Today's picture
Two disclosures published this week signal a shift in what attackers are targeting and why. Lotus Wiper was deployed against Venezuela's energy sector with no ransom demand and no negotiation. The goal was to destroy systems permanently, and the attackers spent months inside the environment preparing before pulling the trigger. Separately, a misconfiguration in Microsoft's Azure SRE Agent allowed anyone with a free Azure account to silently read another organization's AI agent conversations in real time, including every command it ran and every credential it returned.
Threat snapshot
2 new · 3 monitoring
New
Destructive
Lotus Wiper targeted Venezuela's energy sector with no ransom demand. Pure destruction.
Compiled September 2025, deployed December 2025. Overwrites physical drives, deletes restore points, leaves systems permanently unrecoverable. Geopolitically motivated. No payment path.
New
Cloud
CVSS 8.6
Azure SRE Agent flaw let any outside tenant silently watch your cloud operations in real time.
CVE-2026-32173. Free Azure account plus 15 lines of code. Read commands, credentials, and reasoning from another company's AI agent. Patched server-side by Microsoft.
Monitoring
KEV Listed
BlueHammer CVE-2026-33825 added to CISA KEV. RedSun and UnDefend still unpatched.
KEV listing confirms active exploitation of the patched Defender flaw. The two unpatched exploits in the chain remain in the wild with no fix from Microsoft.
Detailed intelligence
Full analysis
01 New Destructive
Lotus Wiper targeted Venezuela's energy sector with no ransom demand. Pure destruction, months in the making.
Lotus Wiper
What happened
Kaspersky published research this week on Lotus Wiper, a previously unknown destructive malware used in targeted attacks against Venezuela's energy and utilities sector in late 2025 and early 2026. The malware was compiled in September 2025 and a sample was uploaded to a public malware repository from a machine in Venezuela in mid-December, weeks before significant geopolitical events in the region in early January. The attack carries no ransom demand, no extortion mechanism, and no payment path. The sole objective is permanent destruction.
The attack chain begins with two batch scripts that coordinate across domain-joined machines before the wiper deploys. The first script checks for a remote trigger file on the organization's NETLOGON share, allowing the attacker to control when destruction begins across multiple systems simultaneously. The second script enumerates user accounts, resets passwords to random strings, disables accounts, logs off all active sessions, and disconnects network interfaces before the wiper runs. Lotus Wiper itself operates at a low level, interacting directly with physical disks. It deletes all Windows restore points, overwrites every physical sector with zeroes, clears the USN journal to eliminate forensic traces, and deletes all files across every mounted volume. Files that cannot be deleted immediately are scheduled for removal at the next reboot. The result is a system that cannot be restored through any standard recovery method.
Kaspersky notes the malware targeted machines running pre-Windows 10 1803 versions, indicating the attackers had detailed knowledge of the environment and likely had persistent access for months before the destructive phase began. No attribution to a specific threat actor has been confirmed.
CyberSip Take
The absence of a ransom demand is the most operationally significant detail in this story. Defenders are trained to think about attackers in terms of financial motivation. Ransomware groups want money, so they stop short of permanently destroying systems because destroyed systems cannot pay. Lotus Wiper flips that calculus entirely. An attacker whose goal is disruption of national energy infrastructure has no interest in negotiation. The attack is the goal, not a precursor to it.
Two things in this research are worth internalizing beyond the Venezuela-specific context. First, the attackers targeted older Windows versions that were present in the environment, indicating months of reconnaissance before they acted. Pre-positioning inside critical infrastructure networks before a destructive payload runs is not a new technique, but the September 2025 compile date and December deployment date show exactly how much lead time these actors built in. Second, the NETLOGON-based trigger mechanism means the wiper was designed to run across multiple systems at the same time. This is not a single-machine attack. Organizations in energy, utilities, and critical infrastructure should treat this as a reference case for what a well-resourced, non-financially-motivated adversary looks like in practice. The defensive implication is that incident response planning needs a scenario where backup restoration is the answer, because the other tools are gone.
Recommended actions
- Verify that offline or air-gapped backups exist for critical systems and have been tested for restoration. Lotus Wiper is specifically designed to destroy the recovery mechanisms that on-device backups depend on.
- Audit Windows versions across OT and critical infrastructure environments. The targeting of pre-Windows 10 1803 systems suggests attackers specifically sought out unpatched legacy machines.
- Monitor NETLOGON share access for unexpected files or changes, particularly files with XML extensions from unknown sources. The remote trigger mechanism relies on this share.
- Watch for use of native tools like diskpart, robocopy, and fsutil in automated or scripted contexts on servers. These appear in the pre-wipe preparation phase.
Derived from Kaspersky threat research and independent malware analysis
02 New Cloud CVSS 8.6
Azure SRE Agent flaw let any outside tenant silently watch your cloud operations in real time.
CVE-2026-32173
What happened
Enclave AI researcher Yanir Tsarimi disclosed a critical authentication flaw in Microsoft's Azure SRE Agent, a cloud AI tool that autonomously monitors Azure environments, diagnoses outages, and executes remediation actions on behalf of IT teams. The agent has access to logs, source code, deployment credentials, and integrations with incident management platforms. The flaw, tracked as CVE-2026-32173 with a CVSS score of 8.6, stemmed from a misconfiguration in how the agent's event hub authenticated connecting clients.
The Entra ID app registration behind the hub was configured as multi-tenant, meaning any account from any Entra ID tenant could obtain a valid token that the hub would accept. Once connected, the hub broadcast all events to all clients with no identity filtering. An outside attacker needed only a free Azure account, the target agent's web address, and roughly 15 lines of code. The exposed stream included user prompts, agent responses, internal reasoning traces, every command executed with full arguments, and all command output. Tsarimi demonstrated reading live deployment credentials for web applications from another organization's agent during testing. The attack left no trace in the target organization's logs. Microsoft confirmed the flaw, rated it critical, and patched it on the server side. No customer action is required to receive the fix, but organizations using the Azure SRE Agent should audit what access and integrations the agent has been granted.
CyberSip Take
This item belongs in the same category as the nginx-ui MCP authentication bypass from Issue 5 and the Atlassian MCP server chain from Issue 4. AI agents are being shipped into production with privileged access to infrastructure, and the authentication controls around the data streams those agents produce are not receiving the same scrutiny as the agents themselves.
The Azure SRE Agent has access to exactly the data an attacker would most want: commands being run on production systems, credentials returned by those commands, source code, and a real-time view of what the operations team is doing and thinking. The flaw was server-side and Microsoft fixed it without customer action, which is the best outcome. But the underlying pattern is worth taking seriously: every AI agent you deploy that has privileged access to your infrastructure is also producing a stream of sensitive data that needs to be secured like any other privileged channel. The question to ask about any AI agent in your environment is not just what it can access, but who can see what it is doing.
Recommended actions
- No customer action is required to receive the CVE-2026-32173 patch. Microsoft applied the fix server-side. Verify your Azure SRE Agent is running on the current version to confirm the patch is in effect.
- Audit the permissions granted to the Azure SRE Agent in your environment. The agent should operate under a dedicated managed identity with the minimum permissions required. Broad integrations with source repositories, incident platforms, and command execution paths warrant review.
- Review logging for the Azure SRE Agent. Understand what is captured and whether those logs are available in your SIEM. If the agent touches production credentials or deployment secrets, those interactions should be auditable.
- Treat this as a prompt to apply the same scrutiny to any other AI agents in your environment that have been granted infrastructure access. Token validation, tenant isolation, and data stream security all warrant review before deployment at production scale.
Derived from Enclave AI research disclosure and Microsoft security advisory
Still watching
Aging items · days 2–7
Items here remain operationally relevant but have no significant new developments. They drop off after 7 days.
Defender BlueHammer CVE-2026-33825 added to CISA KEV (see Issue 7 for full detail). Patched in April Patch Tuesday. RedSun and UnDefend remain unpatched and active. Verify Defender signature update timestamps, not just service status.
Day 2
Teams helpdesk impersonation campaign (Issue 10). No new developments. Review external Teams access settings and add Quick Assist to security awareness training.
Day 2
Apache ActiveMQ CVE-2026-34197 (Issue 6). Federal deadline April 30. Active exploitation continues. Patch to version 5.19.4 or 6.2.3 if not yet done.
Day 7
Cross-source standouts
What connects this week
01
Not every attacker wants money. Some want the lights off.
Lotus Wiper is the clearest illustration this month of a threat category that does not fit the ransomware response playbook. When the goal is destruction rather than extortion, paying does not help, negotiating does not help, and the standard incident response assumption that you can restore from backup depends entirely on whether the attacker destroyed your recovery infrastructure first. Lotus Wiper destroyed it first. This month also featured the Stryker wipe from Issue 3 and the Venice flood system intrusion from Issue 8. The pattern across April is that destructive and disruptive attacks against physical and critical infrastructure are not hypothetical scenarios, and defense strategies built entirely around financial threat actors leave a gap.
02
AI agents are production infrastructure now and need to be secured like it
The Azure SRE Agent flaw is the fourth AI agent security item in this brief this month, following the nginx-ui MCP authentication bypass in Issue 5, the Atlassian MCP chain in Issue 4, and the ATHR voice phishing platform in Issue 6. Each of them reflects the same gap: AI tools are being granted privileged access to production systems faster than the security controls around them are being designed and reviewed. The question that needs an answer before any agent is deployed with production access is straightforward. Who can see what this agent is doing, and is that access appropriately controlled?
Past issues · 7-day archive