[00:00] Aaron Cole: I'm Aaron Cole, and this is Prime Cyber Insights.
[00:04] Aaron Cole: We're looking at a massive failure in the AI space today.
[00:07] Aaron Cole: Claude Bot, the local-first assistant that went viral just a few days ago,
[00:12] Aaron Cole: is currently being used as a wide-open door for attackers.
[00:16] Aaron Cole: Within 72 hours of adoption, we're seeing everything from RCE vulnerabilities to active
[00:21] Aaron Cole: infostealer campaigns.
[00:23] Lauren Mitchell: I am Lauren Mitchell.
[00:25] Lauren Mitchell: It's a classic case of move fast and break security.
[00:29] Lauren Mitchell: Claude Bot, now rebranded as Multbot, was supposed to be the future of local, secure computing.
[00:36] Lauren Mitchell: Instead, Aaron, we're finding that its architecture essentially invited threat actors in by leaving the front door unlocked and the keys on the counter.
[00:44] Aaron Cole: Exactly, Lauren.
[00:46] Aaron Cole: The project rebranded to Multbot because of trademark issues, but the technical debt remained.
[00:51] Aaron Cole: It's an open-source agent with full system access.
[00:54] Aaron Cole: It can read files, manage credentials, and execute shell commands.
[00:59] Aaron Cole: But because it was released with insecure defaults,
[01:02] Aaron Cole: attackers are identifying these deployments via Shodan and hijacking them instantly.
[01:07] Lauren Mitchell: The scale is what's really alarming.
[01:09] Lauren Mitchell: There are over 2,000 exposed gateways visible right now.
[01:14] Lauren Mitchell: I mean, the main culprit is port 18789.
[01:18] Lauren Mitchell: It's the default for the Claude Bot Gateway, and it handles both WebSockets for the agent's thinking and an HTTP server for the dashboard.
[01:28] Lauren Mitchell: If you don't bind that to the loopback address specifically,
[01:32] Lauren Mitchell: you're exposing a control channel to the entire network without authentication.
[01:37] Aaron Cole: And it gets worse when you look at how it stores data.
[01:40] Aaron Cole: Most secure apps use DPAPI or OS keychains.
[01:44] Aaron Cole: Multbot?
[01:44] Aaron Cole: It uses plain-text JSON and markdown files.
[01:48] Aaron Cole: If an attacker gets into that directory, they aren't just getting a password.
[01:51] Aaron Cole: They're getting every API key for OpenAI, Anthropic, GitHub, and Jira in one go.
[01:57] Aaron Cole: No decryption needed.
[01:59] Lauren Mitchell: This has created a tiered threat landscape.
[02:02] Lauren Mitchell: We have Tier 1 opportunistic criminals using RedLine and Lumma for smash-and-grab attacks,
[02:08] Lauren Mitchell: but we're also seeing Tier 3 nation-state actors interested in this.
[02:12] Lauren Mitchell: They want long-term persistence.
[02:14] Lauren Mitchell: Because these agents have memory and markdown files, an attacker can poison that memory to ensure the agent performs malicious actions even after a reboot.
[02:24] Aaron Cole: This is the definition of Shadow AI. Users are installing these tools to be more productive
[02:30] Aaron Cole: without realizing they're essentially installing a remote-access Trojan with a personality.
[02:35] Aaron Cole: Lauren, we need to look at the defense side. Behavioral AI is really the only way to catch this.
[02:41] Aaron Cole: Tools like SentinelOne are flagging the shell spawning when these agents try to update configurations via unauthorized zsh sub-processes.
[02:49] Lauren Mitchell: Mm-hmm. Detection has to be layered. You need those behavioral rules to calculate the probability of normalcy.
[02:57] Lauren Mitchell: When an AI agent starts modifying its own protocol servers at machine speed, that's a red flag.
[03:05] Lauren Mitchell: For organizations, the takeaway is clear. Treat these agents as privileged access pathways, not just shiny new productivity toys.
[03:15] Aaron Cole: Closing out, if you're using Multbot, check your bindings and your port exposures immediately.
[03:20] Aaron Cole: You can find our full vulnerability report and mitigation guide at pci.neuralnewscast.com.
[03:28] Aaron Cole: This is Aaron Cole. Thanks for joining us.
[03:30] Lauren Mitchell: And I am Lauren Mitchell.
[03:32] Lauren Mitchell: Stay secure, and we'll see you on the next Prime Cyber Insights.
[03:37] Lauren Mitchell: Neural Newscast is AI-assisted, human-reviewed.
[03:41] Lauren Mitchell: View our AI transparency policy at neuralnewscast.com.