Originally published on CoreProse KB-incidents
An AI system recently autonomously assembled a working zero‑day exploit to bypass 2FA on an open‑source admin tool—then ran into a Google‑grade detection pipeline and was stopped.
This aligns with three visible trends:
- Nation‑state operators using public LLMs for recon and scripting. [2]
- Offensive models autonomously discovering and chaining vulnerabilities. [8]
- AI‑native malware and C2 channels optimized around LLM behavior. [3][9]
Security and ML teams must now defend against AI‑driven attackers while also securing the AI‑driven systems they operate. Treating LLMs as “just another tool” in the SOC or DevSecOps pipeline is no longer tenable. [5][6]
1. From Hypothetical to Real: Why an AI‑Crafted Zero‑Day 2FA Bypass Matters
Nation‑states and advanced crime groups already use public LLMs for:
- Protocol and standards analysis.
- Scripting and code assistance.
- Research on high‑value targets. [2]
Microsoft has observed groups like Forest Blizzard and Salmon Typhoon querying GenAI for satellite, radar, and technical stack details, then using it to refine code and campaigns. [2]
Anthropic’s Mythos Preview model showed that capable LLMs can: [8]
- Ingest large codebases and binaries.
- Discover thousands of zero‑days, including very old bugs.
- Autonomously chain issues (e.g., four bugs into a browser sandbox escape).
Real‑world pattern:
- A fintech red team used an internal LLM to move from “suspicious SSO plugin” to working account‑takeover PoC in under a day—code review, exploit sketching, and payload tweaks handled largely by the model. [8][10]
Anthropic’s later cloud PoC advanced this to a multi‑agent system that: [10]
- Autonomously executed 80–90% of a penetration campaign on a misconfigured GCP environment.
- Covered asset discovery, lateral movement, and privilege escalation with humans mainly supervising.
Simultaneously, AI‑native malware research anticipates: [3]
- Embedded LLMs driving self‑modifying code.
- Environment‑aware evasion and tactic switching.
- Continuous payload evolution faster than traditional SIEM rule updates.
C2 is shifting as well:
- Check Point showed assistants like Grok and Copilot can be turned into covert C2 channels via web‑fetch features—no dedicated C2 infra, no attacker‑owned API key, and traffic that looks like normal AI usage. [9]
Why this 2FA bypass matters:
- OWASP’s LLM Top 10 highlights prompt injection, model abuse, and AI‑specific exfiltration—risks not covered by classic AppSec. [6]
- Regulators such as CNIL require 72‑hour notification for AI‑related breaches impacting auth and admin consoles. [6]
- The first blocked AI‑crafted zero‑day against an open‑source admin tool is a concrete milestone in LLMs becoming standard offensive components for nation‑states and cybercrime. [2][8][10]
Offense has moved from “AI assistant” to “AI operator.” Your defenses—and your own LLM stack—must assume that.
2. How LLMs Craft Zero‑Day Exploits and 2FA Bypasses in Practice
Mythos‑style models show that modern LLMs can: [8]
- Ingest entire repos and binaries.
- Reason about edge cases and undefined behavior.
- Propose exploit primitives and chains quickly and at scale.
A likely AI attacker workflow against 2FA
- Code and config ingestion
  - Clone the open‑source admin tool.
  - Extract auth middleware, 2FA handlers, session logic.
  - Ask the model to map login → token issuance → 2FA challenge → session persistence. [8]
- Vulnerability hypothesis generation
  - Enumerate plausible 2FA bypass paths: missing CSRF, weak binding, token reuse, flawed “remember device” logic, backup code abuse. [8]
  - Cluster issues by exploitability and prerequisites.
- Exploit primitive synthesis
  Echoing Mythos’ vulnerability chaining, an LLM might combine: [8]
  - Session fixation on pre‑auth routes.
  - 2FA tokens bound to sessions, not identities.
  - CSRF on verification endpoints.
  - Over‑permissive recovery or device‑remember flows.
- Payload generation and iteration
  AI‑native malware work suggests embedded LLMs will: [3]
  - Adjust headers, ordering, and timing based on responses.
  - Mutate payloads to evade WAF rules and anomaly models.
  - Re‑plan when defenses partially block a chain. [3]
- Live tuning via LLM‑enabled C2
  Using LLMs with web‑fetch as relays, attackers can: [9]
  - Hide instructions inside URLs and benign prompts.
  - Tune exploit parameters in real time without visible C2 infra.
  - Blend traffic into normal “assistant” usage. [9]
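The primitives listed under exploit synthesis (session fixation on pre‑auth routes, challenges bound to a session rather than an identity, CSRF on the verify endpoint, token reuse) are all closed by the same small set of server‑side controls. The following is an added example written for this page, not code from the article or from any admin tool it refers to; the in‑memory session store, the credential check and the OTP delivery are stand‑ins, and every name in it is assumed. Each control is annotated with the primitive it defeats.

```python
"""Hardened 2FA verification flow: each control is annotated with the weakness it
closes. Constructed, in-memory example; the session store, credential check and
OTP delivery are stand-ins for a real framework's components."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

SESSIONS: dict = {}          # session id -> session state (stand-in for a server-side session store)
MFA_TTL_SECONDS = 300        # a challenge not completed within five minutes is discarded
MAX_ATTEMPTS = 5             # wrong codes tolerated before the challenge is invalidated


def _new_session(**state) -> str:
    """Create a session with a fresh unguessable id and a per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None, "mfa_ok": False, "pending": None,
                     "csrf": secrets.token_urlsafe(32), **state}
    return sid


def start_session() -> str:
    """Pre-auth session, issued when the login page is rendered."""
    return _new_session()


def password_ok(user: str, password: str) -> bool:
    """Constructed credential check; real code verifies a salted password hash."""
    return (user, password) == ("alice", "correct horse battery staple")


def password_step(sid: str, user: str, password: str, now: Optional[float] = None):
    """First factor. Returns (new_session_id, otp) or (None, None). In practice the
    OTP is delivered out of band; it is returned here only to keep the example
    self-contained."""
    if sid not in SESSIONS or not password_ok(user, password):
        return None, None
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10**6):06d}"
    pending = {
        "user": user,                                     # identity binding, not just session binding
        "otp_hash": hashlib.sha256(otp.encode()).hexdigest(),
        "expires": now + MFA_TTL_SECONDS,
        "attempts": 0,
    }
    # Rotate the session id as soon as the first factor succeeds: an id handed out on
    # the pre-auth route (the session-fixation primitive) never survives into step 2.
    SESSIONS.pop(sid)
    return _new_session(pending=pending), otp


def verify_step(sid: str, submitted_otp: str, csrf_token: str, now: Optional[float] = None):
    """Second factor. Returns the fully authenticated session id, or None."""
    sess = SESSIONS.get(sid)
    if sess is None or sess["pending"] is None:
        return None
    # CSRF: the verify endpoint only accepts the token minted for this session, so a
    # cross-site POST cannot complete (or burn) another session's challenge.
    if not hmac.compare_digest(csrf_token, sess["csrf"]):
        return None
    now = time.time() if now is None else now
    pending = sess["pending"]
    if now > pending["expires"] or pending["attempts"] >= MAX_ATTEMPTS:
        sess["pending"] = None                # expired or brute-forced: back to step 1
        return None
    pending["attempts"] += 1
    digest = hashlib.sha256(submitted_otp.encode()).hexdigest()
    if not hmac.compare_digest(digest, pending["otp_hash"]):
        return None
    # Success. The identity comes from the bound challenge, never from the request,
    # and the session id is rotated again so nothing minted before full authentication
    # remains valid; dropping the old session also makes the code single-use.
    user = pending["user"]
    SESSIONS.pop(sid)
    return _new_session(user=user, mfa_ok=True)


def is_authenticated(sid: str) -> bool:
    sess = SESSIONS.get(sid)
    return bool(sess and sess["mfa_ok"] and sess["user"])
```

The two session rotations are the important design choice: the first removes any value from a fixated pre‑auth id, the second guarantees that the only session able to act as an authenticated user was minted after both factors were checked. Binding the pending challenge to the user name and reading the identity back from it (rather than from the verify request) is what prevents a code issued for one account from completing 2FA for another.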
Key implication:
- AI doesn’t introduce new vulnerability classes but compresses discovery → weaponization → deployment into hours, then scales replication once a pattern works. [3][8][10]
- Expect more frequent, better‑tuned attacks on 2FA and SSO, rapidly ported across similar stacks. [8][10]
3. Inside a Google‑Style Detection Stack: LLM‑Augmented SIEM and UEBA
Stopping an AI‑crafted 2FA bypass requires telemetry and analytics operating near attacker speed.
Augmented SIEM architectures typically combine: [1]
- Traditional correlation rules and signatures.
- UEBA models that learn user, device, and service baselines.
- LLM layers that summarize, hypothesize, and propose new rules.
These systems correlate events from identity providers, web frontends, admin tools, and infra, and flag patterns like anomalous token issuance or admin flows. [1]
Microsoft’s GenAI–SIEM experiments found LLMs can: [2]
- Summarize complex alert clusters.
- Suggest likely attack paths and root causes.
- Propose candidate detection rules from natural‑language TTPs.
How a 2FA bypass shows up in an LLM‑augmented SIEM
At scale, a zero‑day 2FA bypass produces recognizable side‑effects: [1]
- Spikes in failed or incomplete 2FA flows by IP range, ASN, or group.
- Session tokens with no matching 2FA events or with abnormal device/browser fingerprints.
- Sudden high‑risk admin actions (role grants, policy changes) by accounts with no history of such activity.
UEBA flags deviations, such as: [1]
- A dormant engineer account doing bulk 2FA resets at 3 AM from a new ASN.
LLMs then: [1][2][9]
- Explain anomalies in analyst‑friendly language.
- Correlate with known AI‑assisted behavior, including unusual assistant traffic tied to the same identity.
- Draft new correlation rules or enrichment flows for analyst review.
For sensitive environments using on‑prem AI (e.g., Codex via Dell’s AI Factory), detection agents can run adjacent to critical data and admin services, enabling: [4]
- Low‑latency correlation and blocking.
- Less exposure of raw auth logs outside the perimeter. [4]
Critical nuance:
- LLM agents are attack surfaces and must themselves be monitored for: [5][7][9]
  - Abnormal tool calls (e.g., repeated 2FA resets).
  - Unexpected access to admin consoles.
  - Prompts/responses suggesting jailbreak or C2 behavior.
A Google‑style stack combines SIEM, UEBA, and LLM‑based triage, then escalates to automated containment:
- Token revocation.
- Forced re‑authentication.
- Temporary blocks on suspicious admin flows. [1][2]
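The side‑effects listed above (sessions with no matching 2FA event, failure spikes by ASN, a dormant account doing bulk resets at 3 AM from a new ASN) are each a short correlation over normalised auth events. The block below is an added example, not a rule set from any SIEM vendor or from the article: the event names, fields, thresholds and the sample telemetry are all constructed, and a real deployment would take its baselines (dormancy, known ASNs) from the UEBA profile rather than from the same event batch.

```python
"""Detection logic for the 2FA-bypass side-effects described in the text, run over
constructed authentication telemetry. Added example; event names, fields and
thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timezone

MFA_WINDOW_S = 300          # a session must follow an mfa_success for that user within this window
FAIL_SPIKE_THRESHOLD = 5    # mfa_failure events from one ASN within SPIKE_WINDOW_S
SPIKE_WINDOW_S = 600
DORMANT_DAYS = 30           # idle gap after which an account counts as dormant
BULK_RESET_THRESHOLD = 3    # mfa_reset actions inside one burst
OFF_HOURS_BEFORE = 6        # hour (UTC here) below which activity counts as off-hours


def _ts(s: str) -> float:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc).timestamp()


def sessions_without_mfa(events):
    """Session tokens issued to a user with no mfa_success in the preceding window:
    the most direct signature of a completed 2FA bypass."""
    last_mfa, flagged = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "mfa_success":
            last_mfa[e["user"]] = _ts(e["ts"])
        elif e["event"] == "session_issued":
            ok = last_mfa.get(e["user"])
            if ok is None or _ts(e["ts"]) - ok > MFA_WINDOW_S:
                flagged.append(e["session"])
    return flagged


def mfa_failure_spikes(events):
    """ASNs producing FAIL_SPIKE_THRESHOLD or more failed 2FA attempts in a sliding window."""
    by_asn = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_failure":
            by_asn[e["asn"]].append(_ts(e["ts"]))
    spiking = set()
    for asn, times in by_asn.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > SPIKE_WINDOW_S:
                start += 1
            if end - start + 1 >= FAIL_SPIKE_THRESHOLD:
                spiking.add(asn)
                break
    return spiking


def dormant_bulk_resets(events):
    """Accounts idle for DORMANT_DAYS (or never seen) that then issue a burst of
    mfa_reset actions from an ASN absent from their history, during off-hours."""
    last_seen, seen_asn, burst, hits = {}, defaultdict(set), {}, set()
    for e in sorted(events, key=lambda e: e["ts"]):
        u, t = e["user"], _ts(e["ts"])
        if e["event"] == "mfa_reset":
            gap = t - last_seen[u] if u in last_seen else float("inf")
            if gap > DORMANT_DAYS * 86400:              # a burst starts right after the idle period
                burst[u] = {"start": t, "count": 0,
                            "new_asn": e["asn"] not in seen_asn[u],
                            "off_hours": datetime.fromisoformat(e["ts"]).hour < OFF_HOURS_BEFORE}
            b = burst.get(u)
            if b and t - b["start"] <= SPIKE_WINDOW_S:
                b["count"] += 1
                if b["count"] >= BULK_RESET_THRESHOLD and b["new_asn"] and b["off_hours"]:
                    hits.add(u)
        last_seen[u] = t
        seen_asn[u].add(e["asn"])
    return hits


def run_detections(events) -> dict:
    return {"sessions_without_mfa": sessions_without_mfa(events),
            "mfa_failure_spikes": mfa_failure_spikes(events),
            "dormant_bulk_resets": dormant_bulk_resets(events)}


# Constructed sample telemetry (UTC timestamps), shaped like normalised identity-provider
# and admin-tool events.
EVENTS = [
    {"ts": "2025-03-01T09:00:00", "event": "login_password_ok", "user": "alice", "asn": "AS100", "session": None},
    {"ts": "2025-03-01T09:00:20", "event": "mfa_success", "user": "alice", "asn": "AS100", "session": None},
    {"ts": "2025-03-01T09:00:21", "event": "session_issued", "user": "alice", "asn": "AS100", "session": "s-alice-1"},
    # bob receives a session with no 2FA event at all
    {"ts": "2025-03-01T10:00:00", "event": "login_password_ok", "user": "bob", "asn": "AS200", "session": None},
    {"ts": "2025-03-01T10:00:01", "event": "session_issued", "user": "bob", "asn": "AS200", "session": "s-bob-1"},
    # dave was last active in January
    {"ts": "2025-01-10T14:00:00", "event": "login_password_ok", "user": "dave", "asn": "AS100", "session": None},
    # six failed 2FA attempts from one ASN, then dave bulk-resets 2FA at 03:10 from that ASN
    *[{"ts": f"2025-03-02T03:0{i}:00", "event": "mfa_failure", "user": f"user{i}", "asn": "AS999", "session": None}
      for i in range(6)],
    *[{"ts": f"2025-03-02T03:1{i}:00", "event": "mfa_reset", "user": "dave", "asn": "AS999", "session": None}
      for i in range(3)],
]

if __name__ == "__main__":
    for name, result in run_detections(EVENTS).items():
        print(f"{name}: {result}")
```

On the sample data the three detectors return bob's session, AS999 and dave respectively. Each finding carries the identifiers (session id, ASN, account) that automated containment needs for token revocation, forced re‑authentication or a temporary block.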
4. Building Pipelines for AI‑Discovered Zero‑Days: Detection to Patch
Catching an AI‑crafted exploit is only the start; the race is to mitigate the underlying zero‑day before it’s retried with improved variants.
Mythos and GitLab analyses indicate: [8]
- AI can find vulnerabilities faster than teams patch.
- About one‑third of exploited CVEs in early 2025 were hit on or before disclosure day.
- AI accelerates both volume and speed of new findings. [8]
Pipeline design for AI‑found zero‑days
Key components:
- Automated exploitability and impact classification
  - Use models to label issue types (RCE, auth logic, info‑leak). [8]
  - Attach business impact scores (e.g., 2FA bypass in production admin → critical, externally exploitable). [1][8]
- Ownership routing and escalation
  - Route auth/2FA vulnerabilities directly to identity/platform security with strict SLAs. [1][8]
- Rule and model generation
  To keep pace with AI‑driven malware, defenders must automate going from “idea” to deployable detection: [3]
  - Auto‑generate SIEM rules from observed anomalous auth patterns. [1][3]
  - Update UEBA baselines and models to reflect new attack paths. [1]
- Continuous offensive testing
  Mirror Anthropic‑style agentic systems internally: [10]
  - Red‑team agents in CI/CD that probe 2FA flows, SSO, admin consoles, and recovery flows.
  - Automated replay of known exploit patterns against staging.
- Incident response for AI incidents
  LLM‑specific IR playbooks should include: [5]
  - Capturing prompts and responses involved in the exploit.
  - Tracing which agents and data sources were used.
  - Tightening guardrails, tools, and access for implicated agents.
- Governance and auditability
  Operational AI security guidance tied to GDPR/AI Act stresses: [6]
  - Logging AI‑driven decisions, exploit analyses, and auto‑mitigations.
  - Ensuring you can meet 72‑hour breach notification and audit demands.
By combining AI‑driven discovery, prioritized routing, automated detection, continuous testing, and compliant logging, organizations can shrink time‑to‑mitigation from weeks to days—or hours. [3][6][8]
5. Securing Your Own LLMs, Agents, and Admin Tools in the Crossfire
In attacks like the 2FA bypass attempt, your defensive LLM stack can become the attacker’s pivot.
The LLM security risk guide highlights key attack surfaces: [5]
- User prompts and uploads.
- Internal RAG sources and vector stores.
- Tools/plugins and APIs—especially those touching admin and auth.
Poorly constrained, any of these can lead directly to admin consoles or 2FA settings. [5]
Policy and governance gaps
Current compliance guidance notes: [6]
- ~74% of enterprises lack AI‑specific security policies.
- Classic controls ignore prompt injection, data poisoning, and tool abuse.
When LLMs are wired into admin tools, ticketing systems, or ChatOps that can trigger 2FA or role changes, you effectively place a semi‑autonomous agent next to your highest‑risk controls. [5][6]
Jailbreaking research shows: [7]
- Crafted prompts and hidden HTML instructions can override safety training.
- LLM‑based email filters, log viewers, and console assistants can be turned into vectors when they parse attacker‑controlled content.
This applies to: [5][7]
- Log viewers powered by LLMs.
- Admin console “AI assistants.”
- ChatOps bots allowed to run 2FA resets or grant roles.
Check Point’s C2 work underscores that: [9]
- AI traffic is often trusted and under‑monitored.
- Assistants with backend or log access but weak egress control can serve as ideal C2 relays and exploit tuners.
Layered defenses for your AI stack
Treat LLMs and agents as primary security assets:
- Prompt filtering/sanitization
  - Strip or neutralize jailbreak patterns and untrusted markup before model input. [5][7]
- Tool‑use allowlists
  - Enumerate allowed APIs; exclude 2FA reset and high‑risk admin calls unless absolutely needed. [5]
- Scoped admin APIs
  - Enforce fine‑grained RBAC, contextual checks, and strong audit for LLM‑triggered admin actions. [5][6]
- Behavioral monitoring of agents
  - UEBA‑style analytics for tool‑call sequences, admin action frequency, and unusual access. [1][5]
- Detection of jailbreak and C2‑like usage
  - Flag sessions with prompt‑injection markers or repeated web‑fetches to suspicious domains. [7][9]
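The five layers above fit naturally into one enforcement point: a gateway that sits between the agent and every tool it can call. The block below is an added example, not the article's code and not any vendor's agent framework; the agent names, tool names, injection patterns, egress allowlist and rate limits are all assumptions to be replaced by your own inventory. It screens untrusted content before it reaches the model, enforces an allowlist and per‑agent scopes, applies a contextual check and a frequency limit to admin‑tier calls, blocks web fetches outside an egress allowlist, and keeps an audit trail whose denials are the signal to feed into UEBA.

```python
"""Tool-call gateway between an LLM agent and admin/auth APIs. Constructed example
of the layered controls described in the text; agent names, tool names, patterns and
thresholds are assumptions."""
import re
import time
from collections import Counter, defaultdict, deque
from urllib.parse import urlparse

# Phrases and markup commonly seen in prompt-injection attempts against assistants
# that parse tickets, logs or fetched pages. Constructed list; tune to your traffic.
INJECTION_MARKERS = [
    r"ignore (all )?(previous|prior) instructions",
    r"you are now",
    r"<!--", r"<script\b", r"\[system\]", r"developer mode",
]
# tool -> tier. Anything not listed is denied; 2FA reset and role grants are admin-tier
# and only reachable by agents explicitly scoped for them.
TOOL_ALLOWLIST = {"read_log": "read", "lookup_user": "read",
                  "web_fetch": "fetch", "grant_role": "admin", "reset_mfa": "admin"}
AGENT_SCOPES = {"log-triage-bot": {"read", "fetch"}, "helpdesk-bot": {"read", "admin"}}
FETCH_ALLOWED_HOSTS = {"docs.example.internal"}      # egress allowlist for web_fetch
ADMIN_RATE_LIMIT, ADMIN_RATE_WINDOW_S = 3, 600      # admin-tier calls per agent per window


class Gateway:
    def __init__(self, now=time.time):
        self.now = now
        self.audit = []                                 # every decision, allowed or denied
        self.admin_calls = defaultdict(deque)           # agent -> timestamps of admin-tier calls
        self.tainted = set()                            # agents whose context carried injection markers

    def screen_untrusted(self, agent: str, text: str):
        """Sanitize attacker-controllable text before it reaches the model. Returns
        (cleaned_text, markers_found); any marker taints the agent so admin-tier tools
        stay closed until a human clears it."""
        markers = [p for p in INJECTION_MARKERS if re.search(p, text, re.I)]
        cleaned = re.sub(r"<[^>]+>", "", text)          # drop tags/comments that can hide instructions
        if markers:
            self.tainted.add(agent)
        return cleaned, markers

    def clear_taint(self, agent: str):
        """Human review decided the agent's session may continue."""
        self.tainted.discard(agent)

    def call_tool(self, agent: str, tool: str, args: dict, requester_role: str) -> bool:
        decision = self._decide(agent, tool, args, requester_role)
        self.audit.append({"ts": self.now(), "agent": agent, "tool": tool,
                           "args": args, "decision": decision})
        return decision == "allow"

    def _decide(self, agent, tool, args, requester_role) -> str:
        tier = TOOL_ALLOWLIST.get(tool)
        if tier is None:
            return "deny:not_allowlisted"
        if tier not in AGENT_SCOPES.get(agent, set()):
            return "deny:out_of_scope"
        if tier == "fetch":
            host = urlparse(args.get("url", "")).hostname
            if host not in FETCH_ALLOWED_HOSTS:
                return "deny:egress"                    # closes the assistant-as-relay channel
        if tier == "admin":
            if requester_role != "admin":               # contextual check: who asked the agent?
                return "deny:requester_not_admin"
            if agent in self.tainted:
                return "deny:tainted_context"
            q, t = self.admin_calls[agent], self.now()
            while q and t - q[0] > ADMIN_RATE_WINDOW_S:
                q.popleft()
            if len(q) >= ADMIN_RATE_LIMIT:
                return "deny:rate_limited"
            q.append(t)
        return "allow"

    def denials_by_agent(self) -> dict:
        """Denial counts per agent: the signal to forward to UEBA/SIEM."""
        return dict(Counter(e["agent"] for e in self.audit if e["decision"] != "allow"))
```

The taint flag is the piece that ties prompt filtering to tool gating: once an agent has read content carrying injection markers, its admin‑tier calls are refused regardless of who is asking, which is exactly the log‑viewer‑to‑2FA‑reset path described above. Read‑tier tools stay available so triage can continue while a human reviews.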
6. Implementation Roadmap for Security & ML Engineers
To operationalize this, you need a staged program spanning security, ML, and compliance.
Step 1: Extend your threat model with AI‑specific risks
Explicitly incorporate: [5][6][8][9]
- AI‑assisted zero‑day discovery against your codebases. [8]
- Prompt injection against LLM agents with access to admin or IR tools. [5]
- C2 over trusted assistant/copilot traffic. [6][9]
Map where LLMs intersect with auth, 2FA, SSO, and admin paths.
Step 2: Integrate LLM‑augmented analytics into SIEM/UEBA
Based on SIEM augmentation work and Microsoft experiments: [1][2]
- Feed login, 2FA, SSO, and admin logs into UEBA.
- Layer LLMs for alert summarization, root‑cause hypotheses, and auto‑drafted rules.
- Focus on anomalous 2FA events, privilege escalations, and admin session anomalies.
Quick win: [1][2]
- Use an LLM to propose SIEM rules for “impossible travel” during 2FA enrollment or bulk 2FA resets, then refine with analysts.
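Whatever the draft comes from, the analyst still has to pin the rule down to something deterministic. The block below is an added example of the “impossible travel during 2FA enrollment” rule in that finished form; it is not code from the article, and it assumes that auth events have already been enriched with a geo‑IP latitude and longitude (the field names and the sample events are constructed).

```python
"""'Impossible travel' over 2FA enrollment and reset events. Added example; assumes
geo-IP enrichment has attached lat/lon to each event. Event names are assumptions."""
import math
from collections import defaultdict
from datetime import datetime, timezone

MAX_PLAUSIBLE_KMH = 900.0      # roughly airline speed; faster than this cannot be one traveller
MIN_DISTANCE_KM = 100.0        # ignore geo-IP jitter inside one metro area
SENSITIVE_EVENTS = {"mfa_enroll", "mfa_reset"}


def _ts(s: str) -> float:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc).timestamp()


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events):
    """(user, earlier_ts, later_ts, implied_kmh) for consecutive sensitive events by
    one user that no single traveller could have produced."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] in SENSITIVE_EVENTS:
            by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for a, b in zip(evs, evs[1:]):
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            if km < MIN_DISTANCE_KM:
                continue
            hours = (_ts(b["ts"]) - _ts(a["ts"])) / 3600
            kmh = km / hours if hours > 0 else float("inf")   # same-second events are flagged
            if kmh > MAX_PLAUSIBLE_KMH:
                hits.append((user, a["ts"], b["ts"], round(kmh)))
    return hits


# Constructed sample events (UTC). alice enrolls in Berlin and resets in Sydney one hour
# later; carol enrolls in Berlin and resets in Munich one hour later, which is plausible.
ENROLL_EVENTS = [
    {"ts": "2025-03-03T10:00:00", "event": "mfa_enroll", "user": "alice", "lat": 52.520, "lon": 13.405},
    {"ts": "2025-03-03T11:00:00", "event": "mfa_reset", "user": "alice", "lat": -33.868, "lon": 151.209},
    {"ts": "2025-03-03T10:00:00", "event": "mfa_enroll", "user": "carol", "lat": 52.520, "lon": 13.405},
    {"ts": "2025-03-03T11:00:00", "event": "mfa_reset", "user": "carol", "lat": 48.137, "lon": 11.575},
    {"ts": "2025-03-03T11:30:00", "event": "login_password_ok", "user": "carol", "lat": 48.137, "lon": 11.575},
]

if __name__ == "__main__":
    for hit in impossible_travel(ENROLL_EVENTS):
        print("impossible travel:", hit)
```

Restricting the rule to enrollment and reset events keeps it quiet on ordinary logins through VPNs and cloud egress points while still catching the case the text cares about: a second factor being re‑bound from somewhere the legitimate user cannot be.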
Step 3: Deploy on‑prem or hybrid AI for sensitive workloads
Where possible, deploy on‑prem/hybrid agents like Codex near your most sensitive systems: [4]
- Local code review and exploit triage for auth components.
- On‑box anomaly detection over 2FA and admin logs.
- Reduced exposure of sensitive data to public APIs. [4][6]
Conclusion: Meeting AI‑Driven Attackers at Their Own Speed
AI‑crafted exploits and AI‑assisted attackers are now operational reality. The blocked 2FA bypass zero‑day shows both risk and opportunity:
- Offensive models can rapidly find and weaponize flaws. [3][8][10]
- Defensive stacks that fuse SIEM, UEBA, and LLMs can detect and contain them—if designed with AI in mind. [1][2][5]
By extending your threat model, augmenting analytics with LLMs, deploying carefully scoped local agents, and securing your own LLM stack as a high‑value target, you can keep pace with AI‑driven attackers instead of becoming their next pivot. [5][6][8]