Cybercriminals Incorporate Claude Code in Extensive Credential Theft Operation

Claude Code AI Supports Credential Theft

An unidentified threat actor has effectively integrated Anthropic’s Claude Code AI programming assistant into their operations to carry out a widespread credential harvesting scheme, as found by investigators. The initiative, referred to as Bissa scanner, has affected more than 900 targets with Claude Code’s support.

Insights into the Bissa Scanner Operation

Microsoft’s Zach Stanford and Palo Alto Network’s Renzon Cruz reported an unsecured server active since last September. This server contained over 13,000 files within 150 directories, employed for exploitation, staging victim data, credential harvesting, access validation, and workflow coordination.

Framework and Data Collection

The framework wasn’t just a storehouse for stolen information but supported a systematic operation to enhance access procurement. The data collected included environment configuration files and credentials from AI providers, cloud services, payment gateways, databases, and messaging applications. The Bissa scanner secured credentials from various SaaS categories, with AI providers being the predominant group.

AI-Facilitated Workflow

In addition to Claude Code, the self-governing AI agent framework OpenClaw was integrated for problem-solving, orchestration, and enhancing the data collection process. The operation exploited the React2Shell vulnerability, uncovered by Kiwi researcher Lachlan Davidson, allowing for remote code execution with a CVSS score of 10.0.

Automation and Notification Platforms

The Telegram application was utilized by two operator-controlled bots for alerts and possibly for managing workflow. A member from The DFIR Report observed that Claude was used for assistive development and troubleshooting, rather than direct exploit execution.

Conclusion

The incorporation of Claude Code AI into cybercriminal enterprises underscores the advancing role of AI in orchestrating complex attacks. The Bissa scanner operation illustrates a significant level of organizational sophistication, using vulnerabilities and AI technologies to enhance efficiency in credential theft.

Q: What is the Bissa scanner operation?

A:

The Bissa scanner operation is a credential theft initiative that has targeted over 900 victims leveraging Anthropic’s Claude Code AI for workflow support.

Q: What function does Claude Code AI serve in this operation?

A:

Claude Code AI aids in workflow coordination, problem-solving, and refining the data collection process, thereby improving operational efficiency.

Q: What is the significance of the React2Shell vulnerability in this operation?

A:

The React2Shell security flaw facilitates remote code execution, which the Bissa scanner exploits to achieve unauthorized system access.

Q: What type of data is targeted for harvesting?

A:

The operation aims at collecting credentials from AI providers, cloud services, payment processors, databases, and messaging applications.

Q: How was the operation uncovered?

A:

Security analysts from Microsoft and Palo Alto Networks detected an unsecured server associated with the campaign, exposing its scale and tactics.

Q: What measures have been taken after the discovery?

A:

Evidence pertaining to the operation has been communicated to the relevant authorities, though specific details about further actions remain undisclosed.

• Category: Australia Tech News