Cybersecurity Snapshot: After Telecom Hacks, CISA Offers Security Tips for Cell Phone Users, While Banks Seek Clearer AI Regulations
Check out best practices for preventing mobile communications hacking. Plus, how the U.S. government can improve financial firms’ AI use. Meanwhile, the FBI warns about a campaign to hack vulnerable webcams and DVRs. And get the latest on a Chinese APT’s hack of the Treasury Department; the federal government’s AI use cases; and cyber tips for SMBs.
Dive into six things that are top of mind for the week ending Jan. 3.
1 - CISA: How VIPs – and everyone else – can secure their mobile phone use
In light of the hacking of major telecom companies by China-affiliated cyber spies, “highly targeted” people should adopt security best practices to protect their cell phone communications.
So said the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in the new publication “Mobile Communications Best Practice Guidance,” aimed at high-profile individuals such as senior government officials and political party leaders.
The guidance, which applies to anyone interested in securing their mobile communications, is divided into three categories: general recommendations; best practices for iPhone users; and best practices for Android users.
“While no single solution eliminates all risks, implementing these best practices significantly enhances protection of sensitive communications against government-affiliated and other malicious cyber actors,” the guidance reads.
General recommendations include:
- Use messaging applications that offer end-to-end encrypted communications – for text messages, and for voice and video calls – and that are compatible with both iPhone and Android operating systems.
- Don’t use SMS as your second authentication factor because SMS messages aren’t encrypted. Instead, enable Fast Identity Online (FIDO) authentication for multi-factor authentication. Another good MFA option: authenticator codes.
- Regularly update your phone’s operating system and your mobile applications to their latest versions. Get your phone manufacturer’s newest cell phone model to get the latest hardware-dependent security features.
To get all the details, read the full, five-page document “Mobile Communications Best Practice Guidance.”
For more information about how to protect your mobile phone from hackers:
- “Ten Steps to Smartphone Security” (U.S. Federal Communications Commission)
- “Mobile Device Best Practices” (U.S. National Security Agency)
- “8 simple ways to protect your smartphone from hackers” (PC World)
- “Stop hackers cold: Tech tips to secure your phone's data and location” (USA Today)
- VIDEO: “How to remove a hacker from your phone?” (Cybernews)
2 - Unambiguous regulations, consumer protections sought in banks’ AI use
More precise definitions of AI models and systems. Clarification on AI data privacy standards. Enhanced AI regulatory frameworks.
Those are just some of the requests that the Treasury Department received after it asked for feedback about artificial intelligence (AI) use in the financial industry.
Financial firms, consumer groups, technology vendors, trade associations and others sent the agency 103 comment letters in response to its “Uses, Opportunities, and Risks of Artificial Intelligence (AI) in the Financial Services Sector” request for information.
“The respondents commented on existing use cases, expansive opportunities, and associated risks, underscoring the potential for AI to broaden opportunities while amplifying certain risks,” reads the report “Artificial Intelligence in Financial Services.”
At a high level, requests from respondents included:
- Align definitions of AI models and systems applicable to the financial services sector to make collaboration and coordination among agencies and stakeholders easier.
- Further clarify standards for data privacy, security, and quality for financial firms developing and deploying AI.
- Expand consumer protections.
- Explain how financial firms can comply with current consumer protection laws that apply to existing and emerging technologies.
- Offer guidance to assist financial firms as they assess AI models and systems for compliance.
- Enhance regulatory frameworks and develop consistent federal-level standards.
- Facilitate domestic and international collaboration among governments, regulators, and the financial services sector.
For more information about the risks and opportunities of AI in the financial industry:
- “Artificial Intelligence and Machine Learning in Financial Services” (U.S. Congressional Research Service)
- “Artificial Intelligence: Opportunities and Risks for the Financial Sector” (International Banker)
- “The Financial Stability Implications of Artificial Intelligence” (Financial Stability Board)
- “The AI Revolution: Opportunities and Challenges for the Finance Sector” (The Alan Turing Institute)
- “The rise of artificial intelligence: benefits and risks for financial stability” (European Central Bank)
3 - FBI: HiatusRAT campaign targets webcams and DVRs
Hackers are unleashing the HiatusRAT malware against web cameras and digital video recorders (DVRs) made by several Chinese vendors whose devices may have unpatched vulnerabilities.
That’s the warning from the FBI, which added that the cybercrooks are looking to exploit weak vendor-supplied passwords and vulnerabilities including CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044 and CVE-2021-36260.
The hackers have been observed targeting devices from vendors Xiongmai and Hikvision, and using webcam scanning tool Ingram and authentication-cracking tool Medusa.
“The FBI recommends limiting the use of the devices mentioned in this PIN and/or isolating them from the rest of your network,” reads the FBI alert titled “HiatusRAT Actors Targeting Web Cameras and DVRs.”
Other FBI recommendations include:
- Promptly patch and update operating systems, software and firmware.
- Consider removing devices from your network that are no longer supported by their manufacturer.
- Regularly change passwords for network systems and accounts, and don’t use default and weak passwords.
- Require multi-factor authentication.
- Segment your network.
- Back up critical assets and store the backups offline.
- Use monitoring tools that log network traffic and alert you about anomalous network activity.
For more information about securing internet-of-things (IoT) devices, check out these Tenable resources:
- “How to Unlock Advanced IoT Visibility for Cyber-Physical Systems” (blog)
- “Unlock advanced IoT visibility to better secure your OT environment” (on-demand webinar)
- “How To Secure All of Your Assets - IT, OT and IoT - With an Exposure Management Platform” (blog)
- “How to Effectively Communicate OT/IoT Risk Across the Enterprise” (on-demand webinar)
- “Discover, Measure, and Minimize the Risk Posed by Your Interconnected IT/OT/IoT Environments” (on-demand webinar)
4 - Federal government using AI for wide variety of tasks
Is your business in the midst of figuring out how to leverage AI to improve its operations and services? If so, you might be interested in how Uncle Sam is attempting to do the same.
As of mid-December, U.S. federal government agencies had launched 1,700-plus AI use cases, including for evaluating patent applications; analyzing extreme weather; and determining disability benefits.
Specifically, 37 federal agencies submitted their AI uses as of mid-December 2024 to the Office of Management and Budget (OMB), which tallied 1,757 use cases, including almost 230 that can impact people’s rights and safety.
Most AI use cases fell into these three categories:
- Helping agencies fulfill their missions
- Providing health and medical services
- Delivering government services
The agency with the most AI use cases is the Department of Health and Human Services (271), followed by the Department of Veterans Affairs (229) and the U.S. Agency for International Development (137).
Veterans Affairs is by far the agency with the most safety- and rights-impacting use cases (145). For these use cases, agencies must document how they’re implementing safeguards to mitigate the rights and safety risks.
To get more information about the federal government’s AI use, check out:
- The OMB’s GitHub page “2024 Federal Agency AI Use Case Inventory”
- CIO.gov’s writeup about the AI use case inventory
- AI.gov’s AI use cases page
For more information about responsible usage and AI security, check out these Tenable blogs:
- “AI Security Roundup: Best Practices, Research and Insights”
- “How to Discover, Analyze and Respond to Threats Faster with Generative AI”
- “Never Trust User Inputs — And AI Isn't an Exception: A Security-First Approach”
- “Securing the AI Attack Surface: Separating the Unknown from the Well Understood”
- “Do You Think You Have No AI Exposures? Think Again”
5 - Treasury Department discloses hack by China-linked APT group
An advanced persistent threat (APT) hacking group sponsored by the Chinese government breached a Treasury Department system, an incident the agency describes as “major.”
In a letter sent this week to the U.S. Senate, the Treasury Department said the hackers accessed a key used by a third-party vendor to protect a cloud-based service. That breached system is used to provide remote tech support to Treasury Departmental Offices (DO) users.
“With access to the stolen key, the threat actor was able (to) override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users,” the letter reads.
News agency Reuters posted a copy of the letter, which was penned by Aditi Hardikar, Assistant Secretary for Management at the Treasury Department, and sent to Sen. Sherrod Brown, Chairman of the Committee on Banking, Housing and Urban Affairs; and to Sen. Tim Scott, the committee’s Ranking Member.
The compromised service from the third-party vendor was taken offline and the agency has no evidence that the APT hackers have continued accessing Treasury Department data. It will provide more details in a supplemental report, according to the letter.
For more information about how to protect your organization from APT attacks:
- “Advanced Persistent Threat Security: 5 Modern Strategies” (IEEE Computer Society)
- “Understanding Advanced Persistent Threats and How to Stop Them” (Biz Tech Magazine)
- “How To Defend Against APT Attacks: What You Need To Know” (Endpoint Security for Small Business)
- “Nation-State Cyber Actors” (CISA)
- “What is an advanced persistent threat?” (TechTarget)
6 - CRI: Cyber resolutions for SMBs in the new year
It’s “resolutions” time again.
Now that the new year has begun, we take stock of what we could be doing better and pledge to modify certain practices and habits.
So how can small and medium-sized businesses (SMBs) enhance their cybersecurity posture in 2025? Here are five suggested cyber resolutions from the Cyber Readiness Institute, a non-profit organization created to offer free cyber tools and resources for SMBs.
- Use multi-factor authentication to protect online accounts.
- Designate a “cyber leader” who’ll be tasked with monitoring cyberthreats, sharing best practices and fostering cyber awareness.
- Offer cybersecurity awareness training to your staff.
- Draft a business continuity plan outlining how your SMB will maintain operations if it suffers a cyberattack.
- Acquire cyberinsurance.
For more cybersecurity resolutions to act upon in 2025, check out:
- “New Year’s cybersecurity resolutions that every startup should keep” (TechCrunch)
- “Cybersecurity Resolutions: Skill Sets to Prioritize in 2025” (Bank Infosecurity)
- “Cyber Resolutions for 2025: Because Hackers Won't Take a Day Off” (CyberPeace)
- “5 cybersecurity habits to take into 2025” (TechRadar)
- “8 Cybersecurity Trends and Opportunities for 2025” (MSSP Alert)