Transcript
David Shipley (0:00)
Attackers continue to exploit patched Fortinet devices with read-only access, the Windows inetpub folder created by a security fix should not be deleted, says Microsoft, and AI-hallucinated code dependencies are becoming a new supply chain risk. This is Cybersecurity Today and I'm your host, David Shipley.

The collective thumping sound you may have heard last week was likely from thousands of Fortinet VPN administrators banging their heads on their desks after it was revealed attackers had maintained access to compromised VPN devices even after patches for multiple critical vulnerabilities. Fortinet issued a warning last week that threat actors were using a post-exploitation technique that helped them maintain read-only access to previously compromised FortiGate VPN devices even after the original attack had been patched. Last week, Fortinet emailed customers warning their FortiGate FortiOS devices were compromised, based on telemetry received from FortiGuard devices. These emails were titled "Notification of Device Compromise, FortiGate/FortiOS, Urgent Action Required" and were given a TLP:AMBER+STRICT designation. It warned customers that attackers had left behind a file that enabled read-only access to the compromised devices even after patches for such vulnerabilities as CVE-2022-42475, CVE-2023-27997 and CVE-2024-21762. The attackers created what's known as symbolic links in the language files folder to the root file system on devices that had SSL VPN services enabled. That allowed the attackers to maintain read-only access to the root file system through the publicly accessible SSL VPN web panel even after the attackers had been discovered and evicted from compromised devices. In a statement shared with The Hacker News, watchTowr CEO Benjamin Harris said the incident is a concern for two important reasons. Quote, first, in-the-wild exploitation is becoming significantly faster than organizations can patch, Harris said. And, quote, more importantly, attackers are demonstratively and deeper aware of this fact, end quote. These attacks go back to at least 2023. Fortinet VPN clients are urged to upgrade to the latest versions, to consult Fortinet's guidance on treating all configuration files as potentially compromised, and to follow the company's recovery guidance.

Did you notice a strange new folder on your Windows computer's C drive recently? Turns out Microsoft's April cumulative update patches have created a folder called inetpub, which is normally only created and used when people enable web hosting services through its Internet Information Services, or IIS. Even though deleting the folder did not cause issues using Windows in tests by some, Microsoft told BleepingComputer on Thursday that this empty folder had been intentionally created and should not be removed. While Microsoft still has to explain why the security updates are creating this folder in the first place, the company updated an advisory for the Windows Process Activation Elevation of Privilege vulnerability, which is tracked as CVE-2025-21204, late last week to warn users not to delete the now-empty inetpub folder on their hard drives. The CVE-2025-21204 security flaw is caused by an improper link resolution issue before file access. This means that on unpatched devices, Windows Update may follow symbolic links in a way that can let local attackers trick the system into accessing or modifying unintended files or folders. Microsoft warns that successful exploitation can let local attackers with low-privileged access escalate permissions and, quote, perform and/or manipulate file management operations on the victim machine in the context of the NT AUTHORITY\SYSTEM account, end quote. If you did end up deleting that strange inetpub folder after the April updates, you can recreate it by going to the Windows "Turn Windows features on or off" Control Panel and installing Internet Information Services. This will recreate the inetpub folder with the same system ownership as the April update. Now, if you don't regularly use IIS, make sure you go back and turn off that option and reboot your machine. This will remove the software, but it will leave that C drive inetpub folder behind.

Using code created by generative AI large language models, or LLMs, without carefully reviewing it is always a risky play, but even more so now that attackers are looking for hallucinations in the code for existing package dependencies and creating those packages and loading them with malicious code. The Register nailed this issue in typical fashion with a fantastic headline last week: quote, LLMs can't stop making up software dependencies and sabotaging everything, end quote. Researchers have been sounding the alarm on this issue since March of 2024, and a recent study showed that more than 5% of packages recommended by commercial AI models didn't exist, and that figure jumped to a whopping 20% with open source models. This isn't just sloppy coding. It's a new spin on the issue of typosquatting, where scammers cook up bogus or misspelled package names to fool unsuspecting users. Seth Michael Larson, a security developer in residence at the Python Software Foundation, has dubbed this AI issue slopsquatting, with slop being shorthand for the messy, sometimes inaccurate output AI can produce. The lesson: be extremely careful with AI-generated code and have everything reviewed by humans. Don't just run it through another AI.

We are always interested in your opinion, and you can contact us at editorial@technewsday.ca or leave a comment under the YouTube video. I've been your host, David Shipley, sitting in for Jim Love, who will be back on Wednesday. Thank you for listening.
