FBI Warns of 369,000 Compromised Routers [Prime Cyber Insights]
Prime Cyber Insights

Episode E1213
March 17, 2026
03:13
Hosts: Neural Newscast
News
AVrecon
Fortinet
FortiGate
CVE-2025-59718
Android 17
KakaoTalk
Spear-Phishing
FBI
Cybersecurity
Network Security
PrimeCyberInsights

Download size: 5.9 MB

Episode Summary

This briefing analyzes a major FBI alert regarding the AVrecon malware, which has compromised over 369,000 routers globally to establish a massive proxy network. We also examine Fortinet’s recent patches for three critical vulnerabilities in FortiGate firewalls, including two SAML token exploits that allowed unauthenticated administrative access. The discussion extends to North Korean spear-phishing tactics utilizing the KakaoTalk platform and Google’s upcoming security enhancements in Android 17. By restricting the Accessibility API within its Advanced Protection Mode, Google aims to neutralize a common malware vector used for data theft. Aaron Cole and Lauren Mitchell break down the technical details and essential remediation steps for security practitioners.

Show Notes

Today's episode of Prime Cyber Insights focuses on significant shifts in the threat landscape, starting with an FBI warning about the AVrecon malware's massive router compromise. We detail the technical specifics of three critical Fortinet vulnerabilities—CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858—which have seen active exploitation to bypass firewall authentication. The briefing also covers the emergence of KakaoTalk as a delivery mechanism for North Korean spear-phishing campaigns and the hardening of mobile ecosystems. Specifically, we look at how Android 17's Advanced Protection Mode will automatically revoke Accessibility API privileges for non-essential applications to prevent systemic abuse by mobile malware actors.
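The two SAML flaws are summarised above only as "improper verification of cryptographic signatures", and the page does not say what the specific defect in CVE-2025-59718 and CVE-2025-59719 was. The following Go program is an added illustration of that vulnerability class in general (it is not Fortinet's code, not taken from this page, and not a description of the actual FortiGate bug): a verifier that checks a token's signature against the key embedded in the token itself, beside one that checks only against the IdP key pinned out of band. The type and function names, the simplified byte layout standing in for XML canonicalization, and the "attacker" and "alice" subjects are all assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Assertion is the signed payload of a SAML-style token, cut down to the two
// fields this illustration needs. Real assertions are XML signed with XML-DSig;
// canonicalization is replaced by a fixed byte layout (an assumption made so the
// example needs only the standard library).
type Assertion struct {
	Subject string
	Role    string
}

func (a Assertion) canonical() []byte {
	return []byte("subject=" + a.Subject + "\x00role=" + a.Role)
}

// Token carries the assertion, an RSA PKCS#1 v1.5 signature over its canonical
// bytes and, like SAML's <ds:KeyInfo>, the DER public key the sender claims
// made the signature. Everything in it is attacker-controllable on the wire.
type Token struct {
	Assertion Assertion
	Signature []byte
	KeyInfo   []byte
}

func newKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func signToken(priv *rsa.PrivateKey, a Assertion) (Token, error) {
	digest := sha256.Sum256(a.canonical())
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return Token{}, err
	}
	keyInfo, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return Token{}, err
	}
	return Token{Assertion: a, Signature: sig, KeyInfo: keyInfo}, nil
}

// verifyTrustingKeyInfo is the improper check: it validates the signature with
// whatever key the token itself supplies, so any key verifies its own signature
// and the result says nothing about who issued the assertion.
func verifyTrustingKeyInfo(t Token) (Assertion, error) {
	pubAny, err := x509.ParsePKIXPublicKey(t.KeyInfo)
	if err != nil {
		return Assertion{}, err
	}
	pub, ok := pubAny.(*rsa.PublicKey)
	if !ok {
		return Assertion{}, errors.New("unsupported key type in KeyInfo")
	}
	digest := sha256.Sum256(t.Assertion.canonical())
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], t.Signature); err != nil {
		return Assertion{}, err
	}
	return t.Assertion, nil
}

// verifyWithPinnedKey is the correct check: only the IdP key configured out of
// band counts, and KeyInfo is ignored entirely.
func verifyWithPinnedKey(t Token, idp *rsa.PublicKey) (Assertion, error) {
	digest := sha256.Sum256(t.Assertion.canonical())
	if err := rsa.VerifyPKCS1v15(idp, crypto.SHA256, digest[:], t.Signature); err != nil {
		return Assertion{}, errors.New("signature was not made by the trusted IdP")
	}
	return t.Assertion, nil
}

// forgeAdminToken plays the unauthenticated attacker: sign an admin assertion
// with a self-generated key and ship that key in KeyInfo.
func forgeAdminToken() (Token, error) {
	attackerKey, err := newKey()
	if err != nil {
		return Token{}, err
	}
	return signToken(attackerKey, Assertion{Subject: "attacker", Role: "super_admin"})
}

func main() {
	idpKey, _ := newKey()
	legit, _ := signToken(idpKey, Assertion{Subject: "alice", Role: "read_only"})
	forged, _ := forgeAdminToken()
	for _, tok := range []Token{legit, forged} {
		_, errWeak := verifyTrustingKeyInfo(tok)
		_, errPinned := verifyWithPinnedKey(tok, &idpKey.PublicKey)
		fmt.Printf("%-8s role=%-11s weak verifier accepts: %-5v pinned verifier accepts: %v\n",
			tok.Assertion.Subject, tok.Assertion.Role, errWeak == nil, errPinned == nil)
	}
}
```

Run with `go run`: the weak verifier accepts both tokens, the pinned one accepts only alice's. The practical check when reviewing any SAML consumer is the same as the difference between the two functions: find where the verification key comes from, and confirm it is the configured IdP certificate rather than anything parsed out of the response.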

Topics Covered

  • 🌐 AVrecon Malware: FBI alert on the global compromise of 369,000 routers for proxy networks.
  • 🛡️ Fortinet Firewall Patches: Analysis of critical SAML-based authentication bypasses and administrative risk.
  • 🚨 State-Sponsored Phishing: North Korean actors shifting tactics toward KakaoTalk messaging.
  • 📱 Android 17 Hardening: Restricting the Accessibility API to verified tools within Advanced Protection Mode.

For informational purposes only. This broadcast does not constitute professional security advice.

Neural Newscast is AI-assisted, human reviewed. View our AI Transparency Policy at NeuralNewscast.com.

  • (00:11) - Introduction
  • (00:23) - AVrecon Router Botnet & Fortinet Patches
  • (02:04) - Android 17 Security & North Korean Phishing
  • (02:49) - Conclusion

Transcript

[00:00] Announcer: From Neural Newscast, this is Prime Cyber Insights, Intelligence for Defenders, Leaders, and Decision Makers.
[00:11] Aaron Cole: Welcome to Prime Cyber Insights. Today is March 16th, 2026, and we are tracking several critical infrastructure updates and significant hardening measures across the ecosystem.
[00:23] Lauren Mitchell: We are starting with a major botnet disclosure from the FBI involving the AVrecon malware, which has reached a scale that demands immediate practitioner attention.
[00:35] Aaron Cole: Lauren, the scope here is staggering. The FBI reports that AVrecon has compromised approximately 369,000 routers worldwide, effectively folding them into a massive global proxy network. This isn't just residential noise. It's a highly sophisticated infrastructure used for traffic obfuscation by advanced threat actors.
[00:57] Lauren Mitchell: It places immense pressure on edge security, Aaron. Speaking of the edge, Fortinet has just released patches for three critical vulnerabilities in FortiGate Next Generation firewalls. Specifically, CVE-2025-59718 and CVE-2025-59719 are the most concerning, both carrying a CVSS score of 9.8.
[01:24] Aaron Cole: Those are the SAML token flaws. Improper verification of cryptographic signatures allowed unauthenticated attackers to gain full administrative access to the appliances. SentinelOne notes that these were exploited in the wild earlier this year to establish long-term persistence.
[01:42] Lauren Mitchell: Correct. They also addressed CVE-2026-24858, which was abused as a zero-day. Beyond emergency patching, practitioners are advised to rotate LDAP and Active Directory credentials associated with these appliances, and audit machine account quota settings to prevent lateral movement.
[02:04] Aaron Cole: While we're on threat actor movements, reports indicate North Korean groups are now leveraging the KakaoTalk messaging app for spear-phishing campaigns. This represents a tactical shift toward more personal, mobile-centric social engineering.
[02:18] Lauren Mitchell: Which is why the Android 17 update is so timely. Google is testing a feature in its Advanced Protection Mode that blocks non-accessibility apps from using the Accessibility API. This effectively closes the primary vector that mobile malware uses to scrape screens and exfiltrate data.
[02:38] Aaron Cole: Exactly. Unless an app is a verified screen reader or switch-based tool, its permissions are revoked when the mode is active. It is a significant hardening step for high-risk users. That concludes today's briefing.
[02:51] Lauren Mitchell: Stay secure. For more technical analysis, visit pci.neuralnewscast.com. Neural Newscast is AI-assisted, human-reviewed. View our AI transparency policy at neuralnewscast.com.
[03:05] Announcer: This has been Prime Cyber Insights on Neural Newscast. Intelligence for defenders, leaders, and decision makers.
