
Cybersecurity Snapshot: Agentic AI Security in Focus With Anthropic’s Chilling Abuse Disclosure and CSA’s New Identity Protection Framework

Check out Anthropic’s unvarnished description of how a brazen attacker maliciously used its Claude Code product. Plus, the CSA tackles IAM in agentic AI systems. In addition, cyber agencies issue a stark warning about the cyber espionage threat from China-backed APT groups. And get the latest on SBOMs, IoT security and secure software provisioning!

Here are six things you need to know for the week ending August 29.

1 - Anthropic: Attacker turned Claude Code agentic AI tool into a master hacker

Here’s a wild story, even by the standards of the artificial intelligence world.

AI vendor Anthropic this week detailed how a sophisticated cyber crook weaponized its Claude Code product to “an unprecedented degree” in a large-scale extortion and data-theft campaign.

Specifically, the attacker used this agentic AI coding tool to:

  • Automate reconnaissance.
  • Harvest victims’ credentials.
  • Breach networks.
  • Make tactical and strategic decisions, such as choosing which data to exfiltrate, and crafting “psychologically targeted” extortion demands.
  • Crunch exfiltrated financial data to pick appropriate ransom amounts.
  • Generate “visually alarming” ransom notes.

The incident, the company said, takes AI-assisted cybercrime to another level.

“Agentic AI has been weaponized. AI models are now being used to perform sophisticated cyberattacks, not just advise on how to carry them out,” Anthropic wrote in a blog post.

This evolution of agentic-AI abuse complicates AI security efforts because an agentic tool, by its very nature, acts autonomously and can therefore adapt to defensive tactics in real time.
 

Illustration of a brain in the middle of five computer screens indicating abuse of an agentic AI tool

(Image generated by Tenable using Google Gemini)

By the time Anthropic shut down the attacker’s accounts, at least 17 organizations had been hit, including healthcare, emergency services, government and religious groups.

“We have also developed a tailored classifier (an automated screening tool), and introduced a new detection method to help us discover activity like this as quickly as possible in the future,” Anthropic wrote.

This incident, which Anthropic labeled “vibe hacking,” is just one of 10 real-world use cases included in Anthropic’s “Threat Intelligence Report: August 2025” that detail abuses of the company’s AI tools.

Anthropic said it hopes the report helps the broader AI security community boost their own defenses.

“While specific to Claude, the case studies presented below likely reflect consistent patterns of behaviour across all frontier AI models. Collectively, they show how threat actors are adapting their operations to exploit today’s most advanced AI capabilities,” the report reads.

For more information about AI security, check out these Tenable Research blogs:

2 - CSA: Traditional IAM can’t handle agentic AI identity threats

And speaking of agentic AI security: What happens when you give these autonomous AI systems the keys to your organization’s digital identities?

It’s a question that drove the Cloud Security Alliance (CSA) to come up with a proposal for how to better protect digital identities in agentic AI tools.

In its new paper "Agentic AI Identity and Access Management: A New Approach," the CSA argues that traditional approaches for identity and access management (IAM) fall short when applied to agentic AI systems.
 

Cover page of the Cloud Security Alliance report "Agentic AI Identity and Access Management: A New Approach"


“Unlike conventional IAM protocols designed for predictable human users and static applications, agentic AI systems operate autonomously, make dynamic decisions, and require fine-grained access controls that adapt in real-time,” the CSA paper reads.

The CSA proposes a new, adaptive IAM framework that pivots away from predefined roles and permissions and instead focuses on a continuous, context-aware approach. 

The framework is built on several core principles:

  • Zero trust architecture
  • Decentralized identity management
  • Dynamic policy-based access control
  • Continuous monitoring

“We then propose a comprehensive framework built upon rich, verifiable Agent Identities (IDs), leveraging Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs), that encapsulate an agent's capabilities, provenance, behavioral scope, and security posture,” the paper reads.

Key components of the framework include an agent naming service (ANS) and a unified global session-management and policy-enforcement layer.

For more information about IAM in AI systems:

3 - Global alert: China-backed APTs hit critical infrastructure in cyber espionage campaign

Patch known exploited vulnerabilities. Adopt centralized logging. Secure your network’s edge devices.

Those are basic but essential steps that critical infrastructure organizations should take immediately to protect themselves against ongoing and global cyber attacks from advanced persistent threat (APT) attackers backed by the Chinese government (PRC).

So said multiple U.S. and international government agencies in the joint advisory “Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System,” published this week.

“By exposing the tactics used by PRC state-sponsored actors and providing actionable guidance, we are helping organizations strengthen their defenses and protect the systems that underpin our national and economic security,” Madhu Gottumukkala, Acting Director of CISA, said in a statement.
 

Cover image of the NSA report “Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System”


The advisory primarily covers attacks against the network infrastructure of large telecom providers that have been attributed to actors identified by names including Salt Typhoon, Operator Panda, RedMike, UNC5807 and GhostEmperor since 2021.

A common theme: For initial entry, the attackers look for low-hanging fruit, such as vulnerabilities that have been disclosed and for which patches exist, including these:

Once inside, the attackers try to avoid detection so that they can maintain a long-term, persistent presence in the victims’ networks for intelligence gathering. While telecoms are the most common target, other critical infrastructure sectors, such as the military and transportation, have also been hit.

Key tactics highlighted in the advisory include:

  • Living off the land: The actors leverage legitimate, built-in network administration tools and protocols, such as FTP and TFTP, to blend in with normal traffic and move laterally across networks.
  • Credential harvesting: They are adept at stealing and using valid credentials to maintain access and escalate privileges within compromised environments.
  • Data staging: The advisory notes that attackers often use internal FTP servers as staging areas to aggregate data before exfiltration, a key indicator of compromise for network defenders to monitor.

Here’s a small sampling of the many mitigation recommendations included:

  • Prioritize monitoring firmware and software integrity by performing hash verifications against vendor databases.
  • Review network device logs for unusual activity, such as cleared logs, disabled log forwarding, or configuration changes from unexpected locations.
  • Implement robust access controls and phishing-resistant multi-factor authentication.
  • Prioritize patching publicly known vulnerabilities that represent the highest risk, and specifically the CVEs the advisory singles out.
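The log-review recommendation above (cleared logs, disabled log forwarding, configuration changes from unexpected locations) lends itself to a simple automated check. The Python below is an added example, not code from the advisory or from Tenable; the syslog lines are constructed in an IOS-style format, and the trusted management subnet is an assumption to be replaced with your own.

```python
import ipaddress
import re
from typing import Iterable

# Management networks from which configuration changes are expected.
# Assumption for this example; substitute your own management subnets.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Patterns for the three conditions the advisory calls out. The log formats
# they match are constructed for this example, modeled on IOS-style syslog.
CLEARED_LOGS = re.compile(r"log(ging)? (buffer )?cleared|clear logging", re.I)
FORWARD_OFF = re.compile(r"\bno logging (host|trap)\b|syslog forwarding disabled", re.I)
CONFIG_CHANGE = re.compile(
    r"Configured from (?P<how>\S+) by (?P<user>\S+) on (?P<line>\S+) \((?P<ip>[\d.]+)\)", re.I)


def review_device_log(lines: Iterable[str]) -> list[dict]:
    """Return one finding per log line that matches a high-risk condition."""
    findings = []
    for n, line in enumerate(lines, 1):
        if CLEARED_LOGS.search(line):
            findings.append({"line": n, "type": "logs_cleared"})
        elif FORWARD_OFF.search(line):
            findings.append({"line": n, "type": "log_forwarding_disabled"})
        else:
            m = CONFIG_CHANGE.search(line)
            if m:
                src = ipaddress.ip_address(m["ip"])
                # A config change is only a finding when it did not come from
                # a trusted management network.
                if not any(src in net for net in TRUSTED_MGMT_NETS):
                    findings.append({"line": n, "type": "config_change_untrusted_source",
                                     "user": m["user"], "source": str(src)})
    return findings


# Constructed sample log (not real data): one benign change, one change from an
# unexpected source, forwarding switched off, then the buffer wiped.
SAMPLE_LOG = """\
<189>Aug 28 02:11:03 core-rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.0.7)
<189>Aug 28 02:14:40 core-rtr1 %SYS-5-CONFIG_I: Configured from console by netops on vty1 (198.51.100.23)
<189>Aug 28 02:15:02 core-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops logged command:no logging host 10.10.0.50
<189>Aug 28 02:15:30 core-rtr1 %SYS-5-LOG_CLEARED: Logging buffer cleared by netops
<189>Aug 28 03:00:00 core-rtr1 %LINK-3-UPDOWN: Interface Gi0/1, changed state to up
""".splitlines()

if __name__ == "__main__":
    for finding in review_device_log(SAMPLE_LOG):
        print(finding)
```

Because the patterns are keyed to message text rather than mnemonics, check them against your own vendors' log formats before relying on them.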

For more information about Salt Typhoon and related China-backed APT attacks against critical infrastructure, check out these Tenable blogs:

4 - CISA tool aims to help orgs choose secure software

Buying new software is a security gamble. To improve the odds, CISA released a free interactive tool that walks organizations through a security checklist questionnaire before they buy. 

The agency says it offers a simple way to vet a vendor's security practices, covering everything from supply chain integrity to vulnerability management.

The free “Software Acquisition Guide: Supplier Response Web Tool” covers five key software-security areas:

  • Supplier governance and attestations
  • Software supply chain
  • Secure software development
  • Secure software deployment
  • Vulnerability management
     
Cartoon image of a software buyer in a suit at a poker table betting on the safety of his software purchases while a CISA official with a magnifying glass helps him vet the software's security

(Image generated by Tenable using Google Gemini)

The tool is based on the CISA guide “Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle,” published last year.

“Transforming the Software Acquisition Guide into an interactive format simplifies integrating cybersecurity into every step of procurement,” a CISA official said in a statement this week.

For example, the vulnerability management section covers topics including software vendors’ vulnerability disclosure and remediation policies; patching methods; granularity of vulnerability scanning; threat hunting techniques; and more.

While the tool is primarily aimed at government agencies, it is also available to the public.

For more information about vetting the security of software products prior to purchasing them:

5 - NIST tackles IoT security with categorization of IoT device behavior

How do you stop your internet-of-things (IoT) devices from going rogue?

To help with that challenge, the U.S. National Institute of Standards and Technology (NIST) this week published guidance for capturing and documenting the network-communication behavior of IoT devices – an element that’s key for IoT cybersecurity.

“It enables the implementation of appropriate network access controls (e.g., firewall rules or access control lists) to protect the devices and the networks on which they are deployed,” reads the publication, titled “Methodology for Characterizing Network Behavior of Internet of Things Devices.”

Here’s the security challenge: The vast number of IoT devices and their dynamic and unpredictable communication patterns create a complex attack surface. An IoT device’s network activity can change based on user interaction, software updates or its current life cycle stage.
 

Image of shield filled with ones and zeros on top of a network computer chip with circles around the shields filled with internet-of-things icons

(Image generated by Tenable using Google Gemini)

Thus, identifying and understanding how IoT devices should behave on the network can provide insights for adjusting their ability to communicate based on security criteria, as well as for flagging those that start acting suspiciously.

Basically, NIST is offering a method for fingerprinting your IoT devices’ normal network behavior and establishing a baseline of expected activity.

According to NIST, IoT makers and users who gather this network-behavior information using its methodology can create files based on the Manufacturer Usage Description (MUD) specification to manage access to and from those IoT devices.

MUD, according to NIST, offers a standard way of specifying the network communications that an IoT device needs to operate effectively. This allows network operators and security tools to use these MUD profiles to create precise access control lists or firewall rules. That way, organizations can enforce a least-privilege model for IoT devices.

To further streamline this process, NIST also created MUD-PD, an open-source tool designed to assist in developing MUD files by automating the task of characterizing IoT devices’ network behavior and generating corresponding MUD files.
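As an added illustration of the baseline-then-MUD workflow described above (this is not NIST's MUD-PD or any of its code), the Python below derives a device's expected outbound flows from constructed flow records, emits a simplified from-device MUD document whose key names are modeled on RFC 8520, and flags a later flow that falls outside the baseline. The flow records, host names and device name are all constructed for the example.

```python
import json
from typing import NamedTuple


class Flow(NamedTuple):
    dst_host: str   # DNS name the device talked to
    proto: int      # 6 = TCP, 17 = UDP
    dst_port: int


# Constructed flow records for one device, gathered during a characterization
# window (onboarding, normal operation, a firmware update). Not real data.
OBSERVED = [
    Flow("time.example.net", 17, 123),
    Flow("update.vendor.example", 6, 443),
    Flow("update.vendor.example", 6, 443),
    Flow("telemetry.vendor.example", 6, 8883),
]


def baseline(flows) -> set[Flow]:
    """Distinct (host, proto, port) tuples the device needs: its expected behavior."""
    return set(flows)


def to_mud(device_name: str, allowed: set[Flow]) -> dict:
    """Emit a simplified from-device MUD document (key names modeled on RFC 8520)."""
    aces = []
    for i, f in enumerate(sorted(allowed)):
        l4 = "tcp" if f.proto == 6 else "udp"
        aces.append({
            "name": f"{device_name}-out-{i}",
            "matches": {
                "ipv4": {"protocol": f.proto, "ietf-acldns:dst-dnsname": f.dst_host},
                l4: {"destination-port": {"operator": "eq", "port": f.dst_port}},
            },
            "actions": {"forwarding": "accept"},
        })
    acl_name = f"mud-{device_name}-from"
    return {
        "ietf-mud:mud": {
            "mud-version": 1,
            "systeminfo": f"{device_name} outbound profile",
            "from-device-policy": {"access-lists": {"access-list": [{"name": acl_name}]}},
        },
        "ietf-access-control-list:acls": {
            "acl": [{"name": acl_name, "type": "ipv4-acl-type", "aces": {"ace": aces}}]},
    }


def deviations(allowed: set[Flow], new_flows) -> list[Flow]:
    """Flows outside the baseline, i.e. the device starting to act unexpectedly."""
    return [f for f in new_flows if f not in allowed]


if __name__ == "__main__":
    allowed = baseline(OBSERVED)
    print(json.dumps(to_mud("thermostat", allowed), indent=2))
    print(deviations(allowed, [Flow("unknown-host.example", 6, 22)]))
```

The emitted document omits required MUD metadata such as the MUD URL and last-update timestamp, so treat it as a starting point and validate the full file against the RFC before deploying it.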

For more information about IoT security:

6 - CISA seeks input on updated SBOM guidance

Software bills of materials (SBOMs) have long been considered a key element for securing the software supply chain, and tools and practices associated with these software “lists of ingredients” continue to improve and evolve.

Recognizing SBOM advancements, increased adoption and new use cases in recent years, CISA is circulating a draft update of its 2021 publication "Minimum Elements for a Software Bill of Materials (SBOM)" for public comment.

“SBOM is a valuable tool that helps software manufacturers with addressing supply chain risks and several best practices have evolved significantly in recent years,” CISA Acting Executive Assistant Director for Cybersecurity Chris Butera said in a statement.
 

CISA logo


An SBOM lists all of the components that make up a piece of software, providing transparency into its makeup. That way, SBOMs help security teams quickly identify where in their environment they have, say, an open source component afflicted with a recently disclosed and critical vulnerability.

By reflecting on the evolution of SBOM practices and tooling, the updated document aims to create a more robust and detailed baseline for software component information.

Key updates in the proposed guidance include:

  • New elements: The draft introduces several new fields, such as component hash, license information, the tool used for generation, and the context of the SBOM's creation.
  • Enhanced clarity: It provides clearer definitions for existing elements, including the SBOM author, the software producer, and the component version.

As organizations become more adept at consuming and utilizing SBOM data, they can now demand more granular information from their software suppliers. CISA's updated guidance is a direct response to this trend, aiming to help organizations to conduct more thorough due diligence and better manage supply chain risks.

“An SBOM alone is data about software components. Analysis of SBOMs transforms data into insights about associated risks,” the draft update reads. For example, such insights can come from vulnerability management tools that ingest and analyze SBOM data, and then map it to other data sources.
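To show what consuming the elements discussed above looks like in practice, here is an added Python example (not CISA's code or any SBOM tool's) that reports missing minimum elements, verifies a recorded component hash against the artifact bytes, and locates a given component across several SBOMs. The field names and the sample inventory are assumptions constructed for this example, not CISA's schema.

```python
import hashlib

# Element set used by this example, drawn from the element names the draft
# update discusses; the exact field names are assumptions, not CISA's schema.
SBOM_FIELDS = ("author", "producer", "generation_tool", "creation_context")
COMPONENT_FIELDS = ("name", "version", "supplier", "sha256", "license")


def missing_elements(sbom: dict) -> list[str]:
    """Report which minimum elements an SBOM document lacks, document first."""
    gaps = [f"sbom.{k}" for k in SBOM_FIELDS if not sbom.get(k)]
    for i, comp in enumerate(sbom.get("components", [])):
        gaps += [f"components[{i}].{k}" for k in COMPONENT_FIELDS if not comp.get(k)]
    return gaps


def hash_matches(comp: dict, artifact: bytes) -> bool:
    """Check that the component hash recorded in the SBOM matches the real artifact."""
    return hashlib.sha256(artifact).hexdigest() == comp.get("sha256")


def locate(sboms: dict[str, dict], name: str, version: str) -> list[str]:
    """Which deployed applications carry a given (name, version) component?"""
    return sorted(app for app, s in sboms.items()
                  for c in s.get("components", [])
                  if c.get("name") == name and c.get("version") == version)


# Constructed sample data (not real software). ARTIFACT stands in for the
# component's distributed file so the hash check can run offline.
ARTIFACT = b"fake-libparse-2.4.1-contents"
INVENTORY = {
    "billing-app": {
        "author": "sec-team", "producer": "ExampleCorp", "generation_tool": "gen-x 1.0",
        "creation_context": "build", "components": [
            {"name": "libparse", "version": "2.4.1", "supplier": "ExampleOSS",
             "sha256": hashlib.sha256(ARTIFACT).hexdigest(), "license": "MIT"}]},
    "portal": {
        "author": "sec-team", "producer": "ExampleCorp", "generation_tool": "gen-x 1.0",
        "components": [{"name": "libparse", "version": "2.4.1", "supplier": "ExampleOSS"}]},
}

if __name__ == "__main__":
    print(missing_elements(INVENTORY["portal"]))
    print(hash_matches(INVENTORY["billing-app"]["components"][0], ARTIFACT))
    print(locate(INVENTORY, "libparse", "2.4.1"))
```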

The public comment period is open until October 3, 2025. 

For more information about SBOMs:

