Netizen: Monday Security Brief (6/8/2026)

Today’s Topics:

  • LLM Agent Used in Post-Exploitation Attack After Marimo Vulnerability Exploit
  • Internet-Exposed Tank Gauges Become a Cyber Risk for U.S. Fuel and Industrial Sites
  • How can Netizen help?

LLM Agent Used in Post-Exploitation Attack After Marimo Vulnerability Exploit

A threat actor was observed using a large language model agent to conduct post-exploitation activity after compromising a publicly exposed Marimo notebook through CVE-2026-39987, a critical pre-authenticated remote code execution vulnerability affecting Marimo versions up to and including 0.20.4.

The activity, reported by Sysdig, shows how attackers are beginning to use AI agents after initial access to make live decisions inside compromised environments. In this case, the attacker exploited an internet-facing Marimo instance, searched the host for credentials, extracted two cloud access keys, then used those credentials to retrieve an SSH private key from AWS Secrets Manager. That key was later used to access a downstream SSH bastion server.

CVE-2026-39987 allows unauthenticated attackers to execute arbitrary system commands on vulnerable Marimo deployments. The flaw was fixed in Marimo 0.23.0, but exposed instances have since been targeted in active exploitation. Earlier activity tied to the bug involved reconnaissance and attempts to harvest sensitive data from honeypot environments. The Sysdig incident adds a new dimension: the attacker appeared to rely on an LLM agent to adapt post-compromise actions to the environment in real time.

The incident took place on May 10, 2026. After gaining access to the vulnerable Marimo system, the attacker collected credentials from the environment and used an AWS access key to call AWS Secrets Manager. From there, the attacker retrieved an SSH private key, authenticated to a bastion host, and launched eight short parallel SSH sessions against the downstream server.

Those sessions were used to extract the schema and full contents of an internal PostgreSQL database in under two minutes. The full attack chain lasted a little over an hour from initial access to database theft.
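A burst of key-based logins like the one described above can be surfaced from the downstream server's sshd log. The following is an added example, not code from Sysdig or from the original post; the ISO 8601 timestamp prefix, host names, addresses, the 120-second window, and the threshold of five logins are all assumptions, and login counts are used as a proxy for parallel sessions.

```python
import re
from datetime import datetime, timedelta

# OpenSSH "Accepted publickey" line with an ISO 8601 timestamp prefix (assumed log format).
ACCEPT = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Accepted publickey for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def line(ts, pid, user, ip, port):
    """Build one constructed sshd log line (placeholder host, user and fingerprint)."""
    return (f"{ts}+00:00 db01 sshd[{pid}]: Accepted publickey for {user} "
            f"from {ip} port {port} ssh2: ED25519 SHA256:CONSTRUCTED")

# Constructed sample: eight logins in 14 seconds from the bastion address,
# plus two routine admin logins hours apart.
SAMPLE = [line(f"2026-01-01T03:10:{s:02d}", 4000 + s, "svc", "10.0.0.5", 52000 + s)
          for s in range(0, 16, 2)]
SAMPLE += [line("2026-01-01T09:00:00", 5001, "admin", "10.0.0.9", 40100),
           line("2026-01-01T13:30:00", 5002, "admin", "10.0.0.9", 40200)]

def login_bursts(lines, window=timedelta(seconds=120), threshold=5):
    """Return (user, ip, peak) where peak key-based logins inside `window` >= threshold."""
    seen = {}
    for text in lines:
        m = ACCEPT.match(text)
        if m:
            ts = datetime.fromisoformat(m["ts"])
            seen.setdefault((m["user"], m["ip"]), []).append(ts)
    bursts = []
    for (user, ip), times in seen.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts.append((user, ip, peak))
    return bursts

if __name__ == "__main__":
    for user, ip, peak in login_bursts(SAMPLE):
        print(f"burst: {peak} key logins for {user} from {ip}")
```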

Sysdig identified several signs suggesting that an LLM agent was involved. The attacker appeared to improvise the database theft without prior knowledge of the schema. The database host did not contain an obvious application identifier, and there was no pre-staged schema dump available to the attacker. Even so, the activity moved from host access to a credential table within minutes.

A Chinese-language planning comment also appeared directly in the command stream during a credential search. The phrase, “看还能做什么,” translates to “See what else we can do.” Sysdig interpreted the leaked comment as another indicator that an agent-driven workflow was generating or coordinating commands during the intrusion.

The command structure also appeared optimized for machine consumption. Commands were separated by “—” delimiters, outputs were bounded, the “less” command was disabled, and standard error output was discarded to reduce noise. Those traits are consistent with an operator or agent trying to keep command output predictable for automated parsing.

Sysdig also pointed to value handoffs between commands. In one example, the attacker read the contents of the “~/.pgpass” file and appeared to feed the extracted database password into the next step. In another, the attacker listed files matching an SSH key pattern before reading the matching private key file. This suggests that the workflow was using prior command output to decide the next action, rather than following a static script.

The broader security concern is that AI-assisted post-exploitation can lower the effort required to operate inside unfamiliar environments. A traditional script may fail when a file is missing, a schema is unexpected, or an authentication step breaks. An agent-driven workflow can interpret the failure, adjust commands, and continue probing.

That adaptiveness changes the defender’s problem. Security teams are no longer only looking for prebuilt playbooks, known tools, or predictable command sequences. They also need to watch for behavior that looks exploratory but remains highly structured, fast, and machine-readable.

For organizations running Marimo, the immediate priority is to update to a fixed release, audit for public exposure, and investigate any internet-facing notebook environments that may have been accessible before patching. Credentials stored on affected hosts should be treated as exposed. AWS access keys, API keys, SSH keys, database passwords, and other secrets should be rotated where compromise is possible.

Security teams should also review cloud audit logs for unusual Secrets Manager access, unexpected AWS API calls, abnormal egress patterns, SSH authentication events using recently accessed keys, and suspicious database dump activity. Marimo instances should not be left publicly reachable without strong authentication, network controls, and monitoring. Notebook environments often sit close to sensitive data, developer credentials, cloud access, and internal infrastructure, making them high-value targets after exploitation.
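One way to start the Secrets Manager review described above is to compare each access key's `GetSecretValue` calls against a baseline period. This is an added example, not code from Sysdig or the original post: the field names follow the CloudTrail record format, while the key ID, addresses, and secret names are constructed placeholders.

```python
from collections import defaultdict

SM = "secretsmanager.amazonaws.com"

def ev(time, ip, key, secret):
    """Constructed GetSecretValue record: real CloudTrail field names, placeholder values."""
    return {"eventTime": time, "eventSource": SM, "eventName": "GetSecretValue",
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key},
            "requestParameters": {"secretId": secret}}

# Constructed data: RFC 5737 addresses, placeholder key ID and secret names.
KEY = "AKIAEXAMPLEPLACEHOLDER"
BASELINE = [ev("2026-01-01T09:00:00Z", "198.51.100.10", KEY, "app/db-password")]
CURRENT = [
    ev("2026-01-08T09:00:00Z", "198.51.100.10", KEY, "app/db-password"),    # routine
    ev("2026-01-08T11:30:00Z", "198.51.100.10", KEY, "app/api-token"),      # new secret only
    ev("2026-01-08T23:14:05Z", "203.0.113.77", KEY, "ops/bastion-ssh-key"), # new IP and secret
]

def profile(events):
    """Per access key: source IPs and secret IDs seen in baseline GetSecretValue calls."""
    ips, secrets = defaultdict(set), defaultdict(set)
    for e in events:
        if e.get("eventSource") == SM and e.get("eventName") == "GetSecretValue":
            key = e.get("userIdentity", {}).get("accessKeyId")
            ips[key].add(e.get("sourceIPAddress"))
            secrets[key].add((e.get("requestParameters") or {}).get("secretId"))
    return ips, secrets

def unusual_secret_reads(current, baseline):
    """Flag secret reads where a key is used from a new IP or reads a new secret."""
    ips, secrets = profile(baseline)
    findings = []
    for e in current:
        if e.get("eventSource") != SM or e.get("eventName") != "GetSecretValue":
            continue
        key = e.get("userIdentity", {}).get("accessKeyId")
        secret = (e.get("requestParameters") or {}).get("secretId")
        reasons = []
        if e.get("sourceIPAddress") not in ips[key]:
            reasons.append("new_source_ip")
        if secret not in secrets[key]:
            reasons.append("new_secret")
        if reasons:
            findings.append({"time": e["eventTime"], "key": key, "secret": secret,
                             "ip": e.get("sourceIPAddress"), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in unusual_secret_reads(CURRENT, BASELINE):
        print(f)
```

A read flagged for both reasons at once, such as a long-lived key suddenly fetching an SSH key secret from an unfamiliar address, deserves the first look.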


Internet-Exposed Tank Gauges Become a Cyber Risk for U.S. Fuel and Industrial Sites

Cyberattackers are targeting internet-exposed automatic tank gauge systems in the United States, prompting federal agencies to warn fuel operators, industrial facilities, and other critical infrastructure organizations to remove the devices from public access and harden them against compromise.

The warning, issued by CISA, the FBI, the NSA, the Department of Energy, the Environmental Protection Agency, the Transportation Security Administration, the Department of Transportation, and the Department of Agriculture, focuses on automatic tank gauge systems, commonly known as ATGs. These devices are used to monitor fuel levels, liquid volume, temperature, leaks, alarms, and other storage tank conditions across gas stations, chemical facilities, farms, airports, hospitals, military sites, transportation operations, and industrial environments.

ATGs are often treated as background operational technology. They sit close to storage tanks, collect readings from probes, display measurements for operators, and in many deployments feed data into broader supervisory control and data acquisition environments. Their role can appear narrow from an IT perspective, but their operational value is high. A compromised gauge can interfere with how a site sees its inventory, how it detects leaks, how it responds to abnormal tank conditions, and how operators decide whether it is safe to continue normal activity.

Federal agencies said they are aware of malicious cyber activity targeting U.S.-based ATG systems. The activity has not been formally attributed to a named threat group, but officials and security researchers have been tracking attacks against internet-facing tank gauges at gas stations and other facilities. Some reporting has pointed to possible Iran-linked activity, though federal authorities have not publicly assigned blame in the joint guidance.

The core issue is exposure. Many ATG systems were never meant to sit directly on the public internet, yet scans continue to find reachable devices. In its reporting, Dark Reading cited Shadowserver data showing 909 discoverable ATG systems in the United States after honeypots were filtered out. Canada followed with 30 exposed devices, Australia with 22, and the United Kingdom and Brazil with four each. Those numbers suggest the U.S. remains the main center of exposed ATG risk, even after years of warnings.

This is not a new class of industrial security problem. More than a decade ago, researchers and scanning projects were already identifying thousands of unsecured tank gauges online. A 2015 report cited roughly 5,800 exposed automated tank gauges tied mostly to gas stations, truck stops, and convenience stores in the United States. Many of those systems lacked password protection. Researchers also built honeypot systems to observe attacker behavior and saw scanning, probing, defacement, tank-name manipulation, and denial-of-service activity.

The difference now is that exposed ATGs are being discussed in the context of active malicious activity against U.S. infrastructure, not just theoretical risk or security research. The federal notice says attackers have compromised internet-exposed devices and then modified them through command execution. Cybersecurity Dive reported that the attacks can involve disabling alerts or otherwise interfering with monitoring, which can prevent operators from trusting what the system is reporting.

The risk is not limited to someone changing a display label or causing nuisance downtime. ATGs can support inventory control, leak detection, tank capacity settings, overflow thresholds, alarms, relays, and other functions tied to the safe handling of fuel and industrial liquids. If an attacker changes those values, disables alarms, or hides abnormal readings, the operator may be working from false information. That can create safety risk, environmental risk, operational disruption, and financial loss.

Security researchers have also shown that many ATG products carry serious legacy risk. Bitsight’s 2024 research found multiple zero-day vulnerabilities across six ATG systems from five vendors. The affected product set included Maglink LX, Maglink LX4, OPW SiteSentinel, Proteus OEL8000, Alisonic Sibylla, and Franklin TS-550. The flaws included authentication bypass, hardcoded administrator credentials, OS command execution, SQL injection, cross-site scripting, privilege escalation, and arbitrary file read. Several were rated critical, and some could give an attacker full administrator access to the device application or even operating system-level access.

Those findings fit a broader pattern in operational technology. ATG systems are designed to last for years in field conditions, often in environments where downtime is difficult, patching is slow, and remote access is valued for maintenance. Security controls are frequently weaker than what would be expected on enterprise IT systems. Some devices still rely on old software stacks, default credentials, limited logging, or exposed management services. They are also too constrained to support traditional endpoint security tooling.

For attackers, that creates a direct path from internet exposure to operational impact. A device with default credentials, a hardcoded password, an authentication bypass, or command execution flaw may be reachable without first compromising the corporate network. Once accessed, the ATG can be altered, disrupted, or used as a foothold for deeper reconnaissance, depending on the network design around it.

The most direct defensive step is to remove ATG systems from public internet access. These systems should be placed behind segmented networks, protected by strong authentication, and accessed only through controlled remote access paths where remote maintenance is truly required. Operators should change default passwords, remove shared credentials, apply available firmware and software patches, disable unused services, restrict management interfaces, and monitor for unauthorized access attempts.

Credential hygiene is especially relevant for sites that rely on third-party maintenance providers. Remote access used by vendors, fuel service contractors, or managed service providers can become a weak point if accounts are shared, passwords are reused, or access remains enabled after it is no longer needed. Each account tied to ATG management should be individually assigned, limited by role, and logged.

Operators should also review ATG configurations for unexplained changes. That includes tank names, product labels, tank geometry, volume settings, alarm thresholds, relay settings, leak detection settings, user accounts, remote access configuration, network settings, and firmware versions. Sudden changes in readings, disabled alarms, failed polling from SCADA systems, abnormal outbound traffic, or repeated login failures should be treated as possible compromise indicators.

For larger industrial environments, this issue should be handled as part of OT asset management rather than a one-time cleanup. Organizations need an inventory of tank gauges, firmware versions, network exposure, access methods, vendor dependencies, and business processes that rely on ATG data. A device cannot be defended if the organization does not know it exists, where it is reachable from, or what safety decisions depend on it.

The attacks also show why segmentation alone is not enough if the device is still reachable from the open web. A firewall between IT and OT does little to protect an ATG that has its own exposed management interface. The first control is reducing reachability. The second is hardening access. The third is monitoring for misuse. The fourth is making sure unsafe physical outcomes are blocked by independent engineering controls, such as mechanical valves, local safety mechanisms, and one-way data paths where appropriate.

The broader lesson is that small industrial devices can create large operational risk. ATGs may not look like high-profile targets, but they sit at the boundary between cyber systems and physical processes. They measure fuel and liquid conditions that operators depend on, and in some cases they can influence alerts or downstream actions. When those devices are exposed, unpatched, or weakly authenticated, they give attackers a way to interfere with the data and controls that keep sites running safely.


How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive-level cybersecurity expertise at a fraction of the cost of hiring internally.

Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by the U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

