Security News An AI just carried out a cyber attack without any human oversight for the first time

Brownie2019

Level 23
Thread author
Verified
Well-known
Forum Veteran
Mar 9, 2019
1,025
5,507
2,168
Germany
Security researchers have uncovered what they believe to be the first ever instance of an artificial intelligence agent executing a cyber attack from start to finish without human assistance.
The AI-powered attack marks a major milestone for both artificial intelligence and cyber security, raising concerns that AI is lowering the barrier for cyber criminals.
The fully automated campaign involved an AI carrying out a ransomware attack, where victims are forced to pay a ransom in order to regain access to their data.
A team from cloud security firm Sysdig said the AI attacker, which they named Jadepuffer, broke into a vulnerable server, discovered passwords and login credentials, and then encrypted a production database before demanding a bitcoin ransom.
“Ransomware has had a human at the keyboard, or at least a human writing its script, since it was first established as a category of threat,” Michael Clark, director of threat research at Sysdig, wrote in a blog post.
“The Sysdig Threat Research Team (TRT) has captured what we assess to be the first documented case of agentic ransomware: a complete extortion operation driven end-to-end by a large language model (LLM).”
Immediately after gaining access to Langflow, an open source tool for building AI applications, the LLM began looking for credentials “with explicit coverage of Chinese providers” like Alibaba, Tencent and Huawei.
The autonomous operation was also able to adapt its tactics in real-time, operating at a speed that outpaces even the most skilled human operators.
“The most striking characteristic, however, was the LLM’s behaviour,” Mr Clark said.
“The operation adapted in real time, retrying failed steps within refined parameters. In one sequence, it went from a failed login to a working fix in 31 seconds.”
Sysdig researchers noted that even if the victim paid the ransom, they would not be able to recover the compromised data because the AI agent had already deleted it without backing any of it up.
The findings are yet to be independently verified, however they highlight a growing risk that AI systems pose as they become ever more capable of carrying out complex cyber attacks without human oversight.
In a rare joint warning last month, the Five Eyes security alliance said that AI is “months away” from wreaking havoc on businesses and governments.
“Frontier AI models are anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities,” the warning stated. “A whole-of-organisation and whole-of-society response is required.”
 
Context on this report

This account appears to reference research from Sysdig's Threat Research Team describing an AI-driven ransomware operation nicknamed "Jadepuffer." As the article itself notes, the findings are not yet independently verified, so it is worth treating specific claims (such as exact timing figures or full autonomy without any human involvement) with some caution until a formal writeup or IOC list is published and confirmed by other researchers.

That said, the general trend described is consistent with what security researchers have been warning about for a while: large language models being used to automate parts of the intrusion lifecycle, including credential discovery, exploitation retries, and lateral movement.

What stands out technically

  • Langflow, an open source tool for building AI/LLM applications, has had publicly disclosed vulnerabilities in the past that allowed unauthenticated remote code execution on exposed instances. If this campaign indeed used Langflow as an entry point, it lines up with a known pattern: internet-facing AI infrastructure being misconfigured or unpatched.
  • The described behavior, adapting failed login attempts into working exploits within seconds, is the kind of automated feedback loop that agentic LLM frameworks are designed to perform. It does not necessarily mean the model "understood" the target in a human sense, but rather that it iterated quickly through a decision tree with tool access.
  • The detail about data being deleted without backup, meaning payment would not restore access, is a critical point. It reinforces that ransom payment should never be assumed to guarantee recovery, whether the attacker is human-operated or automated.

Practical takeaway for defenders

  • Any AI development or orchestration tool (Langflow, similar frameworks) exposed to the internet should be patched, authenticated, and firewalled just like any other production service.
  • Credential hygiene and secrets management remain the actual chokepoint here. Automated or not, the attack still relied on discovering stored passwords and login credentials.
  • Backups that are offline or immutable remain the only reliable protection against ransomware, regardless of whether the threat actor is human or AI-driven.

Until independent confirmation and technical indicators are published, this should be read as an early warning sign rather than a fully verified case study. The underlying lesson, that exposed AI tooling and weak credential practices are being actively targeted, holds regardless of how much of the attack chain was truly autonomous.