Threat Brief | AI Ran a Ransomware Attack On Its Own — And a Firewall Flaw Is Now Feeding the Gangs

netMethods Threat Brief

This week delivered three very different headlines that all point to the same uncomfortable truth: attackers no longer need to be brilliant. They need you to leave something exposed. Here's what happened, and what it means for your business.

1. An AI ran a full ransomware attack — with no human at the keyboard

Researchers at Sysdig documented what they believe is the first ransomware operation carried out entirely by an autonomous AI agent. Nicknamed JADEPUFFER, the AI handled every step itself — scouting the network, stealing credentials, moving between systems, encrypting data, and even writing the ransom note — with no operator driving it in real time. In one moment it hit a failed login and diagnosed and fixed the problem in 31 seconds.

How did it get in? Not through some exotic new weapon. It walked through a year-old, already-patched flaw in an internet-facing server (a tool called Langflow) that simply had never been updated.

So what: The barrier to running ransomware just dropped to "whatever it costs to rent an AI agent." Worse, in this case the AI generated an encryption key it never saved and deleted data anyway — so paying the ransom wouldn't have brought anything back. The takeaway isn't really about AI. It's that an unpatched, internet-facing system is now something that gets probed automatically, at machine speed, around the clock. Patch discipline and tested, offline backups just went from "good practice" to "the whole game."

2. A firewall break-in is now feeding two ransomware gangs

Earlier reporting revealed FortiBleed — a campaign that quietly turned exposed Fortinet firewalls into credential-stealing devices, sniffing VPN logins and passwords straight off network traffic across roughly 430,000 devices worldwide. This week, SOCRadar connected that stolen access directly to two active ransomware crews, INC Ransom and Lynx. It's the first confirmed link between the firewall harvest and actual ransomware being deployed — and both gangs favor manufacturing, healthcare, and industrial targets.

So what: Your firewall is supposed to be the thing keeping attackers out. Here, it became the thing quietly letting them in. If you run Fortinet gear, treat any internet-exposed device as potentially compromised: patch it, rotate VPN and admin credentials, hunt for unfamiliar admin accounts, and enforce multi-factor authentication everywhere. A firewall you haven't touched in a year is not protecting you — it may be working against you.

3. Even the biggest consultancy leaked its keys

Accenture — one of the largest IT services firms on earth — confirmed a breach after a seller advertised roughly 35GB of stolen data. The eye-catching part was source code, but the genuinely dangerous part was the live cloud credentials that came with it: Azure access tokens, storage keys, and SSH/RSA keys.

So what: Source code can be rebuilt. Working keys open doors until someone shuts them. Long-lived tokens and access keys tend to pile up quietly in most environments — in code, in config files, in old integrations nobody remembers. This is a reminder to rotate them on a schedule, keep secrets out of your codebase, and regularly audit what still has valid access to your systems.

The common thread

None of this week's incidents required a criminal mastermind. They required a forgotten server, an unrotated credential, and an exposed firewall. That's the everyday exposure that automated, AI-assisted attackers are built to find — and it's exactly what continuous monitoring, disciplined patching, and credential hygiene are built to catch before they become a bad Monday.

If you're not sure what the oldest unpatched system on your network is right now, that's worth answering this week. See how netMethods keeps Southern California organizations continuously monitored and patched »

netMethods — Reliable IT. Practical AI. One Local Team. Serving Orange County and Southern California.

Image: BleepingComputer.

Next
Next