Cyber security experts at Wiz discovered that a bug in six famous AI coding assistants allows a booby-trapped code project to silently take ...
Mount Royal University (MRU) has confirmed that threat actors stole data and deleted files after breaching the university's network in a cyberattack that continues to affect recovery efforts weeks after the incident.
In an update published on its website, the Calgary-based public university said the attack occurred on June 17 and that internal technical teams are working alongside external cybersecurity specialists to investigate the intrusion, determine its full scope, and restore affected systems.
The cyberattack disrupted a wide range of university services, including internet connectivity, online platforms, and several internal systems used across campus. Recovery efforts remain ongoing, with the university warning that restoring all affected services may take several weeks or, in some cases, months.
According to the university's investigation, attackers gained unauthorized access to data stored on the institution's "H drive," a file storage system used by students and employees. Investigators have confirmed that files stored within certain folders were accessed and exfiltrated before the attackers deleted the original copies, a move that has further complicated recovery operations.
"We regret to inform our community that our investigation has now shown that data within certain folders on the University's 'H drive' was accessed and taken by an unauthorized actor," the university said in its advisory.
MRU said the affected folders contained information relating to current and former students, current and former employees, as well as other individuals whose data was stored within the impacted environment. The university has not yet disclosed the exact categories of information exposed or the total number of people affected.
The investigation also found that attackers deleted data stored on a separate departmental file storage system known as the "J drive." While the university said there is currently no evidence that information from the J drive was accessed or copied before it was erased, officials cautioned that recovering the deleted data remains an ongoing process and acknowledged that a complete restoration may not be possible.
The university has reported the incident to the Alberta Information and Privacy Commissioner and notified law enforcement authorities. Officials added that determining the precise impact for each affected individual will take time because the deletion of files has made forensic analysis more complex. Individuals whose information is confirmed to have been affected will receive direct notifications as the investigation progresses.
Responsibility for the attack has been claimed by the cybercrime group CMD Organization, which has published samples of what it alleges is stolen university data, including passport scans and other sensitive documents.
The group is demanding a ransom of 30 Bitcoin, valued at approximately $1.9 million at current exchange rates, and has reportedly given the university six days to respond before releasing additional data. CMD Organization also appears to operate an auction-based extortion model, advertising exclusive access to stolen datasets for the highest bidder through both clear web and dark web leak sites. At the time of writing, the group lists approximately 30 organizations on its extortion portal.
Founded more than a century ago, Mount Royal University currently serves about 11,560 students, including roughly 12,500 undergraduate learners.
As recovery work continues, the university said it will provide additional updates as more information becomes available. MRU is also offering two years of credit monitoring and identity theft protection to current employees and individuals who have worked at the university within the past five years.
After this, the attacker could read chats, steal user data, and command bots to send hacker-written texts such as re-entering a password.
Cyber security firm Varonis discovered the tactic and called it ‘Rogue Agent.’ The bug impacted only businesses that make agents with custom Code Blocks and Dialogflow’s Playbooks, which allows hackers to add their own Python. The attack was not remote, or unauthorized.
For the attack to happen, it required the dialogflow.playbooks.update green light one such agent, which restricts the hacker to an infected insider or a breached developer account, not some stranger on the web. From that point, the reach extended to every agent inside the project.
Google has patched the bug, and Varonis and Google have said there are no signs that the flaw was deployed in a real attack or campaign.
Dialogflow’s Code Blocks allows developers to add custom Python to a chatbot’s flow to test input, invoke defined tools, and control behavior.
The code runs within a Google-operated Cloud Run environment, and every agent that uses Code Blocks in the similar Google Cloud project shares one incident of it. The customer cannot control or see the environment that Google runs, meanwhile Varonis discovered no real separation between the agents within it.
When the agent runs a Code Block, the code is added to internal setup code and sent to Python’s exec()function. The functions and variables that block can touch are defined by the setup.
Functions consist(), which makes the bot reply with a given string, whereas variables consist of a history of full chats and state for session information such as the session ID.
Varonis discovered code_execution_env.py, the file that does this wrapping, lying in the shared environment with write access.
As the file was writable, a single Code Block could change it. The block downloads an altered code_execution_env.py from a threat actor-controlled server and overwrites the original within the running container.
After that, the attacker’s variant commands every Code Block deployment throughout every agent that shares the environment. The attacker’s code sits in the same place as the real code, with similar access to respond(), state, and history,