Cyber Security Headlines Week in Review: Tik Tok’s return, Noem’s CISA plans, failed startup risks

This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Shaun Marion, VP and CSO, Xcel Energy

Missed the live show? Check it out on YouTube

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com

Tik Tok is back, but with strings attached

After shutting down in the U.S. late Saturday night, Tik Tok appears to be back up and running after President-elect Trump announced on Sunday that he would extend a 90-day deadline for the company to find a U.S. purchaser. This would come in the form of an Executive Order today. The app now works again for its existing users, although it is still unavailable on the Google and Apple app stores. In a post sent to Truth Social on Sunday morning, Trump suggested that the U.S. take 50% ownership of the company.

Meanwhile, over the weekend, millions of Tik Tok users headed over to REDnote, declaring themselves Tik Tok refugees. Some sent messages saying they were doing so to spite the U.S. government for blocking Tik Tok in the first place. According to Dark Reading, REDnote is “based in Shanghai, and it’s one of the few social media platforms allowed to operate on both sides of the Great Firewall, making spying on Americans seemingly much easier. REDnote’s servers are primarily located in China, meaning that user data is subject to Chinese cybersecurity laws that require companies to grant government access upon request.” Prior to Tik Tok’s 90-day lifeline, numerous experts stated that the resulting exodus made “U.S. national security over TikTok even more problematic.”

(Dark Reading, BleepingComputer, and BBC News)

Noem promises to curtail CISA

As reported by Cyberscoop, Department of Homeland Security secretary nominee Kristi Noem stated, in testimony before the Homeland Security and Governmental Affairs Committee on Friday, that if confirmed she would keep the department out of efforts to combat disinformation and misinformation, and pledged to make CISA “smaller, and more nimble.” She added that CISA has gone “far off mission, which is to hunt and to help harden our nation’s critical infrastructure.”

(Cyberscoop)

Employees of failed startups at risk of stolen personal data

Dylan Ayrey, co-founder and CEO of Truffle Security, discovered that malicious hackers could potentially buy the defunct domains of failed startups and use them to log into former employees’ cloud accounts. To test the flaw, Ayrey bought one failed startup’s domain and from it was able to log in to ChatGPT, Slack, Notion, Zoom, and an HR system containing Social Security numbers. Ayrey used former employee email addresses on that domain to take advantage of the “Sign in with Google” option and access the apps. Startup employees are more exposed because startups tend to run their businesses on Google’s apps and cloud software. Google’s OAuth configuration does include a “sub-identifier” that should prevent the risk Ayrey outlined, but only if the SaaS provider actually keys accounts on it. While an employee might have multiple email addresses attached to their Google account, the account should only ever have one sub-identifier. Google says the ultimate fix is for founders shuttering a company to ensure they properly close all of their cloud services.
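The sub-identifier point is easiest to see in code. The following is an added example and is not code from Truffle Security, Google or any of the SaaS products named above: it contrasts an account store that looks users up by the e-mail address in a Google ID token with one that keys on the token’s `(iss, sub)` pair. The claim sets are constructed (they stand for the payload of a token an OIDC library has already signature-checked); the issuer string is Google’s real OIDC issuer, while the `sub` values, the address and the domain are made up.

```python
"""Account linking keyed on the OpenID Connect `sub` claim instead of the e-mail.

Added example, not code from Truffle Security, Google or any of the named SaaS
products. The claim sets below are constructed: they stand for the payload of
a Google ID token that has ALREADY been signature-checked by an OIDC library.
The issuer string is Google's real OIDC issuer; the sub values, e-mail and
domain are made up.
"""
from dataclasses import dataclass

GOOGLE_ISSUER = "https://accounts.google.com"


@dataclass
class User:
    user_id: int
    email: str
    data: str = "new empty account"  # stand-in for whatever the account can see


class EmailKeyedAccounts:
    """Vulnerable pattern: the account is looked up by the e-mail in the token.

    Whoever controls the domain later can re-create the same address in a new
    Google Workspace tenant and inherit the old account."""

    def __init__(self):
        self._by_email = {}
        self._next_id = 1

    def login(self, claims):
        if claims.get("iss") != GOOGLE_ISSUER or not claims.get("email_verified"):
            raise PermissionError("untrusted issuer or unverified e-mail")
        email = claims["email"].lower()
        user = self._by_email.get(email)
        if user is None:
            user = User(self._next_id, email)
            self._next_id += 1
            self._by_email[email] = user
        return user


class SubKeyedAccounts:
    """Hardened pattern: the account is keyed on (issuer, sub).

    Google assigns one stable sub per Google account, so a re-created address
    in another tenant is a different account and resolves to a fresh, empty
    record instead of the old employee's data."""

    def __init__(self):
        self._by_sub = {}
        self._next_id = 1

    def login(self, claims):
        if claims.get("iss") != GOOGLE_ISSUER or not claims.get("email_verified"):
            raise PermissionError("untrusted issuer or unverified e-mail")
        key = (claims["iss"], claims["sub"])
        user = self._by_sub.get(key)
        if user is None:
            user = User(self._next_id, claims["email"].lower())
            self._next_id += 1
            self._by_sub[key] = user
        else:
            user.email = claims["email"].lower()  # e-mail may change; sub does not
        return user


# Constructed claim sets (not real tokens).
ORIGINAL_EMPLOYEE = {
    "iss": GOOGLE_ISSUER,
    "sub": "100000000000000000001",
    "email": "alice@failed-startup.example",
    "email_verified": True,
}
# The same address re-created after the domain changed hands: a different
# Google account, so Google assigns a different sub.
DOMAIN_BUYER = {
    "iss": GOOGLE_ISSUER,
    "sub": "100000000000000000777",
    "email": "alice@failed-startup.example",
    "email_verified": True,
}


def what_the_buyer_sees(store_cls):
    """Provision the original employee, then log in with the re-created address."""
    store = store_cls()
    original = store.login(ORIGINAL_EMPLOYEE)
    original.data = "HR records incl. SSNs"  # the account accumulates sensitive data
    later = store.login(DOMAIN_BUYER)
    return later.data


if __name__ == "__main__":
    print("email-keyed:", what_the_buyer_sees(EmailKeyedAccounts))  # HR records incl. SSNs
    print("sub-keyed:  ", what_the_buyer_sees(SubKeyedAccounts))    # new empty account
```

The check a SaaS operator wants is whether their own login path resembles `EmailKeyedAccounts`; if it does, the fix on their side is the `SubKeyedAccounts` lookup, independent of whether the former customer ever shut down its Workspace tenant.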

(TechCrunch)

Attackers impersonate Ukraine’s CERT-UA

Ukraine’s computer emergency response team, CERT-UA, released a report documenting how threat actors posing as CERT-UA used the remote desktop tool AnyDesk to gain access to targets’ networks. These attackers would send connection requests from a compromised AnyDesk account, claiming to be carrying out a “security audit.” CERT-UA does use AnyDesk for some cyber incident response procedures but said these are always arranged in advance over secure communication channels. The organization did not provide details about what the campaign obtained or who operated the attacks. Ukraine’s State Service for Special Communications and Information Protection said cyber incidents increased by 70% in 2024 to 4,300 incidents, mostly from suspected Russian state-backed threat groups.

(The Record)

Thanks to today’s episode sponsor, Vanta

Do you know the status of your compliance controls right now? Like…right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs…we rely on point-in-time checks. But more than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across over 35 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done 5 times faster with AI.

Now that’s…a new way to GRC. Get started at Vanta.com/headlines.

Subaru security flaws expose tracking system for millions of cars

Sam Curry, a researcher with a long history of discovering vulnerabilities in automotive brands, has now revealed vulnerabilities in a web portal belonging to Subaru that allowed him to unlock a car, start its ignition, and reassign control of those features to a different phone or computer. He also discovered that the portal could track the physical movements of a Subaru down to a single parking space in front of any building, with data stretching back a full year. The portal was part of a Subaru feature called Starlink, intended for use by employees at Subaru of America. Subaru stated that the individuals authorized to use the technology “receive proper training and are required to sign appropriate privacy, security, and NDA agreements as needed,” and that the systems have “security monitoring solutions in place which are continually evolving to meet modern cyber threats.” A link to Curry’s blog post is available in the show notes to this episode.

(Wired and Sam Curry’s blog)

CISOs gain boardroom traction but still lack soft skills, says Splunk

The findings come from a report by Splunk, now a subsidiary of Cisco, based on responses from 500 CISOs or equivalents and 100 board members globally and presented as its CISO Report 2025. The report says that 82% of security leaders now report directly to the CEO, up from 47% in 2023. A further 83% said they participate in board meetings “somewhat often” or “most of the time,” with many executives reporting “excellent or very good working relationships with the CISO in areas like setting and aligning on strategic cybersecurity goals and communicating progress against milestones.” The areas where skills gaps are perceived to exist include business acumen, emotional intelligence, and communication. As expected, the two camps remain divided on whether enough money is being spent on cybersecurity efforts.

(InfoSecurity Magazine)

Microsoft Teams used in IT support campaign

Sophos researchers documented a campaign by a threat actor tracked as STAC5143 that used email bombing to set up a fake call from IT support. The attacks initially hammer a potential victim with up to thousands of messages over several minutes. The attackers then place an external Teams call posing as a “Help Desk Manager” offering to resolve the issue through a remote screen-control session. In this session, the attackers drop a ProtonVPN executable with a malicious DLL to create a C2 communication channel, and install the pentest tool RPivot to create a SOCKS4 proxy. While Sophos researchers stopped the attack, the final goal is believed to have been data theft and ransomware deployment. The group FIN7 has used RPivot in past attacks, but Sophos did not have high confidence in attributing these attacks to that more significant threat group.
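The two early stages of this chain, a burst of inbound mail followed within a short time by an external Teams call to the same person, are both visible in logs a defender already has. The following is an added example and not Sophos’s detection logic: it runs a sliding-window count over mail-gateway events to find bombed mailboxes, then flags any external Teams call to such a mailbox in the hours that follow. Both log feeds are constructed dicts in a made-up schema, and the threshold and window sizes are assumptions to be tuned per environment.

```python
"""Correlating an e-mail bomb with a follow-on external Teams call.

Added example, not Sophos's detection logic. Both log feeds are constructed
dicts in a made-up schema (a real deployment would read the mail gateway and
Teams call records); thresholds and windows are assumptions.
"""
from collections import deque
from datetime import datetime, timedelta

BOMB_THRESHOLD = 500                   # assumed: messages within the window that count as a bomb
BOMB_WINDOW = timedelta(minutes=5)     # assumed sliding window
FOLLOW_UP_WINDOW = timedelta(hours=2)  # assumed: how long after a bomb a call is suspicious


def find_email_bombs(mail_events, threshold=BOMB_THRESHOLD, window=BOMB_WINDOW):
    """Return {mailbox: time the sliding-window count first reached threshold}."""
    recent = {}   # mailbox -> deque of timestamps still inside the window
    bombs = {}
    for ev in sorted(mail_events, key=lambda e: e["ts"]):
        q = recent.setdefault(ev["mailbox"], deque())
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # q is never empty here: we just appended
            q.popleft()
        if len(q) >= threshold and ev["mailbox"] not in bombs:
            bombs[ev["mailbox"]] = ev["ts"]
    return bombs


def correlate_teams_calls(bombs, teams_events, follow_up=FOLLOW_UP_WINDOW):
    """Flag external Teams calls to a mailbox that was just bombed."""
    alerts = []
    for ev in teams_events:
        if not ev["external"]:
            continue                      # calls from the tenant's own help desk are expected
        bombed_at = bombs.get(ev["callee"])
        if bombed_at is not None and bombed_at <= ev["ts"] <= bombed_at + follow_up:
            alerts.append({
                "mailbox": ev["callee"],
                "bombed_at": bombed_at,
                "call_at": ev["ts"],
                "caller": ev["caller_display"],
                "severity": "high",
            })
    return alerts


def build_sample_logs():
    """Constructed sample: one bombed mailbox, one normal mailbox, three calls."""
    base = datetime(2025, 1, 20, 9, 0, 0)
    mail = []
    # 600 messages to alice in three minutes: the bomb
    for i in range(600):
        mail.append({"ts": base + timedelta(milliseconds=300 * i),
                     "mailbox": "alice@corp.example",
                     "sender": f"noreply{i}@lists.example"})
    # 20 messages to bob over 20 minutes: normal traffic
    for i in range(20):
        mail.append({"ts": base + timedelta(minutes=i),
                     "mailbox": "bob@corp.example",
                     "sender": "colleague@corp.example"})
    teams = [
        {"ts": base + timedelta(minutes=20), "callee": "alice@corp.example",
         "caller_display": "Help Desk Manager", "external": True},   # the described pattern
        {"ts": base + timedelta(minutes=25), "callee": "bob@corp.example",
         "caller_display": "Help Desk Manager", "external": True},   # no preceding bomb
        {"ts": base + timedelta(minutes=30), "callee": "alice@corp.example",
         "caller_display": "IT Service Desk", "external": False},    # internal, expected
    ]
    return mail, teams


def run_detection():
    mail, teams = build_sample_logs()
    return correlate_teams_calls(find_email_bombs(mail), teams)


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

On the constructed sample only the external call to the bombed mailbox is raised; the same call to an unbombed user and the internal help-desk call are not. In production the external-call flag would come from the Teams tenant ID on the call record, and the alert is a prompt to check whether the user granted a remote-control session before any ProtonVPN or proxy artefacts appear on the host.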

(Bleeping Computer)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.