
A
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale. You can find them at meter.com CST.
B
Fortinet quietly patches zero-day under active exploitation. North Korean IT workers infiltrate 136 companies. Jaguar Land Rover cyberattack cost the company over 220 million so far. Garbage in, garbage out: numerous AI platforms hit with copy-pasted flaw. This is Cybersecurity Today and I'm your host David Shipley, back home in New Brunswick after a fun few days in Los Angeles attending the ChannelPro Defend conference. Let's get started.

It's another rough week for Fortinet customers. Again, the company has confirmed it silently patched a near-perfect-10 critical zero-day vulnerability in its FortiWeb web application firewall, a flaw that researchers say is now being massively exploited in the wild. According to reporting from Bleeping Computer, this issue first surfaced in early October when threat intel firm Defused spotted attackers abusing an unknown path traversal bug to create brand new administrative accounts on exposed FortiWeb devices. Defused shared a proof of concept of the attack on October 6, showing how attackers were sending crafted HTTP POST requests to a Fortinet endpoint to slip past authentication and provision local admin-level users. From there, things escalated quickly. Researchers at watchTowr Labs not only reproduced the exploit, but released a defender-focused tool called FortiWeb Authentication Bypass Artifact Generator (say that three times fast) to help organizations detect vulnerable systems. Rapid7 later confirmed that versions 8.0.1 and earlier were affected and that publicly available exploits stopped working after upgrading to 8.0.2. That's a strong hint. And now we have confirmation that Fortinet had quietly resolved the issue without initially disclosing it. On Friday, Fortinet officially acknowledged the vulnerability, now tracked as CVE-2025-64446, which has a massive score of 9.8 out of 10 on the CVSS.
The flaw boils down to a path confusion bug in the FortiWeb GUI that allows unauthenticated attackers to run administrative commands via crafted HTTP or HTTPS requests. Fortinet says it has seen active exploitation in the wild. A patch is already available, but notably it wasn't released until October 28, roughly three weeks after the first signs of exploitation. If you use FortiWeb, today is the day to check to make sure you're running the latest patched versions. And if you're in the US federal government, the clock is ticking. CISA added the vulnerability to its known exploited vulnerabilities list on Friday and has ordered agencies to patch by November 21st. CISA warns this type of flaw is a common starting point for attackers and poses a significant risk to government systems. If you can't upgrade immediately, Fortinet recommends disabling HTTP and HTTPS access on all internet-facing management interfaces and ensuring access is restricted to trusted networks. But really, you should get patching. Admins should also comb through their configuration files and logs for any new or unauthorized administrator accounts. That's a key indicator of compromise in this campaign. Bleeping Computer notes that Fortinet hasn't yet responded to their questions about the attacks. And of course, this isn't an isolated incident. Back in August, Fortinet patched another critical vulnerability, a command injection vulnerability in FortiSIEM, just a day after GreyNoise flagged a spike in brute force activity targeting Fortinet SSL VPNs. Bottom line here: if you rely on Fortinet, you need to patch immediately. Attackers are already ahead of the game on this one, and the window for defensive action? Well, it's been shattered, so best to get it patched and closed.

The US Department of Justice has announced that five people have pled guilty in a major case involving North Korea's covert effort to infiltrate Western companies by posing as remote IT workers.
According to reporting from The Hacker News, this scheme impacted more than 136 U.S. organizations and generated millions of dollars for the North Korean regime, money that ultimately helps fund its nuclear and missile programs. For several years, North Korea has run a global operation where its workers living abroad apply for remote jobs at Western companies using stolen or borrowed U.S. identities. Once hired, they route their salaries back to the DPRK. The individuals who pleaded guilty played a key role in enabling this fraud. Their involvement included letting overseas IT workers use their US identities to get hired by American companies; hosting company laptops in their homes and installing remote access software so overseas workers could appear to be logging in from inside the United States; helping workers pass background checks, including handling onboarding tasks and even participating in drug testing on their behalf; selling stolen American identities through an online service designed to help overseas workers obtain freelance and full-time IT jobs; and running laptop farms, houses filled with company-issued machines connected for remote use so that workers could mimic US time zones and activity patterns. You gotta give it to the North Koreans on this one. They really thought it through. According to the DOJ, the operation involved hundreds of stolen identities, at least three separate laptop farms, and more than 2.2 million in revenue directed back to North Korea. In a related move, the US government has filed civil complaints to seize over 15 million in cryptocurrency from North Korea's APT38 BlueNoroff hacking unit. Those funds are tied to high-value crypto thefts at exchanges in Estonia, Panama and the Seychelles, part of the regime's long-running cybercrime strategy. This case follows recent Treasury Department sanctions targeting North Korea's global financial facilitators who help move and launder money from these schemes.
Of course, this isn't just a typical cybercrime story. It's a national security issue. Remote work environments have opened new opportunities for sanctioned states like North Korea to slip past corporate controls. When companies unknowingly employ DPRK IT workers, they're not only helping send money to a hostile regime, but they're opening the door to potential data theft, sabotage or espionage. So how do you mitigate this risk? Well, for my company, Beauceron, we've actually implemented a mandatory in-person first week for remote employees. We pay to bring staff to our headquarters to meet with their manager and the rest of the team. It's one surefire, real-time, real-life way to mitigate against this impersonation scheme. Oh, and there's an added bonus. It makes for an even better onboarding experience and a chance for our team members to experience elements of our company's culture.

We've hit a major milestone in the world of cyber risk, and it's not a good one. For the first time, a cyber attack has caused a measurable impact on a country's gross domestic product. And it's not going to be the last time. According to Bleeping Computer, Jaguar Land Rover has revealed the financial hit from its September cyberattack: about 196 million pounds, or about 220 million USD, lost in just a single quarter. The attack forced the company to halt production, shut down its plants and send workers home for weeks. A cybercrime group calling itself Scattered Lapsus$ Hunters claimed responsibility. And of course, this shutdown didn't just affect Jaguar employees. There were 220,000 other employees tied to the UK-based supply chain who were also affected. The shutdown was so severe that the UK government had to step in with a 1.5 billion pound loan guarantee just to keep JLR and its supply chain afloat. When the company released its financial results, the damage was quite clear. JLR reported a loss of almost 500 million pounds for the quarter. They also reported negative EBIT.
That's earnings before interest and taxes, essentially a measure of how profitable the core business is. JLR's EBIT margin dropped to negative 8.6, down from plus 5.1 last year. In plain language, the attack pushed what was a healthy, profitable business deep into the red. The Bank of England then made it real. In its latest Monetary Policy Report, it said the UK GDP came in weaker than expected for the quarter and directly cited the JLR cyberattack as one of the key reasons behind that weakness. This marks the first time a single cyber incident at one company has been large enough to impact a national supply chain and drag down a country's economic output. JLR says operations are now stabilized, suppliers are back online, and production has fully resumed. But the lesson here is much bigger than that. Cyber attacks aren't just corporate problems anymore. They can hit national economies at the worst possible time. And as supply chains get even more digital and tightly interconnected, this absolutely won't be the last time we see a major hit against a company send huge waves throughout a nation's supply chain.

There's an old saying in computing: garbage in, garbage out. But in the fast-moving world of AI development, we're seeing something even more dangerous: garbage copied everywhere. Researchers at Oligo Security discovered a chain of serious remote code execution vulnerabilities across major AI inference frameworks from Meta, Nvidia, Microsoft, and popular open source projects like vLLM and SGLang. And the root cause wasn't a sophisticated cyber attack. It was something far simpler: developers copying insecure code patterns from one project to another, sometimes line for line. Oligo calls this a ShadowMQ pattern, the same flawed code replicated across multiple AI systems. And because these frameworks are widely reused in enterprise AI stacks, the vulnerability became a systemic risk. There were two technologies at the center of this flaw. First, ZeroMQ.
It's a messaging system that moves data between machines. If it's not locked down appropriately, anyone can send data to a server. And second, Python pickle. Python pickle is a tool that saves and loads Python objects. It's incredibly convenient, but extremely dangerous with untrusted data. Because pickle can run code during loading, it was never designed for network-exposed environments. The first sentence in its documentation says this in plain language: the pickle module is not secure. These AI frameworks were taking network data from ZeroMQ and then feeding it directly into pickle. This creates a straight line for attackers to run their own code on GPU servers. Bad news. Why does it matter? Well, inference servers handle sensitive customer prompts, model weights, enterprise data, and high-value GPU workloads. Oligo found thousands of exposed ZeroMQ endpoints online. A successful attack could let someone execute arbitrary code, steal models or data, hijack GPU clusters, install crypto miners, or pivot deeper into a corporate environment. So here's the lesson. This is exactly why AI coding assistants should only be used by trained professional software developers. Any experienced Python developer knows never to use pickle with untrusted network data. Hell, even a novice who bothers to read the documentation would know this. But AI-generated code, especially when copied by someone rushing and not reviewing it, can reproduce these kinds of bad ideas at scale. Folks, check your AI tool outputs and don't copy and paste code if you don't understand it. AI tools can absolutely accelerate productivity, help catch errors, improve QA, and support development teams. But they cannot replace skilled humans who understand secure coding practices, architectural risk, and the consequences a small issue can have when it snowballs in a large ecosystem. Good news: patches are already out for affected systems.
If you're responsible for this kind of infrastructure, make sure you've cleaned up the mess.

I'm back on the road this week speaking at BSides Ottawa's Policy Village about the state of Canada's cyber and digital legislation. TL;DR: not good. If you're at the event, please do say hi. I'm excited to be supporting great hackers and innovators like my friend Julian Richard, who is working with innovators and entrepreneurs and thinkers from the United States to help bring some great ideas like Hackers on the Hill, which is in Washington, to Parliament Hill in Canada. Our goal is to connect policymakers and politicians with cybersecurity experts and ethical hackers to help answer their questions and to help Canada be more secure. You can contact us at technewsday.com or leave a comment under the YouTube video. Please help us spread the word about the show: like, subscribe, consider leaving a review, and if you enjoy the show, please tell others. We'd love to grow our audience and we need your help. I've been your host David Shipley. Jim Love will be back on Wednesday.
A
Once again we'd like to thank Meter for their support in bringing you this podcast. Meter delivers full stack networking infrastructure, wired, wireless and cellular, to leading enterprises, and working with their partners, Meter designs, deploys and manages what's required to get performant, reliable and secure connectivity in a space. They design the hardware and the firmware, they build the software, manage deployments and run support. It's a single integrated solution that scales from branch offices, warehouses and large campuses all the way to data centers. Book a demo at meter.com CST, that's M E T E R dot com CST.
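The ZeroMQ-into-pickle pattern described in the AI frameworks segment, as an added illustration that is not code from the podcast, from Oligo's report, or from any affected framework. The socket is replaced by constructed byte strings, and the hostile payload invokes a harmless callable (`operator.add`) so the demo shows why pickle.loads on network bytes is a code-execution path and what a restricted unpickler or a JSON envelope changes; the class and function names are the example's own.

```python
"""Untrusted bytes into pickle.loads versus two defensive alternatives."""
import io
import json
import operator
import pickle


class _Gadget:
    """Constructed stand-in for a hostile message: unpickling it calls
    whatever callable the sender chose. operator.add keeps this harmless;
    the point is that the callable is picked by whoever built the bytes."""

    def __reduce__(self):
        return (operator.add, (40, 2))


# Constructed sample messages, standing in for frames read off a socket.
HOSTILE_MSG = pickle.dumps(_Gadget())
BENIGN_MSG = pickle.dumps({"prompt": "hello", "max_tokens": 8})
JSON_MSG = json.dumps({"prompt": "hello", "max_tokens": 8}).encode("utf-8")


def vulnerable_handler(msg: bytes):
    """The flawed pattern: raw network bytes straight into pickle.loads.
    For HOSTILE_MSG this executes operator.add(40, 2) during loading."""
    return pickle.loads(msg)


class NoGlobalsUnpickler(pickle.Unpickler):
    """Refuse every module/class reference, so only plain data round-trips.
    Anything that needs a global (functions, classes, builtins) is rejected
    before it can be called."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def restricted_loads(msg: bytes):
    """Mitigation when pickle cannot be removed outright."""
    return NoGlobalsUnpickler(io.BytesIO(msg)).load()


def json_loads(msg: bytes):
    """Preferred fix: a data-only format with no code-execution path."""
    return json.loads(msg.decode("utf-8"))


def classify(msg: bytes) -> str:
    """Defender check for captured frames: does this pickle pull in any
    global at all? Data-only frames load; anything else is flagged."""
    try:
        restricted_loads(msg)
        return "data-only"
    except pickle.UnpicklingError as exc:
        return f"rejected: {exc}"
```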
Episode: Fortinet Zero Day In Active Exploitation, North Korean Infiltration Grows And More
Host: David Shipley (standing in for Jim Love)
Release Date: November 17, 2025
This episode delivers a fast-paced roundup of the latest, sobering cybersecurity threats impacting businesses and governments alike. Highlights include Fortinet's critical zero-day vulnerability under active exploitation, a high-profile North Korean scheme using IT workers to infiltrate US companies, the massive financial shock from a cyberattack on Jaguar Land Rover, and a cascade of copy-pasted systemic flaws threatening AI software across major platforms. Shipley not only breaks down technical specifics but ties each cyber event to its broader business and national security consequences.
[00:20 – 05:08]
Notable Quote:
"If you rely on Fortinet, you need to patch immediately. Attackers are already ahead of the game on this one, and the window for defensive action? Well, it's been shattered..." — David Shipley [05:04]
[05:09 – 09:27]
Notable Quote:
"Remote work environments have opened new opportunities for sanctioned states like North Korea to slip past corporate controls... you're not only sending money to a hostile regime but opening the door to data theft, sabotage or espionage." — David Shipley [08:40]
[09:28 – 11:34]
Notable Quote:
"Cyber attacks aren't just corporate problems anymore. They can hit national economies at the worst possible time." — David Shipley [11:09]
[11:35 – 13:33]
Notable Quote:
“Any experienced Python developer knows never to use Pickle with untrusted network data. Hell, even a novice who bothers to read the documentation would know this.” — David Shipley [12:48]
"AI tools can absolutely accelerate productivity... But they cannot replace skilled humans who understand secure coding practices..." — David Shipley [13:13]
[13:34 – 14:41]
David Shipley delivers briefing-style reporting in a candid, sometimes wry tone — technical yet accessible, with pointed recommendations and a deep sense of urgency. He balances facts, technical details, and business context, offering concrete next steps for defenders and policy-makers alike.
This episode is a must-listen for cybersecurity leaders, IT administrators, policy-makers, and anyone responsible for organizational risk in an era where cyberattacks have tangible, multi-level impacts.