Kaspersky has found that Model Context Protocol (MCP) could be weaponized by cybercriminals as a supply chain attack vector, potentially leading to harmful impacts, including, but not limited to the leakage of password, credit card, cryptowallet and other types of data. In their new research, Kaspersky experts show the concept of an attack and share mitigation measures for businesses who integrate AI tools into their workflows.
Open-sourced by Anthropic in 2024, the Model Context Protocol (MCP) is a standard that gives AI systems, especially LLM-based apps, a consistent way to connect to external tools and services. For instance, organizations may use it to let LLMs search and update documents, manage code repositories and APIs, or access CRM, financial, and cloud data.
Like any open-source tool, MCP can be abused by cybercriminals. In their new research, Kaspersky Emergency Response Team experts built a proof-of-concept that simulates how attackers might abuse an MCP server. This was to demonstrate how the supply chain attacks can unfold through the protocol and to showcase the potential harm that might come from running such tools without proper auditing. Performing a controlled security lab test, they simulated a developer workstation with a rogue MCP server installed, ultimately harvesting such sensitive data types as:
● browser passwords
● credit card data
● cryptocurrency wallet files
● API tokens and certificates
● cloud configurations and more
During the simulated attack a “victim” only sees the legitimate output. Kaspersky has not yet observed this vector in real life and warns that the vector may be used by cybercriminals not only to extract sensitive data, but also to cause other harmful impacts such as executing malicious code, installing backdoors and deploying ransomware, etc.
In their research, Kaspersky used Cursor as the AI example client to connect with the weaponized MCP server, though the same attack concept may be applied to other LLMs as well. Cursor and Anthropic have been notified of the research outcomes.
“Supply chain attacks remain one of the most pressing threats in the cybersecurity space, and the potential weaponization of MCP we demonstrated follows this trend. With the current hype around AI and the race to integrate these tools into workflows, businesses may lower their guard and, by adopting a seemingly legitimate but unproven custom MCP, perhaps posted on Reddit or similar platforms, end up suffering a data leak. This underscores the importance of a strong security posture. In our new white paper, we share the technical details of this potential attack vector along with measures to help avoid falling victim,” says Mohamed Ghobashy, Incident Response Specialist in the Kaspersky Global Emergency Response Team.
The detailed research is presented on Securelist. To manage the risks associated with MCP abuse attacks, Kaspersky experts suggest that users:
● Check the MCP before installation. Submit every new server to a process where it’s scanned, reviewed, and approved before production use. Maintain a whitelist of approved servers so anything new stands out immediately.
● Lock it down. Run servers in containers or virtual machines with access limited to only the folders they require, and isolate networks so development environments can’t reach production or other sensitive systems.
● Monitor for odd behavior and anomalies. Log every prompt and response so that hidden instructions or unusual tool calls can be spotted in the transcript. Keep an eye out for suspicious prompts, unexpected SQL commands, or unusual data flows, like outbound traffic triggered by agents outside standard workflows.
● Adopt managed security services by Kaspersky such as Managed Detection and Response (MDR) and / or Incident Response, covering the entire incident management cycle – from threat identification to continuous protection and remediation. They help to protect against evasive cyberattacks, investigate incidents and get additional expertise even if a company lacks cybersecurity workers.
:
