FBI Warns of 369,000 Compromised Routers [Prime Cyber Insights]
[00:00] Announcer: From Neural Newscast, this is Prime Cyber Insights, Intelligence for Defenders,
[00:04] Announcer: Leaders, and Decision Makers.
[00:11] Aaron Cole: Welcome to Prime Cyber Insights. Today is March 16th, 2026, and we are tracking several critical
[00:18] Aaron Cole: infrastructure updates and significant hardening measures across the ecosystem.
[00:23] Lauren Mitchell: We are starting with a major botnet disclosure from the FBI involving the AVrecon malware,
[00:30] Lauren Mitchell: which has reached a scale that demands immediate
[00:33] Lauren Mitchell: practitioner attention.
[00:35] Aaron Cole: Lauren, the scope here is staggering.
[00:37] Aaron Cole: The FBI reports that AVrecon has compromised approximately 369,000 routers worldwide,
[00:45] Aaron Cole: effectively folding them into a massive global proxy network.
[00:49] Aaron Cole: This isn't just residential noise.
[00:51] Aaron Cole: It's a highly sophisticated infrastructure used for traffic obfuscation by advanced threat actors.
[00:57] Lauren Mitchell: It places immense pressure on edge security, Aaron.
[01:01] Lauren Mitchell: Speaking of the edge, Fortinet has just released patches for three critical vulnerabilities
[01:06] Lauren Mitchell: in FortiGate Next Generation firewalls.
[01:08] Lauren Mitchell: Specifically, CVE-2025-59718 and CVE-2025-59719 are the most concerning, both carrying a CVSS score of 9.8.
[01:24] Aaron Cole: Those are the SAML token flaws.
[01:27] Aaron Cole: Improper verification of cryptographic signatures allowed unauthenticated attackers to gain full administrative access to the appliances.
[01:35] Aaron Cole: SentinelOne notes that these were exploited in the wild earlier this year to establish long-term persistence.
[01:42] Lauren Mitchell: Correct. They also addressed CVE-2026-24858, which was abused as a zero-day.
[01:50] Lauren Mitchell: Beyond emergency patching, practitioners are advised to rotate LDAP and Active Directory credentials associated with these appliances, and audit machine account quota settings to prevent lateral movement.
[02:04] Aaron Cole: While we're on threat actor movements, reports indicate North Korean groups are now leveraging the KakaoTalk messaging app for spear-phishing campaigns.
[02:12] Aaron Cole: This represents a tactical shift toward more personal, mobile-centric social engineering.
[02:18] Lauren Mitchell: Which is why the Android 17 update is so timely.
[02:22] Lauren Mitchell: Google is testing a feature in its advanced protection mode that blocks non-accessibility
[02:27] Lauren Mitchell: apps from using the accessibility API.
[02:31] Lauren Mitchell: This effectively closes the primary vector that mobile malware uses to scrape screens and
[02:36] Lauren Mitchell: exfiltrate data.
[02:38] Aaron Cole: Exactly.
[02:39] Aaron Cole: Unless an app is a verified screen reader or switch-based tool, its permissions are revoked when the mode is active.
[02:45] Aaron Cole: It is a significant hardening step for high-risk users.
[02:49] Aaron Cole: That concludes today's briefing.
[02:51] Lauren Mitchell: Stay secure.
[02:52] Lauren Mitchell: For more technical analysis, visit pci.neuralnewscast.com.
[02:57] Lauren Mitchell: Neural Newscast is AI-assisted, human-reviewed.
[03:01] Lauren Mitchell: View our AI transparency policy at neuralnewscast.com.
[03:05] Announcer: This has been Prime Cyber Insights on Neural Newscast.
[03:09] Announcer: Intelligence for defenders, leaders, and decision makers.
