CISA Warns Fortinet Customers as FortiBleed Hits 86,644 FortiGate Devices

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday urged Fortinet customers with FortiGate appliances to take steps to secure against ongoing malicious activity aimed at thousands of internet-accessible devices.

The sweeping campaign, believed to be the work of Russian-speaking threat actors, has been codenamed FortiBleed. The number of compromised devices stands at 86,644 as of June 19, 2026.

According to data from SOCRadar, generic admin accounts (35%) and built-in Fortinet system accounts (28.3%) together make up the majority of compromised credentials. Organization-specific accounts account for 36.7% of the remaining breached credentials.

"This points directly to a widespread failure to rename default accounts or rotate factory credentials, giving the attacker a highly reliable target list before any brute force was even needed," SOCRadar said.

"Org-specific accounts topping the list is significant. It means the attacker is not just harvesting default credentials but has also successfully compromised accounts created by the organizations themselves, possibly sourced from prior breaches where passwords were never changed."

Telecom, government, and education have emerged as the top three impacted sectors, with the most exposures located in India, the U.S., Mexico, Colombia, and Thailand.

The threat actor is said to have mass-scanned the internet for Fortinet remote login endpoints, and then employed a bespoke tool to spray those identified endpoints with known login and password combinations in an attempt to break into them.

The fully-automated attack is built around a self-sustaining, two-step approach -

• The threat actor attempts a curated list of leaked Fortinet passwords against devices across the internet.
• Once access is obtained, they passively monitor network traffic going through the devices to collect additional credentials, which are then used to compromise more appliances.

The credentials are legitimate and valid, with the attackers verifying each of them before they are added to a database of confirmed, working logins.

"The scale of this breach touches nearly every sector of the global economy, sparing no industry," Hudson Rock said. "The threat actors have built a verified database of working credentials for some of the largest enterprises on the planet."

The U.K. National Cyber Security Centre (NCSC) has described FortiBleed as a global campaign targeting internet-facing Fortinet firewalls and VPN gateways using methods like brute-force, dictionary attack, and credential stuffing.

It's suspected that the threat actors likely exploited older credential hashing mechanisms and the way credentials have historically been stored within FortiGate configuration files to pull off the large-scale attack.

"Fortinet introduced PBKDF2-based password hashing for administrator credentials in FortiOS 7.2.11, 7.4.8, and 7.6.1, replacing the legacy SHA-256-based storage mechanism," Arctic Wolf said. "However, when upgrading from earlier versions, existing administrator passwords remain stored as SHA-256 hashes until the corresponding administrator successfully logs in following the upgrade."

"As a result, many organizations likely continue to store administrator credentials using older SHA-256 with Salt hashing mechanisms."

In a statement shared with The Hacker News, a Fortinet spokesperson said "the data involved is likely a resharing of data from previous incidents, as well as brute-forcing of credentials, and not related to any current incident or advisory," urging organizations to follow best practices, including regularly rotating security credentials and enabling multi-factor authentication (MFA).

CISA has outlined the following recommendations to defend against the activity -

• Terminate all active SSL VPN and administrative sessions, reset all Fortinet VPN and administrative passwords, especially on internet-facing systems, and enforce strong password policies.
• Ensure use of the Password-Based Key Derivation Function 2 (PBKDF2) algorithm to store administrator credentials and remove weaker legacy hashes.
• Review firewall, VPN, authentication, and domain controller logs for signs of suspicious actions, including unauthorized configuration changes.
• Enable phishing-resistant MFA on all external gateways and administrative interfaces.
• Reduce the attack surface and lock down management.

The FortiBleed incident first came to light last week after security researcher Volodymyr "Bob" Diachenko discovered a server containing the database of working login credentials for thousands of firewalls and VPN gateways across 194 countries. Per SOCRadar, the server also staged the attacker's tools and automation scripts.

The findings once again demonstrate how credential reuse and poor password hygiene can be weaponized by malicious actors, not to mention that perimeter security appliances remain a lucrative target for gaining initial access to enterprise environments.

from The Hacker News https://ift.tt/hyOB8XC
via IFTTT

The Good, the Bad and the Ugly in Cybersecurity – Week 25

The Good | Authorities Dismantle PhaaS Network & Clean Sites Infected with SocGholish

A coordinated action between government and the private sector led by the FBI has led to the dismantling of Outsider Enterprise, a Chinese Phishing-as-a-Service (PhaaS) operation.

Operating since 2023, the syndicate combined AI and distributed phishing kits to impersonate trusted brands across millions of fraudulent SMS messages sent from major U.S. telecommunications carriers. Investigators are attributing an estimated $1.9 billion in financial losses to the operation, alongside the theft of roughly 3.8 million credit card records.

Source: FBI

Federal authorities were able to seize multiple administrative servers, a Shopify storefront, a Telegram bot containing customer data, and approximately $100,000 in cryptocurrency. Simultaneously, Google disabled thousands of associated domains and filed a civil lawsuit against the infrastructure operators. The tech giant is now actively coordinating with AT&T, T-Mobile, and Verizon to aggressively block the fraudulent text messages before they reach targeted users.

In another joint effort involving Europol and Eurojust, law enforcement teams globally removed SocGholish malware infections from nearly 15,000 compromised WordPress websites and dismantled over 100 associated command servers.

This initiative is another arm of Operation Endgame, a broader campaign specifically targeting infrastructure linked to the notorious Russian-based cybercrime syndicate Evil Corp.

The SocGholish malware, a JavaScript-based downloader active since 2017, operates by hijacking legitimate websites to deceive visitors into installing malicious payloads disguised as routine browser updates. Upon installation, the malware establishes remote access, enabling threat actors to deploy secondary malware and ransomware families.

Following the extensive technical cleanup, authorities strongly advised affected site administrators to implement multi-factor authentication (MFA) and update their platform software. Officials also emphasize that this massive disruption actively prevents further damage to global networks and marks the beginning of sustained enforcement against the botnet.

The Bad | DragonForce Abuses Microsoft Teams Relays to Conceal Backdoor Traffic

DragonForce, a cartel-like ransomware operation established in 2023, is now using a custom Go-based malware, dubbed Backdoor.Turn, to conceal command-and-control (C2) communications within legitimate Microsoft Teams relay infrastructure.

Security researchers recently observed an attack on a major U.S. services company where DragonForce actors obtained an anonymous Teams visitor token backed by Skype identity services.

The malware subsequently leverages Microsoft’s Traversal Using Relays around NAT (TURN) protocol during connection setup, establishing a direct QUIC session to the attacker’s C2 server. Investigations learned that network defenders only observed outbound traffic directed toward trusted Microsoft servers, allowing the attackers to remain undetected on the compromised network for up to two months.

Researcher say the intrusion likely began in December 2025 following the exploitation of an SQL or MSSQL server vulnerability. Attackers at that point executed a PowerShell command to drop a ZIP archive disguised as a technical support hotfix, initiating a DLL side-loading sequence.

To achieve kernel-level privileges and actively terminate host security tools, the attackers employed extensive Bring Your Own Vulnerable Driver (BYOVD) techniques. They systematically deployed several vulnerable drivers, including a Huawei audio driver and a custom ABYSSWORKER payload masquerading as legitimate Palo Alto software.

Source: Symantec/Carbon Black/Broadcom

The deployment of Backdoor.Turn marks the first documented in-the-wild abuse of Microsoft Teams TURN relays for C2 communications, building upon the theoretical “Ghost Calls” technique demonstrated in previous research.

Beyond deploying the DragonForce ransomware and exfiltrating data, the attackers injected the Backdoor.Turn remote access trojan into a legitimate debugger process to establish long-term persistence.

The backdoor provides the cartel with extensive post-exploitation capabilities, including network scanning, active directory reconnaissance, browser credential theft, and lateral movement, rounding out the group’s sophisticated cyber tradecraft.

The Ugly | PRC-Based Spies Breach REDCap Servers to Steal Medical Research

A China-linked espionage group, tracked as UNC6508, breached exposed REDCap servers to steal sensitive research data from a North American medical institution. Cyber researchers report that the attackers initially compromised the network back in September 2023 by probing vulnerable, legacy versions of the REDCap platform, which is widely utilized for managing scientific databases. Following the initial intrusion, the threat actors remained undetected within the victim’s environment until November 2025.

Three months after gaining access, the operators deployed a custom malware dubbed “InfiniteRed” specifically designed for REDCap environments. UNC6508 concealed these components by actively trojanizing the server’s underlying system files.

InfiniteRed operates through three primary modules: a persistence mechanism, a targeted credential harvester, and a versatile backdoor. The harvester intercepts user logins, encrypting and storing them directly within local database tables. In tandem, the backdoor receives commands via HTTP cookies, granting the attackers extensive capabilities to execute shell commands, run arbitrary SQL queries, and transfer files across the compromised infrastructure.

Source: GTIG

Considered a novel approach for China-linked actors, UNC6508 leveraged legitimate content compliance features within enterprise productivity tools to successfully exfiltrate data. By creating a compliance rule named “Patroit”, the attackers automatically forwarded emails containing specific keywords, such as those related to military readiness, molecular discovery, and geo-strategic policy, to an external, attacker-controlled email account. The operation maintained high operational security by utilizing U.S.-based residential proxies and compromised routers.

To mitigate these threats, administrators are strongly advised to immediately update all REDCap instances to the latest versions, enforce MFA, and implement Device Bound Session Credentials (DBSC) to prevent ongoing session hijacking. Indicators of compromise (IoCs) and YARA rules can be found here.

from SentinelOne https://ift.tt/ZlMrQuN
via IFTTT

From Assistive to Agentic: The AI Shift That's Redefining Threat Management

Introduction

The average enterprise security team has 40 or more security tools, giving a lot of visibility into internal telemetry and asset data. But often, these tools are working in siloes, generating (overlapping) alerts and data. And yet, breach dwell times remain stubbornly long (~43 days), response windows keep closing before teams can act, and analysts burn out triaging noise instead of stopping threats.

The problem isn't effort. It's architecture.

Security programs were built for a world where threats moved slowly enough for humans to coordinate responses manually. That world no longer exists. With the way AI capabilities are getting developed and used, especially with frontier AI tools, a much more proactive stance to security is needed as well as machine speed response to combat fast moving adversaries. Gartner's Continuous Threat Exposure Management (CTEM) framework helps this shift from reactive, point-in-time assessments to a continuous, iterative cycle of scoping, discovery, prioritization, validation, and mobilization. But for most organizations, operationalizing CTEM end-to-end has remained out of reach, because the tools needed to do it still don't talk to each other.

The Architecture Problem Behind Every Security Gap

Modern security stacks are collections of specialized tools: a threat intelligence platform here, a vulnerability scanner there, a separate BAS (breach and attack simulation) tool, and a SIEM trying to stitch it all together. Each generates data. None of them closes the loop.

By the time intelligence is correlated, exposures are prioritized, validation is run, and a remediation ticket is acted on, the adversary has often already moved. The bottleneck isn't any single tool. It's the white space between them.

This is the architecture problem that keeps security leaders up at night, and it's the one that generic AI assistants, bolted onto existing workflows, don't actually solve. Asking a chatbot to summarize a threat report is useful. It is not the same as having an AI system that autonomously correlates that report against your live exposure surface, validates whether your controls hold, and prioritizes what to fix first.

What "Agentic" Actually Means and Why It Matters Now

The term "AI" has become so overloaded in security marketing that it's worth being precise about what agentic AI actually means in this context.

Assistive AI waits to be asked. It summarizes, translates, and retrieves. It makes analysts faster at doing the same things they were already doing.

Agentic AI acts. It understands context, sets priorities autonomously, and executes multi-step workflows across systems, not as a one-time query, but continuously, in the background, at machine speed.

The distinction matters because the threat environment is increasingly operating at machine speed too. With rapid advancements in frontier AI models, discovery-to-exploit timelines are shrinking significantly. The security teams that stay ahead won't be the ones with the most analysts. They'll be the ones whose AI infrastructure can match that pace autonomously.

For CTEM specifically, this means three functions need to stop being separate workflows:

1. Operationalizing threat intelligence: Continuously ingesting, structuring, and contextualizing threat, exposure and vulnerability data against your environment. Understand what adversaries are doing and which asset and infrastructure is potentially exposed to those risks.
2. Testing and validating your security posture: Continuously testing whether your controls, teams and processes actually hold against the adversary behaviors you're tracking
3. Mobilizing response: Automatically prioritizing and routing remediation actions based on validated, intelligence-driven evidence and risk. 

When those three functions operate as a closed loop, with AI agents moving information and decisions between them without waiting for human handoffs, a CTEM program stops being a framework on a slide and starts being an operational reality.

Agentic AI to Operationalize CTEM and Proactive Security

An Agentic threat management architecture is what makes the difference between a CTEM framework that lives in a strategy document and one that runs continuously in the background. This requires a dedicated AI orchestration layer that acts as a foundational, contextual layer with interconnected agents. Instead of analysts manually connecting threat intelligence to exposure validation, agents do the heavy lifting continuously and with the right context and reasoning. The whole workflow is autonomous, where agents handover tasks from one to another and across products while still keeping human-in-the-loop for final decision making. Analysts can truly become the orchestrator of intelligence-driven actions.

The security teams building this capability now aren't waiting for a perfect toolset. They're building the operational model first and letting the architecture catch up. The ones that get there first will have a structural advantage that compounds over time: better data, better analysis, better evidence, and furthermore, better-tuned AI. General purpose LLMs aren’t cut for this, it requires context and the product-based know-how.

The organizations closing it fastest are the ones treating CTEM as an operating model, not as a single tool, and choosing AI infrastructure built specifically to run it end-to-end. You can see the operational model at work with XTM One CTEM Assistant.

Watch It in Practice: Live Webinar

Filigran is running a live session that walks through what this looks like in practice: how security teams are using agentic AI to connect intelligence, exposure validation, and response into a single continuous workflow, without the handoff gaps that slow down every step in between.

The session will cover:

• Why the shift to agentic AI changes the operational model for security programs, not just the tooling
• Where purpose-built agents outperform general-purpose AI when precision matters
• How to evaluate agentic AI infrastructure for your own program

Register for a live session or get the recording:

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

from The Hacker News https://ift.tt/iS58UcY
via IFTTT

Forget Data Leakage: Shadow AI's Real Threat Is Access Control

The first wave of enterprise AI concern was straightforward. It was simply employees pasting sensitive data into public AI tools. Security teams responded with usage policies, domain blocks, and data loss prevention rules. That response made sense at the time.

It doesn't fit the problem anymore.

Shadow AI has shifted from a data leakage concern to an access control problem. The threat isn't about what employees type into AI tools. It's about which AI agents are running inside the organization, what enterprise systems they're connected to, and what actions they're authorized,or not, to take.

Employees and business units are building AI agents at a pace most security teams can't keep track of. Custom assistants, coding agents, workflow automations, and agentic applications are being created across departments with some in sanctioned platforms, but many through browser extensions, SaaS-native features, developer tools, MCP servers, endpoint-based agents, and custom scripts. Many start as quick experiments. Some become embedded in critical business processes within days.

The risk profile of these agents is fundamentally different from traditional shadow IT. An unsanctioned SaaS application is a destination for data. An AI agent is an actor that can call APIs, use stored credentials, retrieve records, modify configurations, trigger downstream workflows, and take actions in production systems, often without a human explicitly authorizing each step.

An employee pasting a customer record into a public AI tool is a data leakage incident. A custom AI agent connected to Salesforce, Snowflake, GitHub, Gong, and Slack is an access control incident waiting to happen. It could expose data, but it could also perform read, write, and delete actions on that data. It may also run on service accounts with permissions nobody audited and stay active six months after the employee who built it changed roles or left the company. New research from Token Security and the Cloud Security Alliance maps exactly how widespread this exposure has become. 

Why existing controls don't reach it

Most enterprise security controls were designed for human identities and deterministic workloads. IAM policies, DLP rules, and network monitoring assume predictable behavior and defined access paths. AI agents break those assumptions.

An agent tasked with resolving a failed deployment might read logs, query monitoring systems, modify infrastructure configurations, open tickets, trigger automation pipelines, and notify engineering teams, all in sequence, all using the same inherited credentials. To avoid breaking workflows, developers grant broad permissions upfront. Those permissions accumulate. Agents inherit creator-level privileges, temporary access becomes permanent, and security and identity teams lose visibility into what those identities are actually doing.

Blocking public AI domains doesn't reach any of this. By the time an agent has credentials to enterprise systems, the boundary has already been crossed. Automated remediation of non-human identities is where that gap gets closed.

What a real shadow AI inventory looks like

Discovering shadow AI requires looking across the environments where agents actually live, such as AI platforms, SaaS apps with built-in automation, cloud accounts, developer tools, endpoints, and identity providers. Here are six questions to define whether security teams have real control.

1. Where are agents being created or installed? This includes obvious AI platforms but also coding assistants, SaaS-native agent features, local developer tools, and internal applications that have quietly added AI capabilities.
2. Who owns each agent, and who can use it? Without ownership, there's no accountability. An agent built for a three-person finance team that gets shared across the organization carries a very different risk profile than one scoped to a single user.
3. What resources and services is the agent connected to? An agent can appear harmless at the platform level while holding connections to sensitive databases or production systems through credentials that were granted informally and never reviewed.
4. What identities and secrets does it use? Agents authenticate through service accounts, API keys, OAuth tokens, cloud IAM roles, and long-lived secrets. Each credential type carries different risks.
5. What is the agent’s intent and what has it actually done? Configuration alone doesn't show whether an agent is reading data, writing records, or accessing systems outside its intended scope. Understanding intent and behavioral context is required to prioritize response.
6. Is the agent still active? Token Security's Agentic Pulse data found that 65.4% of agentic chatbots have never been used since creation, but their credentials remain active. Dormant agents with live access are a persistent and underappreciated exposure.

The maturity curve to ensure agentic AI security

Most organizations are at the beginning of this and have little to no agent inventory. The next step is to gain partial visibility to know which agents exist, even without full context. After that they need enrichment and context to understand intent and map ownership, access, and credentials to each agent. The next step is to apply enforcement with automated controls that remediate excessive permissions, notify owners of inactive agents, and flag new agents connecting to sensitive systems.

The goal isn't to block AI adoption. Teams are under real pressure to use these tools, and many of the productivity gains are legitimate. If security becomes a hard blocker, usage moves further underground and unseen. The better outcome is governed enablement to provide a path for teams to deploy agents with automated controls running continuously in the background.

This requires treating AI agents the same way you'd treat any other identity in the enterprise with continuous discovery, defined ownership, scoped access, and lifecycle management from creation through decommissioning.

The shadow AI question has changed. It's no longer: what data are employees putting into AI? It's now: which agents are operating in our environment and what did we give them access to? Those are different questions. The second one is the one that defines an organization’s exposure and risk. If you're working through that inventory now, it's worth seeing how others are approaching it.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

from The Hacker News https://ift.tt/9GVizp7
via IFTTT

DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic

Threat actors associated with the DragonForce ransomware have been observed using a custom Go-based remote access trojan (RAT) called Backdoor.Turn to conceal command-and-control (C2) traffic inside Microsoft Teams relay infrastructure.

According to findings from Broadcom-owned Symantec and Carbon Black, the backdoor was deployed against a major U.S. services firm. The name of the company was not disclosed.

"Backdoor.Turn obtains an anonymous Teams visitor token from Microsoft’s Skype-backed identity services, uses a legitimate Microsoft TURN relay to set up the connection, and then runs a QUIC session to the attacker’s real command-and-control (C2) server," the Threat Hunter Team said in a report shared with The Hacker News.

"To network defenders, the only traffic they could see was outbound connections to legitimate Microsoft Teams servers. The attackers were on the victim network for between one and two months."

The development marks the first publicly documented instance of the threat actors abusing Microsoft's Traversal Using Relays around NAT (TURN) relay infrastructure.

It's suspected the threat actor obtained initial access by exploiting a vulnerability in either an SQL or MS-SQL server, although the exact nature of the flaw is unknown. It's also possible that the access was acquired from an initial access broker (IAB).

Initial malicious activity on the victim network began in December 2025, with the attackers running a PowerShell command to drop a ZIP archive under the pretext of a tech support hotfix. The ZIP file responsible for launching a DLL side-loading attack, which then runs a rogue DLL to conduct reconnaissance, set up persistence, and silence security software using a Huawei driver ("HWAuidoOs2Ec.sys").

This is achieved by means of an attack technique called bring your own vulnerable driver (BYOVD) technique. The driver has been put to use in a large-scale malvertising campaign targeting U.S.-based individuals searching for tax-related documents, although this is said to have taken place after the ransomware incident.

Some of the other drivers used for this purpose are listed below -

What's notable about the attack is the execution of Backdoor.Turn by injecting it into the legitimate "DbgView64.exe" process after the DragonForce ransomware has been deployed. This suggests an attempt to maintain continued access to the compromised host for later attacks or reselling it for profit.

Backdoor.Turn's underlying TURN-based mechanism leans on a stealthy C2 communication technique called Ghost Calls that was documented by Praetorian in August 2024. The backdoor supports a wide range of capabilities, including command execution, process creation, network scanning, LDAP and Active Directory search, credential-based lateral movement, and browser credential theft.

"The backdoor requests a visitor token from the Microsoft Teams/Skype backend, uses that token to interact with Teams-associated infrastructure (TURN relay), and then establishes outbound connectivity," Symantec and Carbon Black explained.

"It obtains a Teams visitor (anonymous) authentication token backed by Skype identity services. It then uses a legitimate Microsoft server as the TURN relay server during connection setup. After relay-assisted setup, the malware establishes a direct QUIC session to the C&C server, which is malicious."

The findings paint a picture of a hacking group leaning on sophisticated cyber tradecraft to pull off high-impacted targeted attacks, while leaving victims in the dark about covert data exfiltration. This is particularly significant as Hackledorb, the threat actor behind DragonForce, has pivoted from a conventional ransomware-as-a-service (RaaS) model to a highly organized, formalized cartel structure.

"The operational timeline reveals a pattern of continuous capability development, with the adoption of highly advanced techniques becoming a hallmark of their post-2025 activity," the company said. "The deployment of Backdoor.Turn, combined with their multi-vector BYOVD evasion, marks them as one of the most capable and persistent ransomware groups operating today."

from The Hacker News https://ift.tt/VIjweP8
via IFTTT

Windows Server In-Place Upgrade via Windows Update: Major Improvements in 2025+ (No ISO or Media Required)

In-place upgrades for Windows Server have always been a topic that divides opinions in the admin community. Some love the convenience of keeping settings, roles, features, and applications intact without rebuilding everything from scratch. Others remember painful experiences from older versions and prefer clean installs. You should also think about the size of the environment you want to upgrade. You won’t use the same approach when upgrading thousands of servers compared to smaller environments that you can possibly rebuild with clean installs.

Microsoft has made significant improvements recently, especially with the ability to perform in-place upgrades directly through Windows Update — no ISO, no DVD, no mounted media needed. This is a game-changer for many environments, particularly for Windows Server 2019 and 2022 moving to Windows Server 2025. Yes WS 2019 and WS2022 are supported for those scenarios.

In this post I’ll cover the technical details, the process, advantages, potential risks, and a specific comparison between Server Core and Desktop Experience (GUI) versions.

Why This Matters Now

Historically, in-place upgrades often required downloading or mounting installation media and running setup.exe. Starting recently, about mid-April 2026, Microsoft offers the Windows Server 2025 feature update directly via Windows Update for eligible servers (primarily 2019 and 2022). This brings the upgrade process closer to how client Windows feature updates work — seamless, managed through the OS itself. There are some manual steps to perform, however, we’ll see it in details below.

Key highlight: We are talking purely about Windows Update-driven in-place upgrades, not media-based ones. This simplifies patching and upgrading in environments, where downloading and handling large ISOs isn’t practical.

Prerequisites and Supported Paths (Windows Update Method)

• Source: Windows Server 2019 or 2022 (with the latest cumulative update installed and rebooted).
• Target: Windows Server 2025.
• Same edition (Standard to Standard, Datacenter to Datacenter) and architecture.
• Not recommended for Domain Controllers (AD DS) — while technically possible, you miss out on performance and feature improvements in the new version.
• Must Install cumulative update for Windows Server 2022: KB5078766 (2026-03 Cumulative Update) or later must be installed. A reboot may be required after installing it.
• Must install cumulative update for Windows Server 2019: KB5078752 (2026-03 Cumulative Update) or later must be installed.

 

Make sure you got all the latest cumulative updates installed

 

• Backup everything first (system state, data, configurations). Test in a lab or non-prod.
• For policy-controlled environments, there might be registry keys or Group Policy to opt-in to the feature update.

The process downloads the necessary files as a feature update and performs the in-place replacement of OS files while preserving your installed components.

Manual Steps for the upgrade process to start (otherwise it won’t)

Yes, you must manually change a registry key in order for the upgrade process to trigger. If you don’t do that, the in-place upgrade will never happen. You can use PowerShell and one line of code (use elevated PowerShell prompt) to trigger the in-place upgrade.

Well, in fact, 2 commands:

New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AllowWindowsServerFeatureUpdate"

New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AllowWindowsServerFeatureUpdate" -Name "AllowWindowsServerFeatureUpdate" -PropertyType DWord -Value 1

Those two commands create the registry entries automatically.

You can also do it manually, by opening regedit.exe and going to

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AllowWindowsServerFeatureUpdate

Create a DWORD value named AllowWindowsServerFeatureUpdate and set it to 1.

Both do the same.

 

You can also manually create the reg entry

 

The Upgrade Process: GUI (Desktop Experience) vs. Server Core

Desktop Experience (Full GUI):

1. Ensure the server is fully patched via Windows Update.
2. Go to Settings > Windows Update.
3. The Windows Server 2025 feature update should appear (after opt-in if required).
4. Download and install — it will handle the in-place upgrade.
5. Reboot when prompted. The process includes compatibility checks and preserves settings/apps.

 

A new option will allow you to go and upgrade to WS 2025 within Windows Update

 

This is straightforward for admins who prefer the graphical interface. Server Manager, MMC tools, etc., remain available post-upgrade.

You’ll get a warning that you must purchase the product to upgrade and activate it.

 

Product key purchase acceptation screen

 

Server Core: Server Core benefits equally well from this method. Use SConfig (the text-based configuration tool):

• Install the latest updates with Option 6 for Windows Update.

 

Install updates via SCONFIG

 

• Add Registry Key: Open an elevated PowerShell prompt and run the following command to create the necessary registry entry:

New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AllowWindowsServerFeatureUpdate" -Force

New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AllowWindowsServerFeatureUpdate" -Name "AllowWindowsServerFeatureUpdate" -PropertyType DWord -Value 1 

• Then one level deeper with sub-option 1 (quality updates). Search for and install the feature update.

 

 

• It will trigger the same in-place upgrade process as the WS 2025 feature update will appear. Just hit “Y” to confirm for download and installation. Server will reboot automatically.

Comparison:

• Resource Usage: Core remains lighter post-upgrade (smaller footprint, fewer services). GUI version carries the full Desktop Experience overhead.
• Management: Core relies on PowerShell, SConfig, or remote tools (Windows Admin Center, RSAT). The upgrade doesn’t change this fundamental model — you stay in Core unless you reinstall.
• Upgrade Experience: Both get the update via the same servicing stack. Core upgrades are often faster and have a smaller download footprint due to fewer components. No GUI means less chance of graphical glitches during the process.
• Roles/Features: Most roles work identically. Some GUI-dependent features or legacy apps may require Desktop Experience. Core has a reduced attack surface, which is preserved.
• Rollback/Recovery: Similar for both — Windows keeps previous files for potential rollback, but always have backups.

In short, if your server is already Core, the upgrade keeps it lean and mean. If it’s GUI, it stays that way. You cannot easily convert between them post-install without a clean reinstall.

Advantages of Windows Update In-Place Upgrades

• Simplicity and Convenience: No need to handle large ISOs, mount media, or deal with USBs/DVDs — especially useful for remote or headless servers.
• Minimal Disruption: Keeps applications, server roles (File Server, DNS, Hyper-V, etc.), settings, and data intact. Less downtime than rebuild + restore.
• Faster Path to New Features/Security: Get Windows Server 2025 improvements (better security, performance, hybrid capabilities) without full migration.
• Automation-Friendly: Integrates with existing WSUS or Windows Update for Business policies. Easier for fleets of servers.
• Broader Support: N-4 upgrade paths (e.g., directly from older versions with media, but Windows Update focuses on recent ones).
• Testing and Phased Rollout: Easier to pilot on a few servers via Update management.

Overall, more advantages than risks in well-maintained environments, especially for non-critical or well-backed-up servers.

Potential Risks and Inconvenients

Even with improvements, in-place upgrades aren’t risk-free:

• Legacy Bloat: Old registry entries, drivers, or unused files might carry over, potentially causing subtle issues later.
• Compatibility: Not all third-party apps or custom configurations play nicely. Test thoroughly.
• No Full AD Benefits on DCs: As noted, upgrade DCs via other methods for best results.
• Unexpected Upgrades: Some admins reported servers offering the update automatically — manage with policies or WSUS approvals.
• Rollback Challenges: While possible (previous OS files are kept temporarily), it’s not as clean as a snapshot revert in a VM. Always have a solid backup/recovery plan.
• Downtime: Still requires reboot(s) and time for the upgrade process (can take 30-90+ minutes depending on hardware/config).

In my experience (and from feedback across the community), risks are lower than in the past due to Microsoft’s refined servicing model, but they exist. Clean install remains the “gold standard” for maximum cleanliness, especially in high-security or complex AD environments.

My Recommendation

For many production servers – particularly Server Core installations used for infrastructure roles – the Windows Update in-place upgrade is now a very viable and attractive option. It saves time and effort while delivering modern OS benefits.

Always:

• Snapshot (if VM) or full backup.
• Validate hardware/firmware/drivers compatibility.
• Test in staging.
• Monitor post-upgrade logs (Setupact.log, Setuperr.log in C:\Windows\Panther).

What are your thoughts? Have you tried the Windows Update method for Server 2025 yet?

from StarWind Blog https://ift.tt/pv6Qc7F
via IFTTT

Coding Agent Horror Stories: The 13-Hour AWS Outage

In Part 1, we walked through six categories of AI coding agent failures and why they keep happening. The agent runs as you, with your filesystem permissions and your credentials, and nothing sits between the model’s decision and the shell’s execution. In Part 2, we looked at one specific version of that failure in detail, the rm -rf ~/ incident that wiped a developer’s entire Mac in a single command. Part 3 moves the same problem up the stack, into a production AWS environment where the blast radius is no longer one laptop but a regional cloud service.

What happens when the agent isn’t running on your laptop, but on a production AWS environment with operator-level credentials? You get a thirteen-hour outage, a public denial that fooled no one, and a series of follow-on incidents that cost Amazon an estimated 6.3 million orders before the company was forced to introduce what it called a “code safety reset.” 

Today’s Horror Story: The Agent That Deleted Production

In mid-December 2025, an AWS engineer asked Kiro for help with a small bug in AWS Cost Explorer, the dashboard customers use to track their cloud spending. Kiro is Amazon’s own agentic coding assistant. It had been granted operator-level access to the environment, the same access the engineer had, because that was how Kiro was being rolled out across the company at the time.

Kiro looked at the bug, weighed its options, and decided the cleanest fix was to delete the production environment and rebuild it from scratch. The engineer never got a chance to step in. There was no confirmation prompt, no second pair of eyes, no two-person rule, and by the time anyone could have intervened the deletion was already done. Cost Explorer went down for thirteen hours in one of AWS’s mainland China regions.

This was not a security breach. It was an AI coding agent doing exactly what it had been set up to do, running with the engineer’s full credentials, with nothing in the architecture to catch the moment between “delete and recreate” being a reasonable option to consider and a production service being torn down.

In this issue, you’ll learn:

• What happened in the December outage, step by step
• Why Amazon’s “user error, not AI” response only told part of the story
• How the December incident set the stage for outages that cost an estimated 6.3 million orders by March 2026
• The scoped-identity pattern that prevents this whole category of failure

Why This Series Matters

Each “Horror Story” examines a real-world incident that turns laboratory findings into production disasters. These aren’t hypothetical attacks. They’re documented cases with named victims, internal memos obtained by reporters, and in several cases, public denials from the vendors. Our goal is to show the human and operational impact behind the security statistics, demonstrate how these failures unfold in practice, and provide concrete guidance on protecting your infrastructure through Docker’s scoped-identity execution model.

The story begins with an internal memo dated November 24, 2025. Three weeks before Kiro deleted the Cost Explorer environment, two of Amazon’s senior VPs, Peter DeSantis (AWS Utility Computing) and Dave Treadwell (eCommerce Foundation) signed and distributed an internal memo telling the company that Kiro was now the standardized AI coding assistant for the entire organization. The memo set a target of 80% weekly usage by every Amazon engineer by year-end 2025, and directed teams to stop using third-party AI tools unless a VP signed off on the exception.

Engineers came to call this the “Kiro Mandate.” Adoption was tracked as a corporate OKR, and engineers who weren’t using the tool showed up on management dashboards. The mandate was framed as a performance question, not a safety question, which mattered because the safety side of the rollout had not kept up. Things like peer review for destructive changes, approval gates for production access, and per-agent permission scoping had not been formally extended to AI-assisted work when the 80% target was set

Around 1,500 Amazon engineers signed an internal forum post pushing back, arguing that tools like Claude Code outperformed Kiro on real engineering tasks like multi-language refactoring. Management proceeded with the mandate anyway. By January 2026, 70% of Amazon engineers had used Kiro during sprint windows. Adoption was on track. The risk profile of what those engineers could do with the tool was a different story.

Then on February 20, 2026, the Financial Times broke the story based on accounts from four people familiar with the incident. The FT reporting also surfaced a second AI-related outage, this one involving Amazon Q Developer, on a separate system. Amazon’s response went up the same day under the title “Correcting the Financial Times report about AWS, Kiro, and AI.” It called the cause “user error, specifically misconfigured access controls, not AI as the story claims,” and dismissed the FT’s second-incident claim as “entirely false.”

The misconfigured access controls part is worth a closer look. A typo would have been “user error.” What actually happened was a structural decision to give an autonomous agent the same permissions as a human operator, in a system where the human’s safety net had always been a colleague asking “are you sure?” Kiro had no colleagues.

The Scale of the Problem

The December outage was the visible piece of a bigger pattern. Inside Amazon, briefing notes described a series of incidents with “high blast radius” tied to AI-assisted changes, with safety rules that had not yet been written for the way the agents were now being used. None of that language was ever shared publicly.

On March 2, Amazon.com showed shoppers the wrong delivery dates after they added things to their carts. About 120,000 orders were lost and 1.6 million people hit error pages. Amazon’s internal review pointed at one of its own AI tools, Amazon Q, as a main cause. Three days later, on March 5, the storefront went down for six hours and lost an estimated 6.3 million orders, with U.S. order volume dropping 99% while it was down. Both incidents traced back to AI-written code that had been pushed live without proper review.

On March 10, Dave Treadwell, the same SVP who had co-signed the Kiro Mandate four months earlier, announced a 90-day code safety reset across roughly 335 of Amazon’s most important systems. The new rules: two people had to sign off on every change going live, senior engineers had to approve AI-written code from juniors, and the automated checks were tightened. Treadwell called the new approach “controlled friction.” It’s a quiet way of saying the friction had not been there before, and that what arrived in March was what should have been in place in November.

How the Failure Works

To understand why these incidents happen, you have to look at the architecture underneath. Kiro was doing exactly what an agentic coding assistant is designed to do. The failure was in the system that surrounded it.

When Kiro runs on behalf of an engineer, it inherits the engineer’s full set of permissions. There’s no separate identity for “Kiro acting on behalf of someone,” no role with a narrower scope than the human who launched it. Whatever the engineer can touch, the agent can touch. This is the same property we walked through in Part 1 for filesystem access, applied here to cloud credentials instead. The agent gets a copy of the keys, every time.

Then there’s the loop. In most AI coding assistants the reasoning step and the execution step happen inside the same cycle. The agent thinks about what to do, generates the action, and runs it before the engineer has a chance to read what it decided. There’s no proposal stage, no preview screen, no “do you want me to do this?” gate that a human approves first. The deciding and the doing are one thing.

The speed makes this worse. Most safeguards in software engineering assume a human is the one making the change. A confirm? (y/n) prompt only protects against typos because a person sees it, pauses, and reads it. An agentic loop reads the same prompt and replies “y” in milliseconds. By the time anyone notices the agent has made a decision, the decision has already been executed. Post-hoc intervention isn’t really a thing in this environment.

And the reasoning that gets the agent there isn’t wrong. It’s just not bounded by the things that would have stopped a human. A senior AWS engineer with the same permissions would not have looked at a small bug in Cost Explorer and decided the right move was to tear down the production environment. They would have walked over to a colleague, posted in a Slack channel, paused to think about whether anyone had pinged them lately about that service. Kiro had the same permissions and skipped all of that, because none of it is part of how an AI agent makes a decision.

Kiro didn’t go rogue. It didn’t malfunction. It was optimizing for the objective it was given, which was to fix the bug, and “delete and recreate” is a legitimate solution in many engineering contexts. What was missing wasn’t smarter reasoning. It was the layer of friction that would have caught the moment between “this is a defensible option” and “this is happening to a live customer service.”

Technical Breakdown: How a Cost Explorer Fix Became a 13-Hour Outage

Caption: Diagram illustrating how operator-level permissions flow directly from engineer to agent to production control plane, with no scoped-identity boundary in between.

Here’s how the December incident unfolded, step by step:

1. The Request

An AWS engineer is looking at a small bug in Cost Explorer for the cn-northwest region. They hand it to Kiro the way they’d hand it to a colleague:

check the cost explorer issue in cn-northwest and propose a fix

That’s the whole prompt. No special framing, no permissions caveat. It’s just routine maintenance.

2. The Reasoning

Kiro looks at the environment, finds the misconfiguration, and weighs its options. It could patch the misconfiguration in place, or redeploy specific components, or tear the environment down and rebuild it cleanly from the deployment templates. From a pure correctness standpoint, the last option is the most thorough, since it guarantees no residual state from the broken configuration. That’s the path Kiro picks.

3. The Inheritance

Kiro is running as the engineer. The engineer has operator-level access to the Cost Explorer production environment, including the ability to tear it down, because that’s the kind of operation a human operator might legitimately need during an incident. The control plane has no concept of “Kiro acting on behalf of the engineer.” It only has “an authenticated principal with sufficient permissions making a request.” From its point of view, the engineer is making the call.

4. The Execution

Kiro initiates the deletion, and the request runs in the seconds it takes to send the API call. There is no confirmation prompt the engineer could intercept in that window, no two-person rule waiting on a second approver, and no policy gate watching for the specific shape of “this command would tear down a production service.” The control plane sees a valid API call from an authenticated principal with sufficient permissions, and it processes the call the way it would process any other operator request.

5. The Outage

Cost Explorer in the affected region goes down, and customers across that region lose the ability to view, analyze, or manage their cloud spending. The outage ends up running for thirteen hours, with almost all of that time spent on recovery rather than detection, because the deletion itself completed in the seconds it took to send the API call. Rebuilding the environment from the deployment templates, validating the configuration against the expected state, restoring connectivity to the services Cost Explorer depends on, replaying the state the old environment had built up, and bringing the service back up in front of real traffic is the work that takes the rest of the day.

Internally, the incident enters Amazon’s Correction of Error process, while externally the story stays quiet for two months until the Financial Times breaks it on February 20, 2026. Amazon’s response, issued the same day, frames the cause as “user error, specifically misconfigured access controls,” and announces mandatory peer review for production access in the same breath. That second part is the architectural admission that something more than user error needed to be fixed.

The Impact

Within thirteen hours, AWS had:

• Lost a production service for a regulated region (mainland China) where service continuity matters acutely
• Triggered an internal investigation that produced a post-incident briefing characterizing the failure as part of a “trend of incidents” with “high blast radius”
• Set the conditions for the follow-on incidents in March that cost an estimated 6.3 million orders

The technical fix was simple. Mandatory peer review for production access. The reason it wasn’t in place from the start is the part that matters: nobody had updated the operational model to account for the fact that the entity making the change might be moving at a thousand times the speed of the entity reviewing it.

This is what one autonomous “delete and recreate” decision produces when the agent has the same credentials as the engineer who launched it.

How Docker Sandboxes Eliminates This Attack Vector

Issues 1 and 2 covered the commands you’d type to run an agent in a sandbox. This one is about what sits underneath those commands, because the Kiro incident isn’t really a CLI problem. It’s an architecture problem, and no command-line flag fixes the kind of gap the December outage exposed. What fixes it is the layer the flag sits on top of.

That layer is the microVM. Each sandbox runs inside its own dedicated microVM, with its own kernel, its own filesystem, its own network namespace, and its own Docker daemon. It’s hardware-boundary isolation, the same kind you get from a full VM, but optimized for the way agents actually work: spin up in seconds, throw away when done, no path back to the host. As Docker’s microVM architecture post explains, the bounding box has to come from infrastructure, not from a system prompt. An LLM deciding its own security boundaries is not a security model.

This is the part that matters for the Kiro case. Inside a microVM, the agent isn’t an extension of the engineer’s identity. It’s a distinct process with a distinct view of the world, running on a different kernel, talking to a different Docker daemon, reaching the network through a proxy that the agent cannot see or bypass. The credentials that would let a human operator delete a production environment are not in the agent’s process memory, not in its environment variables, not in any file it can read. They live outside the microVM boundary entirely.

Three architectural decisions that close the Kiro gap

The Docker Sandboxes architecture documentation describes how each layer of the design protects against a specific class of failure. Three of those layers are directly relevant to the December incident.

1. The workspace is mounted at the same path it has on the host, and nothing else is. The sandbox sees the agent’s workspace through a filesystem passthrough at the same absolute path. That’s the only thing it sees. The engineer’s home directory, their cloud configs, their credential files, their SSH keys, all of that lives outside the boundary. If the agent reasoned its way to a “delete and recreate” plan, the deletion would target the workspace, which is reproducible from source anyway. The host stays whole.

2. The Docker daemon lives inside the VM, with no path back. This is the design decision that separates Docker Sandboxes from approaches that look similar on the surface. Mounting the Docker socket from the host gives the agent escape paths. WASM and V8 isolates can’t run a full development environment. A general-purpose VM is too heavy to spin up for a single session. A microVM with its own Docker daemon is the only model that gives the agent a real working environment without any of those compromises. For the Kiro case specifically, it means the agent can investigate the Cost Explorer bug, build container images, run tests against them, and propose a fix, all without ever holding the credentials it would need to execute that fix against the live service.

3. A proxy on the host enforces credentials and network policy. All outbound traffic from the sandbox routes through an HTTP/HTTPS proxy running on the host, outside the VM boundary. This is the layer that directly addresses what went wrong with Kiro. Secrets are stored on the host, scoped to specific services, and injected into outbound requests by the proxy. The agent never sees the values themselves. It also can’t get around the proxy, because the proxy is the only way traffic leaves the microVM at all. If the agent decides to call a destructive control-plane endpoint, the proxy is what stops it, regardless of what the model has reasoned its way to.

Why this matters for the Kiro incident specifically 

Let’s replay the December scenario against this architecture. The engineer launches the agent inside a sandbox. The microVM boots in seconds, the workspace gets mounted, and the agent starts up without any AWS operator credentials in its environment. Those credentials are still on the host, where they belong. From here, the agent investigates the Cost Explorer bug exactly the way Kiro did, reasoning through the same options and quite possibly landing on the same “delete and recreate” plan. Nothing on the inside of the box has changed.

What changes is what happens when the agent tries to act. The deletion call leaves the sandbox through the only path available to it, which is the proxy on the host. The proxy checks the network policy and either authenticates the call with a scoped, read-only credential the engineer set up for investigation work, or it refuses the call because the destination wasn’t on the allowlist. Either way, the December outcome, the thirteen-hour production outage, simply doesn’t happen. The agent’s plan ends up in front of the engineer as a proposal. The engineer reads “delete and recreate,” recognizes that it’s too much for a small bug, and asks the agent to patch in place instead.

This pattern generalizes. The same architecture that would have contained the LovesWorkin filesystem incident in Issue 2 would have contained the Kiro control-plane incident in this one, because both failures share the same root cause: an agent acting with the launching user’s full identity, at machine speed, against systems that have no way of knowing they’re talking to an agent. The microVM makes the agent a distinct actor with its own boundary. The isolated Docker daemon gives that actor a real working environment to operate in. The proxy gives the engineer a place to decide, ahead of time, what that actor can reach. The blast radius of anything the agent reasons its way into is bounded by what the sandbox allows, not by what the engineer who launched it happens to have access to.

The sbx CLI is what exposes all of this to the developer. Here’s what the Cost Explorer investigation would have looked like inside a sandbox, configured the way the December incident needed.

# 1. Store the AWS credential for the sandbox, outside the agent's view.
#    The actual scoping (read-only, Cost Explorer only) is handled
#    at the AWS IAM layer when the credential is created. From sbx's
#    side, the credential is opaque, the agent never sees the value,
#    and the proxy is what injects it into outbound calls.
echo "$AWS_COST_EXPLORER_READONLY_KEY" | sbx secret set -g aws

# 2. Define what the sandbox is allowed to reach on the network.
#    Cost Explorer read endpoints are on the list. Control-plane
#    endpoints that would let an agent tear down a production
#    environment are not.
sbx policy allow network "ce.amazonaws.com,api.anthropic.com"

# 3. Launch the agent inside the sandbox.
sbx run claude

# 4. After the session, review what the proxy allowed and denied.
#    Any attempt the agent made to reach an endpoint outside the
#    allowlist will show up here.
sbx policy log

Step 1 stores the AWS credential outside the agent’s view, with the read-only and Cost-Explorer-only scoping enforced by AWS IAM rather than by sbx. Step 2 defines the network perimeter the proxy will enforce, independent of how broad the credential’s IAM permissions actually are. Step 3 starts the agent inside the microVM with no path back to the host. Step 4 is what makes the whole setup auditable: every call the proxy allowed or denied during the session, including any attempt the agent made to reach destinations off the allowlist, shows up in sbx policy log.

What this gives the engineer, end to end, is a working agent with a known and bounded reach. The agent can investigate, reason, and propose. It cannot execute its way into a region-wide outage.

What This Looks Like in Practice

Stepping back from the Kiro story for a moment, the picture is straightforward. Docker Sandboxes gives an agent a real working environment, scoped credentials, a network boundary, and a path that throws everything away cleanly when the session ends. Compared with the way most engineers run AI coding agents today, the trade-offs look like this:

Security Aspect	Traditional Agentic Setup	Docker Sandboxes
Identity	Engineer’s full credentials	Scoped identity per task
Secret Handling	Loaded into agent context	Proxy-injected, never exposed
Production Access	Inherited from operator role	Explicit allowlist or nothing
Destructive Operations	Execute at machine speed	Reviewable before execution
Audit Trail	Per-engineer, post-hoc	Per-sandbox, real-time sbx policy log
Blast Radius	Whatever the engineer can do	Whatever the sandbox is configured for

The row that matters most for the Kiro story is the second-to-last one. Without a sandbox, a destructive operation runs as fast as the API call leaving the agent’s process. With a sandbox, that same operation has to clear the proxy first, which means it lands in the engineer’s review queue instead of in production.

Best Practices for Secure Agentic Production Work

1. Never give an agent your full production credentials. Create a scoped identity with the minimum permissions the specific task needs. If the agent is investigating a read-only issue, give it read-only access. The Kiro incident is what happens when this rule is skipped.
2. Inject secrets through a proxy, not through environment variables. A secret the agent never sees is a secret the agent cannot accidentally send to the wrong endpoint, leak in a log, or include in a code commit. Proxy injection turns the credential from data the agent holds into a capability the proxy provides.
3. Tag AI-assisted changes as a distinct change category. Track them, require senior review, and apply the two-person rule by default. This is not a slowdown for AI workflows. It is the same review discipline a senior engineer’s pull request would get, applied to an actor that ships at machine speed.
4. Read the policy log. sbx policy log records every connection attempt the proxy allowed or denied during a session. A blocked attempt to reach a destructive endpoint is exactly the signal you would want to see, and it stays buried unless someone looks.
5. Pair adoption metrics with blast-radius metrics. Amazon’s 80% Kiro target was a corporate OKR. The safeguards that should have moved alongside it were tracked nowhere. Pushing usage forward without also pushing safety boundaries forward is what set up the December outage.

Take Action

The path to safe agentic work in production-adjacent environments starts with one shift: stop giving agents the credentials you give your humans.

• Install Docker Sandboxes. The Docker Sandboxes documentation walks through installing sbx and running your first scoped-identity agent.
• Read the security model. The Docker Sandboxes security documentation covers credential handling, isolation layers, network policies, and workspace trust in detail.
• Try the proxy-injected secrets pattern. Running sbx secret set followed by sbx run is the quickest way to see how the threat model shifts when secrets sit outside the agent’s context rather than inside it.

If you’re new to this series, Issue 1 walks through the six categories of AI coding agent failures, and Issue 2 goes deep on the rm -rf ~/ incident on the filesystem layer.

Conclusion

The December Cost Explorer outage and the March outages on Amazon.com are points on the same line. They are what happens when an agent inherits an operator’s credentials, when the safeguards designed for human pace meet a decision-making loop that moves a thousand times faster, and when adoption gets pushed forward without anything pushing the safety boundary forward with it.

Amazon’s response is the part of the story worth holding onto. “User error, specifically misconfigured access controls” is true in the same way that “operator error, not the missing guardrail” was true for every famous industrial accident before guardrails were invented. The misconfigured access controls weren’t a typo. They were the structural decision to scale agentic adoption without scaling the identity model around it. Everything Amazon added afterward, the peer review, the senior sign-off on AI-assisted changes, the 90-day code safety reset, the “controlled friction” Treadwell described, points at the same gap. The agent needed to operate in a smaller box than the engineer it was running on behalf of.

Docker Sandboxes doesn’t try to make the agent more cautious; it changes what the agent can reach. The credentials sit outside the boundary. The destructive endpoints sit off the allowlist. The agent gets a real working environment, but not the production control plane.

Coming up in our series: Issue 4 will explore the GitGuardian sprawl report and the s1ngularity attack, where AI agents weaponized their own context windows to scan developer machines for credentials, and how proxy-injected secrets eliminate the exposure surface

Learn More

• Run agents safely with Docker Sandboxes: Visit the Docker Sandboxes documentation to get started.
• Explore the Docker MCP Catalog: Discover MCP servers that connect your agents to external services through Docker’s security-first architecture.
• Download Docker Desktop: The fastest path to a governed AI agent environment, with Docker Sandboxes, MCP Gateway, and Model Runner in a single install.
• Read the MCP Horror Stories series: Start with issue 1 to understand the protocol-layer security risks that complement the agent-layer risks covered here.

from Docker https://ift.tt/4QiDHTO
via IFTTT

Scripting the disassembler: Local agentic reverse engineering through vbdec’s live COM object model

• Analysis tools do not need AI built in to support agentic workflows; they simply need to expose their data through an external scripting interface. 
• Even traditional graphical user interface (GUI) applications can be made AI-accessible by publishing their internal object models, allowing agents to query and automate analysis without modifying the core application. 
• This approach can often be implemented with surprisingly little engineering effort, leveraging existing scripting technologies and application data structures. 
• By exposing structured data rather than adding predefined AI features, users can extend a tool's capabilities through prompts, turning new analyses into workflows instead of product feature requests. 
• The application becomes both an interactive viewer and a persistent data server, enabling local data to be parsed once and queried repeatedly across multiple agent sessions while keeping analyst-controlled data local.

---

The problem with VB6 binaries 

VB6 binaries are laid out as a complex file format with embedded metadata. Recovering advanced data embeddings means reimplementing VB6s’ internal file format: the VB header, the object table, and the P-code layout. This is a highly specialized task that takes dedicated tools to do accurately, but not every tool exposes an equivalent programmatic library. The technique in this blog shows how AI agents can automate existing tools and reach deep into the result set.

The recipe 

The whole technique comprises three pieces. Any one of them in isolation is interesting, but together they are a new working mode. 

The live model 

vbdec does not keep its parsed model locked behind its GUI. When a binary is loaded and remote scripting is enabled (Help → Options → Enable Remote Scripting), vbdec registers its central CVBProject object and its main form in the Windows Running Object Table (ROT) under the monikers vbdec.vbp and vbdec.frmMain. The ROT is a system-wide directory of live Component Object Model (COM) objects; any process can look an object up by moniker and receive a reference to the running instance. From a script, that is a single line:

Set o = GetObject("vbdec.vbp")

The variable o can now access the entire parsed project: every form, class, module, declared API, P-code body, control, and string, presented as a navigable object graph. The script is driving the disassembler itself. 

Note: For VB6 host applications in particular, this capability can even be forcefully added without source code access.

The contract 

A live model is useless to an agent that does not know its shape. vbdec now includes an AI agent support package that helps bridge this gap. The first is the operator briefing (“_claude_vbdec_ai_instructions.txt”) — a short markdown file that tells the agent what vbdec is, how to bind to the ROT, and how the object model is shaped. The second is the proto folder — 90 auto-generated class definitions covering every public class and form vbdec exposes. The agent treats these as the authoritative reference for member names and types. (The original IntelliSensesupport files were also usable for this task.)

The local agent 

The third piece is the agent. In this blog, Talos used Claude Code, run locally on the workstation. The user opens a terminal, points the AI at the briefing and prototypes, and simply describes what they would like analyzed. Claude Code then runs multiple .vbs files with cscript and explores the data through iterations. There is no preselected AI integration embedded in vbdec, no upload for the analyst’s binary, and no glue to be maintained as a separate codebase. The agent and disassembler share a machine and file system; analysis occurs locally, with only the model inference requests leaving the workstation.  

Whatever capability the agent adds next extends vbdec without any new code in the tool itself, and users are free to select whichever model they prefer.

What the analyst actually does 

Next are a couple examples tested against a P-code version of PDFStreamDumper.

Decompile a function 

The analyst names a function and asks for a source code reconstruction. The agent pulls the P-code, walks the VB-VM opcode stream, maps each construct to its VB6 equivalent, and produces a source level equivalent with inline comments.

Figure 1. Example output (right) compared to the original source function (left).

The reconstruction is not byte-identical, but the control flow is substantially recovered with agent comments added in. It is also interesting to note that the AI went into the subfunctions on its own, determined their purpose, and gave them reasonable names to complete its task decompiling the parent. This is usable reverse-engineering output that a human would spend substantial time producing, now scalable and generated in seconds.

Build a call graph 

The analyst picks a function and asks for its callees as a Graphviz DOT file. The agent walks each CCodeBody.Disasm, picks out the call opcodes (ImpAdCallI2, VCallHresult, LateMemCall, and others) and emits the DOT graph with depth tracking.

Figure 2. Example output for a target in PDFStreamDumper.

Dump every function to SQL 

To test a real automation-heavy use, the agent was next asked to enumerate every function in the binary and dump stats to a SQLite database including address, size, module, instruction count, callees, and external API calls. The agent did this in a single cscript pass over o.CodeObjects, classifying calls with the same rules used in the graph task. For PDFStreamDumper the result is a 600+-row database. Now the database can be explored with simple queries such as:

SELECT display_name FROM functions WHERE api_calls LIKE '%RtlMoveMemory%';

The binary has been transformed from something you must click through into something you can simply query. Whole-program questions that would be impractical by hand become single-line requests.  

The three tasks above — decompile, graph, export — used to be features that a tool vendor would have to design, build, and ship as menu items. They are now prompts a user can add on themselves. The capability surface of the tool has decoupled from the feature list of the tool.

Build an opcode reference database 

The same recipe scales beyond single analyses to producing reference data. In the next example the agent was tasked with building a complete opcode database for the VB6 P-code interpreter (MSVBVM60.dll; 1,165 dispatch slots). Two tools were coordinated. Vbdec was again used over the ROT to search and analyze actual examples of every opcode from a real binary (PDFStreamDumper). The results were then bolstered utilizing the idalib MCP server to read the actual runtime handler functions in VB runtime itself to verify what each opcode does at the dispatch level. 

The results were combined into a SQLite database that includes operand decoding, handler-verified semantics, alias relationships, corpus statistics, and written descriptions for every opcode. Resources such as this could now be fed back into AI agents to produce better P-code decompilation. This corpus of knowledge would be impractical to build by hand, yet was agentically synthesized in a matter of hours.

Figure 3. Opcode database AI created by analyzing disassembly from vbdec and IDA.

Application testing

The same mechanism can also be used to test the outputs of the tool itself. An agent pointed at the briefing and prototypes will exercise the real COM surface against actual data. With COM in particular this means there is no mock, no proxy, and no UI automation layers to debug in between.  

Method signature drift, type regressions, malformed objects, edge-case P-code, missing members are all easily exposed. The proto files and the briefing get tested alongside the API implementation itself.

What this makes possible 

This design pattern generalizes cleanly. Any analysis tool that publishes its internal model to the ROT and ships an operator briefing with prototypes can become a substrate for local agentic automation. The interactive GUI remains available for exploration; the agent handles everything that benefits from being repeatable, exhaustive, or fast. 

The architectural move is the part worth carrying away. The author of an analysis tool that holds structured data behind a UI does not have to predict the analyses their users will want.  

Publish the model, write the briefing, and hand the keys over to the user. Every user wish list idea now collapses into the same answer: Ask the agent. Tedious analysis can be easily automated.  

The local part is valuable as well. Sensitive binaries do not leave the analyst’s machine. There is no API key in the product and there is no service that can be discontinued. The agent is whichever agent the analyst already has. The contract between agent and tool is text files on a file system.

Conclusion 

While analysis tools commonly include internal scripting, exposing the application to external automation is what opens them to AI agents. ROT-published COM objects are well-suited to this because they are language-agnostic, process-agnostic, synchronous, and discoverable. Turning the analysis tool into a data server has additional benefits, such as allowing repeat query sessions without itself having to reload and reparse the data set.  

While the specific design in this paper was COM-based, any IPC communication protocol could be used. COM and IDispatch are particularly useful here because they are inherently scriptable without requiring additional marshaling or synchronization layers.  

Another aspect of this design that is easy to overlook is the utility of having a full GUI for data exploration at the forefront. Data can be explored and verified manually and then scripts written against it for bulk operations. While plugin frameworks have been the traditional solution to automation needs, plugin development is generally quite bulky in practice and often bound to a specific program version.

With this paradigm, the disassembler stops being a place you look at a binary, and becomes a service you ask questions of.

from Cisco Talos Blog https://ift.tt/qpE96X0
via IFTTT