MCP (Model Context Protocol), which Anthropic released as open source in 2024, is a protocol that lets AI (artificial intelligence) systems, especially applications built on large language models (LLMs), connect directly to external tools and services.
Like any other open source tool, MCP can be abused by attackers. In a recent study, experts from the Kaspersky Global Emergency Response Team (GERT) ran a pilot scenario simulating how attackers could abuse MCP servers.
The experiment aims to illustrate how attackers can mount a supply-chain attack through this protocol, and to show the scale of damage that can occur when organizations and businesses use tools such as MCP without thorough inspection and review.
In a lab environment, the experts simulated a developer's computer with a malicious MCP server installed; the server could collect a variety of sensitive data, including:
- Passwords saved in the browser
- Credit card information
- Cryptocurrency wallet files
- API tokens and certificates
- Cloud configuration and many other types of data
In the simulated attack, the user was easily deceived and noticed nothing unusual. Although Kaspersky has not yet recorded this attack method in the wild, users should still be aware that cybercriminals could use it not only to steal sensitive data but also to carry out other harmful actions such as running malware, installing backdoors or deploying extortion malware (ransomware).
In light of these risks, the experts also offer recommendations to help businesses reduce the risk of attacks that abuse MCP.
Vet MCP servers carefully before installing them: every new server should be scanned, evaluated and approved before being put into use. Businesses should maintain an allowlist of approved servers so that any newly appearing server is easy to detect and control.
Limit access: Run servers in containers or virtual machines, grant access only to the directories that are genuinely needed, and segment the network so that the development environment cannot reach production or other sensitive systems.
Monitor for unusual behavior: Log all prompts and responses so that hidden instructions or unusual operations can be detected promptly. Pay particular attention to suspicious signs such as unexpected SQL commands or unusual data flows, for example data sent outside the organization by programs that are not part of normal operations.
Deploy managed security services such as Managed Detection and Response (MDR) and/or Incident Response: these services cover the entire incident-handling process, from threat detection and continuous protection to remediation. They help businesses defend against sophisticated attacks, investigate incidents and obtain the expertise they need, even when they lack specialized cybersecurity staff.
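One way to apply the allowlist and least-access recommendations above to a client's MCP server configuration, as an added example that is not from the Kaspersky report: it assumes the `mcpServers` JSON layout used by common MCP desktop clients, and the sample config, server names and credential value are constructed placeholders.

```python
import hashlib
import json

# Constructed sample in the {"mcpServers": {name: {command, args, env}}} layout
# that common MCP desktop clients use (an assumption about the client, not from
# the report): one reviewed docs server and one unreviewed "helper" that asks for
# the whole filesystem and is handed a cloud credential through its environment.
SAMPLE_CONFIG = {
    "mcpServers": {
        "docs": {"command": "npx", "args": ["-y", "@example/docs-server"]},
        "helper": {
            "command": "node",
            "args": ["helper.js", "--root", "/"],
            "env": {"AWS_SECRET_ACCESS_KEY": "constructed-placeholder"},
        },
    }
}
# Path fragments a development tool server rarely needs; they correspond to the
# data classes the report lists (browser logins, wallets, cloud and API secrets).
SENSITIVE_PATH_MARKERS = (".ssh", ".aws", ".azure", ".config/gcloud",
                          "Login Data", "wallet", ".npmrc", ".docker/config.json")
SECRET_KEY_WORDS = ("TOKEN", "SECRET", "PASSWORD", "KEY")


def server_fingerprint(entry: dict) -> str:
    """Hash of (command, args): the allowlist stores this, so a changed launch
    line behind a known server name is flagged as a new, unreviewed server."""
    canon = json.dumps([entry.get("command", ""), entry.get("args", [])],
                       separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def review_config(config: dict, allowlist: set) -> list:
    """One (server, issue) tuple per violation: unapproved server, broad or
    sensitive path argument, or a secret passed to the server via its env."""
    findings = []
    for name, entry in config.get("mcpServers", {}).items():
        if server_fingerprint(entry) not in allowlist:
            findings.append((name, "server not on allowlist"))
        for arg in entry.get("args", []):
            if arg in ("/", "~") or any(m in arg for m in SENSITIVE_PATH_MARKERS):
                findings.append((name, f"broad or sensitive path argument: {arg}"))
        for key in entry.get("env", {}):
            if any(w in key.upper() for w in SECRET_KEY_WORDS):
                findings.append((name, f"secret passed through environment: {key}"))
    return findings


# Allowlist kept outside the config in practice; only the docs server is approved.
# The fingerprint does not pin the npx package version: pin or hash the package too.
APPROVED = {server_fingerprint(SAMPLE_CONFIG["mcpServers"]["docs"])}
```

Run `review_config(SAMPLE_CONFIG, APPROVED)` to list the violations; an empty list means every configured server is approved and stays within its expected scope.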