Transcript
A (0:00)
Canada's House of Commons breached by unknown threat actor. Fortinet faces a storm of high-severity vulnerabilities in numerous products. Microsoft reminds of Windows 10 support ending in two months, and cybersecurity researchers seize on malware source code leak. This is Cybersecurity Today, and I'm your host, David Shipley, coming to you from unusually smoky Fredericton, New Brunswick, where we're getting through a series of extremely unusual and severe forest fires.

Canada's House of Commons and its version of the NSA, the Communications Security Establishment, are investigating a data breach involving parliamentary employee information, according to an internal email obtained by the CBC. The breach was discovered on Friday, August 8th and reported to staff on Monday, August 11th. The email message to staff said a malicious actor exploited a recent Microsoft vulnerability to gain unauthorized access to a database used to manage computers and mobile devices. The CBC did not clarify which Microsoft vulnerability was used. Microsoft has had two major vulnerabilities so far this summer: one earlier this summer with SharePoint Server, and another more recently in August in hybrid Exchange and Microsoft 365 setups, tracked as CVE-2025-53786. Microsoft had warned that this exploit could allow for full domain takeover, which lines up with some of the details of the CBC report. The stolen data includes employee names, job titles, office locations, email addresses and technical details about House-managed devices. The House of Commons has warned members and employees to be vigilant, since the data could be used in scams or impersonation attempts. Now, I'd honestly be surprised if the attack took place on August 8th. If this was the SharePoint vulnerability, that would be a pretty stunning failure to mitigate a risk that was well known by that point. It makes way more sense for this to be the hybrid Exchange vulnerability.

Now, I also can't rule out some other yet-to-be-disclosed vulnerability, but that would be even more surprising at this point. There may also have been much more information lost than what was mentioned in the employee-focused email alert. We'll have to wait and see what the full extent of this compromise was. In the United States, they issued an emergency directive around the Exchange vulnerability on Thursday, August 7th, and gave federal agencies a short turnaround time to get patched, until the following Monday morning, August 11th. But if Ottawa was hit by that CVE, even that window wouldn't have been good. It was hit the very next day after the CVE became known. That's interesting. That's an example of how fast threat actors can act, especially when they think a door is closing. The CSE confirmed it is providing support to the House of Commons, but did say attribution of the incident has not been made. Investigating and attributing malicious activity, it noted, takes time and resources. Canada's National Cyber Threat Assessment, released recently, reported a sharp rise in both the number and the severity of incidents, highlighting that Canada is a valuable target for cybercriminals and state-sponsored actors, with China identified as the most sophisticated threat facing the country.

Last week I warned of a spike in malicious activity targeting Fortinet devices that researchers had noticed. This week we've got not one but two high-severity issues now confirmed, and researchers are still on the lookout for a possible third, specifically targeting Fortinet VPN devices. Fortinet released fixes for multiple flaws, including a critical FortiSIEM bug, CVE-2025-25256, rated 9.8 out of 10 and already being exploited in the wild. This flaw allows unauthenticated attackers to run unauthorized code or commands. It was patched in versions 7.3.2, 7.2.6, 7.1.8, 7.0.4 and 6.7.10. Version 7.4 is not affected, and branches below 6.7 will not get a fix. Customers unable to upgrade are advised to restrict port 7900. Fortinet also patched an authentication bypass, CVE-2024-26009, which was rated 8.1 out of 10. This one affected FortiOS, FortiProxy and FortiPAM. It can be exploited on devices managed by FortiManager if the attacker knows the device's serial number. Successful exploitation could allow for arbitrary code execution. Separately, researcher Aviv Y disclosed and named another bug, FortMajeure, CVE-2025-52970, another 8.1 out of 10 vulnerability, in FortiWeb. This bug allows attackers to create forged authentication cookies with an all-zero encryption key, impersonating any active user.

Microsoft is once again warning that Windows 10 is entering end of life. Well, sort of. Let me explain. Mark your calendars: October 14, 2025. That's the official retirement date. After that, no more security patches, no more bug fixes, and no more tech support, unless you're willing to pay. Because in classic Microsoft fashion, end of life really means pay us more money for more time. Enter the Extended Security Updates program, at $61 per device per year for enterprises or $30 per device for home users, or free if you enable the Windows Cloud Backup tool or use some Microsoft Rewards points. Windows 10 devices tied to Windows 365 Cloud PCs will also get ESU at no extra charge. Meanwhile, adoption of Windows 11 has finally edged ahead. StatCounter reports 53% of devices now run Windows 11, compared to 42% on Windows 10, and gamers are leading, with nearly 60% already migrated.

Well, amidst all the bad news, here's something that can make you smile. It's a rare bit of good news. Sometimes attackers mess up on security, too. Cybersecurity researchers have gained rare insight into the ERMAC 3.0 malware, an advanced Android banking Trojan, thanks to a full source code leak discovered in an open directory. The leak included not just the Android backdoor, but also the command-and-control backend, a React control panel, a Golang exfiltration server, and even an APK builder for making custom malware. According to Hunt.io, ERMAC 3.0 can now target over 700 banking, shopping and cryptocurrency apps using sophisticated form injection methods. It's linked to the threat actor DukeEugene and traces back to malware families like Cerberus, BlackRock, and Hook. Analysis of the code revealed big weaknesses: hard-coded JWT secrets, a static admin token, default root credentials ("changeme", please, seriously), and even an open registration option in the admin API. Importantly, researchers tied this code to live operational infrastructure, identifying active command-and-control panels and exfiltration servers still running in the wild. This gives us defenders something rare: real indicators of compromise and infrastructure fingerprints we can act upon, and we can use to track, disrupt and dismantle ERMAC campaigns.

If you missed Saturday's fantastic dive into the ransomware and Dark Web underground with Flare's awesome researcher Tammy Harper, do yourself a favor and check it out. Tammy's one of the brightest minds in this space, and she and Jim do a great job of making this complex topic easy to follow. As always, stay skeptical, stay patched, and be prepared to contribute to Windows 10's pension if you want to keep it around after October 14th. We're always interested in your opinion, and you can contact us at editorial@technewsday.ca, or you can leave a comment under the YouTube video. Please help us spread the word about the show. Like, subscribe, and if you don't mind, think about leaving a review. And if you enjoy the show, please tell others. We'd love to grow our audience, and we need your help. I've been your host, David Shipley. Jim Love will be back on Wednesday. Thanks for listening.
