Full Report
Check out best practices for preventing mobile communications hacking. Plus, how the U.S. government can improve financial firms’ AI use. Meanwhile, the FBI warns about a campaign to hack vulnerable webcams and DVRs. And get the latest on a Chinese APT’s hack of the Treasury Department; the federal government’s AI use cases; and cyber tips for SMBs.

Dive into six things that are top of mind for the week ending Jan. 3.

1 - CISA: How VIPs – and everyone else – can secure their mobile phone use

In light of the hacking of major telecom companies by China-affiliated cyber spies, “highly targeted” people should adopt security best practices to protect their cell phone communications.

So said the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in the new publication “Mobile Communications Best Practice Guidance,” aimed at high-profile individuals such as senior government officials and political party leaders.

The guidance, which applies to anyone interested in securing their mobile communications, is divided into three categories: general recommendations; best practices for iPhone users; and best practices for Android users.

“While no single solution eliminates all risks, implementing these best practices significantly enhances protection of sensitive communications against government-affiliated and other malicious cyber actors,” the guidance reads.

General recommendations include:

- Use messaging applications that offer end-to-end encrypted communications – for text messages, and for voice and video calls – and that are compatible with both iPhone and Android operating systems.
- Don’t use SMS as your second authentication factor because SMS messages aren’t encrypted. Instead, enable Fast Identity Online (FIDO) authentication for multi-factor authentication. Another good MFA option: authenticator codes.
- Regularly update your phone’s operating system and your mobile applications to their latest versions.
- Get your phone manufacturer’s newest cell phone model to get the latest hardware-dependent security features.

To get all the details, read the full, five-page document “Mobile Communications Best Practice Guidance.”

For more information about how to protect your mobile phone from hackers:

- “Ten Steps to Smartphone Security” (U.S. Federal Communications Commission)
- “Mobile Device Best Practices” (U.S. National Security Agency)
- “8 simple ways to protect your smartphone from hackers” (PC World)
- “Stop hackers cold: Tech tips to secure your phone's data and location” (USA Today)
- VIDEO: “How to remove a hacker from your phone?” (Cybernews)

2 - Unambiguous regulations, consumer protections sought in banks’ AI use

More precise definitions of AI models and systems. Clarification on AI data privacy standards. Enhanced AI regulatory frameworks. Those are just some of the requests that the Treasury Department received after it asked for feedback about artificial intelligence (AI) use in the financial industry.

Financial firms, consumer groups, technology vendors, trade associations and others sent the agency 103 comment letters in response to its “Uses, Opportunities, and Risks of Artificial Intelligence (AI) in the Financial Services Sector” request for information.

“The respondents commented on existing use cases, expansive opportunities, and associated risks, underscoring the potential for AI to broaden opportunities while amplifying certain risks,” reads the report “Artificial Intelligence in Financial Services.”

At a high level, requests from respondents included:

- Align definitions of AI models and systems applicable to the financial services sector to make collaboration and coordination among agencies and stakeholders easier.
- Further clarify standards for data privacy, security, and quality for financial firms developing and deploying AI.
- Expand consumer protections.
- Explain how financial firms can comply with current consumer protection laws that apply to existing and emerging technologies.
- Offer guidance to assist financial firms as they assess AI models and systems for compliance.
- Enhance regulatory frameworks and develop consistent federal-level standards.
- Facilitate domestic and international collaboration among governments, regulators, and the financial services sector.

For more information about the risks and opportunities of AI in the financial industry:

- “Artificial Intelligence and Machine Learning in Financial Services” (U.S. Congressional Research Service)
- “Artificial Intelligence: Opportunities and Risks for the Financial Sector” (International Banker)
- “The Financial Stability Implications of Artificial Intelligence” (Financial Stability Board)
- “The AI Revolution: Opportunities and Challenges for the Finance Sector” (The Alan Turing Institute)
- “The rise of artificial intelligence: benefits and risks for financial stability” (European Central Bank)

3 - FBI: HiatusRAT campaign targets webcams and DVRs

Hackers are unleashing the HiatusRAT malware against web cameras and digital video recorders (DVRs) made by several Chinese vendors whose devices may have unpatched vulnerabilities.

That’s the warning from the FBI, which added that the cybercrooks are looking to exploit weak vendor-supplied passwords and vulnerabilities including CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044 and CVE-2021-36260.

The hackers have been observed targeting devices from vendors Xiongmai and Hikvision, and using the webcam scanning tool Ingram and the authentication-cracking tool Medusa.

“The FBI recommends limiting the use of the devices mentioned in this PIN and/or isolating them from the rest of your network,” reads the FBI alert titled “HiatusRAT Actors Targeting Web Cameras and DVRs.”

Other FBI recommendations include:

- Promptly patch and update operating systems, software and firmware.
- Consider removing devices from your network that are no longer supported by their manufacturer.
- Regularly change passwords for network systems and accounts, and don’t use default and weak passwords.
- Require multi-factor authentication.
- Segment your network.
- Back up critical assets and store the backups offline.
- Use monitoring tools that log network traffic and alert you about anomalous network activity.

For more information about securing internet-of-things (IoT) devices, check out these Tenable resources:

- “How to Unlock Advanced IoT Visibility for Cyber-Physical Systems” (blog)
- “Unlock advanced IoT visibility to better secure your OT environment” (on-demand webinar)
- “How To Secure All of Your Assets - IT, OT and IoT - With an Exposure Management Platform” (blog)
- “How to Effectively Communicate OT/IoT Risk Across the Enterprise” (on-demand webinar)
- “Discover, Measure, and Minimize the Risk Posed by Your Interconnected IT/OT/IoT Environments” (on-demand webinar)

4 - Federal government using AI for wide variety of tasks

Is your business in the midst of figuring out how to leverage AI to improve its operations and services? If so, you might be interested in how Uncle Sam is attempting to do the same.

As of mid-December, U.S. federal government agencies had launched 1,700-plus AI use cases, including for evaluating patent applications; analyzing extreme weather; and determining disability benefits.

Specifically, 37 federal agencies submitted their AI uses as of mid-December 2024 to the Office of Management and Budget (OMB), which tallied 1,757 use cases, including almost 230 that can impact people’s rights and safety.

Most AI use cases fell into these three categories:

- Helping agencies fulfill their missions
- Providing health and medical services
- Delivering government services

The agency with the most AI use cases is the Department of Health and Human Services (271), followed by the Department of Veterans Affairs (229) and the U.S. Agency for International Development (137).

Veterans Affairs is by far the agency with the most safety- and rights-impacting use cases (145).
For these use cases, agencies must document how they’re implementing safeguards to mitigate the rights and safety risks.

To get more information about the federal government’s AI use, check out:

- The OMB’s GitHub page “2024 Federal Agency AI Use Case Inventory”
- CIO.gov’s writeup about the AI use case inventory
- AI.gov’s AI use cases page

For more information about responsible usage and AI security, check out these Tenable blogs:

- “AI Security Roundup: Best Practices, Research and Insights”
- “How to Discover, Analyze and Respond to Threats Faster with Generative AI”
- “Never Trust User Inputs — And AI Isn't an Exception: A Security-First Approach”
- “Securing the AI Attack Surface: Separating the Unknown from the Well Understood”
- “Do You Think You Have No AI Exposures? Think Again”

5 - Treasury Department discloses hack by China-linked APT group

An advanced persistent threat (APT) hacking group sponsored by the Chinese government breached a Treasury Department system, an incident the agency describes as “major.”

In a letter sent this week to the U.S. Senate, the Treasury Department said the hackers accessed a key used by a third-party vendor to protect a cloud-based service. That breached system is used to provide remote tech support to Treasury Departmental Offices (DO) users.

“With access to the stolen key, the threat actor was able (to) override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users,” the letter reads.

News agency Reuters posted a copy of the letter, which was penned by Aditi Hardikar, Assistant Secretary for Management at the Treasury Department, and sent to Sen. Sherrod Brown, Chairman of the Committee on Banking, Housing and Urban Affairs; and to Sen. Tim Scott, the committee’s Ranking Member.

The compromised service from the third-party vendor was taken offline and the agency has no evidence that the APT hackers have continued accessing Treasury Department data. It will provide more details in a supplemental report, according to the letter.

For more information about how to protect your organization from APT attacks:

- “Advanced Persistent Threat Security: 5 Modern Strategies” (IEEE Computer Society)
- “Understanding Advanced Persistent Threats and How to Stop Them” (Biz Tech Magazine)
- “How To Defend Against APT Attacks: What You Need To Know” (Endpoint Security for Small Business)
- “Nation-State Cyber Actors” (CISA)
- “What is an advanced persistent threat?” (TechTarget)

6 - CRI: Cyber resolutions for SMBs in the new year

It’s “resolutions” time again.

Now that the new year has begun, we take stock of what we could be doing better and pledge to modify certain practices and habits.

So how can small- and medium-sized businesses (SMBs) enhance their cybersecurity posture in 2025? Here are five suggested cyber resolutions from the Cyber Readiness Institute, a non-profit organization created to offer free cyber tools and resources for SMBs.

- Use multi-factor authentication to protect online accounts.
- Designate a “cyber leader” who’ll be tasked with monitoring cyberthreats, sharing best practices and fostering cyber awareness.
- Offer cybersecurity awareness training to your staff.
- Draft a business continuity plan outlining how your SMB will maintain operations if it suffers a cyberattack.
- Acquire cyberinsurance.

For more cybersecurity resolutions to act upon in 2025, check out:

- “New Year’s cybersecurity resolutions that every startup should keep” (TechCrunch)
- “Cybersecurity Resolutions: Skill Sets to Prioritize in 2025” (Bank Infosecurity)
- “Cyber Resolutions for 2025: Because Hackers Won't Take a Day Off” (CyberPeace)
- “5 cybersecurity habits to take into 2025” (TechRadar)
- “8 Cybersecurity Trends and Opportunities for 2025” (MSSP Alert)
Analysis Summary
# Threat Intelligence Summary: Weekly Cyber Snapshot (Week Ending Jan 3)
This summary consolidates key threat intelligence narratives from the weekly report covering mobile security best practices, FBI alerts on IoT vulnerabilities, APT activity targeting a federal agency, and regulatory focus on AI in finance.
## Main Topic 1: CISA Guidance on Mobile Communications Security for VIPs and General Users
CISA released "Mobile Communications Best Practice Guidance" following hacks of major telecom companies by China-affiliated cyber spies, emphasizing protection for highly targeted individuals but applicable to all users.
### Key Points
- The guidance is divided into general recommendations and specific best practices for iPhone and Android users.
- Implementing these measures "significantly enhances protection" against government-affiliated and other malicious cyber actors.
### Threat Actors
- China-affiliated cyber spies (state-sponsored actors).
### TTPs
- Hacking major telecom companies (implied initial access/targeting infrastructure).
### Affected Systems
- Mobile phone communications (iPhone and Android).
### Mitigations
- Use messaging apps offering end-to-end encryption for text, voice, and video.
- **DO NOT** use SMS for second-factor authentication (it is not encrypted).
- Enable Fast Identity Online (FIDO) authentication or use authenticator codes for MFA.
- Regularly update phone operating systems and mobile applications.
- Upgrade to the newest phone model available to leverage hardware-dependent security features.
## Main Topic 2: FBI Warning on HiatusRAT Campaign Targeting IoT Devices
The FBI issued an alert regarding the HiatusRAT malware being deployed against vulnerable webcams and DVRs manufactured by specific Chinese vendors.
### Key Points
- The campaign exploits weak, vendor-supplied default passwords and known vulnerabilities.
- The FBI recommends isolating targeted devices from the main network.
### Threat Actors
- Unspecified cybercriminals utilizing HiatusRAT malware.
### TTPs
- Exploitation of unpatched vulnerabilities (including specific CVEs).
- Use of authentication-cracking tools (Medusa) and webcam scanning tools (Ingram).
- Targeting IoT devices for remote access.
### Affected Systems
- Web cameras and Digital Video Recorders (DVRs) from vendors Xiongmai and Hikvision.
- Devices vulnerable to: CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044, CVE-2021-36260.
### Mitigations
- Promptly patch and update operating systems, software, and firmware.
- Limit use of targeted devices or isolate them from the primary network.
- Remove devices from the network if they are no longer supported by the manufacturer.
- Regularly change passwords; avoid default/weak passwords.
- Require multi-factor authentication where possible.
- Implement network segmentation.
- Maintain offline backups of critical assets.
- Utilize monitoring tools for network traffic anomaly detection.
## Main Topic 3: China-Linked APT Group Hacks US Treasury Department
An Advanced Persistent Threat (APT) group sponsored by the Chinese government breached a U.S. Treasury Department system through a third-party vendor's cloud-based remote support service.
### Key Points
- The attackers gained access via a compromised key belonging to a third-party vendor supporting remote tech support services for Treasury Departmental Offices (DO) users.
- The breach allowed the actor to override security, access user workstations remotely, and view certain unclassified documents.
- The compromised service was taken offline, and the Treasury reported no evidence of continued access.
### Threat Actors
- Advanced Persistent Threat (APT) group sponsored by the Chinese government (Attribution by the Treasury Department).
### TTPs
- Compromise of third-party vendor credentials/keys for supply chain exploitation.
- Overriding security measures on a cloud-based service.
- Remote access to user workstations.
### Affected Systems
- A key used by a third-party vendor to protect a cloud-based service.
- Certain Treasury Departmental Offices (DO) user workstations.
### Mitigations
- Enhanced security controls and key management for third-party vendor access.
- Immediate isolation and remediation of compromised third-party services.
- Ongoing monitoring for continued unauthorized access following incident response.
***
## Top Stories Summary
### Story 1: CISA Offers Security Tips for Mobile Phone Users
**Summary:** CISA released guidance focusing on securing mobile communications against sophisticated threats, advising high-profile individuals and the general public to use end-to-end encrypted messaging and switch from SMS-based MFA to FIDO or authenticator codes.
**Source:** Article Section 1
### Story 2: FBI Warns of HiatusRAT Targeting Unsecured Webcams and DVRs
**Summary:** The FBI alerted organizations about the HiatusRAT malware exploiting vulnerabilities and weak default passwords in specific Chinese-manufactured webcams and DVRs. Mitigation focuses on patching and network isolation.
**Source:** Article Section 3
### Story 3: Treasury Department Discloses Major Hack by Chinese APT
**Summary:** A China-linked APT breached a Treasury Department system by obtaining a key held by a third-party vendor, leading to unauthorized remote access to user workstations and to some unclassified documents.
**Source:** Article Section 5