Netizen Blog and News

The Netizen team sharing expertise, insights and useful information in cybersecurity, compliance, and software assurance.

recent posts

about

Netizen: Monday Security Brief (2/16/2026)

Netizen: Monday Security Brief (2/16/2026)

Today’s Topics:

  • DockerDash: Ask Gordon AI Flaw Exposed a Critical Trust Boundary in Docker Desktop
  • Reynolds Ransomware Bundles BYOVD Driver to Kill EDR Before Encryption
  • How can Netizen help?

DockerDash: Ask Gordon AI Flaw Exposed a Critical Trust Boundary in Docker Desktop

AI growth risk as Good Bots and a Bad Bot and chatbot as a social vulnerability for Robots gone rogue and the danger of robotic or artificial intelligence technology in a 3D illustration style.

Docker quietly closed a serious gap in its AI assistant, Ask Gordon, with the release of Docker Desktop version 4.50.0 in November 2025. The issue, dubbed “DockerDash” by researchers at Noma Labs, was not a typical memory corruption bug or authentication bypass. It was a failure of contextual trust inside an AI-assisted workflow, and it opened the door to remote code execution and sensitive data exposure through something as mundane as Docker image metadata.

At the center of the problem was how Ask Gordon parsed and interpreted Docker image LABEL fields. In a normal workflow, those labels are informational metadata attached to a Dockerfile. They describe authorship, versioning, licensing, or build context. Ask Gordon, however, treated those metadata fields as inputs that could be interpreted and forwarded through its Model Context Protocol (MCP) Gateway without meaningful validation. That design choice created a new injection surface inside the AI-to-tool execution path.

The attack chain described by Noma Labs was straightforward and uncomfortable. An attacker could publish a Docker image containing weaponized instructions embedded in LABEL fields. When a victim asked Ask Gordon about that image, the assistant would ingest and parse the metadata. Because it did not distinguish between descriptive metadata and embedded operational instructions, it could forward the parsed content to the MCP Gateway. The Gateway, acting as middleware between the large language model and local MCP tools, would then interpret the instructions as legitimate requests from a trusted source. With no contextual validation at each hop, the MCP tools would execute the command under the victim’s Docker privileges.

For cloud and CLI environments, this meant potential remote code execution with critical impact. For Docker Desktop users, the flaw also enabled high-impact data exfiltration. The same injection primitive could be used to extract environment details through MCP tooling. That included installed tool inventories, container configurations, mounted directories, Docker settings, and even aspects of the local network topology. In practical terms, a simple AI query about a container image could become the trigger for unintended local introspection and data leakage.

Noma Labs characterized the issue as Meta-Context Injection. The root failure was that the MCP Gateway could not differentiate between benign informational metadata and pre-authorized executable instructions. This is a textbook trust boundary violation. The assistant implicitly trusted container metadata as context, and the Gateway implicitly trusted the assistant’s forwarded requests as legitimate tool invocations. No stage applied zero-trust validation to the contextual data being passed along.

What makes this case significant is that the initial payload was hidden inside a legitimate supply chain artifact. Docker images are routinely pulled from registries and inspected through automated workflows. Embedding malicious instructions inside LABEL fields turns a descriptive field into an execution vector when AI agents are introduced into the pipeline. This moves AI supply chain risk from theory into operational reality.

Docker 4.50.0 also addressed a separate prompt injection issue reported by Pillar Security, where attackers could tamper with Docker Hub repository metadata to manipulate Ask Gordon’s behavior and exfiltrate data. Taken together, these fixes highlight a pattern. As AI assistants gain the ability to interact with local tools, the integrity of contextual inputs becomes as important as traditional code-level security controls.

From a defensive standpoint, this vulnerability reinforces a point many security teams are already wrestling with: AI agents must treat every upstream input as untrusted, even if it originates from a “trusted” source like an internal registry or official marketplace. Validation cannot stop at user prompts. It must extend to metadata, system context, and intermediary gateways that bridge language models and execution engines.

Reynolds Ransomware Bundles BYOVD Driver to Kill EDR Before Encryption

Malware attack virus alert. Person use smartphone with virtual warning sign with ransomware word. Warning notification, Cyber threats.

A newly identified ransomware family dubbed Reynolds is taking a familiar evasion technique and integrating it directly into the core payload. Researchers from Symantec and the Carbon Black Threat Hunter Team report that Reynolds embeds a bring your own vulnerable driver component inside the ransomware binary itself, collapsing what is often a multi-stage intrusion into a tighter, more efficient attack chain.

BYOVD is not new. Adversaries have relied on legitimate but vulnerable signed drivers for years to escalate privileges and disable endpoint security controls. The typical sequence involves deploying a separate utility first to load the flawed driver, terminating EDR processes, and only then launching the ransomware. Reynolds eliminates that separation. The vulnerable driver, an NsecSoft NSecKrnl kernel driver, is bundled directly within the ransomware package.

Once executed, Reynolds drops the NSecKrnl driver and abuses it to terminate processes tied to widely deployed endpoint security platforms. Reported targets include products from Avast, CrowdStrike Falcon, Palo Alto Networks Cortex XDR, Sophos including HitmanPro.Alert, and Symantec Endpoint Protection. By leveraging a signed but flawed kernel driver, the ransomware can interfere with security controls at a lower level in the stack, where defensive visibility is often reduced.

The NSecKrnl driver carries a known vulnerability, CVE-2025-68947, with a CVSS score of 5.7. The flaw enables termination of arbitrary processes. That capability is precisely what makes it valuable in a ransomware context. It has also been observed in prior campaigns, including activity attributed to a threat actor known as Silver Fox, which used similar vulnerable drivers such as truesight.sys and amsdk.sys to disable endpoint tools before deploying ValleyRAT. Reynolds is following a pattern that has been effective for others.

Bundling the driver inside the ransomware has operational advantages. There is no need for affiliates to stage a separate defense-evasion tool. There is no standalone binary that defenders can isolate as a precursor signal. The driver drop, process termination, and encryption routines are logically coupled. That consolidation reduces friction in affiliate-driven ecosystems and may lower the chance of early-stage detection.

Symantec’s analysis also points to pre-ransomware activity weeks before encryption. A suspicious side-loaded loader was present on the network prior to the final stage, suggesting the attackers had already established a foothold. After the ransomware executed, the GotoHTTP remote access tool appeared on the network, indicating an interest in maintaining persistence even after the encryption event. This pattern reflects a broader trend: ransomware is rarely a smash-and-grab operation. It is often the final act in a longer intrusion.

Sophos stated that it had blocking protections against the NSecKrnl driver since November 2025 and proactive safeguards against the ransomware payload for years. That response underscores a larger defensive challenge. Even when vendors block known vulnerable drivers, attackers frequently rotate through alternative signed drivers to achieve similar outcomes. The BYOVD technique persists because it relies on trusted digital signatures and kernel-level access.

Reynolds emerges against a backdrop of escalating ransomware activity and operational experimentation. High-volume phishing campaigns have delivered GLOBAL GROUP ransomware using LNK attachments that execute PowerShell to fetch a Phorpiex dropper. GLOBAL GROUP stands out for performing all activity locally, without data exfiltration, making it viable in air-gapped environments.

Infrastructure abuse has also intensified. Campaigns linked to WantToCry have leveraged virtual machines provisioned through ISPsystem. Weaknesses in default Windows templates within VMmanager allow reuse of static hostnames and system identifiers, enabling threat actors to spin up large volumes of infrastructure that complicate takedown efforts. Hostnames from this ecosystem have appeared in campaigns tied to operators such as LockBit, Qilin, Conti, and BlackCat.

Ransomware groups continue to professionalize. DragonForce now advertises a “Company Data Audit” service to assist affiliates during extortion negotiations, providing structured reports, communication templates, and negotiation guidance. This formalization of support functions mirrors legitimate business operations and signals sustained maturity in the ecosystem.

Meanwhile, LockBit 5.0 has shifted to ChaCha20 encryption across Windows, Linux, and ESXi systems, moving away from the AES approach used in earlier versions. The updated strain includes a wiper module, delayed execution options, a visible encryption progress bar, stronger anti-analysis features, and expanded in-memory execution to reduce disk artifacts. Other groups, including Interlock, have exploited vulnerable drivers such as GameDriverx64.sys, tracked as CVE-2025-61155, in their own BYOVD attacks to disable endpoint defenses before deploying ransomware and remote access tools.

Cloud environments are also under pressure. Operators are targeting misconfigured Amazon Web Services S3 buckets, relying on native cloud capabilities to delete, overwrite, or extract data without introducing obvious malware artifacts. In parallel, purely data-theft-driven extortion events continue to rise, decoupling impact from encryption.

The numbers reinforce the trajectory. Threat actors claimed 4,737 ransomware attacks in 2025, slightly above 2024 totals. Incidents involving data theft without encryption reached 6,182, representing a notable year-over-year increase. Average ransom payments climbed to $591,988 in the fourth quarter of 2025, driven by a handful of outsized settlements.

How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

Posted in , , , ,

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.