Transcript
A (0:00)
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular, in one integrated solution that's built for performance and scale, and you can find them at meter.com/CST.

Over 3.2 million Fortinet devices were exposed in an actively exploited FortiCloud authentication bypass. Docker patches critical Ask Gordon AI flaw, and Hugging Face is abused to quietly deliver Android malware through fake apps. This is Cybersecurity Today. I'm your host, Jim Love.

More than 3 million Fortinet devices were found exposed online with web-accessible management interfaces vulnerable to an authentication bypass tracked as CVE. Fortinet has confirmed the flaw and that it's been exploited in the wild. The issue affects deployments where FortiCloud single sign-on is enabled on the management interface. An attacker with any valid FortiCloud account and a registered device could authenticate into other organizations' Fortinet devices, crossing tenant boundaries. While FortiCloud SSO is disabled by default, Fortinet says administrators often enable it during FortiCare device registration unless they explicitly turn off the option labeled "Allow administrative login using FortiCloud SSO". When it's left enabled and exposed to the Internet, the feature becomes the entry point. Once inside, attackers were observed to create local administrator accounts to maintain persistence. Fortinet reports these accounts were deliberately given legitimate-looking names that would not immediately raise suspicion, including Audit, Back, Backup, IT Admin, SEC Admin Support, SVC Admin, and System. Affected products include FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb across multiple supported released branches.
The vulnerability carries a CVSS score of 9.4, and it's been added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities catalog, which usually means they're confirming active exploitation. Fortinet has issued patches and CISA has set an aggressive remediation deadline for affected organizations. As part of its response, Fortinet disabled FortiCloud SSO on the FortiCloud service itself on January 26th. The service was re-enabled on January 27th, but it now blocks authentication attempts from devices running vulnerable firmware versions. As a result, customers must upgrade to the latest fixed versions for FortiCloud SSO authentication to function. Fortinet's advisory, which we've linked in the show notes, includes detailed indicators of compromise, including the IP addresses and administrator account names observed in active attacks. Administrators are advised to review those indicators closely during incident response and threat hunting activities.

Docker has released Docker Desktop version 4.50.0 to fix a critical security flaw in Docker's built-in AI assistant. The issue could allow attackers to hide malicious instructions inside Docker image metadata, which the AI assistant would then read and act on. Ask Gordon is Docker's AI assistant built directly into Docker Desktop and the Docker command line. It's designed to help developers understand images, configurations, and workflows by answering questions in plain language. To do that, Gordon automatically reads contextual information, including the image metadata. The vulnerability arose because Gordon did not clearly distinguish between data and instructions. If a developer asked Gordon about a Docker image and that image contained carefully crafted metadata, the AI could interpret that metadata as instructions rather than information.
Those instructions could then be passed along to Docker's Model Context Protocol, or MCP, Gateway, which connects the AI assistant to Docker tools. And because MCP assumes the AI's requests are trustworthy by design, those hidden instructions could be executed with the user's own permissions. In some configurations that allowed remote code execution. In more restricted setups, researchers showed it could still be used for high-impact data exfiltration, pulling internal configuration details and sending them outside the environment. Security researchers would describe this as a form of indirect prompt injection. Instead of typing a malicious prompt directly into the AI, the attacker hides the instructions somewhere the AI is trained to read, in this case Docker image metadata. It's the same class of problems seen in large language models, but applied to an AI assistant embedded inside a developer tool. Docker's fix requires explicit user confirmation before Gordon can invoke MCP-connected tools, breaking the automatic execution chain. And Docker is urging users to update to version 4.50.0 immediately. The deeper issue here is that AI assistants are treated as passive helpers when in reality, in this new agent environment, they can take real actions and they're implicitly trusted simply because they live inside an application. And this incident shows both of those assumptions are wrong.

Security researchers are warning about a patient multi-stage Android malware campaign that used Hugging Face to host malicious payloads, giving the operation a level of legitimacy that helped it evade suspicion. According to a post by Bitdefender, attackers were distributing fake Android apps that appeared harmless during installation. That's because the apps themselves did not initially contain malware.
Instead, after installation, they contacted external infrastructure to download a remote access Trojan, or a RAT, hosted on Hugging Face repositories, abusing the platform's reputation as a trusted developer and AI resource. Now, critically, these apps were not delivered through the Google Play Store. Victims were directed to install APK files outside the official app ecosystem, a process we all know as sideloading. Now, people might assume that Hugging Face is a reliable source, and it does host legitimate code and models. But it's not set up to screen Android binaries the way an app store does, and the malicious payloads were able to blend in and persist, Bitdefender says. The malware enabled persistent remote access, including device surveillance, data theft, and the ability to deploy additional components later. The campaign relied on delayed execution and clean first impressions, allowing it to bypass both automated scans and casual user scrutiny. It also could take users to what seemed to be legitimate sites, where they could enter their credentials and have those captured. Detection and prevention hinges on a few points. Unexpected outbound connections from newly installed apps, especially the code hosting platforms, are a warning sign. But more fundamentally, sideloading apps, even from well-known platforms, significantly raises risks. Google and other app store operators have learned the hard way that every app update has to be screened, not just the initial upload. That same discipline doesn't always exist outside official app stores, and there's a lesson here about patience. Modern phishing and malware campaigns are increasingly designed to wait, blend in, borrow trust, and when attackers take their time, shortcuts in how the apps are installed and where they come from can quietly undo even very careful security habits.

And that's our show. We'd like to thank Meter for their support in bringing you the podcast.
Meter delivers full-stack networking infrastructure, wired, wireless and cellular, to leading enterprises. Working with their partners, Meter designs, deploys, and manages everything required to get performant, reliable and secure connectivity in a space. They design the hardware, the firmware, build the software, manage deployments, and even run support. It's a single, integrated solution that scales from branch offices, warehouses, and large campuses all the way to data centers. Book a demo at meter.com/CST. That's M E T E R.com/CST. I'm your host, Jim Love. Thanks for listening.
