Gas Station Hackers, CISA Flaws, AI Tool Insights

US gas stations are under siege from Iranian-backed hackers, exposing a startling vulnerability in critical infrastructure. Meanwhile, a CISA contractor’s blunder and the evolving capabilities of AI security tools paint a complex threat landscape.

Iranian Hackers Target US Gas Stations [Exploitation Deep Dive] — Threat Digest

Key Takeaways

  • Iranian hackers are exploiting unsecured automatic tank gauge systems at US gas stations.
  • A CISA contractor's exposed GitHub repository contained sensitive administrative credentials.
  • Anthropic's Mythos AI platform shows promise in exploit chain generation but suffers from inconsistency and false positives.
  • Industrial routers from Four-Faith and Huawei are being actively exploited, leading to botnet integration and critical service outages.
  • A solo actor used AI to orchestrate a five-year influence and fraud scheme targeting US audiences.

An Iranian state-sponsored hacking group has been actively targeting automatic tank gauge (ATG) systems at gas stations across the United States, a concerning development that highlights the often-overlooked vulnerabilities in the nation’s fuel infrastructure. The modus operandi? Exploiting simple, internet-connected devices, many of which apparently lack even basic password protection. While officials assure the public that actual fuel levels couldn’t be manipulated — a detail that seems almost a footnote in the face of the intrusion itself — the ability to alter display readings is itself a significant cybersecurity red flag. This intrusion vector, long a theoretical concern for industry watchdogs, opens the door to masking critical issues like gas leaks or creating other, as-yet-undefined, risks to essential services.

This incident arrives on the heels of a rather embarrassing exposure involving a contractor for the Cybersecurity and Infrastructure Security Agency (CISA) itself. A GitHub repository, ominously named Private-CISA, was left publicly accessible for months, containing not just administrative keys for AWS GovCloud accounts but also — in plain text, no less — passwords for internal CISA systems. CISA insists no sensitive data was accessed, a claim that demands rigorous validation. The potential for lateral movement and system tampering, however, remains a stark, unavoidable consequence of such a lapse.

Is AI the Next Frontier in Threat Intelligence, or Just More Noise?

Anthropic’s Mythos platform is generating buzz, with a new feature allowing users to share cyber threat intelligence. The aim is noble: foster collective defense. But the reality, as illustrated by Cloudflare’s recent evaluation, is far more nuanced.

Cloudflare threw over 50 of its internal repositories at the Mythos model, and the results are mixed. It’s impressive that Mythos can construct exploit chains from low-severity bugs and spit out functional proofs of concept. That’s the stuff of headlines and boardroom presentations. Yet, the devil is, as always, in the details. Inconsistent refusals on legitimate research tasks and a high rate of false positives, particularly with C/C++ code, point to a system that’s still very much a work in progress. Cloudflare’s conclusion? A multi-stage harness is essential, not some generic agent, to get anything remotely useful and low-noise out of it. This isn’t a plug-and-play solution; it’s a research tool demanding significant human oversight and refinement.

The market, however, seems eager to bet on these emerging AI capabilities. NanoCo, developer of NanoClaw (pitched as an open-source alternative to OpenClaw), snagged a $12 million seed round. Investors include heavyweights like Valley Capital Partners and participation from Docker, Vercel, and monday.com. This influx of capital signals strong market confidence, but it also raises questions about valuation and sustainable business models in the AI security space.

Industrial Routers: The Unsung Heroes of Network Exploitation?

Beyond AI, the gritty reality of industrial control system (ICS) security continues to be a source of exploits. Four-Faith industrial cellular routers are the latest targets. Specifically, CVE-2024-9643, an authentication bypass flaw stemming from hardcoded administrative credentials, is seeing aggressive exploitation. CrowdSec data shows a dramatic uptick since late April, hitting mass exploitation levels by mid-May. These compromised routers aren’t just endpoints; they’re being folded into botnets, extending the reach of attackers and creating a distributed network for further nefarious purposes. It’s a classic case of critical infrastructure components becoming collateral damage in broader cyber campaigns.

Speaking of critical infrastructure, a zero-day vulnerability in a Huawei enterprise router brought Luxembourg’s entire telecom network to a standstill in July 2025. For over three hours, landline, 4G, and 5G services were offline, impacting hundreds of thousands. The attack exploited undocumented behavior, forcing routers into a continuous restart loop via specially crafted network traffic. POST Luxembourg confirmed it was a denial-of-service incident. The fact that no patch existed at the time underscores the inherent risk of zero-days, especially within deeply embedded network infrastructure.

Finally, a stark reminder of the human element in cybersecurity: a solo operator, powered by AI, has been running a five-year influence and fraud scheme known as Patriot Bait. Targeting patriotic and conservative audiences in the US, this campaign uses AI for content generation and social media manipulation to build trust, then converts that trust into fraudulent cryptocurrency and credential theft. It’s a disturbing fusion of psychological manipulation and technological enablement, demonstrating that the human desire for connection and belonging can be a potent, exploitable vulnerability in the digital age.

An Open WebUI vulnerability (CVE-2026-45401) has also surfaced, a high-severity SSRF flaw that allows attackers to bypass URL validation through redirect handling: the URL a user supplies is checked, but the destination the server is redirected to is not. This is a significant concern for any application that fetches user-supplied URLs on the server side.
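To make the redirect-handling failure mode concrete, here is an added example (my own illustration, not Open WebUI's code and not tied to the details of CVE-2026-45401) of a server-side fetcher that validates only the caller-supplied URL, beside one that re-validates the destination on every redirect hop. The HTTP client and DNS resolver are constructed in-memory stand-ins so the example runs offline; the hostnames, addresses and URLs are made up.

```python
"""Added example: SSRF via redirect handling, vulnerable vs. hardened fetcher.

Everything network-related below is simulated so the example runs offline.
"""
import ipaddress
from urllib.parse import urlparse, urljoin

# Constructed stand-in for the web: url -> ("redirect", location) | ("ok", body).
# The "/go" endpoint on the public host redirects to a constructed internal address.
FAKE_WEB = {
    "https://images.example-cdn.test/logo.png": ("ok", b"PNG..."),
    "https://images.example-cdn.test/go": ("redirect", "http://10.0.0.5/admin"),
    "http://10.0.0.5/admin": ("ok", b"internal admin panel"),
}

# Constructed stand-in for DNS: hostname -> IPv4 string (public address is made up).
FAKE_DNS = {
    "images.example-cdn.test": "51.15.123.45",
}


def resolve(host: str):
    """Return the IP a hostname points at, or None if unknown. Literal IPs pass through."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return FAKE_DNS.get(host)


def is_public_url(url: str) -> bool:
    """True only for http(s) URLs whose host resolves to a globally routable unicast address."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    ip = resolve(parts.hostname)
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    # is_global excludes loopback, RFC 1918, link-local and other reserved ranges.
    return addr.is_global and not addr.is_multicast


def _get(url: str):
    """Simulated single HTTP request with redirects NOT followed automatically."""
    if url not in FAKE_WEB:
        raise RuntimeError("no such resource: " + url)
    return FAKE_WEB[url]


def fetch_vulnerable(url: str, max_hops: int = 5):
    """Validates the user-supplied URL once, then follows redirects blindly."""
    if not is_public_url(url):
        raise ValueError("blocked: " + url)
    for _ in range(max_hops):
        kind, payload = _get(url)
        if kind == "ok":
            return url, payload
        url = urljoin(url, payload)  # redirect target is never re-checked
    raise RuntimeError("too many redirects")


def fetch_hardened(url: str, max_hops: int = 5):
    """Re-validates the destination on every hop, so a redirect cannot pivot inward."""
    for _ in range(max_hops):
        if not is_public_url(url):
            raise ValueError("blocked: " + url)
        kind, payload = _get(url)
        if kind == "ok":
            return url, payload
        url = urljoin(url, payload)
    raise RuntimeError("too many redirects")


def outcome(fetch, url: str):
    """Helper for comparison: ("fetched", final_url) or ("blocked", offending_url)."""
    try:
        final_url, _ = fetch(url)
        return ("fetched", final_url)
    except ValueError as exc:
        return ("blocked", str(exc).removeprefix("blocked: "))


if __name__ == "__main__":
    for name, fn in (("vulnerable", fetch_vulnerable), ("hardened", fetch_hardened)):
        print(name, outcome(fn, "https://images.example-cdn.test/go"))
```

The design point is that the allow-list check must run on the address the client is actually about to connect to, on every hop. With a real client that means disabling automatic redirects (for example `allow_redirects=False` in `requests`) and looping as above; to also close the DNS-rebinding window, resolve the host once, validate that IP, and connect to that same IP rather than resolving again.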

Written by Maya Thompson

Threat intelligence reporter. Tracks CVEs, ransomware groups, and major breach investigations.


Originally reported by SecurityWeek
