Cybersecurity Snapshot: After Telecom Hacks, CISA Offers Security Tips for Cell Phone Users, While Banks Seek Clearer AI Regulations

Check out best practices for preventing mobile communications hacking. Plus, how the U.S. government can improve financial firms’ AI use. Meanwhile, the FBI warns about a campaign to hack vulnerable webcams and DVRs. And get the latest on a Chinese APT’s hack of the Treasury Department; the federal government’s AI use cases; and cyber tips for SMBs.

Dive into six things that are top of mind for the week ending Jan. 3.

1 – CISA: How VIPs – and everyone else – can secure their mobile phone use

In light of the hacking of major telecom companies by China-affiliated cyber spies, “highly targeted” people should adopt security best practices to protect their cell phone communications.

So said the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in the new publication “Mobile Communications Best Practice Guidance,” aimed at high-profile individuals such as senior government officials and political party leaders.

The guidance, which applies to anyone interested in securing their mobile communications, is divided into three categories: general recommendations; best practices for iPhone users; and best practices for Android users.

“While no single solution eliminates all risks, implementing these best practices significantly enhances protection of sensitive communications against government-affiliated and other malicious cyber actors,” the guidance reads.

General recommendations include:

  • Use messaging applications that offer end-to-end encrypted communications – for text messages, and for voice and video calls – and that are compatible with both iPhone and Android operating systems.
  • Don’t use SMS as your second authentication factor because SMS messages aren’t encrypted. Instead, enable Fast Identity Online (FIDO) authentication for multi-factor authentication. Another good MFA option: authenticator codes.
  • Regularly update your phone’s operating system and your mobile applications to their latest versions. Get your phone manufacturer’s newest cell phone model to get the latest hardware-dependent security features.

To get all the details, read the full, five-page document “Mobile Communications Best Practice Guidance.”

For more information about how to protect your mobile phone from hackers:

Video: How to remove a hacker from your phone? (Cybernews)

2 – Unambiguous regulations, consumer protections sought in banks’ AI use

More precise definitions of AI models and systems. Clarification on AI data privacy standards. Enhanced AI regulatory frameworks. 

Those are just some of the requests that the Treasury Department received after it asked for feedback about artificial intelligence (AI) use in the financial industry.

Financial firms, consumer groups, technology vendors, trade associations and others sent the agency 103 comment letters in response to its “Uses, Opportunities, and Risks of Artificial Intelligence (AI) in the Financial Services Sector” request for information.

“The respondents commented on existing use cases, expansive opportunities, and associated risks, underscoring the potential for AI to broaden opportunities while amplifying certain risks,” reads the report “Artificial Intelligence in Financial Services.”


At a high level, requests from respondents included:

  • Align definitions of AI models and systems applicable to the financial services sector to make collaboration and coordination among agencies and stakeholders easier.
  • Further clarify standards for data privacy, security, and quality for financial firms developing and deploying AI.
  • Expand consumer protections.
  • Explain how financial firms can comply with current consumer protection laws that apply to existing and emerging technologies.
  • Offer guidance to assist financial firms as they assess AI models and systems for compliance.
  • Enhance regulatory frameworks and develop consistent federal-level standards. 
  • Facilitate domestic and international collaboration among governments, regulators, and the financial services sector.

For more information about the risks and opportunities of AI in the financial industry:

3 – FBI: HiatusRAT campaign targets webcams and DVRs

Hackers are unleashing the HiatusRAT malware against web cameras and digital video recorders (DVRs) made by several Chinese vendors whose devices may have unpatched vulnerabilities.

That’s the warning from the FBI, which added that the cybercrooks are looking to exploit weak vendor-supplied passwords and vulnerabilities including CVE-2017-7921, CVE-2018-9995, CVE-2020-25078, CVE-2021-33044 and CVE-2021-36260.

The hackers have been observed targeting devices from vendors Xiongmai and Hikvision, and using webcam scanning tool Ingram and authentication-cracking tool Medusa.

“The FBI recommends limiting the use of the devices mentioned in this PIN and/or isolating them from the rest of your network,” reads the FBI alert titled “HiatusRAT Actors Targeting Web Cameras and DVRs.”


Other FBI recommendations include:

  • Promptly patch and update operating systems, software and firmware.
  • Consider removing devices from your network that are no longer supported by their manufacturer.
  • Regularly change passwords for network systems and accounts, and don’t use default and weak passwords.
  • Require multi-factor authentication.
  • Segment your network.
  • Back up critical assets and store the backups offline.
  • Use monitoring tools that log network traffic and alert you about anomalous network activity.
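The last two recommendations (segment your network; log traffic and alert on anomalies) can be turned into concrete checks. The following Python script is an added example, not code from the FBI alert or from Tenable: it parses a handful of constructed flow and authentication log lines, assumes cameras and DVRs sit on a hypothetical dedicated segment (10.20.0.0/24) that only needs to reach a local NTP gateway and one vendor update host, and raises two kinds of alert: an isolated device opening connections to a destination that is not on the allowlist (what RAT beaconing looks like from the network side), and a burst of failed logins against one device from one source (what a credential-cracking run looks like in the device's own auth log). All addresses, the log format and the thresholds are assumptions chosen for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (flow records plus device auth events); not real data.
# Addresses use documentation ranges (TEST-NET-1/2/3) and a hypothetical private VLAN.
SAMPLE_LOGS = """\
2025-01-02T10:00:01Z flow src=10.20.0.15 dst=10.20.0.1 dport=123 proto=udp
2025-01-02T10:00:02Z flow src=10.20.0.15 dst=192.0.2.50 dport=443 proto=tcp
2025-01-02T10:00:03Z flow src=10.20.0.16 dst=203.0.113.9 dport=8443 proto=tcp
2025-01-02T10:00:04Z flow src=10.20.0.16 dst=203.0.113.9 dport=8443 proto=tcp
2025-01-02T10:00:05Z auth dev=10.20.0.15 src=198.51.100.7 user=admin result=fail
2025-01-02T10:00:06Z auth dev=10.20.0.15 src=198.51.100.7 user=admin result=fail
2025-01-02T10:00:07Z auth dev=10.20.0.15 src=198.51.100.7 user=root result=fail
2025-01-02T10:00:08Z auth dev=10.20.0.15 src=198.51.100.7 user=admin result=fail
2025-01-02T10:00:09Z auth dev=10.20.0.15 src=198.51.100.7 user=admin result=fail
2025-01-02T10:00:10Z auth dev=10.20.0.15 src=198.51.100.7 user=admin result=success
2025-01-02T10:05:00Z auth dev=10.20.0.16 src=10.10.0.5 user=operator result=fail
"""

# Assumed segmentation: cameras and DVRs live on their own VLAN (hypothetical address plan).
IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")

# Assumed allowlist: the only destinations an isolated camera segment legitimately needs.
ALLOWED_DESTINATIONS = {
    ("10.20.0.1", 123),    # local gateway, NTP
    ("192.0.2.50", 443),   # hypothetical vendor firmware/update host
}

AUTH_FAIL_THRESHOLD = 5          # failures ...
AUTH_WINDOW = timedelta(seconds=60)  # ... within this window trigger an alert

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split '<timestamp> <kind> k=v k=v ...' into a dict with a parsed timestamp."""
    ts_str, kind, rest = line.split(" ", 2)
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    fields["kind"] = kind
    return fields


def unexpected_outbound(events):
    """Flag IoT-segment devices that initiate connections to non-allowlisted destinations.
    An isolated camera has no reason to reach arbitrary hosts; beaconing malware does."""
    alerts, seen = [], set()
    for ev in events:
        if ev["kind"] != "flow" or ipaddress.ip_address(ev["src"]) not in IOT_SEGMENT:
            continue
        dest = (ev["dst"], int(ev["dport"]))
        key = (ev["src"],) + dest
        if dest in ALLOWED_DESTINATIONS or key in seen:
            continue  # expected traffic, or already reported (one alert per device/destination)
        seen.add(key)
        alerts.append({"rule": "unexpected_outbound", "device": ev["src"],
                       "dst": ev["dst"], "dport": dest[1]})
    return alerts


def auth_bruteforce(events):
    """Flag a burst of failed logins against one device from one source, and note
    whether a success followed (a weak or default password may have been guessed)."""
    fails, successes = defaultdict(list), set()
    for ev in events:
        if ev["kind"] != "auth":
            continue
        key = (ev["dev"], ev["src"])
        if ev["result"] == "fail":
            fails[key].append(ev["ts"])
        elif ev["result"] == "success":
            successes.add(key)
    alerts = []
    for (dev, src), times in fails.items():
        times.sort()
        # sliding window: any AUTH_FAIL_THRESHOLD consecutive failures inside AUTH_WINDOW
        for i in range(len(times) - AUTH_FAIL_THRESHOLD + 1):
            if times[i + AUTH_FAIL_THRESHOLD - 1] - times[i] <= AUTH_WINDOW:
                alerts.append({"rule": "auth_bruteforce", "device": dev, "src": src,
                               "failures": len(times),
                               "followed_by_success": (dev, src) in successes})
                break
    return alerts


def analyze(log_text):
    """Run both detections over raw log text and return the combined alert list."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    return unexpected_outbound(events) + auth_bruteforce(events)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

On the sample data the script raises exactly two alerts: device 10.20.0.16 reaching 203.0.113.9:8443 (reported once despite two flows), and five failed logins against 10.20.0.15 from 198.51.100.7 inside a few seconds, followed by a success. The allowlist is the important design choice: it only works because the devices are segmented and their legitimate destinations are few and known, which is why the FBI pairs the monitoring advice with isolation.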

For more information about securing internet-of-things (IoT) devices, check out these Tenable resources:

4 – Federal government using AI for wide variety of tasks

Is your business in the midst of figuring out how to leverage AI to improve its operations and services? If so, you might be interested in how Uncle Sam is attempting to do the same.

As of mid-December, U.S. federal government agencies had launched 1,700-plus AI use cases, including for evaluating patent applications; analyzing extreme weather; and determining disability benefits.

Specifically, 37 federal agencies submitted their AI uses as of mid-December 2024 to the Office of Management and Budget (OMB), which tallied 1,757 use cases, including almost 230 that can impact people’s rights and safety.

Most AI use cases fell into these three categories:

  • Helping agencies fulfill their missions
  • Providing health and medical services
  • Delivering government services


The agency with the most AI use cases is the Department of Health and Human Services (271), followed by the Department of Veterans Affairs (229) and the U.S. Agency for International Development (137).

Veterans Affairs is by far the agency with the most safety- and rights-impacting use cases (145). For these use cases, agencies must document how they’re implementing safeguards to mitigate the rights and safety risks.

To get more information about the federal government’s AI use, check out:

For more information about responsible usage and AI security, check out these Tenable blogs:

5 – Treasury Department discloses hack by China-linked APT group

An advanced persistent threat (APT) hacking group sponsored by the Chinese government breached a Treasury Department system, an incident the agency describes as “major.”

In a letter sent this week to the U.S. Senate, the Treasury Department said the hackers accessed a key used by a third-party vendor to protect a cloud-based service. That breached system is used to provide remote tech support to Treasury Departmental Offices (DO) users.

“With access to the stolen key, the threat actor was able (to) override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users,” the letter reads.

News agency Reuters posted a copy of the letter, which was penned by Aditi Hardikar, Assistant Secretary for Management at the Treasury Department, and sent to Sen. Sherrod Brown, Chairman of the Committee on Banking, Housing and Urban Affairs; and to Sen. Tim Scott, the committee’s Ranking Member.

The compromised service from the third-party vendor was taken offline and the agency has no evidence that the APT hackers have continued accessing Treasury Department data. It will provide more details in a supplemental report, according to the letter.

For more information about how to protect your organization from APT attacks:

6 – CRI: Cyber resolutions for SMBs in the new year

It’s “resolutions” time again.

Now that the new year has begun, we take stock of what we could be doing better and pledge to modify certain practices and habits.


So how can small- and medium-sized businesses (SMBs) enhance their cybersecurity posture in 2025? Here are five suggested cyber resolutions from the Cyber Readiness Institute, a non-profit organization created to offer free cyber tools and resources for SMBs.

  • Use multi-factor authentication to protect online accounts.
  • Designate a “cyber leader” who’ll be tasked with monitoring cyberthreats, sharing best practices and fostering cyber awareness.
  • Offer cybersecurity awareness training to your staff.
  • Draft a business continuity plan outlining how your SMB will maintain operations if it suffers a cyberattack.
  • Acquire cyberinsurance.

For more cybersecurity resolutions to act upon in 2025, check out:
