<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Zero-Trust - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/zero-trust/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 19 Jan 2024 16:30:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/zero-trust/feed.xml" rel="self" type="application/rss+xml"/><item><title>Unsecured Model Context Protocol (MCP) Server Deployments Expose AI Integrations</title><link>https://feed.craftedsignal.io/briefs/2024-01-19-mcp-server-exposure/</link><pubDate>Fri, 19 Jan 2024 16:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-19-mcp-server-exposure/</guid><description>Unsecured Model Context Protocol (MCP) servers, used to connect AI agents to enterprise tools, lack authentication and audit trails, leading to data exfiltration, private repo leaks, cross-tenant exposure, and remote code execution due to AI agents using valid user credentials to make API calls based on potentially poisoned context.</description><content:encoded><![CDATA[<p>The Model Context Protocol (MCP) is a standard used to connect AI agents, such as those in Claude, ChatGPT, Copilot, Gemini, and Cursor, to enterprise tools. By early 2026, researchers discovered approximately 7,000 exposed MCP servers on the open internet, revealing a significant security gap. The core issue lies in MCP's design, which lacks built-in authentication, authorization, and audit trails. This absence allows AI agents to make API calls using valid user credentials, bypassing traditional security measures. The vulnerability has led to over 30 CVEs in 60 days, impacting various platforms and services and creating blind spots in zero-trust architectures. The high volume of SDK downloads, reported at 97 million per month, indicates widespread adoption and a correspondingly large attack surface.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies an exposed MCP server on the internet through network scanning or vulnerability research.</li>
<li>The attacker crafts a malicious prompt or manipulates the context provided to an AI agent connected to the MCP server.</li>
<li>The AI agent processes the poisoned context and formulates an API request based on the attacker's manipulated input.</li>
<li>The AI agent authenticates to enterprise resources using valid user credentials, which were previously provided to it.</li>
<li>The MCP server relays the AI agent's API request to the targeted enterprise service (e.g., WhatsApp, GitHub, Asana).</li>
<li>The enterprise service processes the request as legitimate due to the valid credentials, granting access to sensitive data.</li>
<li>The attacker leverages the compromised AI agent to exfiltrate data from WhatsApp or other targeted services.</li>
<li>The attacker gains unauthorized access to private GitHub repositories via prompt injection or achieves remote code execution through vulnerabilities in OAuth proxy packages.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Observed impacts include the exfiltration of WhatsApp data, leaks of private GitHub repositories through prompt injection in public issues, cross-tenant exposure through Asana integrations, and remote code execution via compromised OAuth proxy packages. The exploitation of unsecured MCP servers undermines zero-trust architectures by allowing unauthorized actions to be performed with valid credentials. Given the widespread adoption of MCP, as indicated by 97 million SDK downloads per month, a successful attack can lead to significant data breaches, intellectual property theft, and compromise of sensitive systems.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule for detecting unusual network connections to external MCP servers, focusing on processes not typically associated with AI agent integrations, to identify potential exploitation attempts (see &quot;Detect Unusual Outbound Connection to Known MCP Ports&quot;).</li>
<li>Implement the Sigma rule to monitor for suspicious process execution related to common AI agent processes accessing network resources, looking for command-line arguments indicative of exploitation (see &quot;Detect Suspicious AI Agent Process Network Activity&quot;).</li>
<li>Enforce strict network segmentation to limit the blast radius of compromised MCP servers and AI agents.</li>
<li>Regularly audit and monitor AI agent activity logs for suspicious patterns and anomalies, focusing on data access and API calls.</li>
<li>Reference the provided URL and other threat intelligence sources to stay updated on emerging MCP vulnerabilities and exploitation techniques.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>ai</category><category>mcp</category><category>zero-trust</category><category>data-exfiltration</category><category>rce</category></item></channel></rss>