CA/Browser Forum Cuts SLS/TLS Cert Lifespan to 47 Days; Threat Actors Maintained Persistence on Patched Fortinet Devices; Windows inetpub Folder is Part of a Security Fix

Members of the Certificate Authority/Browser Forum have voted to shorten the lifespan of SLS/TLS certificates to just under seven weeks. The changes will roll out gradually over the next several years until March 2029, when certificate lifetimes will be limited to 47 days. While the organization has argued that shortening the duration of the certificates' viability will improve security, others point out that the entities issuing the certificates will benefit financially from the changes. While no members of the CA/Browser Forum voted against the move, five members abstained from voting.

Fortinet has published an analysis of threat actor activity involving exploitation of known vulnerabilities to maintain remote read-only access to FortiGate devices even after the devices were updated to fixed versions of FortiOS. According to the Fortinet blog, "this was achieved via creating a symbolic link connecting the user file system and the root file system in a folder used to serve language files for the SSL-VPN." Fortinet has begun notifying affected users, and advising them to take steps to mitigate the issue.

Windows users may have noticed a new empty folder that appeared on their hard drives following last week's Patch Tuesday updates. The folder, %systemdrive%\inetpub, is related to Microsoft Internet Information Services (IIS) and is part of a security fix for CVE-2025-21204, a Windows Process Activation privilege elevation vulnerability. To address users' confusion about the folder, Microsoft has updated the vulnerability's advisory to read: "This folder should not be deleted regardless of whether Internet Information Services (IIS) is active on the target device. This behavior is part of changes that increase protection and does not require any action from IT admins and end users." ZDNet offers instructions for restoring the folder if youÕve already deleted it.

In a threat trends blog post, Microsoft describes how ransomware actors are targeting domain controllers to quickly gain access to and compromise "highly privileged accounts" and to take advantage of centralized network access to affect the greatest number of assets within the targeted organization. Microsoft writes that theyÕve "seen in more than 78% of human-operated cyberattacks, threat actors successfully breach a domain controller. Additionally, in more than 35% of cases, the primary spreader deviceÑthe system responsible for distributing ransomware at scaleÑis a domain controller, highlighting its crucial role in enabling widespread encryption and operational disruption." They also acknowledge that protecting domain controllers presents difficulties because they "must remain highly accessible to authenticate users, enforce policies, and manage resources across the environment."

Microsoft has released Windows 11 Build 26100.3902 to Windows Insiders in the Release Preview Channel, including a preview of the Recall AI feature for Copilot+ PCs. The feature allows search and timeline-based browsing of anything previously displayed on screen, by using AI to capture, analyze, and index screenshots every three seconds, and has been removed from releases and delayed multiple times since its announcement in May 2024 due to widespread criticism and demonstrations of privacy risks. Dan Goodin at Ars Technica mentions concerns that Recall's database may also become "a gold mine for malicious insiders, criminals, or nation-state spies" among other abuses. The feature is opt-in, also requiring a Windows Hello verification, and now allows users to pause snapshot capture. Em, staff writer at Privacy Guides, reminds users that even those who do not use Recall may have their sensitive communications with users of Recall captured by the feature.

Researchers from three US universities have published a research paper showing that 16 popular LLMs hallucinate fictitious package repository names when generating code, potentially allowing dependency confusion attacks if a threat actor creates a new malicious package under a hallucinated name. Investigation using two unique prompt datasets showed "the average percentage of hallucinated packages is at least 5.2% for commercial models and 21.7% for open-source models, including a staggering 205,474 unique examples of hallucinated package names." The authors offer Retrieval Augmented Generation (RAG) and self-refinement as effective prompt engineering mitigations, noting that while supervised fine-tuning also reduces hallucinations, it diminishes code quality. A post by researchers at Socket notes that due to the plausibility and consistency of hallucinated package names (58% would repeat within 10 iterations), would-be attackers "can simply observe LLM behavior, identify commonly hallucinated names, and register them." Seth Larson, security developer-in-residence at the Python Software Foundation, coined the term "slopsquatting" for supply chain attacks using hallucinated package names, recommending that users manually check the validity of packages, and "even better, organizations can mirror a subset of PyPI within their own organizations to have much more control over which packages are available for developers."

The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) has reached settlement with Northeast Radiology, P.C. (NERAD) over the latter's violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. In March 2020, NERAD submitted a breach report to OCR regarding inadequately protected radiology images and other electronic protected health information (ePHI) that were accessed by unauthorized individuals. An OCR investigation found that NERAD had not conducted "an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the ePHI in NERADÕs information systems." NERAD will pay a $350,000 fine and implement a plan, overseen by OCR, to improve data security. The incident affected ePHI belonging to nearly 300,000 people.

Laboratory Services Cooperative (LSC) has filed breach notifications with the attorneys general of several states, including California and Maine. LSC says they learned of the breach in late October 2024; a subsequent investigation was completed in February. The intruders stole information belonging to 1.6 million people. The compromised data include personal identification information, such as passport, ID card, and Social Security numbers; billing information including bank account and payment card details; health insurance information; and medical and clinical information, such as diagnoses, treatment, lab results, and other care details.

US car rental company Hertz has posted a notice of a data breach that took place between October and December of 2024, confirmed on February 10, 2025. The data known to have been accessed by an unauthorized third party were analyzed by April 2, 2025 and may include "name, contact information, date of birth, credit card information, driver's license information and information related to workers' compensation claims," belonging to some individuals, as well as "Social Security or other government identification numbers, passport information, Medicare or Medicaid ID ... or injury-related information associated with vehicle accident claims" belonging to "a very small number of individuals." The notice states that the attacker "exploited zero-day vulnerabilities within Cleo's platform," and Hertz has now reported the event to law enforcement and "confirmed that Cleo took steps to investigate the event and address the identified vulnerabilities." Hertz's notice to the Maine Attorney General's Office identified 3,409 Maine residents affected by the attack; a representative for Hertz did not give TechCrunch a total number of affected individuals, saying only that it would be "inaccurate to say millions." TechCrunch also notes that the details of this attack suggest it may be associated with the 2024 ransomware attacks by the Clop ransomware gang.

In an 8-K filing with the US Securities and Exchange Commission (SEC), Colorado-based kidney dialysis company DaVita disclosed a ransomware attack. The incident, which "encrypted certain elements of [DaVita's] network," was detected on Saturday, April 12, 2025. The attack has had an impact on DaVita's operations, although the extent is not clear. The company is providing patient care. According to their 4th Quarter 2024 statement, last year DaVita operated more than 3,100 outpatient dialysis centers, just over 500 of which were outside the US.