
In this episode of Cybersecurity Today, host David Shipley discusses several pressing concerns in the cybersecurity landscape. Attackers have been exploiting Fortinet VPN devices to maintain access even after patches were applied; administrators are...
David Shipley
Attackers continue to exploit patched Fortinet devices with read-only access; Windows inetpub folder created by security fix, don't delete, says Microsoft; and AI hallucinating code dependencies becoming new supply chain risk. This is Cybersecurity Today and I'm your host, David Shipley.

The collective thumping sound you may have heard last week was likely from thousands of Fortinet VPN administrators banging their heads on their desks after it was revealed attackers had maintained access to compromised VPN devices even after patches for multiple critical vulnerabilities. Fortinet issued a warning last week that threat actors were using a post-exploitation technique that helped them maintain read-only access to previously compromised FortiGate VPN devices even after the original attack had been patched. Last week, Fortinet emailed customers warning their FortiGate/FortiOS devices were compromised based on telemetry received from FortiGuard devices. These emails were titled "Notification of Device Compromise - FortiGate / FortiOS - Urgent action required" and given a TLP:AMBER+STRICT designation. It warned customers that attackers had left behind a file that enabled read-only access to the compromised devices even after patches for such vulnerabilities as CVE-2022-42475, CVE-2023-27997 and CVE-2024-21762. The attackers created what's known as symbolic links in the language files folder to the root file system on devices that had SSL VPN services enabled. That allowed the attackers to maintain read-only access to the root file system through the publicly accessible SSL VPN web panel even after the attackers had been discovered and evicted from compromised devices. In a statement shared with The Hacker News, watchTowr CEO Benjamin Harris said the incident is a concern for two important reasons. Quote, "First, in the wild, exploitation is becoming significantly faster than organizations can patch," Harris said. And, quote, "more importantly, attackers are demonstratively and deeper aware of this fact," end quote. These attacks go back to at least 2023. Fortinet VPN clients are urged to upgrade to the latest versions, to consult Fortinet's guidance on treating all configuration files as potentially compromised, and to follow the company's recovery guidance.

Did you notice a strange new folder on your Windows computer's C drive recently? Turns out Microsoft's April cumulative update patches have created a folder called inetpub, which is normally only created and used when people enable web hosting services through its Internet Information Services, or IIS. Even though deleting the folder did not cause issues using Windows in tests by some, Microsoft told BleepingComputer on Thursday that this empty folder had been intentionally created and should not be removed. While Microsoft still has to explain why the security updates are creating this folder in the first place, the company updated an advisory for the Windows Process Activation Elevation of Privilege vulnerability, which is tracked as CVE-2025-21204, late last week to warn users not to delete the now-empty inetpub folder on their hard drives. The CVE-2025-21204 security flaw is caused by an improper link resolution issue before file access. This means that on unpatched devices, Windows Update may follow symbolic links in a way that can let local attackers trick the system into accessing or modifying unintended files or folders. Microsoft warns that successful exploitation can let local attackers with low privileges escalate permissions and, quote, "perform and/or manipulate file management operations on the victim machine in the context of the NT AUTHORITY\SYSTEM account," end quote. If you did end up deleting that strange inetpub folder after the April updates, you can recreate it by going to the Windows "Turn Windows features on or off" Control Panel and installing Internet Information Services. This will recreate the inetpub folder with the same system ownership as the April update. Now, if you don't regularly use IIS, make sure you go back and turn off that option and reboot your machine. This will remove the software, but it will leave that C drive inetpub folder behind.

Using code created by generative AI large language models, or LLMs, without carefully reviewing it is always a risky play, but even more so now that attackers are looking for hallucinations in the code for existing package dependencies and creating those packages and loading them with malicious code. The Register nailed this issue in typical fashion with a fantastic headline last week: quote, "LLMs can't stop making up software dependencies and sabotaging everything," end quote. Researchers have been sounding the alarm on this issue since March of 2024, and a recent study showed that more than 5% of packages recommended by commercial AI models didn't exist, and that figure jumped to a whopping 20% with open source models. This isn't just sloppy coding. It's a new spin on the issue of typosquatting, where scammers cook up bogus or misspelled package names to fool unsuspecting users. Seth Michael Larson, security developer in residence at the Python Software Foundation, has dubbed this AI issue "slopsquatting," with slop being shorthand for the messy, sometimes inaccurate output AI can produce. The lesson: be extremely careful with AI-generated code and review everything by humans. Don't just run it through another AI. We are always interested in your opinion and you can contact us at editorial@technewsday.ca or leave a comment under the YouTube video. I've been your host David Shipley, sitting in for Jim Love, who will be back on Wednesday. Thank you for listening.
Host: Jim Love (Guest Host: David Shipley)
Release Date: April 14, 2025
Podcast Description: Updates on the latest cybersecurity threats to businesses, data breach disclosures, and strategies to secure your firm in an increasingly risky digital landscape.
Timestamp: 00:00
David Shipley opens the episode with a significant issue affecting Fortinet VPN administrators worldwide: attackers retained read-only access to previously compromised FortiGate devices even after patches for multiple critical vulnerabilities had been applied.
Key Points:
- Fortinet emailed affected customers (subject "Notification of Device Compromise", marked TLP:AMBER+STRICT) based on FortiGuard telemetry.
- The original intrusions used known SSL VPN flaws such as CVE-2022-42475, CVE-2023-27997 and CVE-2024-21762, with activity going back to at least 2023.
- Attackers planted symbolic links in the SSL VPN language files folder pointing at the root file system, which let them retain read-only access via the SSL VPN web panel despite patches being implemented.
Notable Quote:
Benjamin Harris, CEO of watchTowr, emphasized the gravity of the situation in a statement shared with The Hacker News:
"First, in the wild, exploitation is becoming significantly faster than organizations can patch. And more importantly, attackers are demonstratively and deeper aware of this fact."
[Timestamp: 02:30]
Implications for Businesses: Organizations using Fortinet VPNs are urged to:
- Upgrade FortiOS to the latest fixed versions.
- Treat all configuration files on affected devices as potentially compromised, per Fortinet's guidance.
- Follow Fortinet's recovery guidance rather than relying on patching alone, since patching does not remove a planted symlink.
Timestamp: 15:45
Shipley transitions to discuss a peculiar development observed by Windows users following Microsoft's April Cumulative Update. A new folder named inetpub appeared on the C drive, typically associated with Internet Information Services (IIS) when web hosting services are enabled.
Key Points:
- The April cumulative update creates an empty C:\inetpub folder, which users are advised not to delete.
- Microsoft tied the folder to its advisory for CVE-2025-21204 (Windows Process Activation Elevation of Privilege), an improper link resolution before file access flaw: on unpatched systems Windows Update may follow symbolic links, letting a low-privileged local attacker manipulate files as NT AUTHORITY\SYSTEM.
- If accidentally removed, the folder can be recreated via the Windows Features panel by installing IIS; uninstalling IIS afterwards leaves the inetpub folder in place.
Notable Quote:
Microsoft, as relayed by BleepingComputer, clarified the necessity of the folder:
"This empty folder had been intentionally created and should not be removed."
[Timestamp: 18:10]
Security Recommendations:
- Install the April cumulative update and leave C:\inetpub in place.
- If it was already deleted, recreate it by enabling Internet Information Services under "Turn Windows features on or off"; if you do not use IIS, disable it again afterwards and reboot. The folder stays behind.
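Both of the stories above are the same class of bug seen from two sides: on the FortiGate, a symlink dropped into a web-served language folder let the SSL VPN panel read the whole root file system, and in CVE-2025-21204 a privileged Windows component followed a link into a location it should not have touched. The added example below (my illustration, not code from Fortinet, Microsoft or the podcast) shows the generic check: resolve every link before access and refuse anything that escapes the served directory, plus a scanner that lists escaping links in a directory tree. The directory layout, file names and the symlink target `/` are constructed for the demo and do not reflect the real FortiOS layout; it needs a POSIX host where the user may create symlinks.

```python
import os
import tempfile


def resolves_inside(base_dir: str, rel_path: str) -> bool:
    """True only if base_dir/rel_path, after every symlink is followed,
    still lies inside the real base directory (the check a server must do
    before serving a file from a web-accessible folder)."""
    base_real = os.path.realpath(base_dir)
    target_real = os.path.realpath(os.path.join(base_real, rel_path))
    return os.path.commonpath([base_real, target_real]) == base_real


def naive_read(base_dir: str, rel_path: str) -> bytes:
    """Vulnerable pattern: joins the path and opens it, following any symlink."""
    with open(os.path.join(base_dir, rel_path), "rb") as fh:
        return fh.read()


def safe_read(base_dir: str, rel_path: str) -> bytes:
    """Hardened pattern: refuse the request if link resolution escapes base_dir."""
    if not resolves_inside(base_dir, rel_path):
        raise PermissionError(f"{rel_path!r} resolves outside {base_dir!r}")
    return naive_read(base_dir, rel_path)


def find_escaping_links(base_dir: str) -> list[str]:
    """Scan a served directory and list every symlink whose final target is
    outside it: the post-compromise artifact an administrator wants to spot."""
    base_real = os.path.realpath(base_dir)
    escaping = []
    for dirpath, dirnames, filenames in os.walk(base_dir, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                target = os.path.realpath(full)
                if os.path.commonpath([base_real, target]) != base_real:
                    escaping.append(os.path.relpath(full, base_dir))
    return sorted(escaping)


def build_demo_webroot() -> str:
    """Constructed sample, not a real FortiOS layout: a web root with one
    legitimate language file and a planted symlink to the filesystem root."""
    root = tempfile.mkdtemp(prefix="webroot-")
    lang_dir = os.path.join(root, "lang")
    os.makedirs(lang_dir)
    with open(os.path.join(lang_dir, "en.json"), "w") as fh:
        fh.write('{"login": "Login"}')
    # The persistence trick: a link inside a web-served folder pointing at "/".
    os.symlink("/", os.path.join(lang_dir, "en.json.bak"))
    return root


if __name__ == "__main__":
    root = build_demo_webroot()
    print("escaping links:", find_escaping_links(root))
    # Through the planted link the naive reader would serve any root-level
    # file the process can read; the safe reader refuses the same path.
    evil = "lang/en.json.bak/etc/hostname"
    print("naive reader would follow the link:", not resolves_inside(root, evil))
    try:
        safe_read(root, evil)
    except PermissionError as err:
        print("safe_read refused:", err)
```

The scanner is the part worth running periodically on anything that serves static files: a link that resolves outside the served tree is almost never legitimate, and it survives patching because it is data on disk, not a bug in the binary. Note that `realpath` resolves the whole chain, so a link to a link to `/` is caught too.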
Timestamp: 25:20
The episode concludes with the emerging risks posed by generative AI in software development, specifically "slopsquatting": AI models hallucinate package dependencies that do not exist, and attackers register packages under those names and load them with malicious code, adding a new threat to software supply chains.
Key Points:
- Researchers have warned about hallucinated dependencies since March 2024; a recent study found more than 5% of packages recommended by commercial models did not exist, rising to about 20% for open source models.
- The attack is a new spin on typosquatting: instead of relying on misspellings, attackers register the names LLMs invent.
- Seth Michael Larson of the Python Software Foundation coined the term "slopsquatting".
Notable Quote:
The Register's headline succinctly captures the threat:
"LLMs can't stop making up software dependencies and sabotaging everything."
[Timestamp: 28:45]
Preventative Measures:
- Have humans review AI-generated code before it is run; do not delegate the review to another AI.
- Confirm that every dependency the code pulls in actually exists and is the established package you expect, not a recently registered lookalike.
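A concrete way to apply the dependency check above, as an added example that is not from the podcast, The Register or the Python Software Foundation: parse the requirements an LLM produced, normalise each name the way the Python index does (PEP 503), and sort them into known, unknown (a candidate hallucination) and near-miss of a known name (typosquat-style). The `KNOWN_PACKAGES` set and the sample requirements are constructed stand-ins so the script runs offline; in real use you would query the index instead.

```python
import re
from difflib import SequenceMatcher

# Constructed stand-in for a snapshot of the package index (not real PyPI data).
KNOWN_PACKAGES = {
    "requests", "numpy", "flask", "sqlalchemy", "pyyaml",
    "cryptography", "python-dateutil", "beautifulsoup4",
}

# Constructed sample of what an LLM might emit as requirements.txt.
SAMPLE_REQUIREMENTS = """
requests>=2.31
numpy==1.26.4
flask-auth-jwt-helper   # hallucinated name (constructed for this example)
beutifulsoup4           # misspelled real package (constructed)
PyYAML
"""

REQ_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalisation: runs of '-', '_' and '.' become '-', lower-cased."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list[str]:
    """Extract bare project names from requirements.txt-style lines,
    dropping comments, blank lines and pip options."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = REQ_NAME.match(line)
        if match:
            names.append(match.group(1))
    return names


def closest_known(name: str, known: set[str], threshold: float = 0.8):
    """Return (best_match, ratio) if some known name is similar enough,
    else (None, ratio). Cheap typosquat detector for short names."""
    best, score = None, 0.0
    for candidate in known:
        ratio = SequenceMatcher(None, name, candidate).ratio()
        if ratio > score:
            best, score = candidate, ratio
    return (best, score) if score >= threshold else (None, score)


def audit(text: str, known: set[str] = KNOWN_PACKAGES) -> dict:
    """Classify each requested dependency before anything is installed."""
    known_norm = {normalize(k) for k in known}
    report = {"ok": [], "unknown": [], "lookalike": []}
    for raw in parse_requirements(text):
        name = normalize(raw)
        if name in known_norm:
            report["ok"].append(raw)
            continue
        near, _ = closest_known(name, known_norm)
        if near:
            report["lookalike"].append((raw, near))   # probably a typo
        else:
            report["unknown"].append(raw)             # possibly hallucinated
    return report


if __name__ == "__main__":
    for bucket, items in audit(SAMPLE_REQUIREMENTS).items():
        print(f"{bucket:10s}: {items}")
```

Two caveats a practitioner should keep in mind. First, "unknown" here means not in the snapshot; against a live index the dangerous case is the opposite one, where the hallucinated name does resolve because an attacker has already registered it, so existence alone is not a pass and you still want to look at the package's age, maintainer and download history. Second, the similarity threshold is a heuristic; tune it against your own dependency set rather than trusting 0.8 blindly.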
David Shipley wraps up the episode by reiterating the importance of staying informed and vigilant against evolving cybersecurity threats. He highlights the necessity of proactive measures, such as regular updates, thorough reviews of AI-generated content, and adherence to security advisories from trusted vendors.
Final Quote:
"Be extremely careful with AI generated code and review everything by humans. Don't just run it through another AI."
[Timestamp: 35:00]
Listeners are encouraged to reach out with their opinions and concerns via email at editorial@technewsday.ca or by leaving comments under the podcast's YouTube video.
Stay tuned for the next episode of Cybersecurity Today, hosted by Jim Love, where we continue to explore the latest in cybersecurity threats and defenses.