CISO Weekly Intelligence Record — Week Ending December 28, 2025
CybersecurityHQ — Executive intelligence for security leaders

Welcome, reader, to your CybersecurityHQ CISO Weekly Intelligence Brief.
In partnership with:
Smallstep – Secures Wi-Fi, VPNs, ZTNA, SaaS and APIs with hardware-bound credentials powered by ACME Device Attestation
LockThreat – AI-powered GRC that replaces legacy tools and unifies compliance, risk, audit and vendor management in one platform
CybersecurityHQ publishes analyst-grade cyber intelligence for CISOs and security leaders operating at Fortune 100 scale. Each briefing captures recurring structural security failures and exposed decision breakdowns across identity, machine trust, third-party access, and enterprise attack surfaces. The purpose is executive judgment, not headline reaction.
1. EXECUTIVE SIGNAL SNAPSHOT
• U.S. Treasury disclosed a breach via a compromised BeyondTrust credential; OFAC, the Office of Financial Research, and the Secretary's office were accessed by a Chinese state-linked actor (notified December 8, disclosed December 30).
• Salt Typhoon confirmed in nine U.S. telecoms; a small number of highly privileged credentials had access to over 100,000 routers; no eradication timeline has been given (White House briefing, December 27).
• Clop claimed exploitation of Cleo MFT products via CVE-2024-50623 and CVE-2024-55956; dozens of organizations were named, with manufacturing prominently represented.
• FCC proposed a CALEA declaratory ruling requiring telecom carriers to secure their networks against unlawful access, together with an annual cybersecurity risk-management certification.
• Carrier disclosures diverged on scope and victim status, underscoring inconsistent ownership of incident narratives.
2. PATTERN CONVERGENCE
Every major incident disclosed this week traced to a credential, key, or session belonging to an organization other than the one experiencing operational impact. Treasury was breached through a BeyondTrust credential. Telecoms were compromised via credentials with disproportionate scope. Cleo's MFT customers inherited exposure through a vendor platform they procured for secure transfer. The common property is not a shared vulnerability class. It is a shared failure to bound the operational consequences of third-party credential compromise. Across cases, the unresolved question was not detection or containment, but who owned disclosure timing once access crossed organizational boundaries.
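The failure named above is a scoping one: a vendor or admin credential whose reach was never bounded, and whose actual use was never compared against what it was granted for. As an added example (not code from the brief or from any vendor it mentions), the following Python audit takes a constructed credential inventory, with each credential's declared device scope and permitted source networks, and a constructed device-access log, and flags credentials that touched far more devices than declared, were used from outside their permitted networks, or are absent from the inventory altogether. The inventory, log lines, thresholds and the "declared_scope" / "allowed_src" fields are assumptions for illustration.

```python
"""Credential blast-radius audit over constructed device-access logs.

Added example, not part of the original brief. Compares each credential's
observed use (distinct devices touched, source addresses) against the scope
it was granted, which is the bound the brief says was never enforced.
"""
import ipaddress
from collections import defaultdict

# Constructed credential inventory (assumption: your CMDB/PAM exports these).
# declared_scope: number of devices the credential is contracted to manage.
# allowed_src:    networks the credential may be used from.
INVENTORY = {
    "svc-mft-vendor":  {"owner": "vendor-A", "declared_scope": 5,   "allowed_src": ["203.0.113.0/24"]},
    "svc-remote-supp": {"owner": "vendor-B", "declared_scope": 20,  "allowed_src": ["198.51.100.0/24"]},
    "net-admin-core":  {"owner": "internal", "declared_scope": 200, "allowed_src": ["10.0.0.0/8"]},
}

# Constructed access log lines: "<timestamp> <cred_id> <src_ip> <device>".
LOG_LINES = (
    [f"2025-12-22T01:{i % 60:02d}:00Z net-admin-core 10.1.2.3 rtr-{i:04d}" for i in range(180)]
    + [f"2025-12-22T02:{i % 60:02d}:00Z svc-remote-supp 198.51.100.9 rtr-{i:04d}" for i in range(120)]
    + [
        "2025-12-22T03:00:00Z svc-mft-vendor 192.0.2.7 mft-gw-01",     # outside allowed_src
        "2025-12-22T03:01:00Z svc-mft-vendor 203.0.113.5 mft-gw-02",
        "2025-12-22T03:02:00Z tmp-contractor 10.9.9.9 rtr-0007",        # not in inventory
    ]
)


def parse(line):
    """Split one access-log line into (timestamp, cred_id, src_ip, device)."""
    ts, cred, src, device = line.split()
    return ts, cred, src, device


def audit(inventory, log_lines, scope_ratio=3.0):
    """Return {cred_id: [finding, ...]} for credentials whose use exceeds its bound.

    scope_ratio: how many times the declared device count a credential may touch
    before it is flagged (assumed tolerance for drift in device inventories).
    """
    devices = defaultdict(set)   # cred_id -> distinct devices touched
    bad_src = defaultdict(set)   # cred_id -> source IPs outside allowed_src
    findings = defaultdict(list)

    for line in log_lines:
        _, cred, src, device = parse(line)
        devices[cred].add(device)
        entry = inventory.get(cred)
        if entry is None:
            continue  # reported once below as unknown_credential
        ip = ipaddress.ip_address(src)
        if not any(ip in ipaddress.ip_network(cidr) for cidr in entry["allowed_src"]):
            bad_src[cred].add(src)

    for cred, seen in devices.items():
        entry = inventory.get(cred)
        if entry is None:
            findings[cred].append(
                f"unknown_credential: touched {len(seen)} devices but is not in the inventory")
            continue
        if len(seen) > scope_ratio * entry["declared_scope"]:
            findings[cred].append(
                f"scope_exceeded: {len(seen)} devices vs declared {entry['declared_scope']} "
                f"(owner {entry['owner']})")
        if bad_src[cred]:
            findings[cred].append(f"source_violation: used from {sorted(bad_src[cred])}")
    return dict(findings)


if __name__ == "__main__":
    for cred, items in audit(INVENTORY, LOG_LINES).items():
        for item in items:
            print(f"{cred}: {item}")
```

On the constructed input the internal admin account stays within its declared scope and produces no finding, the vendor remote-support credential is flagged for touching six times the devices it was granted, the MFT vendor credential is flagged for use from an address outside its permitted network, and the contractor credential is flagged because nobody owns it. In practice the declared scope and allowed networks are the terms you would negotiate into the vendor contract, which is what makes the audit defensible when a regulator asks what bound you placed on that access.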
3. UNRESOLVED EDGE
If a vendor's compromised credential grants access to your environment, whose disclosure timeline would you defend under regulatory scrutiny: the vendor's, or your own?
