Cyber Weekly Newsletter

Cyber Weekly Newsletter for Friday January 10, 2025

The weekly Security, Tech and Cybercrime newsletter from Riskigy's vCISO Cybersecurity team

Cybersecurity awareness tips and alerts from Riskigy to empower your team to #BeCyberSmart #CyberAware

This Week's Need-to-Know News and Alerts

- SonicWall is emailing customers urging them to upgrade their firewall's SonicOS firmware to patch an authentication bypass vulnerability in SSL VPN and SSH management that is "susceptible to actual exploitation." https://www.bleepingcomputer.com/news/security/sonicwall-urges-admins-to-patch-exploitable-sslvpn-bug-immediately/

- Microsoft will force install the new Outlook email client on Windows 10 systems starting with next month's security update. The announcement was made in a new message added to the company's Microsoft 365 Admin Center, tagged MC976059, and it applies to Microsoft 365 apps users. https://www.bleepingcomputer.com/news/microsoft/microsoft-to-force-install-new-outlook-on-windows-10-pcs-in-february/

- Bad Tenable plugin updates take down Nessus agents worldwide. Tenable says customers must manually upgrade their software to revive Nessus vulnerability scanner agents taken offline on December 31st due to buggy differential plugin updates. https://www.bleepingcomputer.com/news/security/bad-tenable-plugin-updates-take-down-nessus-agents-worldwide

- Microsoft fixes OneDrive bug causing macOS app freezes. Microsoft has fixed a known issue causing macOS applications to freeze when opening or saving files in OneDrive. https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-onedrive-bug-causing-macos-app-freezes/

- CrowdStrike is warning that a phishing campaign is impersonating the company in fake job offer emails to trick targets into infecting themselves with a Monero cryptocurrency miner (XMRig). Targets are asked to download a supposed "employee CRM application". https://www.bleepingcomputer.com/news/security/fake-crowdstrike-job-offer-emails-target-devs-with-crypto-miners

- Proton Mail still recovering from worldwide outage. Privacy firm Proton suffered a massive worldwide outage Thursday, taking down most services, with Proton Mail and Calendar users still unable to connect to their accounts. https://www.bleepingcomputer.com/news/technology/proton-mail-still-down-as-proton-recovers-from-worldwide-outage

- A vulnerability in the open-source vulnerability scanner Nuclei could allow attackers to bypass signature verification and sneak malicious code into templates that execute on local systems. Nuclei scans websites for vulnerabilities and other weaknesses. https://www.bleepingcomputer.com/news/security/nuclei-flaw-lets-malicious-templates-bypass-signature-verification

- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three flaws impacting Mitel MiCollab to its known exploited vulnerabilities list. Among them is a path traversal vulnerability in Mitel MiCollab that could allow an attacker to gain unauthorized and unauthenticated access. https://thehackernews.com/2025/01/cisa-flags-critical-flaws-in-mitel-and.html

- Ivanti Flaw Actively Exploited. Ivanti is warning that a critical security flaw impacting Ivanti Connect Secure, Policy Secure, and ZTA Gateways has come under active exploitation in the wild beginning mid-December 2024. https://thehackernews.com/2025/01/ivanti-flaw-cve-2025-0282-actively.html

- New HIPAA Rules Mandate 72-Hour Data Restoration and Annual Compliance Audits. Health and Human Services' (HHS) Office for Civil Rights (OCR) has proposed new cybersecurity requirements for healthcare organizations. https://thehackernews.com/2024/12/new-hipaa-rules-mandate-72-hour-data.html

- The White House announced the launch of the U.S. Cyber Trust Mark, a new cybersecurity safety label for internet-connected consumer devices. The Cyber Trust Mark label will appear on smart products sold in the United States later this year. https://www.bleepingcomputer.com/news/security/us-govt-launches-cybersecurity-safety-label-for-smart-devices

- The premium WordPress plugin "Fancy Product Designer" from Radykal, with more than 20,000 sales, is vulnerable to two critical-severity flaws that remain unfixed in the current latest version. https://www.bleepingcomputer.com/news/security/unpatched-critical-flaws-impact-fancy-product-designer-wordpress-plugin

- Banshee 2.0 Malware Steals Apple's Encryption to Hide on Macs. The macOS infostealer "Banshee" has been spotted skating by antivirus programs using a string encryption algorithm it stole from Apple. https://www.darkreading.com/threat-intelligence/banshee-malware-steals-apple-encryption-macs

- Researcher Uncovers Zero-Click Exploit Targeting Samsung Devices. The high-severity vulnerability, tracked as CVE-2024-49415 (CVSS score: 8.1), affects Samsung devices running Android versions 12, 13, and 14. https://thehackernews.com/2025/01/google-project-zero-researcher-uncovers.html


From Our Blog

- FBI Issues Warning about Fraudulent Emergency Data Requests

The Federal Bureau of Investigation (FBI) has released a notification to highlight a trend of compromised US and foreign government email addresses used to conduct fraudulent emergency data requests. Fraudulent Emergency Data Requests (EDRs) are a growing cybersecurity threat where hackers impersonate law enforcement officials to obtain sensitive user data from technology companies and service providers… Read more at https://riskigy.com/blog/f/fbi-issues-warning-about-fraudulent-emergency-data-requests

- How to Avoid Common Password Mistakes

Passwords play a critical role in business security, making proper management essential. At the forefront of this topic is the National Institute of Standards and Technology (NIST), which recently released updated guidelines outlining technical requirements and recommendations for password management and authentication… Read more at https://riskigy.com/blog/f/how-to-avoid-common-password-mistakes

- AI is the new Boogeyman: Outspooking Freddy, Jason, and Michael

Horror movies? Pfft. Child's play! We've all been at the edge of our seats watching Freddy Krueger show up in dreams with those fashionable knives-for-fingers gloves, Jason Voorhees make camping the worst idea ever, and Michael Myers basically ruin Halloween for everyone in Haddonfield. Learn more now at https://riskigy.com/blog/f/ai-is-the-new-boogeyman-outspooking-freddy-jason-and-michael

- Defending the Human Element in Cyber Attacks

The human element in cybersecurity refers to the behaviors, interactions, and decisions made by people that impact the security of information technology systems. These can include actions as simple as choosing a password, clicking a link in an email, or sharing sensitive information… Read more at https://riskigy.com/blog/f/defending-the-human-element-in-cyber-attacks


Recent Data Breach News

- Treasury hackers also breached US foreign investments review office. Silk Typhoon Chinese state-backed hackers have reportedly breached a Treasury Department office that reviews foreign investments for national security risks. https://www.bleepingcomputer.com/news/security/treasury-hackers-also-breached-us-foreign-investments-review-office/

- Spanish telecommunications company Telefónica confirms its internal ticketing system was breached after stolen data was leaked on a hacking forum. Telefónica is a Spanish multinational telecommunications company operating in twelve countries with over 104,000 employees. https://www.bleepingcomputer.com/news/security/telefonica-confirms-internal-ticketing-system-breach-after-data-leak

- Data breach exposes cannabis buyers' IDs and purchases. Popular cannabis brand STIIIZY disclosed a data breach this week after hackers breached its point-of-sale (POS) vendor to steal customer information, including government IDs and purchase information. https://www.bleepingcomputer.com/news/security/stiiizy-data-breach-exposes-cannabis-buyers-ids-and-purchases/

- BayMark Health Services, North America's largest provider of substance use disorder (SUD) treatment and recovery services, is notifying an undisclosed number of patients that attackers stole their personal and health information in a September 2024 breach. https://www.bleepingcomputer.com/news/security/largest-us-addiction-treatment-provider-notifies-patients-of-data-breach

- IT services giant Atos said its systems have not been compromised after a ransomware group claimed to have stolen data belonging to the company. A group named Space Bears listed Atos on its leak website claiming to have obtained a "company database". https://www.securityweek.com/it-giant-atos-responds-to-ransomware-groups-data-theft-claims

- New York Hospital Says Ransomware Attack Data Breach Impacts 670,000. Richmond University Medical Center has been investigating a ransomware attack since May 2023 and it recently determined that it affects 670,000 people. https://www.securityweek.com/new-york-hospital-says-ransomware-attack-data-breach-impacts-670000

- Telegram hands over data on thousands of users to US law enforcement. Telegram reveals that the communications platform has fulfilled 900 U.S. government requests, sharing the phone number or IP address information of 2,253 users with law enforcement. https://www.bleepingcomputer.com/news/legal/telegram-hands-over-data-on-thousands-of-users-to-us-law-enforcement

- Green Bay Packers' online store hacked! The Green Bay Packers football team is notifying fans that a threat actor hacked its official online retail store in October and injected a card skimmer script to steal customers' personal and payment information. https://www.bleepingcomputer.com/news/security/green-bay-packers-online-store-hacked-to-steal-credit-cards

- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirms there are no indications that the cyber attack targeting the Treasury Department impacted other agencies. The agency is working closely with the Treasury Department and BeyondTrust. https://thehackernews.com/2025/01/cisa-no-wider-federal-impact-from.html

- More U.S. companies have been added to the list of telecommunications firms hacked in a wave of breaches by a Chinese state-backed threat group tracked as Salt Typhoon. Chinese hackers also breached Charter and Windstream networks. https://www.bleepingcomputer.com/news/security/charter-and-windstream-among-nine-us-telecoms-hacked-by-china


Blog Post Spotlight

SEC 2025 Examination Priorities: Highlight Focus on Cybersecurity

As we steer towards 2025, the United States Securities and Exchange Commission (SEC) has laid out a roadmap that underscores its commitment to safeguarding the integrity of the financial markets against the backdrop of rapid technological evolution. This commitment is vividly reflected in its recently unveiled Examination Priorities for Fiscal Year 2025. In an era where digital threats loom large and technological advancements are relentless, the SEC's focus on cybersecurity emerges not just as a priority but as a necessity.

The Securities and Exchange Commission (SEC) has released its 2025 examination priorities, with a significant focus on cybersecurity. As cyber threats continue to evolve, the SEC aims to ensure that firms are adequately protecting investor information, records, and assets.

Here are key cybersecurity-related priorities for 2025:

1. Data Loss Prevention

The SEC will scrutinize firms’ data loss prevention measures. This includes evaluating how firms prevent unauthorized access and loss of sensitive data. Effective data loss prevention strategies are crucial for safeguarding investor information and maintaining trust.

2. Access Controls

Access controls are a critical component of cybersecurity. The SEC will examine how firms implement and manage access controls to protect sensitive information. This includes ensuring that only authorized personnel have access to critical systems and data.

3. Account Management

Proper account management is essential to prevent unauthorized access. The SEC will focus on how firms manage user accounts, including the processes for creating, modifying, and terminating accounts. This also involves monitoring for suspicious activity and ensuring that accounts are secure.

4. Incident Response and Notification

A noteworthy aspect of the SEC's cybersecurity emphasis is its focus on Incident Response and Notification Procedures. In an acknowledgement of the inevitability of cyber incidents, the SEC prioritizes the examination of how registered entities prepare for, respond to, and recover from cybersecurity breaches. This entails a thorough review of entities' incident response plans to verify their effectiveness in swiftly identifying, containing, and mitigating the impacts of cyber incidents.

Equally critical is the scrutiny of firms’ notification processes. The SEC considers the timely disclosure of cyber incidents to affected stakeholders and regulators as essential. This aligns with the broader goal of transparency and the protection of investors from the adverse consequences of latent vulnerabilities and undisclosed breaches.

5. Third-Party Risks

The SEC's approach to addressing these concerns in 2025 is multifaceted, focusing on ensuring that firms have comprehensive risk management strategies and controls in place for their third-party engagements. The key areas include:

Due Diligence and Oversight: Firms are expected to conduct thorough due diligence before engaging with third-party vendors and continuously monitor these relationships to ensure adherence to cybersecurity standards. The SEC prioritizes examining the processes firms use to evaluate the cybersecurity practices of third parties and the contractual obligations imposed on these vendors to maintain high cybersecurity standards.

Incident Response and Vendor Management: A significant component of third-party risk management is how firms prepare for and respond to incidents that originate from or affect third-party products and services. Firms must have robust communication channels and incident response plans that include third parties to ensure swift action and mitigation. The SEC will focus on the integration of third-party risk into firms' overall incident response plans and the effectiveness of these plans in addressing incidents involving external vendors.

Takeaways

These priorities not only underscore the importance of cybersecurity vigilance but also highlight the SEC’s commitment to adaptive and proactive regulatory oversight. The SEC’s focus on these areas highlights the importance of robust cybersecurity practices in protecting investors and maintaining the integrity of the financial markets.

The SEC's 2025 Examination Priorities mark a significant stride towards a future where financial stability is intrinsically linked with cybersecurity resilience. It's a call to action for market participants to elevate their cybersecurity postures, ensuring that they not only comply with regulatory expectations but also contribute to the overarching goal of maintaining market integrity.

By addressing these key areas, the SEC aims to mitigate risks and protect the interests of investors in an increasingly digital and interconnected world. Firms are encouraged to review and strengthen their cybersecurity measures in line with these priorities to ensure compliance and enhance their overall security posture.


Cybersecurity Is Complex! We Are Here To Help

Cyberthreats are everywhere, but you don't have to face them alone. Get Cybersecurity & Tech help from Riskigy!

- Looking for an expert to assist your firm or clients?

- Need a pro to explain Tech or Cyber to your management?

- Vetting a new investment or acquisition?

- Want to build a cyber aware staff?

- Need immediate assistance with an incident?

- Considering adding a vCISO or vCTO to your team?

- Seeking help with SOC-2, SEC/FINRA, or FTC readiness?

Contact us to discuss how we can assist!
