
April 14, 2025 6 mins

In this episode of Cybersecurity Today, host David Shipley discusses several pressing concerns in the cybersecurity landscape. Attackers have been exploiting Fortinet VPN devices to maintain access even after patches were applied; administrators are urged to upgrade and follow recovery guidance. Microsoft has created a new inetpub folder through its latest Windows update, advising users not to delete it due to a linked security flaw. Lastly, AI-generated code dependencies are becoming a serious supply chain risk, with attackers creating malicious packages based on AI hallucinations. Users are advised to thoroughly review AI-generated code to avoid 'slopsquatting'.

00:00 Introduction and Fortinet VPN Exploits
02:46 Microsoft's inetpub Folder Issue
04:57 AI Hallucinations and Code Dependencies
06:22 Conclusion and Contact Information


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Attackers continued to exploit patched Fortinet devices with read-only access.
Windows inetpub folder created by security fix.
Don't delete,
says Microsoft. And AI-hallucinated code dependencies
becoming new supply chain risk.
This is Cybersecurity Today, and I'm your host, David Shipley.

(00:22):
The collective thumping sound
you may have heard last week was likely from thousands of Fortinet VPN
administrators banging their heads on their desks after it was revealed
attackers had maintained access to compromised VPN devices, even after patches
for multiple critical vulnerabilities.
Fortinet issued a warning last week that threat actors were using a

(00:43):
post-exploitation technique that helped them maintain read-only access to
previously compromised FortiGate VPN devices even after the original
attack had been patched last week.
Fortinet emailed customers warning their FortiGate/FortiOS devices
were compromised based on telemetry received from FortiGuard devices.

(01:04):
These emails were titled "Notification of Device Compromise, FortiGate/FortiOS,
Urgent Action Required" and given a TLP:AMBER+STRICT designation.
It warned customers that attackers had left behind a file that enabled
read-only access to the compromised devices even after patches for such

(01:24):
vulnerabilities as CVE-2022-42475, CVE-2023-27997 and CVE-2024-21762.
The attackers created what's known as symbolic links in the language files
folder to the root file system on devices that had SSL-VPN services

(01:49):
enabled. That allowed the attackers to maintain read-only access to the
root file system through the publicly accessible SSL-VPN web panel, even
after the attackers had been discovered and evicted from compromised devices.
In a statement shared with The Hacker News, watchTowr CEO Benjamin
Harris said the incident is a concern for two important reasons.

(02:14):
Quote, first, in-the-wild exploitation is becoming significantly faster
than organizations can patch, Harris said, and quote, more importantly,
attackers are demonstrably and deeply aware of this fact, end quote.
These attacks go back to at least 2023.
Fortinet VPN clients are urged to upgrade to latest versions and

(02:37):
to consult Fortinet's guidance on treating all configuration files as
potentially compromised and to follow the company's recovery guidance.
Did you notice a strange new folder on your Windows computer C drive
recently?
Turns out Microsoft's April cumulative update
patches have created a folder called inetpub, which is normally only

(02:58):
created and used when people enable web hosting services through its
Internet Information Services, or IIS.
Even though deleting the folder did not cause issues using Windows in
tests by some, Microsoft told BleepingComputer on Thursday that this
empty folder had been intentionally created and should not be removed.

(03:18):
While Microsoft still has to explain why the security updates are creating
this folder in the first place, the company updated an advisory for the
Windows Process Activation elevation of privilege vulnerability, which is
tracked as CVE-2025-21204, late last week to warn users not to delete the now

(03:39):
empty INET folder on their hard drives.
The CVE-2025-21204 security flaw is caused by an improper link
resolution issue before file access.
This means that on unpatched devices, Windows Update may follow symbolic links
in a way that can let local attackers trick the system into accessing or

(04:01):
modifying unintended files or folders.
Microsoft warns that successful exploitation can let local attackers
with low privileges escalate permissions and perform and/or manipulate file
management operations on the victim machines in the context of the NT
AUTHORITY\SYSTEM account. End quote.

(04:22):
If you did end up deleting that strange inetpub folder after the
April updates, you can recreate it by going to the Windows "Turn Windows
features on or off" control panel and installing Internet Information Services.
This will recreate the inetpub folder with the same system
ownership as the April update.

(04:43):
Now, if you don't regularly use IIS, make sure you go back and turn off
that option and reboot your machine.
This will remove the software, but it will leave that C drive inetpub folder behind.
Using code created by generative AI large language models, or
LLMs, without carefully reviewing

(05:04):
it is always a risky play, but even more so now that attackers are
looking for hallucinations in the code for existing package dependencies
and creating those packages and loading them with malicious code.
The Register nailed this issue in typical fashion with a fantastic
headline last week, quote, LLMs can't stop making up software

(05:26):
dependencies and sabotaging everything,
end quote. Researchers have been sounding the alarm on this issue since
March of 2024, and a recent study showed that more than 5% of packages
recommended by commercial AI models didn't exist, and that figure jumped to
a whopping 20% with open source models.

(05:47):
This isn't just sloppy coding.
It's a new spin on the issue of typosquatting, where scammers cook
up bogus or misspelled package names to fool unsuspecting users.
Seth Michael Larson, a security developer-in-residence at the Python
Software Foundation, has dubbed this AI issue slopsquatting, with slop being

(06:07):
shorthand for the messy, sometimes inaccurate output AI can produce.
The lesson:
be extremely careful with AI-generated code and review everything by humans.
Don't just run it through another AI.
We are always interested in your opinion,
and you can contact us at editorial@technewsday.ca or leave

(06:29):
a comment under the YouTube video.
I've been your host, David Shipley, sitting in for Jim Love,
who will be back on Wednesday.
Thank you for listening.