Smooth AI criminal drives 'first' end-to-end agentic ransomware attack
ID: 10642010-05b5-57d4-910b-b0fc90e4173e
STIX ID: report--10642010-05b5-57d4-910b-b0fc90e4173e
Feed Name: The Register (Security)
A novel LLM-driven agentic ransomware operation named JadePuffer exploited a Langflow unauthenticated code-execution vulnerability (CVE-2025-3248) to harvest secrets and cloud/API credentials, persist on the host, and pivot to an internet-exposed MySQL/Nacos production server. Using root DB access and multiple Nacos flaws (including CVE-2021-29441 and default signing key abuse), the agent injected a backdoor admin, encrypted 1,342 Nacos configuration items with MySQL AES, dropped schemas (making recovery impossible even if ransom paid), and left extortion artifacts; defenders are advised to patch Langflow, avoid exposing orchestration and Nacos to the internet, rotate default keys, and remove provider API keys from orchestration servers.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
