SINGAPORE – News on April 7 that Anthropic withheld the public launch of its latest artificial intelligence model, sharing it with only a tightly controlled group, has triggered a harsh reality check. The San Francisco-based research firm announced that its latest Claude Mythos Preview is being shared with approximately 50 technology firms, including Microsoft, Google, Amazon, and Apple, as part of an initiative known as Project Glasswing. The tool’s ability to autonomously attack existing software without human intervention has raised significant concerns.
In a grave note on its website, Anthropic stated: “Given the rate of AI progress, it will not be long before such capabilities proliferate, potentially beyond actors who are committed to deploying them safely. The fallout – for economies, public safety, and national security – could be severe.” AI models have been known to assist hackers in identifying software flaws for years, reducing the discovery time of zero-day vulnerabilities from months to hours. These vulnerabilities are flaws unknown to the software maker and thus lack an immediate fix.
However, with the introduction of Claude Mythos Preview, AI models have progressed to a point where they can act autonomously, discovering new vulnerabilities and generating code to exploit these flaws. This development has significantly lowered the barrier to exploiting multiple minor vulnerabilities for a full system compromise, leading to widespread alarm across sectors.
Following the April 7 news, U.S. Treasury Secretary Scott Bessent and Federal Reserve Chairman Jerome Powell convened an unexpected meeting with Wall Street leaders due to concerns that Claude Mythos Preview could usher in a new era of increased cyber risk. Similarly, South Korea’s Ministry of Science and ICT held an emergency briefing with major domestic cybersecurity firms to strategize countermeasures.
The Cyber Security Agency of Singapore (CSA) has flagged heightened risks to critical service operators in Singapore, which encompass those in banking, energy, and telecommunications. Although the advanced AI capabilities have yet to be abused, CSA has issued an advisory urging all firms to proactively prepare against potential risks.
The fears are tangible. So far, Claude Mythos Preview has identified thousands of high-severity zero-day vulnerabilities, including previously overlooked flaws in major operating systems and web browsers. For example, it discovered a 27-year-old bug in OpenBSD, a highly regarded open-source operating system known for its security focus. This vulnerability allowed for remote crashes and is particularly alarming given OpenBSD’s use in sectors requiring robust network security.
Experts argue that the deep-rooted nature of this vulnerability could have been mitigated, as AI security tools typically detect and stop attackers at the edge of the network. Yet, attackers do not rely solely on new zero-day vulnerabilities. Historically, about 75% of all compromises involve one or more of just ten known vulnerabilities, all of which had available patches.
The 2017 global spread of the WannaCry ransomware exemplifies this, as it exploited a known vulnerability in Microsoft Windows’ Server Message Block protocol, even though a security patch was released two months prior. More than 230,000 computers across 150 countries, including those of the British National Health Service and FedEx, had not applied the fix, leading to widespread disruption.
In another significant incident, the background check company National Public Data reported in 2024 a massive breach affecting 2.9 billion individuals across the US, Britain, and Canada. Hackers exploited unpatched vulnerabilities in the company’s open-source Apache servers, despite fixes existing two years prior. The stolen data was later sold for $3.5 million on the dark web, culminating in the company’s bankruptcy.
In Singapore, a major data breach in 2018 affecting 1.5 million patients’ personal information was similarly attributed to unpatched servers and other security oversights. These incidents underline the critical issue of applying software patches effectively within organizations.
Unpatched software flaws remain a leading cause of cyberattacks. Many organizations struggle with timely patch application, as IT departments often face immense pressure. They are typically unrecognized when systems run smoothly but are immediately blamed when issues arise. This has fostered a culture of hesitance, leading to an “if it ain’t broke, don’t fix it” mentality towards patching.
Patching systems is further complicated by the need to test updates extensively, which can take months. Organizations often prioritize maintaining operational continuity over implementing patches, fearing disruption to essential services. Consequently, patch fatigue sets in, with thousands of vulnerabilities reported each year and frequent updates issued by vendors. This means organizations are often prompted to apply multiple fixes daily.
As stakeholders process the implications of Claude Mythos Preview, investing in AI-powered patch testing should become a top priority. Although outpacing flaw discovery may be unrealistic, acknowledging the necessity of timely patching is a crucial first step.
On an individual level, consumers can also bolster their security by using unique passwords for different accounts, enabling multi-factor authentication, and updating their devices promptly. Additionally, users should exercise caution with unsolicited links that may lead to data breaches.
If Claude Mythos Preview was intended as a public relations exercise, it succeeded, capturing the attention of numerous reputable media outlets. This attention has sparked a competitive race for leadership in AI-driven cybersecurity solutions, as other firms, including OpenAI, work on advanced models to address emerging threats. In the wake of these developments, all organizations must rigorously evaluate their security processes, particularly regarding automation in patch testing.