Security News CyberStrikeAI tool adopted by hackers for AI-powered attacks

Brownie2019

Researchers warn that a newly identified open-source AI security testing platform called CyberStrikeAI was used by the same threat actor behind a recent campaign that breached hundreds of Fortinet FortiGate firewalls.

Last month, BleepingComputer reported on an AI-assisted hacking operation that compromised more than 500 FortiGate devices in five weeks. The threat actor behind this campaign used multiple servers, including a web server at 212.11.64[.]250.

In a new report, Senior Threat Intel Advisor for Team Cymru, Will Thomas (aka BushidoToken), says that the same IP address was observed running the relatively new CyberStrikeAI AI-powered security testing platform.
 
Executive Summary

Confirmed Facts

Telemetry demonstrates that the open-source platform CyberStrikeAI is actively hosted on IPs such as 212.11.64[.]250 and is being used to target Fortinet FortiGate firewalls. Concurrently, Google Threat Intelligence Group (GTIG) confirms that attackers are abusing Gemini AI via model extraction attacks and API probing.

Assessment
Based on the developer's associations, CyberStrikeAI likely serves as an orchestration engine for state-sponsored and advanced persistent threats (APTs) to automate reconnaissance and exploitation at scale.

Technical Analysis & Remediation

MITRE ATT&CK Mapping

T1588.007 - Obtain Capabilities: Artificial Intelligence.

T1190 - Exploit Public-Facing Application (Targeting FortiGate edge devices).

T1068 - Exploitation for Privilege Escalation (Chrome Gemini Panel abuse).

CVE Profile

CVE-2026-24858 (Fortinet FortiCloud SSO Bypass) [CVSS 9.4] [CISA KEV Status: Active]

CVE-2026-0628 (Chrome Gemini Panel Escapes) [CVSS 8.8] [CISA KEV Status: Active]

Telemetry

IPs: 212.11.64[.]250, 103.164.81[.]110, 106.52.47[.]65

Associated Tooling Strings: CyberStrikeAI, PrivHunterAI, InfiltrateX.

Constraint
The structure suggests an automated testing framework designed to weaponize AI prompts and exploit edge vulnerabilities at machine speed.

Origin
Insufficient Evidence regarding the exact delivery vehicle of the initial payload.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Initiate incident response protocols for potential edge device compromise and evaluate AI supply chain risk.

DETECT (DE) – Monitoring & Analysis

Command
Query SIEM and NetFlow data for inbound/outbound connections to 212.11.64[.]250 and other CyberStrikeAI nodes.

Command
Implement behavioral detection for anomalous Gemini API usage that indicates model extraction or distillation attempts.

RESPOND (RS) – Mitigation & Containment

Command
Isolate affected Fortinet appliances and temporarily disable FortiCloud SSO authentication if unpatched.

RECOVER (RC) – Restoration & Trust

Command
Validate the integrity of VPN configurations and firewall rules to ensure a clean state prior to phased network restoration.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Apply immediate patches for CVE-2026-24858 and enforce strict API rate-limiting on LLM integrations.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Command
Disconnect from the internet immediately if running an outdated version of Google Chrome vulnerable to Gemini panel exploits.

Command
Do not log into banking/email until verified clean.

Priority 2: Identity

Command
Reset passwords and rotate MFA tokens using a known clean device (e.g., mobile phone on a 5G network).

Priority 3: Persistence

Command
Check Scheduled Tasks, Startup Folders, and Browser Extensions for unknown plugins attempting to hijack AI prompt queries.

Hardening & References

Baseline

CIS Benchmarks for Google Chrome and Network Infrastructure.

Framework
NIST CSF 2.0 / SP 800-61r3.

Notes
AI-augmented attacks lower the barrier to entry for complex network exploitation. Security posture must evolve to monitor automated, high-frequency logic probing against web properties and APIs.

Source

Team Cymru Research

BleepingComputer - Gemini Abuse

BleepingComputer - CyberStrikeAI
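
The DETECT step above (querying flow data for connections to the listed IPs), sketched as an added example that is not part of the original post or of any tool it mentions. The flow records and their column names are constructed for illustration, and the internal address ranges are an assumption.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Indicators exactly as listed (defanged) in the post above.
DEFANGED_IOCS = ["212.11.64[.]250", "103.164.81[.]110", "106.52.47[.]65"]

# Assumption: the organisation's internal ranges (RFC 1918 here).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow export (not real telemetry); columns are hypothetical.
SAMPLE_FLOWS = """ts,src,dst,dport,bytes
2026-03-01T10:00:01Z,10.1.4.20,93.184.216.34,443,5120
2026-03-01T10:00:07Z,212.11.64.250,10.1.0.1,443,880
2026-03-01T10:02:13Z,10.1.0.1,212.11.64.250,8080,40960
2026-03-01T10:05:44Z,10.1.9.7,106.52.47.65,443,1300
2026-03-01T10:06:02Z,10.1.9.7,212.11.64.25,443,700
"""

def refang(ioc):
    """Parse '1.2.3[.]4' into an address so it is compared as an IP, not a string."""
    return ipaddress.ip_address(ioc.replace("[.]", ".").strip())

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def match_flows(flow_csv, defanged_iocs):
    """Return (hits, per_host): IoC flows involving an internal host, bytes per host."""
    iocs = {refang(i) for i in defanged_iocs}
    hits, per_host = [], defaultdict(int)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst = ipaddress.ip_address(row["src"]), ipaddress.ip_address(row["dst"])
        if src in iocs and is_internal(dst):
            direction, host, ioc = "inbound", dst, src
        elif dst in iocs and is_internal(src):
            direction, host, ioc = "outbound", src, dst
        else:
            continue  # no IoC involved, or no internal endpoint to triage
        hits.append({"ts": row["ts"], "direction": direction, "host": str(host),
                     "ioc": str(ioc), "dport": int(row["dport"])})
        per_host[str(host)] += int(row["bytes"])
    return hits, dict(per_host)

if __name__ == "__main__":
    hits, per_host = match_flows(SAMPLE_FLOWS, DEFANGED_IOCS)
    print(*hits, per_host, sep="\n")
```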
 
The paradox is that while some celebrate the “democratization” of AI, others turn it into a catapult for chaos. It’s like handing out lightsabers in a medieval marketplace: fascinating, yes… but also a reminder that light cuts both ways. ⚔️✨🔥