1
00:00:00,366 --> 00:00:04,266
Cybersecurity Today would like to thank
Meter for their support in bringing you

2
00:00:04,266 --> 00:00:10,086
this podcast. Meter delivers a complete
networking stack, wired, wireless and

3
00:00:10,086 --> 00:00:14,826
cellular in one integrated solution
that's built for performance and scale.

4
00:00:15,366 --> 00:00:19,206
You can find them at meter.com/cst.

5
00:00:20,770 --> 00:00:23,850
Fortinet flaws still actively exploited.

6
00:00:23,850 --> 00:00:26,280
Windows 11 updates

7
00:00:26,280 --> 00:00:27,900
breaking some systems.

8
00:00:28,350 --> 00:00:33,300
A wiper aimed at Europe's power
grid. Attacker-in-the-middle

9
00:00:33,300 --> 00:00:38,190
phishing hits energy firms. And
a flaw that could have put every

10
00:00:38,220 --> 00:00:40,950
AWS account on the planet at risk.

11
00:00:41,640 --> 00:00:45,930
This is Cybersecurity Today, and
I'm your host, David Shipley.

12
00:00:46,980 --> 00:00:47,760
Let's get started.

13
00:00:48,840 --> 00:00:52,260
Our first story today is an
update on one we've been covering

14
00:00:52,410 --> 00:00:56,489
for the last week, and it's not
reassuring for Fortinet customers.

15
00:00:58,200 --> 00:01:03,330
Fortinet has confirmed that a critical
FortiCloud single sign-on authentication

16
00:01:03,330 --> 00:01:12,390
bypass tracked as CVE-2025-59718
is still not fully patched, despite

17
00:01:12,390 --> 00:01:14,395
fixes being released in early December.

18
00:01:15,475 --> 00:01:19,825
This follows reports from administrators
who found fully patched FortiGate

19
00:01:19,825 --> 00:01:25,525
firewalls compromised. In multiple cases,
attackers created new administrative

20
00:01:25,525 --> 00:01:31,795
accounts, enabled VPN access and exported
firewall configurations within seconds,

21
00:01:32,125 --> 00:01:34,045
pointing to automated exploitation.

22
00:01:35,265 --> 00:01:40,545
Security firm Arctic Wolf says the
campaign began January 15th and closely

23
00:01:40,545 --> 00:01:45,585
resembles activity seen in December when
the vulnerability was first disclosed.

24
00:01:46,215 --> 00:01:50,565
At that time, the flaw allowed
attackers to bypass authentication

25
00:01:50,775 --> 00:01:55,995
using crafted SAML messages
when FortiCloud SSO was enabled.

26
00:01:56,835 --> 00:02:01,755
Fortinet now acknowledges attackers
are using a new attack path impacting

27
00:02:01,755 --> 00:02:06,045
devices that were fully up to
date at the time of compromise.

28
00:02:06,525 --> 00:02:09,855
The company says it is working
on a comprehensive fix and

29
00:02:09,855 --> 00:02:13,485
will issue an updated advisory
once timelines are confirmed.

30
00:02:15,105 --> 00:02:18,825
Fortinet also warned that while
exploitation has so far been observed

31
00:02:18,825 --> 00:02:25,395
through FortiCloud SSO, the issue applies
to all SAML-based SSO implementations.

32
00:02:26,445 --> 00:02:30,105
As an interim mitigation,
customers are advised to restrict

33
00:02:30,105 --> 00:02:35,355
administrative access to trusted IP
addresses and disable FortiCloud SSO

34
00:02:36,045 --> 00:02:41,235
where possible. Organizations finding
indicators of compromise are being told

35
00:02:41,235 --> 00:02:46,515
to treat affected systems as fully
compromised and to rotate credentials

36
00:02:46,515 --> 00:02:48,315
as part of their incident response.

37
00:02:49,275 --> 00:02:54,555
Shadowserver estimates nearly 11,000
Fortinet devices remain exposed

38
00:02:54,555 --> 00:02:57,645
online with FortiCloud SSO enabled.

39
00:02:58,455 --> 00:03:01,185
CISA previously added this
vulnerability to its Known

40
00:03:01,185 --> 00:03:02,805
Exploited Vulnerabilities list.

41
00:03:03,615 --> 00:03:07,425
Fortinet has not yet provided
a timeline for a final fix.

42
00:03:09,425 --> 00:03:12,665
Our second story is a cautionary
note for Windows administrators

43
00:03:12,665 --> 00:03:14,795
following January's Patch Tuesday.

44
00:03:15,335 --> 00:03:19,565
Microsoft says it is investigating
reports that some Windows 11 systems

45
00:03:19,625 --> 00:03:25,505
failed to boot after installing January
2026 security updates, displaying an

46
00:03:25,565 --> 00:03:28,505
UNMOUNTABLE_BOOT_VOLUME error during startup.

47
00:03:29,240 --> 00:03:33,470
The issue affects Windows
11 version 25H2, and all

48
00:03:33,470 --> 00:03:35,990
editions of version 24H2.

49
00:03:36,050 --> 00:03:42,980
After installing KB5074109, the
cumulative update released January

50
00:03:42,980 --> 00:03:48,650
13, affected systems fail to start
normally and require manual recovery

51
00:03:48,650 --> 00:03:52,580
steps to boot again. Microsoft says
reports are limited and appear to

52
00:03:52,580 --> 00:03:58,160
affect physical devices only, with no
virtual machines reported as impacted.

53
00:03:58,850 --> 00:04:03,140
Microsoft has asked affected users and
administrators to submit diagnostics

54
00:04:03,140 --> 00:04:06,410
through the Feedback Hub while it
determines whether the issue is a

55
00:04:06,410 --> 00:04:08,510
regression caused by the update.

56
00:04:09,425 --> 00:04:10,205
Separately,

57
00:04:10,235 --> 00:04:14,615
Microsoft also released an out-of-band
update to fix different January

58
00:04:14,615 --> 00:04:20,195
issues related to Outlook, which
were causing freezes when .PST

59
00:04:20,195 --> 00:04:22,685
files were stored in cloud services.

60
00:04:24,125 --> 00:04:29,285
Quality issues with Microsoft patches
ramped up in 2025 with a number of

61
00:04:29,285 --> 00:04:35,675
notable problems, and 2026 appears
to be off on a sour note. It's hard

62
00:04:35,675 --> 00:04:39,785
to convince systems administrators
to patch quickly when mistakes like

63
00:04:39,785 --> 00:04:42,275
this keep happening more frequently.

64
00:04:44,585 --> 00:04:48,095
Our third story takes us to Europe,
and a reminder that destructive

65
00:04:48,095 --> 00:04:52,625
cyber operations against critical
infrastructure remain a real threat.

66
00:04:53,255 --> 00:04:57,305
A cyber attack targeting Poland's
energy systems in late December

67
00:04:57,425 --> 00:05:01,955
has been linked to Sandworm, the
Russian state-sponsored hacking group

68
00:05:01,960 --> 00:05:06,575
with a long history of disruptive
attacks, particularly in Ukraine.

69
00:05:07,385 --> 00:05:11,825
Researchers say attackers attempted
to deploy a new data-wiping malware

70
00:05:12,130 --> 00:05:17,590
dubbed DynoWiper during an attack that
took place between December 29th and 30th.

71
00:05:18,430 --> 00:05:24,250
Polish officials say the attack targeted
two combined heat and power plants, along

72
00:05:24,250 --> 00:05:27,970
with a management system controlling
electricity generated from renewable

73
00:05:27,970 --> 00:05:29,860
sources, including wind and solar.

74
00:05:31,395 --> 00:05:36,280
The attack appears to have failed
with no widespread outages reported.

75
00:05:36,950 --> 00:05:40,280
Poland's Prime Minister said the
evidence points to groups directly

76
00:05:40,280 --> 00:05:42,380
linked to Russian intelligence services.

77
00:05:43,220 --> 00:05:47,750
Sandworm is best known for its
2015 attack on Ukraine's power grid

78
00:05:47,780 --> 00:05:51,320
and has been linked to multiple
destructive campaigns throughout

79
00:05:51,320 --> 00:05:55,760
2025 targeting Ukrainian government,
education and agriculture.

80
00:05:56,825 --> 00:06:00,815
Technical details on DynoWiper
remain limited and no public

81
00:06:00,815 --> 00:06:02,735
samples have surfaced so far.

82
00:06:03,305 --> 00:06:07,235
It's still unclear how access
was gained or how long attackers

83
00:06:07,235 --> 00:06:09,545
remained inside Polish systems.

84
00:06:10,355 --> 00:06:14,890
This attack occurs while Canada, in
particular, continues to struggle to update

85
00:06:15,310 --> 00:06:17,945
its critical infrastructure security laws.

86
00:06:19,945 --> 00:06:23,785
Our fourth story is another warning
from Microsoft, this time about a

87
00:06:23,785 --> 00:06:27,295
highly coordinated phishing and
business email compromise campaign

88
00:06:27,535 --> 00:06:29,245
targeting the energy sector.

89
00:06:29,845 --> 00:06:33,805
Microsoft says attackers are using
multi-stage adversary-in-the-middle,

90
00:06:33,805 --> 00:06:39,085
or AiTM, approaches that begin with
phishing emails sent from previously

91
00:06:39,085 --> 00:06:41,480
compromised but trusted accounts.

92
00:06:42,625 --> 00:06:46,555
The messages impersonate SharePoint
document sharing notifications,

93
00:06:46,735 --> 00:06:50,485
exploiting the fact that these
services are widely used and trusted,

94
00:06:51,055 --> 00:06:55,225
a technique some have referred
to as living off trusted sites.

95
00:06:56,155 --> 00:07:00,115
Victims are redirected to fake portals
that steal credentials and session

96
00:07:00,115 --> 00:07:05,400
cookies in real time, allowing attackers
to bypass standard MFA protections.

97
00:07:06,445 --> 00:07:10,735
Once inside, attackers create
malicious inbox rules to hide

98
00:07:10,735 --> 00:07:14,844
evidence of compromise, then use
the account to launch large scale

99
00:07:14,844 --> 00:07:17,005
internal and external phishing.

100
00:07:17,605 --> 00:07:23,034
In one case, more than 600 phishing emails
were sent from a single compromised inbox.

101
00:07:24,505 --> 00:07:28,434
Microsoft says remediation
requires more than password resets.

102
00:07:29,095 --> 00:07:34,225
Organizations must revoke active
sessions, remove attacker created rules,

103
00:07:34,465 --> 00:07:40,525
undo unauthorized MFA changes, and it's
highly recommended that organizations

104
00:07:40,525 --> 00:07:44,515
support those controls with regular
cybersecurity awareness training,

105
00:07:44,545 --> 00:07:46,315
and phishing simulation exercises.

106
00:07:48,359 --> 00:07:52,919
Our final story today involves what may
be one of the most consequential cloud

107
00:07:52,919 --> 00:07:54,509
security near misses of the decade.

108
00:07:55,754 --> 00:08:01,544
Security researchers at Wiz disclosed a
vulnerability in AWS CodeBuild, dubbed

109
00:08:01,604 --> 00:08:06,914
CodeBreach, that could have allowed
attackers to take over AWS managed GitHub

110
00:08:06,914 --> 00:08:14,474
repositories, including the AWS JavaScript
SDK, a core component used by the AWS

111
00:08:14,474 --> 00:08:17,474
console and countless cloud applications.

112
00:08:18,284 --> 00:08:23,474
The issue stemmed from a subtle
misconfiguration in the CI/CD webhook

113
00:08:23,474 --> 00:08:29,564
filters. Missing just two characters
in a regular expression, also known

114
00:08:29,564 --> 00:08:34,754
as a regex, meant attackers could
bypass restrictions, trigger privileged

115
00:08:34,754 --> 00:08:40,424
builds, and extract highly privileged
GitHub admin tokens directly from

116
00:08:40,424 --> 00:08:42,974
AWS's own build environments.

117
00:08:43,799 --> 00:08:47,729
With that level of access, attackers
could have injected malicious code into

118
00:08:47,729 --> 00:08:54,509
trusted AWS SDKs, creating a platform
wide supply chain compromise that

119
00:08:54,509 --> 00:09:00,059
researchers say could have put every
single AWS account on the planet at risk.

120
00:09:01,589 --> 00:09:06,329
Wiz demonstrated how predictable GitHub
user IDs could be generated to exploit

121
00:09:06,329 --> 00:09:10,979
the flaw, enabling full administrative
control over the affected repositories.

122
00:09:11,849 --> 00:09:15,269
AWS remediated the issue
within days of disclosure

123
00:09:15,269 --> 00:09:19,679
in August 2025, rotated credentials,
audited build pipelines, and

124
00:09:19,679 --> 00:09:21,839
added additional safeguards.

125
00:09:22,379 --> 00:09:26,459
The company says it found no
evidence of exploitation in the wild.

126
00:09:27,359 --> 00:09:32,189
Still, the significance here is
the scale of the potential impact.

127
00:09:33,059 --> 00:09:38,219
This wasn't a customer misconfiguration;
it was a weakness in the core

128
00:09:38,219 --> 00:09:42,779
machinery that runs AWS itself.

129
00:09:45,299 --> 00:09:48,599
Across today's stories, the
theme is pretty consistent.

130
00:09:49,544 --> 00:09:54,914
Authentication failures, patch quality
problems, trusted systems abused, and in

131
00:09:54,914 --> 00:10:01,784
one case, a single small overlooked detail
that could have reshaped how the global

132
00:10:01,784 --> 00:10:05,684
cloud works for the worse. Cyber risk

133
00:10:05,684 --> 00:10:09,679
today isn't just about individual
breaches; it's about systemic

134
00:10:09,909 --> 00:10:16,604
fragility and how small failures
could cascade at enormous scale.

135
00:10:17,444 --> 00:10:22,154
Whether that's attacks on critical
infrastructure like power plants or

136
00:10:22,154 --> 00:10:24,314
bringing down an entire cloud environment.

137
00:10:26,114 --> 00:10:30,974
That's it for Cybersecurity
Today, for Monday, January 26th.

138
00:10:31,964 --> 00:10:33,104
I'm David Shipley.

139
00:10:33,794 --> 00:10:38,564
Stay safe, stay informed,
and Jim Love will be back on

140
00:10:38,564 --> 00:10:40,034
the news desk on Wednesday.

141
00:10:41,249 --> 00:10:44,759
A reminder, if you enjoy the
show, please tell others.

142
00:10:45,509 --> 00:10:48,929
Consider leaving us a review and
remember to like and subscribe.

143
00:10:49,679 --> 00:10:53,369
We'd love to reach even more people,
and we continue to need your help.

144
00:10:54,179 --> 00:10:54,929
Thanks for listening.

145
00:10:56,030 --> 00:10:59,540
And that is our show, and we'd like
to thank Meter for their support

146
00:10:59,540 --> 00:11:03,770
in bringing you this podcast. Meter
delivers full-stack networking

147
00:11:03,770 --> 00:11:08,600
infrastructure, wired, wireless,
and cellular to leading enterprises.

148
00:11:08,840 --> 00:11:12,410
Working with their partners, Meter
designs, deploys and manages

149
00:11:12,410 --> 00:11:14,720
everything required to get performant,

150
00:11:14,770 --> 00:11:18,940
reliable and secure
connectivity in your space.

151
00:11:19,330 --> 00:11:22,570
They design the hardware, the
firmware, build the software,

152
00:11:22,690 --> 00:11:25,210
manage deployments, and run support.

153
00:11:25,540 --> 00:11:29,740
It's a single integrated solution
that scales from branch offices

154
00:11:29,890 --> 00:11:34,120
to warehouses to large campuses,
all the way to data centers.

155
00:11:34,600 --> 00:11:38,050
Book a demo at meter.com/cst.

156
00:11:38,410 --> 00:11:42,670
That's M-E-T-E-R.com/cst.

