into action without drowning in noise?

    This episode dives deep into the real questions: where do you start, how do you stay focused on what’s exploitable, and how do you connect it all to business risk? You’ll hear first-hand how security leaders like Alex, Ben, and Michael are tackling these challenges head-on, with a few surprises along the way…

    🎧Make sure to catch the full conversation on Apple Podcast and Spotify


    Source: thehackernews.com…

  • Hackers Exploit Misconfigured Docker APIs to Mine Cryptocurrency via Tor Network

    Jun 24, 2025 | Ravie Lakshmanan | Cloud Security / Cryptojacking

    Misconfigured Docker instances are the target of a campaign that employs the Tor anonymity network to stealthily mine cryptocurrency in susceptible environments.

    “Attackers are exploiting misconfigured Docker APIs to gain access to containerized environments, then using Tor to mask their activities while deploying crypto miners,” Trend Micro researchers Sunil Bharti and Shubham Singh said in an analysis published last week.

    In using Tor, the idea is to anonymize their origins during the installation of the miner on compromised systems. The attacks, per the cybersecurity company, commence with a request from the IP address 198.199.72[.]27 to obtain a list of all containers on the machine.

    If no containers are present, the attacker proceeds to create a new one based on the “alpine” Docker image and mounts the “/hostroot” directory – i.e., the root directory (“/”) of the physical or virtual host machine – as a volume inside it. This behavior poses security risks as it allows the container to access and modify files and directories on the host system, resulting in a container escape.

    The threat actors then execute a carefully orchestrated sequence of actions that involves running a Base64-encoded shell script to set up Tor on the container as part of the creation request and ultimately fetch and execute a remote script from a .onion domain (“wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad[.]onion”).

    “It reflects a common tactic used by attackers to hide command-and-control (C&C) infrastructure, avoid detection, and deliver malware or miners within compromised cloud or container environments,” the researchers said. “Additionally, the attacker uses ‘socks5h’ to route all traffic and DNS resolution through Tor for enhanced anonymity and evasion.”

    Once the container is created, the “docker-init.sh” shell script is deployed, which then checks for the “/hostroot” directory mounted earlier and modifies the system’s SSH configuration to set up remote access by enabling root login and adding an attacker-controlled SSH key into the ~/.ssh/authorized_keys file.

    The threat actor has also been found to install various tools like masscan, libpcap, zstd, and torsocks, beacon to the C&C server details about the infected system, and ultimately deliver a binary that acts as a dropper for the XMRig cryptocurrency miner, along with the necessary mining configuration, the wallet addresses, and mining pool URLs.

    “This approach helps attackers avoid detection and simplifies deployment in compromised environments,” Trend Micro said, adding it observed the activity targeting technology companies, financial services, and healthcare organizations.
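
    A host-side triage check for the behaviours described above (the host root bind-mounted into a container, root SSH login enabled, an unfamiliar authorized_keys entry), as an added example that is not from Trend Micro's report or the original article. The sample `docker inspect` output, sshd_config text and key blobs are constructed, and the function names are hypothetical.

```python
import json
import posixpath
import re

# Constructed sample shaped like `docker inspect $(docker ps -aq)` output.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web",
        "Config": {"Image": "nginx:1.27"},
        "HostConfig": {"Binds": ["/srv/site:/usr/share/nginx/html:ro"]},
        "Mounts": [{"Type": "bind", "Source": "/srv/site",
                    "Destination": "/usr/share/nginx/html", "RW": False}],
    },
    {
        "Name": "/quirky_name",
        "Config": {"Image": "alpine"},
        "HostConfig": {"Binds": ["/:/hostroot"]},
        "Mounts": [{"Type": "bind", "Source": "/",
                    "Destination": "/hostroot", "RW": True}],
    },
])

# Constructed sshd_config: the "yes" line comes first, so it is the one in effect.
SAMPLE_SSHD = """\
# constructed sample
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
"""

# Constructed authorized_keys content; the key blobs are placeholders, not real keys.
SAMPLE_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownAdminKeyPLACEHOLDER admin@corp
no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADUnknownKeyPLACEHOLDER
"""
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def _is_host_root(path):
    """True for '/', '//', '/.' and other spellings of the host root directory."""
    return path.startswith("/") and posixpath.normpath(path).strip("/") == ""


def host_root_mounts(inspect_json):
    """Return one finding per container mount point that maps the host's '/'."""
    findings = []
    for c in json.loads(inspect_json):
        seen = set()
        for m in c.get("Mounts") or []:
            if m.get("Type") == "bind" and _is_host_root(m.get("Source", "")):
                seen.add((m.get("Destination", ""), bool(m.get("RW"))))
        # HostConfig.Binds uses "source:destination[:options]" strings.
        for bind in (c.get("HostConfig") or {}).get("Binds") or []:
            parts = bind.split(":")
            if len(parts) >= 2 and _is_host_root(parts[0]):
                read_only = len(parts) > 2 and "ro" in parts[2].split(",")
                seen.add((parts[1], not read_only))
        for dest, writable in sorted(seen):
            findings.append({
                "container": c.get("Name", "?").lstrip("/"),
                "image": (c.get("Config") or {}).get("Image", "?"),
                "dest": dest,
                "writable": writable,
            })
    return findings


def effective_permit_root_login(sshd_config_text):
    """sshd keeps the first value it reads for a keyword, so scan top-down.

    Only the global section is read (stops at the first Match block);
    Include files are not followed.
    """
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower().startswith("match "):
            break
        m = re.match(r"(?i)permitrootlogin[\s=]+(\S+)", line)
        if m:
            return m.group(1).lower()
    return "prohibit-password"  # OpenSSH default when the keyword is absent


def unexpected_keys(authorized_keys_text, allowed_blobs):
    """Return key blobs not on the allowlist (quoted options with spaces unsupported)."""
    unknown = []
    for line in authorized_keys_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        for i, tok in enumerate(tokens[:-1]):
            if tok.startswith(KEY_TYPES):
                if tokens[i + 1] not in allowed_blobs:
                    unknown.append(tokens[i + 1])
                break
    return unknown


if __name__ == "__main__":
    print(host_root_mounts(SAMPLE_INSPECT))
    print(effective_permit_root_login(SAMPLE_SSHD))
    print(unexpected_keys(SAMPLE_KEYS, {"AAAAC3NzaC1lZDI1NTE5AAAAIKnownAdminKeyPLACEHOLDER"}))
```
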

    The findings point to an ongoing trend of cyber attacks that target misconfigured or poorly secured cloud environments for cryptojacking purposes.

    The development comes as Wiz revealed that a scan of public code repositories has uncovered hundreds of validated secrets in mcp.json, .env, and AI agent configuration files and Python notebooks (.ipynb), turning them into a treasure trove for attackers.

    The cloud security firm said it found valid secrets belonging to over 30 companies and startups, including those belonging to Fortune 100 companies.

    “Beyond just secrets, code execution results in Python notebooks should be generally treated as sensitive,” researchers Shay Berkovich and Rami McCarthy said. “Their content, if correlated to a developer’s organization, can provide reconnaissance details for malicious actors.”


    Source: thehackernews.com…

  • APT28 Uses Signal Chat to Deploy BEARDSHELL Malware and COVENANT in Ukraine

    Jun 24, 2025 | Ravie Lakshmanan | Malware / Threat Intelligence

    The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new cyber attack campaign by the Russia-linked APT28 (aka UAC-0001) threat actors using Signal chat messages to deliver two new malware families dubbed BEARDSHELL and COVENANT.

    BEARDSHELL, per CERT-UA, is written in C++ and offers the ability to download and execute PowerShell scripts, as well as upload the results of the execution back to a remote server over the Icedrive API.

    The agency said it first observed BEARDSHELL, alongside a screenshot-taking tool named SLIMAGENT, as part of incident response efforts in March-April 2024 on a Windows computer.

    While no details were available at that time on how the infection took place, the agency said it received threat intelligence from ESET more than a year later that detected evidence of unauthorized access to a “gov.ua” email account.

    The exact nature of the information shared was not disclosed, but it likely pertains to a report from the Slovak cybersecurity company last month that detailed APT28’s exploitation of cross-site scripting (XSS) vulnerabilities in various webmail software such as Roundcube, Horde, MDaemon, and Zimbra to breach Ukrainian government entities.

    Further investigation triggered as a result of this discovery unearthed crucial evidence, including the initial access vector used in the 2024 attack, as well as the presence of BEARDSHELL and a malware framework dubbed COVENANT.

    Specifically, it has come to light that the threat actors are sending messages on Signal to deliver a macro-laced Microsoft Word document (“Акт.doc”), which, when launched, drops two payloads: A malicious DLL (“ctec.dll”) and a PNG image (“windows.png”).

    The embedded macro also makes Windows Registry modifications to ensure that the DLL is launched when the File Explorer (“explorer.exe”) is launched the next time. The primary task of the DLL is to load the shellcode from the PNG file, resulting in the execution of the memory-resident COVENANT framework.

    COVENANT subsequently downloads two more intermediate payloads that are designed to launch the BEARDSHELL backdoor on the compromised host.

    To mitigate potential risks associated with the threat, state organizations are recommended to keep an eye on network traffic associated with the domains “app.koofr[.]net” and “api.icedrive[.]net.”

    The disclosure comes as CERT-UA revealed APT28’s targeting of outdated Roundcube webmail instances in Ukraine to deliver exploits for CVE-2020-35730, CVE-2021-44026, and CVE-2020-12641 via phishing emails that ostensibly contain text about news events but weaponize these flaws to execute arbitrary JavaScript.

    The email “contained a content bait in the form of an article from the publication ‘NV’ (nv.ua), as well as an exploit for the Roundcube XSS vulnerability CVE-2020-35730 and the corresponding JavaScript code designed to download and run additional JavaScript files: ‘q.js’ and ‘e.js,’” CERT-UA said.

    “E.js” ensures the creation of a mailbox rule for redirecting incoming emails to a third-party email address, in addition to exfiltrating the victim’s address book and session cookies via HTTP POST requests. On the other hand, “q.js” features an exploit for an SQL injection flaw in Roundcube (CVE-2021-44026) that’s used to gather information from the Roundcube database.

    CERT-UA said it also discovered a third JavaScript file named “c.js” that includes an exploit for a third Roundcube flaw (CVE-2020-12641) to execute arbitrary commands on the mail server. In all, similar phishing emails were sent to the email addresses of more than 40 Ukrainian organizations.


    Source: thehackernews.com…

  • U.S. House Bans WhatsApp on Official Devices Over Security and Data Protection Issues

    Jun 24, 2025 | Ravie Lakshmanan | Data Protection / Mobile Security

    The U.S. House of Representatives has formally banned congressional staff members from using WhatsApp on government-issued devices, citing security concerns.

    The development was first reported by Axios.

    The decision, according to the House Chief Administrative Officer (CAO), was motivated by worries about the app’s security.

    “The Office of Cybersecurity has deemed WhatsApp a high-risk to users due to the lack of transparency in how it protects user data, absence of stored data encryption, and potential security risks involved with its use,” the CAO said in a memo, according to Axios.

    To that end, House staff are prohibited from downloading the app on any device issued by the government, including its mobile, desktop, or web browser versions.

    WhatsApp has pushed back against these concerns, stating messages sent on the platform are end-to-end encrypted by default, and that it offers a “higher level” of security than most of the apps on CAO’s approved list.

    “We disagree with the House Chief Administrative Officer’s characterization in the strongest possible terms,” Meta’s Communication Director Andy Stone said in a post on social media site X.

    “We know members and their staffs regularly use WhatsApp and we look forward to ensuring members of the House can join their Senate counterparts in doing so officially.”

    As “acceptable” alternatives, the CAO’s message has recommended that the staff use apps like Microsoft Teams, Amazon’s Wickr, Signal, and Apple’s iMessage and FaceTime. WhatsApp is the latest app to be banned by the House after TikTok, OpenAI ChatGPT, and DeepSeek.

    Last week, the Meta-owned messaging app said it’s bringing ads to the platform in an effort to monetize it, but emphasized this is being done without sacrificing user privacy.


    Source: thehackernews.com…

  • China-linked Salt Typhoon Exploits Critical Cisco Vulnerability to Target Canadian Telecom

    Jun 24, 2025 | Ravie Lakshmanan | Cyber Espionage / Chinese Hackers

    The Canadian Centre for Cyber Security and the U.S. Federal Bureau of Investigation (FBI) have issued an advisory warning of cyber attacks mounted by the China-linked Salt Typhoon actors to breach major global telecommunications providers as part of a cyber espionage campaign.

    The attackers exploited a critical Cisco IOS XE software vulnerability (CVE-2023-20198, CVSS score: 10.0) to access configuration files from three network devices registered to a Canadian telecommunications company in mid-February 2025.

    The threat actors are also said to have modified at least one of the files to configure a Generic Routing Encapsulation (GRE) tunnel, enabling traffic collection from the network. The name of the targeted company was not disclosed.

    Stating that the targeting likely goes beyond the telecommunications sector, the agencies said the targeting of Canadian devices may permit the threat actors to collect information from the compromised networks and use them as leverage to breach additional devices.

    “In some cases, we assess that the threat actors’ activities were very likely limited to network reconnaissance,” per the alert.

    The agencies further pointed out that edge network devices continue to be an attractive target for Chinese state-sponsored threat actors looking to breach and maintain persistent access to telecom service providers.

    The findings dovetail with an earlier report from Recorded Future that detailed the exploitation of CVE-2023-20198 and CVE-2023-20273 to infiltrate telecom and internet firms in the U.S., South Africa, and Italy, and leveraging the footholds to set up GRE tunnels for long-term access and data exfiltration.

    U.K. NCSC Warns of SHOE RACK and UMBRELLA STAND Malware Targeting Fortinet Devices

    The development comes as the U.K. National Cyber Security Centre (NCSC) revealed two different malware families dubbed SHOE RACK and UMBRELLA STAND that have been found targeting FortiGate 100D series firewalls made by Fortinet.

    While SHOE RACK is a post-exploitation tool for remote shell access and TCP tunneling through a compromised device, UMBRELLA STAND is designed to run shell commands issued from an attacker-controlled server.

    Interestingly, SHOE RACK is partly based on a publicly available tool named reverse_shell, which, coincidentally, has also been repurposed by a China-nexus threat cluster called PurpleHaze to devise a Windows implant codenamed GoReShell. It’s currently not clear if these activities are related.

    The NCSC said it identified some similarities between UMBRELLA STAND and COATHANGER, a backdoor that was previously put to use by Chinese state-backed hackers in a cyber attack aimed at a Dutch armed forces network.


    Source: thehackernews.com…

  • DHS Warns Pro-Iranian Hackers Likely to Target U.S. Networks After Iranian Nuclear Strikes

    Jun 23, 2025 | Ravie Lakshmanan | Hacktivism / Cyber Warfare

    The United States government has warned of cyber attacks mounted by pro-Iranian groups after it launched airstrikes on Iranian nuclear sites as part of the Iran–Israel war that commenced on June 13, 2025.

    Stating that the ongoing conflict has created a “heightened threat environment” in the country, the Department of Homeland Security (DHS) said in a bulletin that cyber actors are likely to target U.S. networks.

    “Low-level cyber attacks against U.S. networks by pro-Iranian hacktivists are likely, and cyber actors affiliated with the Iranian government may conduct attacks against U.S. networks,” the DHS said.

    “Both hacktivists and Iranian government-affiliated actors routinely target poorly secured U.S. networks and Internet-connected devices for disruptive cyber attacks.”

    The development comes after U.S. President Donald Trump announced that the U.S. military had conducted a bombing attack on three Iranian nuclear facilities at Fordo, Natanz, and Isfahan. Trump described the strikes as a “spectacular military success” and warned of “far greater” attacks if Tehran does not make peace.

    The Iran-Israel war of 2025 has triggered a maelstrom in cyberspace, with hacktivist groups aligned with each of the two nations targeting the other.

    In response to the U.S. military strikes, a pro-Iranian group named Team 313 claimed it took down Trump’s Truth Social platform in a distributed denial-of-service (DDoS) attack.


    Source: thehackernews.com…

  • Echo Chamber Jailbreak Tricks LLMs Like OpenAI and Google into Generating Harmful Content

    Jun 23, 2025 | Ravie Lakshmanan | LLM Security / AI Security

    Cybersecurity researchers are calling attention to a new jailbreaking method called Echo Chamber that could be leveraged to trick popular large language models (LLMs) into generating undesirable responses, irrespective of the safeguards put in place.

    “Unlike traditional jailbreaks that rely on adversarial phrasing or character obfuscation, Echo Chamber weaponizes indirect references, semantic steering, and multi-step inference,” NeuralTrust researcher Ahmad Alobaid said in a report shared with The Hacker News.

    “The result is a subtle yet powerful manipulation of the model’s internal state, gradually leading it to produce policy-violating responses.”

    While LLMs have steadily incorporated various guardrails to combat prompt injections and jailbreaks, the latest research shows that there exist techniques that can yield high success rates with little to no technical expertise.

    It also serves to highlight a persistent challenge associated with developing ethical LLMs that enforce clear demarcation between what topics are acceptable and not acceptable.

    While widely used LLMs are designed to refuse user prompts that revolve around prohibited topics, they can be nudged into producing unethical responses through what’s called multi-turn jailbreaking.

    In these attacks, the attacker starts with something innocuous and then progressively asks a model a series of increasingly malicious questions that ultimately trick it into producing harmful content. This attack is referred to as Crescendo.

    LLMs are also susceptible to many-shot jailbreaks, which take advantage of their large context window (i.e., the maximum amount of text that can fit within a prompt) to flood the AI system with several questions (and answers) that exhibit jailbroken behavior preceding the final harmful question. This, in turn, causes the LLM to continue the same pattern and produce harmful content.

    Echo Chamber, per NeuralTrust, leverages a combination of context poisoning and multi-turn reasoning to defeat a model’s safety mechanisms.

    “The main difference is that Crescendo is the one steering the conversation from the start while the Echo Chamber is kind of asking the LLM to fill in the gaps and then we steer the model accordingly using only the LLM responses,” Alobaid said in a statement shared with The Hacker News.

    Specifically, this plays out as a multi-stage adversarial prompting technique that starts with a seemingly innocuous input, while gradually and indirectly steering the model towards generating dangerous content without giving away the end goal of the attack (e.g., generating hate speech).

    “Early planted prompts influence the model’s responses, which are then leveraged in later turns to reinforce the original objective,” NeuralTrust said. “This creates a feedback loop where the model begins to amplify the harmful subtext embedded in the conversation, gradually eroding its own safety resistances.”

    In a controlled evaluation environment using OpenAI and Google’s models, the Echo Chamber attack achieved a success rate of over 90% on topics related to sexism, violence, hate speech, and pornography. It also achieved nearly 80% success in the misinformation and self-harm categories.

    “The Echo Chamber Attack reveals a critical blind spot in LLM alignment efforts,” the company said. “As models become more capable of sustained inference, they also become more vulnerable to indirect exploitation.”

    The disclosure comes as Cato Networks demonstrated a proof-of-concept (PoC) attack that targets Atlassian’s model context protocol (MCP) server and its integration with Jira Service Management (JSM) to trigger prompt injection attacks when a malicious support ticket submitted by an external threat actor is processed by a support engineer using MCP tools.

    The cybersecurity company has coined the term “Living off AI” to describe these attacks, where an AI system that executes untrusted input without adequate isolation guarantees can be abused by adversaries to gain privileged access without having to authenticate themselves.

    “The threat actor never accessed the Atlassian MCP directly,” security researchers Guy Waizel, Dolev Moshe Attiya, and Shlomo Bamberger said. “Instead, the support engineer acted as a proxy, unknowingly executing malicious instructions through Atlassian MCP.”


    Source: thehackernews.com…