Telegram shares user data with authorities

CybersecurityHQ Weekly News

Welcome reader to your CybersecurityHQ report

Brought to you by:

Cypago enables strategic decision making through a full Cyber GRC product suite to help you avoid business reputation impact, financial or client trust losses

-

Weekly Headlines

U.S. Launches Cyber Trust Mark Program

The snowy, lame-duck period in Washington heats up with the U.S. government announcing the upcoming launch of its Cyber Trust Mark cybersecurity labeling program for internet-connected devices, set to begin in 2025. First introduced by the Biden administration in June 2023, the program aims to help consumers make informed decisions about device security, similar to the Energy Star labeling initiative for energy efficiency. Originally scheduled for 2024, the program will now allow companies to submit products for testing and certification "soon," with certified products expected on shelves in 2025.

The voluntary program targets consumer devices like routers, smart speakers, and baby monitors, which often lack anything close to meaningful cybersecurity measures like strong default passwords and automatic updates.

Certified products will carry a QR code on their packaging that leads to details about security features, including support periods and update practices. The hope is that retailers like Best Buy and Amazon will feature these prominently, so that the mark builds up an identity all its own in the minds of consumers. The official White House statement even includes warm, if wooden, statements to this effect by bigwigs at major outlets. Steve Downer (VP at Amazon) is quoted saying, "Amazon supports the U.S. Cyber Trust Mark's goal to strengthen consumer trust in connected devices. We believe consumers will value seeing the U.S. Cyber Trust Mark both on product packaging and while shopping online."

The program's cybersecurity standards, developed by the National Institute of Standards and Technology (NIST), will include as-yet-unknown requirements for passwords, data protection, software updates, and incident detection. While the full standards are pending, NIST is already promulgating recommendations for consumer-grade router products.

U.S. Deputy National Security Adviser Anne Neuberger also announced plans for a second phase focusing on securing small office and home office (SOHO) routers. Additionally, an executive order requiring the federal government to purchase only Cyber Trust Mark-certified products is being finalized, with implementation expected in 2027.

EU Court Orders Self-Fine for Data Breach

More interesting government news, this time over in Europe. The EU General Court has, for the first time, ordered the European Commission to pay damages for breaching its own data protection rules. That's right, the EU has fined itself.

A German citizen was awarded €400 ($412) after the Commission improperly transferred his personal data, including his IP address, to the U.S. without adequate safeguards.

The breach occurred when the individual used the "Sign in with Facebook" option on the EU login page to register for a conference. The court ruled that this violated the EU's General Data Protection Regulation (GDPR), known for its world-leading data privacy standards.

Lack of GDPR compliance has recently led to major fines for companies like Meta, Klarna, and LinkedIn.

CISA Warns of Critical Oracle, Mitel Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about critical vulnerabilities in Oracle WebLogic Server and Mitel MiCollab systems that are actively being exploited. These flaws have been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog, urging U.S. federal agencies to secure their networks by January 28 under Binding Operational Directive (BOD) 22-01.

One vulnerability, CVE-2024-41713, affects Mitel's MiCollab platform and allows attackers to perform unauthorized administrative actions and access user and network information without authentication. Another flaw, CVE-2020-2883, in Oracle WebLogic Server, enables remote exploitation of unpatched servers; it was originally patched in 2020. Additionally, Mitel's MiCollab system faces another path traversal vulnerability, CVE-2024-55550, which allows authenticated admin users to read arbitrary files, though without privilege escalation or access to sensitive system information.

Maine School Districts Hit by Cyberattacks

Yet more news of small public schools being hit with cyberattacks, this time it's two separate districts in Maine. Both were detected over the weekend.

The first was a breach of the internet network in the South Portland School District coming from an attacker in Bulgaria. Director of Technology Andy Wallace said to the Portland Press Herald, "It didn't feel personal. It felt like 'Oh darn, we got unlucky.' We're schools. We're not Fortune 500 companies."

The claim is that no sensitive data was stolen, and internet service was restored to the school before classes on Monday morning.

The breach was identified by Blue Spruce Technologies, Inc. Their services were hired through a grant by the Department of Education awarded last year.

During that same weekend, another Maine school district, this time Cumberland, saw a student's email address hacked and used in a phishing scam by someone outside the country. They sent emails out to around 1,400 different district accounts.


Telegram Increases Data Sharing with Authorities

More headlines from Telegram to start off the new year. Telegram has reported a significant rise in sharing user data with law enforcement agencies over the past year, according to newly released transparency data. The messaging app provided phone numbers and IP addresses to U.S. authorities 900 times in 2024, impacting 2,253 users. This marks a sharp increase compared to earlier in the year, when Telegram fulfilled only 14 requests affecting 108 users.

The shift follows the arrest of Telegram CEO Pavel Durov by French authorities in August for refusing to provide user data during a child exploitation investigation. After Durov's arrest, Telegram appeared to ease its approach to handling abuse reports.

India accounted for the highest volume of fulfilled requests, with Telegram sharing user data 14,641 times in 2024, affecting 23,535 users. In the U.K., the app responded to 142 data requests, impacting 293 users, a sharp rise from single-digit figures in previous reports.

Telegram's transparency data, available only via an account tied to the requester's region, highlights a growing trend of cooperation with authorities. While these actions reflect increased scrutiny on abuse and safety, they also raise questions about Telegram's previously strong stance on user privacy.

Chinese Hackers Target Japan in Cyberattacks

On Wednesday, Japanese authorities claimed that over 200 cyberattacks in the country over the past five years were attributable to the Chinese hacking group MirrorFace. The group supposedly attacked government agencies and prominent individuals to collect data on national security and advanced technology.

Email-based attacks included inviting politicians to study panels, and vulnerabilities in virtual private networks were exploited to attack organizations like the Japan Aerospace and Exploration Agency.

Japan has suffered a spate of recent major attacks, including a Christmas Day hack that grounded many Japan Airlines flights for hours.

Indian Government Websites Redirect to Scams

This one comes as a bit of an odd end: TechCrunch is reporting that several Indian government websites continue to redirect users to scam sites, months after TechCrunch initially reported the issue. Over 90 compromised "gov.in" links, including those from major agencies like India Post and the Indian Council of Agricultural Research, now lead to online betting and investment scams.

Indexed by search engines, these links pose risks to internet users. Experts suggest the issue stems from vulnerabilities in content management systems or server configurations. While CERT-In was alerted and some links were disabled, the root cause remains unresolved, leaving websites vulnerable to recurring attacks. Efforts to fix the issue appear insufficient.

Interesting Read

The Hacker News makes its predictions for the top 5 malware threats for the year to come. How do you think they did?

  1. Lumma: Used for capturing things like login credentials, this is widely used thanks to being available for sale on the dark web for going on three years.

  2. XWorm: Copies keystrokes, webcam images, audio, and more. Terrifying stuff.

  3. AsyncRAT: This is a relatively old remote access trojan, but it continues to be updated and has seen something of a renaissance as it's been used in AI-generated scripts.

  4. Remcos: A remote access tool that remains a major player.

  5. LockBit: This makes up an enormous slice of the Ransomware-as-a-Service pie. And despite a crackdown on its development team by law enforcement, it still plans on releasing a 2025 update.

Weekly Arora-Inspired Opinion & Analysis

This weekly column has been created based on a deep analysis of how Nikesh Arora, CEO of Palo Alto Networks, strategizes in the cybersecurity space, drawing inspiration from his leadership style, forward-thinking approach, and innovative insights. While not an exact representation, the column embodies key elements of his strategic mindset and vision for the future of cybersecurity.

-

This week's cybersecurity updates reinforce something we already know: we're still far too reactive when it comes to addressing the most fundamental risks. Whether it's consumer devices, data protection, or patch management, organizations are still lagging behind, and I believe we're reaching a tipping point. If we don't act now, the consequences will be severe.

Take the U.S. Cyber Trust Mark program, set to launch in 2025. On the surface, this seems like a great initiative. It has the potential to help consumers make more informed decisions about device security, which is long overdue. However, I'm skeptical about whether it will make a real impact. If manufacturers simply do the bare minimum to get certified, we will see little change. The program needs to push manufacturers to prioritize security at every level: default strong passwords, secure firmware, automatic updates. This is the only way it will move the needle. If we don't see widespread, meaningful changes in the products being offered, I estimate that this program will fail to gain traction and will be just another government initiative that fails to resonate with consumers.

The GDPR fine against the European Commission is another stark reminder of the importance of continuous vigilance in data protection. Compliance cannot be treated as a box to check; it's an ongoing process. I think this breach will be the catalyst for companies to finally wake up and realize that the stakes have never been higher. If businesses aren't already embedding privacy and security into their core processes, they will soon be left behind. In my opinion, this will lead to more stringent regulations in the coming years, and organizations that don't get ahead of the curve will find themselves paying the price, literally.

Then there's patch management. The fact that vulnerabilities in Oracle WebLogic and Mitel MiCollab are still being exploited, despite having been known for years, is inexcusable. I strongly believe that the slow pace of patching is a critical blind spot for many organizations, and if this continues, we will see more high-profile breaches in the next 12 months. Organizations need to act quickly. A proactive patching strategy is no longer a suggestion; it's a requirement. Waiting for an attack to happen before fixing a vulnerability is no longer an option. If organizations don't change their mindset, they will continue to find themselves constantly behind the curve, struggling to keep up.

In conclusion, we need to stop accepting incremental change in cybersecurity. The risks are too high, and the threats are evolving faster than we can react. My recommendation to every organization reading this is simple: prioritize security at every level, invest in proactive defenses, and treat compliance as a continuous process, not a checkbox. The time to act is now, or we will pay a much steeper price down the line.

Until next week,

Arora Avatar

Stay Safe, Stay Secure.

The CybersecurityHQ Team
