{
  "$schema_note": "Apeiris incident-to-control map. A real documented attack, decomposed into stages and mapped to specific Apeiris control URIs with what each control does and why it matters at that stage. Machine-readable so a GRC/SIEM/agent pipeline can consume it. mapped != satisfied: this states which controls address each stage, not that any target satisfied them. Each control carries what it does, why it applies here, and the evidence to collect. Control IDs are Apeiris-native and are mapped to cited external frameworks (NIST, OWASP, ETSI, ISO, and others) in the domain JSON they link to.",
  "incident": {
    "name": "JADEPUFFER",
    "summary": "First documented end-to-end LLM-driven ransomware operation.",
    "source": "Sysdig Threat Research Team (Michael Clark)",
    "source_url": "https://www.sysdig.com/blog/jadepuffer-agentic-ransomware-for-automated-database-extortion",
    "published": "2026-07-01",
    "entry_vuln": "CVE-2025-3248 (Langflow unauthenticated RCE)",
    "downstream_vuln": "CVE-2021-29441 (Alibaba Nacos auth bypass) + unchanged default JWT signing key",
    "attribution_note": "Attack facts and IOCs are Sysdig's original research. Control mapping is Apeiris."
  },
  "generated": "2026-07-08",
  "stages": [
    {
      "stage": "initial_access",
      "attack": "Unauthenticated RCE on an internet-facing Langflow instance yields arbitrary Python on the host.",
      "assurance_gap": "The AI-orchestration process ran unsandboxed with broad host privileges, so code execution equals host control.",
      "controls": [
        {
          "uri": "apeiris://security/controls/EC-01",
          "name": "Sandbox the agent",
          "what_it_does": "Runs the orchestration process under process, namespace, and syscall isolation.",
          "why_here": "An RCE then yields execution inside a jail, not on the host: the arbitrary Python cannot reach the host credential store or the internal network from inside the sandbox.",
          "evidence": "Sandbox / seccomp profile in force; denied-syscall logs from the orchestration process."
        },
        {
          "uri": "apeiris://security/controls/EC-04",
          "name": "Minimal filesystem and tool access",
          "what_it_does": "Restricts the process to the least filesystem paths and tools it needs.",
          "why_here": "Even inside the jail, the broad secret sweep and the /tmp/creds.json staging require wide filesystem reach the control denies.",
          "evidence": "Least-privilege filesystem and tool policy; denied file-access events."
        }
      ]
    },
    {
      "stage": "credential_harvest",
      "attack": "The agent swept the environment for LLM provider API keys, cloud credentials, crypto wallets, and database credentials, then looted Langflow's own Postgres and a MinIO object store with default credentials.",
      "assurance_gap": "Long-lived provider and cloud credentials sat in the web-reachable process environment.",
      "controls": [
        {
          "uri": "apeiris://security/controls/EC-08",
          "name": "Keep secrets out of the prompt and context",
          "what_it_does": "Keeps credentials out of the process environment and model context, sourcing them from a broker at point of use.",
          "why_here": "The single richest step, sweeping provider keys and cloud credentials, returns nothing to harvest because the process holds no standing secrets.",
          "evidence": "Secret scan of the process environment showing no standing credentials; secrets-broker issuance records."
        },
        {
          "uri": "apeiris://agentic/controls/AA-02",
          "name": "API key and token lifecycle management",
          "what_it_does": "Places keys and tokens in a secrets manager with short TTL and rotation.",
          "why_here": "Any credential the agent does obtain is short-lived and scoped, so it expires or is revoked before it can be replayed.",
          "evidence": "Secrets-manager inventory; token TTL and rotation records."
        },
        {
          "uri": "apeiris://security/controls/IA-02",
          "name": "Short-lived, task-scoped keys",
          "what_it_does": "Issues ephemeral keys bound to a single task, never long-lived shared secrets.",
          "why_here": "A stolen key cannot be reused days later against cloud providers, collapsing the value of the whole harvest.",
          "evidence": "Short-lived token issuance log; evidence that no long-lived keys exist."
        }
      ]
    },
    {
      "stage": "command_and_control_and_exfil",
      "attack": "A crontab beacon phoned home to the C2 every 30 minutes, and the agent claimed (in its own comments, unverified) to stage data to an external server before destruction.",
      "assurance_gap": "No egress control on the orchestration host.",
      "controls": [
        {
          "uri": "apeiris://security/controls/EC-02",
          "name": "Filter outbound network traffic",
          "what_it_does": "Restricts egress to an allowlist of approved destinations.",
          "why_here": "The 30-minute beacon to the C2 and any bulk exfiltration are blocked at the network edge, since neither destination is on the allowlist.",
          "evidence": "Egress allowlist definition; blocked outbound-connection logs (e.g., the C2 beacon)."
        }
      ]
    },
    {
      "stage": "runtime_campaign",
      "attack": "Over 600 self-narrating payloads performed lateral discovery, backdoor injection, a container-escape survey, and mass schema destruction, adapting to failures in as little as 31 seconds.",
      "assurance_gap": "No runtime behavioral telemetry, anomaly detection, or automated stop.",
      "controls": [
        {
          "uri": "apeiris://security/controls/RT-01",
          "name": "OS-level telemetry",
          "what_it_does": "Captures what the agent actually does at the OS level: processes, syscalls, file and network activity.",
          "why_here": "The secret sweep, the lateral movement, and the mass DROP are observable as they happen, rather than reconstructed forensically afterward.",
          "evidence": "OS-level process, syscall, file, and network telemetry stream for the agent host."
        },
        {
          "uri": "apeiris://security/controls/RT-04",
          "name": "Anomaly detection with pause and kill",
          "what_it_does": "Detects anomalous behavior and triggers pause, kill switch, or containment.",
          "why_here": "The run is halted mid-campaign, for example at the lateral sweep or the first schema drop, instead of completing all 600-plus steps.",
          "evidence": "Anomaly-detection rules and pause / kill / containment event records."
        },
        {
          "uri": "apeiris://agentic/controls/AM-02",
          "name": "Anomalous action detection",
          "what_it_does": "Compares agent actions against a signed action manifest of what it is authorized to do.",
          "why_here": "Dropping production databases is outside any legitimate action manifest, so it is flagged the moment it is attempted.",
          "evidence": "Signed action manifest; anomalous-action detection events for out-of-manifest actions."
        },
        {
          "uri": "apeiris://agentic/controls/AM-07",
          "name": "Real-time alert and automated suspension",
          "what_it_does": "Suspends the agent automatically on a high-severity signal.",
          "why_here": "Closes the gap between detecting the anomaly and stopping it, which at 31-second adaptation speed is the difference between contained and complete.",
          "evidence": "Alert-to-suspension records; an automated agent-suspension event."
        }
      ]
    },
    {
      "stage": "vulnerable_framework",
      "attack": "Langflow itself, a credential-holding agent framework, was internet-exposed and unpatched, and years-old CVEs were sprayed automatically downstream.",
      "assurance_gap": "The agent framework was deployed without vetting, exposure review, or AI-aware threat modeling.",
      "controls": [
        {
          "uri": "apeiris://agentic/controls/AT-06",
          "name": "Third-party plugin vetting and sandboxing",
          "what_it_does": "Vets and sandboxes third-party agent frameworks and tools before they run.",
          "why_here": "A known-vulnerable framework holding credentials is not stood up internet-facing without a review that would catch the exposure.",
          "evidence": "Third-party framework vetting record and the sandbox policy applied to it."
        },
        {
          "uri": "apeiris://security/controls/AS-02",
          "name": "Static analysis of skills and manifests in CI",
          "what_it_does": "Statically analyzes agent skills and manifests in the build pipeline.",
          "why_here": "Surfaces the risky configuration (exposed code-execution endpoint, embedded credentials) before deployment.",
          "evidence": "CI static-analysis report over the agent skills and manifests."
        },
        {
          "uri": "apeiris://security/controls/RT-06",
          "name": "Map AI-native threats to ATT&CK and ATLAS",
          "what_it_does": "Extends ATT&CK and MITRE ATLAS to agentic and AI-native techniques.",
          "why_here": "The pattern of AI-adjacent host, then credential sweep, then lateral movement, then extortion becomes a modeled, detectable technique rather than a novelty.",
          "evidence": "ATT&CK / ATLAS-mapped detection-coverage record for AI-native techniques."
        }
      ]
    },
    {
      "stage": "encryption_and_destruction",
      "attack": "The agent encrypted 1,342 configurations with an ephemeral key it never saved, dropped tables and whole schemas, and left an extortion note. Based on Sysdig's observed artifacts, payment would not enable recovery.",
      "assurance_gap": "No AI-aware backup, recovery objectives, or continuity plan.",
      "controls": [
        {
          "uri": "apeiris://security/controls/GV-11",
          "name": "Recovery and compensation planning",
          "what_it_does": "Plans recovery and compensation for actions the agent has already taken.",
          "why_here": "Because recovery does not depend on the attacker's key, the ephemeral-key unrecoverability is survivable: you restore from your own backups.",
          "evidence": "Tested recovery / compensation runbook and a restore-from-backup evidence record."
        },
        {
          "uri": "apeiris://resilience/controls/RV-01",
          "name": "RTO and RPO definition and validation",
          "what_it_does": "Defines and tests recovery time and recovery point objectives for AI systems.",
          "why_here": "Turns config loss and database destruction into a bounded, measured continuity event.",
          "evidence": "RTO / RPO definitions plus their validation test results."
        },
        {
          "uri": "apeiris://resilience/controls/RP-01",
          "name": "AI-specific business continuity plan",
          "what_it_does": "Maintains a continuity plan covering AI-specific assets like configuration stores and model registries.",
          "why_here": "The Nacos configuration store is exactly the AI-adjacent asset a generic BCP tends to miss.",
          "evidence": "AI-specific business continuity plan covering configuration stores and databases."
        },
        {
          "uri": "apeiris://resilience/controls/RO-01",
          "name": "Failover execution procedures",
          "what_it_does": "Documents and tests failover execution.",
          "why_here": "Provides the tested path back to service after the destructive phase.",
          "evidence": "Failover execution test record."
        }
      ]
    }
  ]
}