NSO spyware case, Marriott breaches, and ransomware
CybersecurityHQ News
Welcome reader to your CybersecurityHQ report
Brought to you by:
Cypago enables strategic decision making through a full Cyber GRC product suite, helping you avoid reputational damage and financial or client-trust losses.
—
Weekly Headlines
NSO Group Found Liable in WhatsApp Hack
A federal judge has ruled that Israeli spyware firm NSO Group is liable for a 2019 hacking campaign that planted its Pegasus spyware on roughly 1,400 WhatsApp users' devices, finding that NSO violated the federal Computer Fraud and Abuse Act, California's anti-hacking statute, and WhatsApp's terms of service. Quite the early Christmas gift for Meta-owned WhatsApp. The case now proceeds to trial on damages only; the targets included journalists, human rights advocates, and political dissidents.
WhatsApp head Will Cathcart posted on Threads that, “Surveillance companies should be on notice that illegal spying will not be tolerated.”
The ruling, issued by Judge Phyllis Hamilton of the Northern District of California, represents a rare win against companies producing commercial spyware, a market that has grown rapidly, with at least 74 countries contracting with private firms for these kinds of tools. NSO Group, which claims its products combat crime and terrorism, has denied wrongdoing.
The Biden administration, now in its final weeks, has sought to curb commercial spyware, notably by placing NSO Group on the Commerce Department's Entity List in November 2021; that same year, Pegasus was used to hack the iPhones of U.S. diplomats.
FTC Orders Marriott to Strengthen Security
Cracking down on lax cybersecurity measures, the Federal Trade Commission (FTC) has ordered Marriott International and its subsidiary Starwood Hotels to implement a battery of data security measures in response to massive breaches that affected 344 million customers. The FTC says that, after acquiring Starwood in 2016, Marriott failed to establish robust security—which led to the exposure of customer data that included unencrypted passport numbers and payment details.
The order requires the hotel giant to build out a comprehensive security program: encryption, multi-factor authentication, vulnerability management, and incident response procedures. Marriott must also limit how long it retains personal data, let U.S. customers request deletion of their data, and give loyalty program members a way to review their accounts for unauthorized activity. Systems must be logged and monitored so that anomalies are detected within 24 hours, and an independent assessor will review the program every two years for 20 years.
The breaches, spanning from 2014 to 2020, included Starwood’s payment system hack and a reservation database breach that Marriott inherited. An additional breach exposed the data of 5.2 million guests but went undetected for two years.
Marriott has until June 17, 2025, to fully comply with the order, which also requires it to notify the FTC of security breaches within 10 days. In October 2024, alongside the FTC's proposed order, Marriott agreed to pay $52 million to settle related claims brought by 49 state attorneys general and the District of Columbia, a further sign that regulators expect breach-scale failures to carry real costs.
Major Bug Fixes Just Before Christmas
The week saw some major bug fixes—just in time for Christmas.
Apache Tomcat has released patches for CVE-2024-56337, a remote code execution vulnerability that is effectively the follow-up to CVE-2024-50379. The original fix turned out to be incomplete on older Java versions. The bug is a time-of-check/time-of-use race in the default servlet on case-insensitive file systems (Windows, and macOS by default) when the servlet's readonly init-param has been set to false (the shipped default is true); on Java 8 and 11 the JVM's canonical-file-name cache (sun.io.useCanonCaches, default true) lets a case-variant path slip past the check. Administrators on Java 8 or 11 must set sun.io.useCanonCaches=false themselves, Java 17 users should verify it has not been turned on, and Java 21 and later need nothing because the cache was removed. The 11.0.2, 10.1.34, and 9.0.98 releases carry the code fix for CVE-2024-50379; the releases after them are slated to check that the property is set appropriately before allowing a writable default servlet on a case-insensitive file system, and to set it to false by default where they can.
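To make the preconditions concrete, here is an added check script (our example, not Tomcat's own code or tooling) that parses a web.xml for a writable DefaultServlet and decides what, if anything, still has to be passed to the JVM for a given Java major version. The web.xml fragment is constructed for the demo; treating Java 12 through 16 like Java 17 (property present, default false) is our assumption based on the JDK change, since the Tomcat advisory names only the LTS releases; and the script does not detect whether the file system is case-insensitive.

```python
"""Added example (not Tomcat's code): flag the CVE-2024-50379 / CVE-2024-56337 preconditions.

Exploitation needs (1) the DefaultServlet with readonly=false (shipped default is true),
(2) a case-insensitive file system (not checked here), and (3) a JVM whose
sun.io.useCanonCaches is true: the default on Java 8 and 11, false on Java 17,
removed entirely in Java 21+. Java 12-16 are treated like 17 (the JDK flipped the
default in 12); that mapping is our assumption, the advisory only names LTS releases.
"""
import xml.etree.ElementTree as ET

# Constructed sample conf/web.xml: the default servlet has been made writable.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

CANON_FLAG = "-Dsun.io.useCanonCaches=false"


def _local(tag):
    """Drop the XML namespace so lookups work for any web-app schema version."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_writable(web_xml_text):
    """True if the DefaultServlet has readonly=false, i.e. PUT/DELETE are enabled."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        clazz = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-class"), "")
        if not clazz.strip().endswith("DefaultServlet"):
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "readonly":
                return kv.get("param-value", "true").lower() == "false"
    return False  # readonly defaults to true when the init-param is absent


def required_jvm_flag(java_major, configured=None):
    """Return the CATALINA_OPTS flag still needed, or "" if the JVM is already safe.

    configured: the value already passed via -Dsun.io.useCanonCaches=..., if any.
    """
    if java_major >= 21:
        return ""  # property and cache removed; nothing to set
    value = None if configured is None else str(configured).lower()
    if java_major >= 12:
        # default is already false; only an explicit 'true' re-enables the cache
        return CANON_FLAG if value == "true" else ""
    # Java 8 and 11 default to true, so the property must be set explicitly
    return "" if value == "false" else CANON_FLAG


def assess(web_xml_text, java_major, configured=None):
    """Combine both checks; 'exposed' means the servlet is writable on an unsafe JVM."""
    writable = default_servlet_writable(web_xml_text)
    flag = required_jvm_flag(java_major, configured)
    return {"writable": writable, "jvm_flag": flag, "exposed": writable and flag != ""}


if __name__ == "__main__":
    for major in (8, 11, 17, 21):
        print(major, assess(SAMPLE_WEB_XML, major))
```

Run it against your real conf/web.xml and the output of `java -version`; if `exposed` is true, either put the returned flag into CATALINA_OPTS or, better, ask why the default servlet is writable at all, since that setting is what turns an ordinary static-content servlet into an upload endpoint.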
Microsoft resolved a Microsoft 365 bug that triggered "Product Deactivated" errors after subscription changes or license adjustments. The fix was deployed over the weekend; in the meantime Microsoft offered workarounds such as reactivating the app or signing out and back in. Microsoft has also addressed recent crashes and freezing in classic Outlook.
Adobe issued emergency updates for ColdFusion 2021 and 2023 to patch CVE-2024-53961, a critical path traversal flaw that lets an attacker read arbitrary files from the server. With a proof-of-concept exploit already public, Adobe gave the update its highest priority rating and urges administrators to apply it within 72 hours and to follow its ColdFusion lockdown and security configuration guides. The flaw is a reminder that directory traversal, one of the oldest web bug classes, still turns up in mature enterprise products.
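Since the ColdFusion bug is a classic path traversal, here is an added example (ours, not Adobe's code and not the actual CVE-2024-53961 flaw) showing the vulnerable file-read pattern beside a hardened resolver. The directory layout and the payloads are constructed for the demo; the double URL-decoding is a deliberate defensive choice and is noted as such in the code.

```python
"""Added example (not Adobe's code): the path traversal pattern and a hardened resolver."""
import os
import tempfile
import urllib.parse
from pathlib import Path


def read_file_vulnerable(base, user_path):
    """'Before': joins untrusted input straight onto the base directory.
    '../' segments, or an absolute path, walk right out of base."""
    with open(os.path.join(os.fspath(base), user_path), "rb") as f:
        return f.read()


def resolve_under_base(base, user_path):
    """Canonicalise user_path against base and refuse anything that lands outside it."""
    # Decode twice so %2e%2e and %252e%252e are both seen as '..'. Check the exact string
    # the application will open; decoding more than the framework does is a defensive choice.
    decoded = urllib.parse.unquote(urllib.parse.unquote(user_path))
    if "\x00" in decoded or os.path.isabs(decoded) or decoded.startswith("\\"):
        raise ValueError("absolute path or NUL byte rejected")
    base_real = Path(base).resolve()
    target = (base_real / decoded).resolve()  # collapses '..' and follows symlinks
    if target != base_real and base_real not in target.parents:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return target


def read_file_hardened(base, user_path):
    """'After': only opens paths that resolve_under_base has accepted."""
    with open(resolve_under_base(base, user_path), "rb") as f:
        return f.read()


def demo():
    """Build a constructed directory tree and run both readers over benign and hostile input."""
    root = Path(tempfile.mkdtemp())
    public = root / "public"
    public.mkdir()
    (public / "hello.txt").write_bytes(b"hello")
    (root / "secret.txt").write_bytes(b"top-secret")  # one level above the served directory
    payloads = {
        "dotdot": "../secret.txt",
        "encoded": "..%2Fsecret.txt",
        "double": "%252e%252e/secret.txt",
        "absolute": str(root / "secret.txt"),
    }
    results = {
        "vuln_traversal": read_file_vulnerable(public, payloads["dotdot"]),
        "hardened_benign": read_file_hardened(public, "hello.txt"),
    }
    for name, payload in payloads.items():
        try:
            read_file_hardened(public, payload)
            results[name] = "ALLOWED"
        except ValueError:
            results[name] = "blocked"
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16} {v!r}")
```

The important design point is that the check runs on the fully resolved path, after symlinks and `..` have been collapsed, and compares against the resolved base; string-prefix checks on the raw input are exactly what encoded and double-encoded payloads are built to slip past.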
CISA Issues New Cybersecurity Best Practices
The Cybersecurity and Infrastructure Security Agency (CISA) has issued new mobile communications best practices aimed at senior government officials and politicians who are likely to be targeted, following the Salt Typhoon intrusions into U.S. telecom carriers. The guidance emphasizes using end-to-end encrypted messaging apps, like Signal, to protect private communications. CISA also recommends phishing-resistant authentication, such as hardware-based FIDO keys, over SMS-based multi-factor authentication (MFA): SMS codes can be intercepted at the carrier or redirected by a SIM swap, and they can be phished in real time.
Keeping devices and apps updated is crucial, as newer hardware and software include security improvements that older versions never receive. A password manager is advised for storing and generating strong, unique passwords, and setting a PIN or passcode with your mobile carrier helps block SIM-swapping attempts. Personal VPNs are discouraged: they simply shift trust from the carrier to a VPN provider whose security practices are often unverifiable, although an organization-required VPN is fine to use.
For iPhone users, enabling Lockdown Mode and iCloud Private Relay adds privacy and security. Android users are encouraged to choose devices with robust security features, to use RCS only when a conversation is actually end-to-end encrypted (check for the lock indicator rather than assuming it), and to rely on Google Play Protect to catch malicious apps.
CISA urges users to report any cyber incidents, providing detailed information to aid in investigation and response. These steps are designed to reduce the risk of espionage and cyberattacks, ensuring safer mobile communications for all users.
Ransomware Attack Hits Ascension Health, 6 Million Impacted
We recently learned that Ascension Health, a Catholic healthcare nonprofit, suffered a ransomware attack in May 2024 that impacted nearly 6 million people. The hack accessed medical records, insurance details, Social Security numbers, and payment data. And it forced Ascension’s 140 hospitals across 19 states to operate manually for weeks, greatly disrupting services and endangering patient care.
During the outage, hospitals turned away ambulances, delayed critical imaging tests, and reverted to paper records. Nurses resorted to using shared Google Docs for prescriptions and communications, with some reporting delays of up to four hours for stroke-related CT scans. Operations suffered to the point of tripled wait times and canceled non-emergency appointments.
Victims of the breach are now being offered two years of identity protection and a $1 million fraud insurance policy. Despite initially downplaying the breach, Ascension later confirmed the attack affected 5.6 million individuals, making it one of the most severe healthcare breaches of the year—which is saying a lot given how many major hacks of this kind rocked the industry in 2024. Lawsuits have been filed in multiple states over the leak of sensitive data.
The Black Basta ransomware gang is suspected of involvement, although they have not claimed responsibility. The incident highlights the increasing threat of cyberattacks on healthcare systems and their devastating impact on patient care and privacy.
Government Agencies Face Increasing Cyber Threats
It seems every week there are news stories of government agencies coming under cyber attack; here are a couple from last week. First, it came out that the city of Santee, California, suffered a significant breach four months ago in which data was stolen or encrypted. The city awarded a $603,000 contract to Coveware, a firm specializing in ransomware recovery, to deal with it. However, officials have shared minimal detail about the nature of the breach, the type of data compromised, or whether a ransom was demanded.
City Manager Marlene Best declined to comment further, stating, “I can’t really say anything about that.” The only official communication came in September, confirming that the incident, which occurred on August 20, disrupted the city’s administrative computer network. Santee, a San Diego County city with a population of roughly 60,000, continues to investigate the situation while remaining tight-lipped about the specifics.
And in related news, the Illinois Department of Human Services (IDHS) disclosed a privacy breach exposing the Social Security numbers of over 4,500 individuals. The incident, which began with a phishing campaign that compromised employee accounts, also exposed public assistance account information for more than 1.1 million clients.
IDHS has since notified affected individuals and is offering guidance on identity theft protection. Hopefully, they are also running some new training on how to avoid phishing attacks.
CybersecurityHQ 2024 Annual Report: A Year of Escalating Threats and Strategic Disruptions
In 2024, the cybersecurity landscape shifted in unprecedented ways, with threats intensifying across every sector. From the U.S. government's disruption of the KV botnet that the Chinese state-sponsored Volt Typhoon group was using to stage attacks on critical infrastructure, to the ongoing "Salt Typhoon" espionage campaign against telecom carriers, the global cyber battlefield is more volatile than ever.
Key incidents highlighted the vulnerabilities of even well-resourced organizations: Microsoft was breached by the Russian state-sponsored group Midnight Blizzard, and the FBI disrupted Chinese botnets that had burrowed into U.S. networks. In the private sector, high-profile ransomware attacks, including the one on Change Healthcare, underscored the rising tide of cybercrime. The sophistication of these attacks continues to grow, with groups like LockBit and RansomHub ramping up operations and exploiting weaknesses in enterprise and government defenses alike.
Amid these challenges, the role of AI in cybersecurity has become a double-edged sword—empowering defenders but also providing new tools for cybercriminals. The U.S. SEC's new cybersecurity disclosure rules, meanwhile, are pushing for greater transparency, forcing organizations to rethink their strategies for incident reporting and risk management.
The CybersecurityHQ 2024 Annual Report dives deep into these developments, offering critical insights, statistical breakdowns, and an analysis of the future trajectory of cyber threats. For the cybersecurity professional, understanding these trends isn't just crucial; it's imperative for staying ahead in the ever-evolving digital arms race.
2025 Cybersecurity Trends: Evolving Threats Ahead
As we look to 2025, the cybersecurity landscape is set to shift dramatically. In the face of escalating ransomware-as-a-service platforms, AI-powered attacks, and an uptick in nation-state cyber operations, organizations must rethink their strategies. Ransomware groups will grow more organized, offering “customer support” and targeting high-value sectors like healthcare and finance. Meanwhile, geopolitical tensions will fuel cyber espionage, with critical industries like semiconductor manufacturing and biotech at risk.
In response, new regulations are coming—stricter penalties for non-compliance will force companies to adopt proactive security practices. From AI-driven defense to the transition to quantum-resistant algorithms, businesses must stay ahead of evolving threats. But as cybersecurity becomes more complex, resilience will take center stage. The focus will no longer solely be on preventing breaches but on minimizing damage and recovering quickly through advanced response systems, micro-segmentation, and robust backups.
The stakes have never been higher, and the pressure is on. As CybersecurityHQ's 2025 Forecast reveals, 2025 will be defined by innovation in both attack and defense—can your organization adapt fast enough to stay ahead of the threat? Stay informed and prepared with our in-depth analysis of the cybersecurity trends and challenges that will shape the next year.
Interesting Read
A new report from Chainalysis has some shocking numbers for the state of cybersecurity for crypto this past year. In 2024, crypto theft reached $2.2 billion, marking a 21% increase year-over-year, with 303 hacking incidents compared to 282 in 2023. The year began with a surge in thefts, totaling $1.58 billion by July, before slowing in the second half, likely influenced by geopolitical factors, such as a defense pact between Russia and North Korea.
The focus of attacks shifted throughout the year. DeFi platforms, often vulnerable because of rapid development cycles, were the primary targets in the first half. Centralized services, including DMM Bitcoin and WazirX, became the prominent targets in later quarters. Private key compromises accounted for 43.8% of stolen funds, the largest single category, a reminder that the weakest link is often custody and signing infrastructure (hot wallets, shared keys, single-signer controls) rather than smart-contract code.
North Korean hackers stole $1.34 billion across 47 incidents, a 103% increase from 2023, and continued to dominate high-value exploits. These activities are linked to funding Pyongyang’s weapons programs. Notable attacks included the $305 million breach of DMM Bitcoin, where stolen funds were laundered through mixing and bridging services.
To combat this evolving threat, industry leaders are leveraging predictive technologies like Hexagate, which detects some attacks in real time. Strengthening security measures, fostering collaboration, and developing regulatory frameworks are critical to addressing the rising complexity of crypto crime and safeguarding the ecosystem.
- Principal SDET Automation Engineer (Cloud Management Platform) | Palo Alto Networks | Santa Clara, CA, US
- SPECTRAFORCE | Chicago, IL, US
- Chief Information Officer (CIO) | Farmer's Fridge | Chicago, IL, US
- Steampunk, Inc. | McLean, VA, US
- Account Development Representative | Red Canary | Denver, CO, US
- Vectra Solutions Engineer/Architect, Technology Alliances | Vectra | San Jose, CA, US
- Sr. Technical Success Engineer (US Central or East Coast) | Splunk | Remote (Florida, United States, US)
- Managed Detection and Response Team Lead | Edgewater Federal Solutions, Inc. | Washington, DC, US
- Leidos | Slidell, LA, US
Twitter Highlights
Cl0p Ransomware Group to Name Over 60 Victims of Cleo Attack - securityweek.com/cl0p-ransomwar…
— SecurityWeek (@SecurityWeek)
12:33 PM • Dec 26, 2024
The Billion-Dollar Heist: Unraveling the Mysterious $308M Bitcoin Theft by North Korean Hackers
#Cybersecurity #ITSecurity #InfoSec #CyberNews #Hacking #EthicalHackingNews
— Ethical Hacking News (@EthHackingNews)
11:26 AM • Dec 24, 2024
Stay Safe, Stay Secure.
The CybersecurityHQ Team