Attackers continued to exploit patched Fortinet devices with read-only access. Windows inetpub folder created by security fix: don't delete it, says Microsoft. And AI-hallucinated code dependencies are becoming a new supply chain risk. This is Cybersecurity Today, and I'm your host, David Shipley. The collective thumping sound you may have heard last week was likely from thousands of Fortinet VPN administrators banging their heads on their desks after it was revealed that attackers had maintained access to compromised VPN devices, even after patches for multiple critical vulnerabilities.
Fortinet issued a warning last week that threat actors were using a post-exploitation technique that helped them maintain read-only access to previously compromised FortiGate VPN devices even after the original attack had been patched. Last week, Fortinet emailed customers warning that their FortiGate/FortiOS devices were compromised, based on telemetry received from FortiGuard devices.
These emails were titled "Notification of Device Compromise - FortiGate/FortiOS. Urgent Action Required" and given a TLP:AMBER+STRICT designation. It warned customers that attackers had left behind a file that enabled read-only access to the compromised devices even after patches for such vulnerabilities as CVE-2022-42475, CVE-2023-27997 and CVE-2024-21762.
The attackers created what's known as symbolic links in the language files folder to the root file system on devices that had SSL-VPN services enabled. That allowed the attackers to maintain read-only access to the root file system through the publicly accessible SSL-VPN web panel, even after the attackers had been discovered and evicted from compromised devices.
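As an added illustration (not from the podcast, Fortinet, or any other vendor), a defender-side check for the pattern just described: a scan that flags any symlink inside a directory that is meant to be self-contained, such as a web-served language-files folder, whose target resolves outside that directory. The fixture directory, file names and link targets are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(root: str) -> list[tuple[str, str]]:
    """Return (link_path, raw_link_target) for every symlink under root whose
    resolved target lies outside root. Symlinked directories are not descended,
    so a link to '/' cannot turn the walk into a scan of the whole filesystem."""
    root_real = Path(root).resolve()
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            try:
                # Follows the whole chain; dangling links still resolve to a path.
                target = link.resolve(strict=False)
            except (OSError, RuntimeError):
                # A symlink loop is suspicious in its own right: report it.
                hits.append((str(link), os.readlink(link)))
                continue
            if target != root_real and root_real not in target.parents:
                hits.append((str(link), os.readlink(link)))
    return hits


def build_demo_tree() -> str:
    """Constructed fixture standing in for a web-served language-files folder:
    one real file, one benign relative link, one link that escapes to '/'."""
    root = tempfile.mkdtemp(prefix="lang_files_")
    (Path(root) / "en.json").write_text('{"login": "Login"}')
    os.symlink("en.json", Path(root) / "en_alias.json")  # stays inside root: allowed
    os.symlink("/", Path(root) / "help")                 # exposes the root filesystem: flag it
    return root


if __name__ == "__main__":
    for link, target in find_escaping_symlinks(build_demo_tree()):
        print(f"ESCAPING SYMLINK: {link} -> {target}")
```

The same check applies to any server that publishes a directory over HTTP: a link that resolves outside the published tree is a read primitive for whoever can reach that URL.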
In a statement shared with The Hacker News, watchTowr CEO Benjamin Harris said the incident is a concern for two important reasons. Quote: "First, in-the-wild exploitation is becoming significantly faster than organizations can patch," Harris said, "and more importantly, attackers are demonstrably and deeply aware of this fact." End quote. These attacks go back to at least 2023.
Fortinet VPN clients are urged to upgrade to the latest versions, to consult Fortinet's guidance on treating all configuration files as potentially compromised, and to follow the company's recovery guidance.

Did you notice a strange new folder on your Windows computer's C: drive recently? Turns out Microsoft's April cumulative update patches have created a folder called inetpub, which is normally only created and used when people enable web hosting services through Internet Information Services, or IIS. Even though deleting the folder did not cause issues using Windows in tests by some, Microsoft told BleepingComputer on Thursday that this empty folder had been intentionally created and should not be removed.
While Microsoft still has to explain why the security updates are creating this folder in the first place, the company updated its advisory for the Windows Process Activation elevation-of-privilege vulnerability, tracked as CVE-2025-21204, late last week to warn users not to delete the now-empty inetpub folder on their hard drives. The CVE-2025-21204 security flaw is caused by an improper link resolution issue before file access.
This means that on unpatched devices, Windows Update may follow symbolic links in a way that can let local attackers trick the system into accessing or modifying unintended files or folders. Microsoft warns that successful exploitation can let local attackers with low privileges, quote, "escalate permissions and perform and/or manipulate file management operations on the victim machine in the context of the NT AUTHORITY\SYSTEM account," end quote.
If you did end up deleting that strange inetpub folder after the April updates, you can recreate it by going to the Windows "Turn Windows features on or off" control panel and installing Internet Information Services. This will recreate the inetpub folder with the same SYSTEM ownership as the April update. Now, if you don't regularly use IIS, make sure you go back and turn off that option and reboot your machine.
This will remove the software, but it will leave that C:\inetpub folder behind.

Using code created by generative AI large language models, or LLMs, without carefully reviewing it is always a risky play, but even more so now that attackers are looking for hallucinations in the code for existing package dependencies and creating those packages and loading them with malicious code.
The Register nailed this issue in typical fashion with a fantastic headline last week, quote, "LLMs can't stop making up software dependencies and sabotaging everything," end quote. Researchers have been sounding the alarm on this issue since March of 2024, and a recent study showed that more than 5% of packages recommended by commercial AI models didn't exist, and that figure jumped to a whopping 20% with open source models. This isn't just sloppy coding.
It's a new spin on the issue of typosquatting, where scammers cook up bogus or misspelled package names to fool unsuspecting users. Seth Michael Larson, security developer in residence at the Python Software Foundation, has dubbed this AI issue "slopsquatting," with "slop" being shorthand for the messy, sometimes inaccurate output AI can produce. The lesson: be extremely careful with AI-generated code and have everything reviewed by humans. Don't just run it through another AI.
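As an added example (not from the podcast, the Python Software Foundation, or any package registry), one concrete control against the slopsquatting risk just described: before anything is installed, audit every dependency name in a requirements file against a vetted allow-list and surface near-miss spellings that look like typosquats of packages you already trust. The allow-list and the requirements file below are constructed; in practice the allow-list would be your internal index or mirror, which is where an LLM-invented name fails to resolve.

```python
import difflib
import re

# Constructed allow-list standing in for an organisation's vetted package set.
KNOWN_PACKAGES = {"requests", "urllib3", "cryptography", "PyYAML", "boto3", "fastapi", "pydantic"}

_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of '-', '_' and '.' to '-',
    so 'PyYAML', 'pyyaml' and 'Py_YAML' all compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list[str]:
    """Extract normalised project names from requirements.txt-style lines,
    ignoring comments, blank lines and pip options such as '--index-url'."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = _NAME_RE.match(line)
        if match:
            names.append(normalize(match.group(1)))
    return names


def audit_requirements(text: str, known: set[str] = KNOWN_PACKAGES) -> dict[str, list[str]]:
    """Return {unvetted_name: [closest vetted names]} for every requirement not on
    the allow-list. An empty suggestion list means the name resembles nothing you
    trust (a likely hallucination); a close match suggests a typosquat."""
    known_norm = sorted({normalize(k) for k in known})
    findings = {}
    for name in parse_requirements(text):
        if name in known_norm:
            continue
        findings[name] = difflib.get_close_matches(name, known_norm, n=3, cutoff=0.6)
    return findings


# Constructed requirements file of the kind an assistant might emit.
SAMPLE_REQUIREMENTS = """\
requests>=2.31
PyYAML==6.0.1
fastapi-jwt-auth2   # plausible-sounding name that is not on the allow-list
cryptography
requestss           # one letter away from a trusted package
"""

if __name__ == "__main__":
    for name, near in audit_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"BLOCK {name}: " + (f"did you mean {near}?" if near else "no vetted package resembles this"))
```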
We are always interested in your opinion, and you can contact us at [email protected] or leave a comment under the YouTube video. I've been your host, David Shipley, sitting in for Jim Love, who will be back on Wednesday. Thank you for listening.