January 2025
Thank you to those who submitted answers for the pen giveaways. We went through the answers, created lists and added them into a randomizer. There were 42 submissions in total for both pens! There were a few ~inaccurate answers to the questions, and I would like to address that for folks to clear up some confusion…. and announce the pen winners. Aside from that this month’s newsletter will discuss some of the 2024 major cybersecurity threats, what to expect for 2025 and what actions you should take to protect yourself and information!
Incongruity
“What is one risk of sharing sensitive information with an AI chatbot?”
One response that was received was: “When an AI chatbot is hacked, sensitive information will be spread.” Although this is true, it is important to note that the AI chatbot itself may also share the information. For example: It could use the data in response to a query by another user who is using the AI chatbot or a direct answer depending on how the chatbot is programmed and trained to respond.
“What is one benefit of periodically rebooting your computer?”
One response that we received was: “To update your computer and clear out any viruses.” While there is some truth to it, to be more accurate, periodically rebooting your computer does allow updates to install, especially if they require a restart to take effect. That action helps keep our system secure and running efficiently. Additionally, rebooting can clear out temporary files, refresh system processes, and resolve minor glitches or performance issues. However, rebooting alone does not remove viruses. Virus removal typically requires antivirus software or specific security tools to detect and eliminate it. A computer virus typically attaches itself to a program, spreads to other systems/devices and can remain dormant on a system until triggered by an action.
And the pen winners are…
2024 Major Cybersecurity Threats
2024 was filled with many threats and here is a listing of the major incidents that occurred:
Critical Infrastructure Attacks
AT&T, Verizon, and T-Mobile telecommunications were hacked by the China-linked cyber threat group “Salty Typhoon,” who gained access to communications across these networks. The infiltration allowed access to sensitive customer data (personally identifiable information, call records, account details), which impacted millions of users. Investigation and mitigation is still ongoing and as a result the FBI issued several advisories urging:
• Use of encrypted messaging applications, such as WhatsApp and Signal, for both text and voice communications
• Avoid unencrypted messaging, which could be intercepted
• Keep your device updated
• Encouraged the use of two-factor authentication to reduce the risk of access even if login credentials are compromised.
United Healthcare Group faced a ransomware attack by threat actor ALPHV, which is also known as the BlackCat ransomware group, and ended up paying $22 million to the attackers. The breach impacted the data of a third of Americans.
Lurie Children’s Hospital suffered a data breach and operational disruption that started in January. The hospital only returned to full functionality in March. Lurie did not pay a ransom and instead focused on recovering data and restoring systems. The Rhysida ransomware group was allegedly behind the attack and reportedly made over $3 million from selling the pediatric hospitals stolen data on the dark web while the hospital struggled to recover its IT systems.
AI-Driven Threats - Nation-State Hack
JumpCloud, a cloud-based company used to help streamline IT operations, was targeted in a supply chain attack leveraging AI. An attacker named “UNC4899” (linked to North Korea) used AI techniques to enhance their spear-phishing efforts to make their phishing e-mails more convincing and harder to detect. Once the attacker was able to get a foothold into JumpCloud’s systems, it injected malicious data into JumpCloud systems that targeted specific customers. Once detected, JumpCloud responded by changing all of its credentials and rebuilding a majority of its infrastructure. JumpCloud also worked with law enforcement/cybersecurity experts to mitigate the impact for both themselves and their customers.
Airbus, an aerospace corporation that makes and sells planes, helicopters, defense systems and space-related tech, was hacked by a threat actor “USDoD” (Brazil based) that leveraged AI to automate parts of their attack to make it more difficult to detect and respond to in real-time. The malware that was developed could adapt and evade traditional security measures. In the end, the threat actor was able to capture sensitive information for over 3,200 vendors (names, phone numbers, emails and addresses). They managed to do this using the compromised credentials of a regular user account, which was used to bypass security measures. Airbus responded to this by using its own enhanced AI-driven security measures to detect and respond to the threat. It collaborated with law enforcement and cybersecurity experts to mitigate the impact. The threat actor was later arrested by federal police.
Zero-Day Exploits 
The term zero day refers to security flaws in software or hardware that are unknown to a vendor or developer. Since they have been undiscovered, there are no patches or fixes available at the time they are found - which means they are immediately exploitable by malicious actors. So… who experienced these the most in 2024?
Cleo experienced a zero-day flaw in its file transfer software that allowed a Russian-based threat actor group named “Cl0p” to infiltrate its software, which was being used by many organizations globally. The flaw was used to upload malicious files that were automatically executed by the software (resulting in ransomware) and granted unauthorized access to sensitive data. At least 66 organizations were compromised.
Ivanti, Citrix, Fortinet, Palo Alto Networks and Cisco all experienced zero-day vulnerabilities in 2024 that affected various sectors from government, healthcare, finance, and many critical industries.
Zero days are difficult to defend against, but users can mitigate their impact by remaining informed of their discovery. If a user hears of a discovered zero day with a product they use, then they can take steps to defend themselves by following the advice given by the product maker until a patch is released and install that patch as soon as possible.
Nation-State Cyber Espionage
The U.S. Treasury Department was breached by a China-linked cyber threat group named “Salt Typhoon.” Access was gained by a vulnerability in a third-party application that allowed the hackers to access several workstations with unclassified documents within the Treasury Department. Once detected, services were taken offline to prevent further access. The Cybersecurity and Infrastructure Security Agency along with the FBI investigated the incident. The targeted documents were related to high-profile political figures and sensitive data.
CrowdStrike experienced a significant outage due to a faulty update, and nation-state groups were quick to take advantage of this situation. Never let a good crisis go to waste, right? During the outage, threat actors launched phishing campaigns that impersonated CrowdStrike and tried to trick users into downloading malicious content. CrowdStrike, along with other cybersecurity organizations, made folks aware of these threats and responded by issuing warnings and provided guidance to folks... All the while they also worked on fixing the issue that affected systems and developed a process to prevent similar incidents in the future.
Supply Chain Attacks 
It’s important to remember that a system is only as secure as its weakest link: all it takes is one entity in a chain of trust to be vulnerable to compromise a system. A supply chain attack occurs when a third party service is used in order to infiltrate an organization.
Hulu, Warner Bros. and Mercedes were affected by a problem with a part of their websites called a JavaScript library. This library was hacked and changed so that when people visited their websites, they were sent to harmful websites instead. To protect against this kind of attack, it’s important to only use reputable third-party services. However, if even a trusted service is hacked, you can limit the damage by giving the website or tool only the minimum access it needs to function. This approach is part of a security strategy called the "Zero Trust" model, which is useful for both businesses and individuals to stay safe online.
Threat Expectation for 2025 
Many threat actors (with special note of state-affiliated groups from Russia, China, North Korea and Iran) are increasingly leveraging AI to enhance their malicious activities. I am expecting:
• AI will be used to create polymorphic automated cyberattacks, where an attack will go through the stages of a cyber-attack starting with: o Reconnaissance – Identifying target information, interests and vulnerabilities.
o Delivery of payloads – phishing emails, injecting of data through websites or other means with AI-created content (Deep Fake videos and synthetic voice impersonations).
o Installation – Automated malware or other tools to gain access to a target
o Exploitation – Automated data exfiltration, service disruption or data injection/poisoning to cause damage or implement ransomware for financial gains.
o Evasion – Use of AI to prevent current defensive tools from detecting malware.
• Creation of more sophisticated phishing content that is nearly indistinguishable from legitimate content.
• Prompts to inject code involving manipulating instructions produced by AI.
• Threat actors will find ways to poison AI data models so that they can manipulate data outputs.
While the threats of 2024 and those anticipated in 2025 may seem daunting, here are 7 actionable steps you can take to protect yourself and the organization:
1. Adopt a Zero Trust Mindset:
• Least Privilege Access: Limit permissions to only what's necessary for tools, services, and users.
• Continuous Monitoring: Regularly audit systems and activities to detect suspicious behavior.
• Verify Before Trusting: Always confirm the legitimacy of requests, especially those involving sensitive data or access.
2. Strengthen Authentication Practices:
• Use multi-factor authentication (MFA) for all accounts.
• Avoid SMS-based authentication; instead, use hardware security keys or authenticator apps.
• Regularly update passwords and avoid reusing them across platforms.
3. Stay Updated:
• Install security patches and updates immediately after release to protect against zero-day vulnerabilities.
• Keep antivirus and endpoint protection software up to date.
4. Practice Cyber Hygiene:
• Educate yourself about phishing tactics, suspicious emails, and secure browsing.
• Regularly reboot devices to apply updates and clear temporary files.
• Back up critical data in secure, offline locations.
5. Secure Communications:
• Use encrypted messaging platforms like Signal or WhatsApp for sensitive communications.
• Avoid sharing confidential information via unencrypted channels like standard text or email.
6. Plan for the Worst:
• Have an incident response plan in place, detailing steps to take if a breach occurs.
• Request a tabletop exercise to ensure everyone knows their role in a crisis.
• Ensure backups are available and functioning as planned.
7. Be Wary of AI Limitations:
• Understand the risks of sharing sensitive information with AI tools.
• Avoid putting confidential data into chatbots unless the platform is approved for secure use.
• Monitor AI-generated outputs for accuracy and potential vulnerabilities.
By implementing these strategies, you can reduce risk, limit potential damage and ensure resilience in the face of evolving cybersecurity threats. Stay vigilant, informed and proactive to keep your digital environment secure.
If you have any topics you would like us to write about in our newsletter, please feel free to drop us a line and let us know by e-mailing security@bsd.uchicago.edu