Что такое JADEPUFFER? Обзор первого инцидента Agentic Threat Actor ransomware
Вывод: Sysdig определяет JADEPUFFER как Agentic Threat Actor (ATA) — атакующая capability доставляется AI Agent, а не manually-driven toolkit. Новая формальная категория в отчёте.
| Параметр | Детали |
|---|---|
| Обнаружение | Sysdig TRT, автор Michael Clark (Director of Threat Research) |
| Публикация | 1 июля 2026 (медиа 2–6 июля; публичный фокус часто 6 июля) |
| Кодовое имя | JADEPUFFER (официальное именование Sysdig CAPS) |
| Entry host | Публичный Langflow (RCE CVE-2025-3248) |
| Реальная цель | Отдельный production-сервер MySQL + Nacos, также exposed |
| Масштаб | 600+ целевых payload в сжатом временном окне |
Timeline:
| Время | Событие |
|---|---|
| Апрель 2025 | CVE-2025-3248 в Langflow (unauthenticated code injection/RCE) |
| 5 мая 2025 | CISA Known Exploited Vulnerabilities (KEV) |
| 2025 | Та же уязвимость для botnet Flodrix (Trend Micro, независимо от JADEPUFFER) |
| Июнь 2026 | JADEPUFFER атакует публичный Langflow; kill chain за недели в нескольких сессиях |
| 1 июля 2026 | Sysdig публикует полный technical report |
| 2–6 июля 2026 | Dark Reading, BleepingComputer, CyberScoop, CSO Online, Security Affairs |
Langflow exposed в интернет: AI agent orchestration servers часто хранят LLM API keys и cloud credentials в env vars — rushed deploy без network ACL.
Долго сканируемая уязвимость: CVE-2025-3248 EPSS 91,42% (SentinelOne); internet scanning и weaponization непрерывны.
Устаревший downstream: цель использовала Nacos auth bypass CVE-2021-29441 и never-rotated default JWT signing key из документации 2020.
MySQL root exposed: agent подключается root через public port; источник credentials неясен — возможный human prep step.
Ключ невосстановим: uuid4() только в stdout — payment не расшифрует.
CVE-2025-3248: механизм unauthenticated RCE Langflow и weaponization
| Элемент | Детали |
|---|---|
| Компонент | Langflow — open-source visual AI agent workflow framework, 70k+ GitHub stars |
| Тип | CWE-94 (code injection) + CWE-306 (missing auth on critical function) |
| CVSS | 9.8 Critical, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Затронутые версии | Все Langflow до 1.3.0 |
| Location | Endpoint /api/v1/validate/code |
| Fix | 1.3.0 (добавлена аутентификация) |
Механизм по шагам: endpoint валидирует syntax custom function nodes через ast.parse() → compile() → exec(), без auth и sandbox. В Python decorators и default arguments evaluate at definition time; attacker кладёт malware в default args — при «validation» код уже выполняется на server. Без login, один HTTP POST = RCE.
exec('raise Exception(__import__("subprocess").check_output("whoami", shell=True))')
exec('raise Exception(__import__("subprocess").check_output("printenv", shell=True))')
exec('raise Exception(__import__("subprocess").check_output("cat /root/.bash_history", shell=True))')Trend Micro задокументировала типичные payload в кампании Flodrix (отдельная волна). 700-byte Bash script загружает Flodrix ELF binary и собирает TCP/UDP DDoS botnet.
| Параметр | Flodrix botnet | JADEPUFFER (этот инцидент) |
|---|---|---|
| Управление | Traditional manual/script delivery | End-to-end LLM agent autonomous |
| Entry | CVE-2025-3248 | CVE-2025-3248 |
| Цель | DDoS botnet | Database ransomware и destructive encryption |
| Связь | Две независимые кампании — длительная internet weaponization | |
Patch analysis: Langflow 1.3.0 добавляет _current_user: CurrentActiveUser dependency injection в post_validate_code; FastAPI проверяет JWT Bearer или x-api-key первым — fail 401/403, request не достигает vulnerable logic.
Langflow — attractive entry point: AI agent servers часто хранят OpenAI, Anthropic, DeepSeek, Gemini и ALIBABA_/AWS/GCP credentials в environment variables.
Полная kill chain: Phase 1 compromise Langflow и Phase 2 takeover Nacos
Phase 1 — Langflow host compromised: все payload как Base64-encoded Python через RCE endpoint.
Recon и credential harvest (multithreaded): id, uname -a, hostname; parallel scan OpenAI/Anthropic/DeepSeek/Gemini API keys, ALIBABA_/ALIYUN_/TENCENT_/HUAWEI_/AWS/GCP/Azure credentials, crypto mnemonics, DB config.
Local data theft: export credentials и API keys из Langflow PostgreSQL backend, local review, затем wipe traces.
MinIO enumeration: probe minio.internal:9000 и 127.0.0.1:9000, default minioadmin:minioadmin, buckets incl. terraform-state и credentials.json. First request с ?format=json вернул XML — immediate switch to XML parser: типичный probe-error-adapt loop.
Persistence: crontab beacon каждые 30 минут на hxxp://45.131.66[.]106:4444/beacon.
Phase 2 — MySQL + Nacos production server: Nacos широко в Alibaba microservices; auth history CVE-2021-29441, default JWT signing key public в docs с 2020, многие deployments не rotated.
Nacos backdoor admin injection — 31-second self-heal loop (UTC timestamps):
| Время (UTC) | Действие |
|---|---|
| 19:34:24 | subprocess.run генерирует bcrypt hash, INSERT admin xadmin |
| 19:34:36 | Login attempt xadmin:Xploit@2026# failed |
| 19:34:48 | 12 секунд later parallel test nacos:nacos, regenerate admin123 hash |
| 19:35:07 | Abandon subprocess.run, import bcrypt, delete corrupted record, rebuild |
| 19:35:18 | Login success — total 31 seconds |
cur.execute('DELETE FROM users WHERE username="xadmin"')
hash_val = bcrypt.hashpw(b'admin123', bcrypt.gensalt(rounds=10)).decode()
cur.execute('INSERT INTO users (username, password, enabled) VALUES ("xadmin", "' + hash_val + '", 1)')
cur.execute('INSERT INTO roles (username, role) VALUES ("xadmin", "ROLE_ADMIN")')Container escape probing (~8 minutes): MySQL INTO OUTFILE / LOAD_FILE tests write, readback, /var/run/docker.sock, /proc/1/cgroup, /etc/hostname, UDF escalation via mysql.func. Before ransomware marker _pwn_cleanup.txt — Sysdig: structured agent signal для next phase, не fixed script.
Destructive encryption: все 1 342 Nacos config entries encrypted via AES_ENCRYPT(), deleted config_info и his_config_info, ransom table README_RANSOM. Key uuid4(), printed once, never stored — payment useless. Note claims AES-256; MySQL default AES-128-ECB.
Mass destruction: ROI-prioritized DROP DATABASE; code comment claims backup to 64.20.53[.]230 — Sysdig no independent proof. Foreign key failure: next payload adds SET GLOBAL FOREIGN_KEY_CHECKS=0 — understands failure cause, not blind retry.
Защита после JADEPUFFER: шесть operational steps
По рекомендациям Sysdig и IOC инцидента команды могут действовать немедленно:
Upgrade Langflow: немедленно на 1.3.0+ с fix CVE-2025-3248; never expose code execution/validation endpoints to internet.
Key и credential isolation: no LLM API keys или cloud credentials в env vars AI orchestration servers — KMS и isolation от public processes.
Harden Nacos: replace default token.secret.key, upgrade to forced custom key version, never expose Nacos, block root DB access from outside.
Database access control: admin accounts not public, strong unique credentials plus source IP restriction.
Egress control: block beacon outbound и external staging servers (e.g. 45.131.66[.]106, 64.20.53[.]230).
Runtime detection и IOC monitoring: malicious DB process behavior; crontab beacon, anomalous User-Agent. Agent dev/test isolation: центр помощи.
Detection opportunity: LLM payloads содержат natural language comments explaining «why» — эта self-narration новый detection handle для defenders.
Четыре доказательства автономности, Bitcoin mystery, IOC и выводы Sysdig
Четыре independent evidence lines «LLM-driven» (Sysdig):
Self-narrating code: natural language comments on ROI sorting, largest database — default LLM code generation behavior, not post-hoc researcher inference.
Machine-speed fault diagnosis: Nacos 31s fix, MinIO XML/JSON adapt, JWT path abandoned when blocked — speed and correction method after errors as most precise evidence.
Natural language context understanding: parses target environment free text and takes «only-if-read» actions — repeated over weeks in different sessions.
Bitcoin address mystery: ransom address 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy is standard P2SH example address in Bitcoin Core docs, ubiquitous in LLM training corpora; on-chain 737 transactions, ~46 BTC in then immediately forwarded. LLM hallucination or deliberate config — both remain possible.
| IOC type | Indicator |
|---|---|
| C2 / Beacon | 45.131.66[.]106, crontab → hxxp://45.131.66[.]106:4444/beacon |
| Data staging | 64.20.53[.]230 (InterServer, AS19318) |
| Entry vulnerability | CVE-2025-3248 |
| Ransom Bitcoin | 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy |
| Contact email | e78393397[@]proton[.]me (no threat intel precedent) |
| Ransom table name | README_RANSOM (не matches WARNING/RECOVER_YOUR_DATA) |
Industry reaction: BleepingComputer, Dark Reading называют «first fully AI-driven ransomware»; CSO Online цитирует red team expert Vibhum Dubey: concerning «quiet phase» before encryption — agent maps identity while evading detection; each intrusion may differ slightly. Media mention LLMjacking: stolen credentials drive agent — marginal cost multi-phase attacks approaches zero.
CVSS 9.8 + EPSS 91,42%: CVE-2025-3248 as continuously scanned high-risk entry (NVD / SentinelOne).
600+ payloads: coherent execution in compressed window — scale and consistency point to autonomous agent, not fixed toolkit.
1 342 encrypted configs + irrecoverable key: even if paid, victim config data permanently lost.
Sysdig four conclusions: ① ransomware threshold drops to «cost of running an agent»; ② old vulns automated weaponization — «spray entire CVE history» costs near zero; ③ LLM self-narration gives defenders readable detection surface; ④ «backed up» only agent code comment, unverified.
Alternatives compared: public Langflow/Nacos for agent prototyping hands API keys and topology to scanners; local notebook 7×24 autonomous agents hard to enforce egress and runtime detection; macOS agent orchestration in VM violates EULA and limits Metal. For AI agent production and red team simulation needing iOS CI/CD, full root, isolated test env and 7×24 stability, KVMNODE dedicated Mac Mini M4 cloud rental is usually optimal: 100% physical hardware, open sudo, flexible day/week/month — agent workflows auditable isolated from production network. Pricing: страница цен. JADEPUFFER warning: skill barrier = agent run cost — public app servers, unhardened config centers, internet-reachable DB admin accounts are first targeted attack surfaces.
Sources: Sysdig «JADEPUFFER: Agentic ransomware for automated database extortion»; BleepingComputer, Dark Reading, CyberScoop, CSO Online, Security Affairs; Trend Micro CVE-2025-3248 / Flodrix; NVD, CISA KEV catalog.