New order mandates securing the federal software supply chain and communications networks, as well as deploying AI tools to protect critical infrastructure from cyberattacks — but will the Trump administration follow through?

Source: UPI via Alamy Stock Photo

As President Biden prepares to hand over the government to the incoming Trump administration, he has issued a new cybersecurity executive order (EO) outlining an aggressive cyber-defense plan for today's most dangerous national cyber threats — including China, and rampant software supply chain vulnerabilities across government and the private sector.

Sweeping and ambitious, the EO reads like a detailed US cybersecurity status report from the Biden administration, focused on laying groundwork for the incoming team. And with threats on the rise across the world, party affiliation and partisan predilections aside, America and Americans' cybersecurity relies on a smooth handoff from Biden to Trump, experts say.

The signs are positive so far. The order is a reflection of a forthright and responsible transition to the Trump administration, according to Tom Cross, a cybersecurity strategist at WitFoo.

"Cybersecurity is not a partisan issue — everyone in the United States has a shared interest in protecting our nation against foreign cyber threats, such as spying and network disruption," Cross wrote in a statement responding to the new Biden cybersecurity executive order. "By issuing this EO now, the Biden administration is able to put its best thinking on these topics in motion, giving the Trump administration time to put new leaders in place and develop its strategy going forward.”

The EO is a bookend to Biden's 2021 cybersecurity executive order, issued early in his term, and reflects a country plagued by a new set of geopolitical adversaries armed with increasingly sophisticated technology, including generative artificial intelligence (GenAI).

The order acknowledges the brazen rise in malicious cyber activity from China, including breaches of the US Treasury and at least nine telecommunications networks in a vast espionage operation carried out by Salt Typhoon and other advanced persistent threats (APTs) sponsored by the Chinese government. While the EO only covers federal agencies, the Biden administration has long used federal cybersecurity policies and resources as a way to push the private sector into adopting more secure standards in turn.

"The Biden administration’s latest cyber executive order is focused on securing critical infrastructure, adopting AI for defense, and transitioning to post-quantum cryptography with an ambitious agenda," Andrew Borene, executive director of global security for Flashpoint and a former Office of the Director of National Intelligence (ODNI) senior official, tells Dark Reading. "However, the real power of this executive order may lie in its ability to institutionalize some best practices as American multinational businesses and government agencies face a new Cold War's dangerous digital environment."

**Securing the Federal Software Supply Chain, Cloud, Space**

Biden's latest EO starts with the federal software supply chain, mandating that agencies develop secure software acquisition standards and only do business with software vendors that can attest to secure development practices and provide evidence of compliance with those standards. Within the next 60 days, a consortium is ordered to be convened, including the cecretary of commerce and National Institute of Standards and Technology (NIST) officials, to develop those standards, which will include practices, procedures, controls, and implementation examples, according to the EO.

Federal agencies were also ordered to implement NIST supply chain risk management practices. The Cybersecurity and Infrastructure Security Agency (CISA) and the General Services Administration (GSA) will evaluate how to securely manage open source software inside federal networks.

Biden's order additionally addresses emerging attack surfaces across the federal government, including cloud and space/satellite systems, and calls for the implementation of identity and access management (IAM) practices across agencies.

On the cloud front, the order mandates that FedRAMP marketplace service providers such as Google or Amazon provide federal agencies with recommendations on cloud configuration.

"I am particularly happy to see that cloud providers will be required to publish information to clients on how to operate securely," Chris Hauk, consumer privacy champion at Pixel Privacy, wrote in a statement. "Too many data breaches have been due to misconfigured cloud data buckets, many times leaving the data stored in those buckets open to anyone with an Internet connection and a little bit of knowledge."

Space systems meanwhile are ordered to receive continuous analysis to ensure US systems are keeping up with the latest threats, the EO explained.

"As cybersecurity threats to space systems increase, these systems and their supporting digital infrastructure must be designed to adapt to evolving cybersecurity threats and operate in contested environments," the EO reads. "In light of the pivotal role space systems play in global critical infrastructure and communications resilience, and to further protect space systems and the supporting digital infrastructure vital to our national security, including our economic security, agencies shall take steps to continually verify that federal space systems have the requisite cybersecurity capabilities through actions including continuous assessments, testing, exercises, and modeling and simulation."

**Securing Federal Communications**

China's espionage activities have highlighted the need to secure federal communications networks, according to the EO. The Biden administration thus has established guidelines for shoring up communications network cybersecurity, including implementing identity controls, encrypting DNS traffic, and encrypting all emails, voice, video, and messaging.

Regarding cryptography, the Biden EO said new rules for protecting and auditing cryptographic keys will be developed by NIST. Further, agencies should require post-quantum cryptography, where applicable, the EO states.

These cryptography and authentication controls requirements are also applicable to other critical national security systems, Flashpoint's Borene points out.

"From energy grids to satellites, the directive emphasizes the need to secure the systems that underpin our national security and daily life," he adds. "The push for universal encryption and authentication protocols is particularly timely, given the frequency and scale of recent attacks."

**Unleashing AI to Secure Critical Infrastructure**

Artificial Intelligence must be deployed to protect US critical infrastructure from cyberattack, according to the Biden EO. The order establishes a program to explore the use of AI to bolster US cyber defenses and push for additional research.

And indeed, AI will place an increasing role in protecting the US from cyberattacks in the future, according to Christian Geyer, CEO and founder of Actfore.

"While it's crucial to recognize the expanding attack surface that AI may bring, we can be optimistic about the incredible potential it holds for enhancing security and efficiency," Geyer wrote in a statement. "The main challenge lies in navigating the complexities of government processes, but with the right approach, these challenges can be overcome, ensuring that technology initiatives are both effective and secure."

Ransomware and the development of digital identification for secure online transactions are also included in the Biden administration's cybersecurity wish list.

The EO is clearly comprehensive and wide-ranging. But without buy-in from Trump's cyber team, many of the EO's efforts could be stymied, researchers warn. It's unclear for now how it will go.

The Trump administration has already signaled a distaste for regulation, and put it into practice throughout Trump's first term, according to Coleman Mehta, head of global public policy and strategy at Infoblox. Yet, he was willing to build on previous cybersecurity policies from the Obama administration.

"Similarly, President Biden often built on policies set by Trump," Mehta tells Dark Reading. "The fundamentals of that continuity should stay the same; focus on the threat from Chinese cyber adversaries, strengthen supply chain security, and continue to build public-private collaboration."

During his recent Senate confirmation hearings for secretary of state, Sen. Marco Rubio (R-Fla.) indicated an interest in seeing policy changes that address the global cyber supply chain threat, Flashpoint's Borene points out.

"Looking ahead, the new administration inherits a world of rapidly escalating state threats from adversaries like China, Russia, Iran, along with a growing network of cyber proxies and even transnational criminal extortion groups," Borene says. "A well-executed handoff of some of the executive order’s provisions could bolster US cyber defenses at a time when proactive information security has never been more critical."

Biden's Cybersecurity EO Leaves Trump a Comprehensive Blueprint for Defense

### Impact
Gomatrixserverlib is vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions.

### Patches

c4f1e01eab0dd435709ad15463ed38a079ad6128 fixes this issue.


### Workarounds
Use a local firewall to limit the network segments and hosts the service using gomatrixserverlib can access.

### References
N/A


Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-4ff6-858j-r822: Gomatrixserverlib Server-Side Request Forgery (SSRF) on redirects and federation

PRESS RELEASE

BRENTWOOD, Tenn., Jan. 14, 2025 /PRNewswire/ -- Fortified Health Security (Fortified), a Best in KLAS managed security services provider (MSSP) specializing in healthcare cybersecurity, today released the 2025 Horizon Report, a semiannual publication on cybersecurity news, trends, guidance and solutions for healthcare organizations.

Analyzing data from the Office for Civil Rights (OCR), the Horizon Report has served as a free resource for healthcare professionals since 2017. The 2025 edition includes contributions from experts—including internationally recognized cybersecurity expert Paul Connelly—on solutions for some of the acute cybersecurity issues facing healthcare organizations today. These include budget and talent challenges, the growing role of AI in hospitals, the evolution of threat actors and third-party risk management. 

"As we enter 2025, the healthcare sector will be confronted with a rise in cyberattacks, strict legislative regulations and the ongoing enhancement of AI, all while navigating financial pressures," wrote Dan Dodson, chief executive officer at Fortified, in the report. "There are no 'one-size-fits-all' answers to confronting these challenges. That is why collaboration is critical to safeguarding cybersecurity risks."

The report also provides important data breach statistics, building on those published in Fortified's mid-year report last summer. Key insights from the report include:

*   The total number of patient records exposed in 2024 rose 9%, from 168 million to 183 million
    
*   Business Associates accounted for a smaller percentage of cyber attacks in 2024 than the year prior, yet these attacks comprised 67% of total exposed patient records
    
*   Healthcare Clearing Houses saw an increase in cyber attacks of more than 2,000%, indicating growing vulnerability among entities that manage massive volumes of patient data
    
*   While network servers remained the most common breach location, phishing was reinforced as a go-to tactic for threat actors, with email breaches growing by 18% in 2024
    

"2024 was a challenging year for cybersecurity among healthcare organizations, with mega breaches like Change Healthcare—the largest ever reported in the United States—making national news and sending shockwaves through the healthcare industry," said Dodson. "With the Horizon Report, we aim to chart a path forward for healthcare organizations by gathering the latest expert insights and best practices for cyber resilience."

The full report is available for download here.

About Fortified Health Security   
Fortified is Healthcare's Cybersecurity Partner® – protecting patient data and reducing risk throughout the healthcare ecosystem. A managed security service provider that has been awarded numerous industry accolades, Fortified works alongside healthcare organizations to build customized programs that help clients leverage their prior security investments and current processes while implementing new solutions that reduce risk and increase their security posture over time. Led by a team of industry-recognized cyber experts, Fortified's high-touch engagements and client-specific process maximize value and deliver an actionable, scalable approach to help reduce the risk of cyber events. To learn more, visit www.fortifiedhealthsecurity.com.

You May Also Like

183M Patient Records Exposed: Fortified Health Security Releases 2025 Healthcare Cybersecurity Report

PRESS RELEASE

SALT LAKE CITY — January 13, 2025 — Ivanti, the software company that breaks down barriers between IT and security so that Everywhere Work can thrive, has appointed seasoned tech leader, Karl Triebes, as Chief Product Officer. In his new role, Triebes will focus on ensuring that Ivanti’s product strategy aligns with the company’s long-term goals, drives innovation, and enhances customer satisfaction.

Triebes’ appointment comes at a pivotal time for Ivanti, as the company continues to expand its footprint in the IT management and security landscape. His extensive experience and visionary approach are expected to ensure the company remains at the forefront of delivering high-quality technology solutions.

“I am thrilled to join Ivanti at such an exciting time in the company’s journey,” said Karl Triebes. “Ivanti's commitment to innovation and customer-centric approach align perfectly with my vision for product development. I look forward to working with the talented team at Ivanti to drive our product strategy forward, enhance our engineering capabilities, and deliver exceptional solutions to our customers.”

He joins Ivanti with over 30 years of extensive experience in technology leadership and product development. Throughout his career, Karl has held pivotal roles in several high-profile technology companies such as F5, Amazon and Imperva. In these positions, he has consistently demonstrated a strong prowess in engineering, product strategy, and driving business growth. His seasoned leadership and innovative vision have been instrumental in advancing technology solutions and enhancing product portfolios.

His strategic oversight will ensure that Ivanti’s products not only meet but exceed the expectations of customers, driving sustained business growth and solidifying Ivanti’s position as a leader in the industry.

“Customer satisfaction is at the heart of everything we do,” Triebes added. “By focusing on innovation and maintaining a customer-centric approach, we can develop products that not only solve current challenges but also anticipate future needs. I am eager to lead Ivanti in this direction and contribute to the company’s continued success.”

Ivanti’s CEO, Dennis Kozak, stated, “We are delighted to welcome Karl to the Ivanti team. His extensive experience and proven track record in technology leadership make him the perfect fit for our organization. We are confident that under his guidance, Ivanti will continue to innovate and deliver exceptional solutions to our customers.”

About Ivanti

Ivanti breaks down barriers between IT and security so that Everywhere Work can thrive. Ivanti has created the first purpose-built technology platform for CIOs and CISOs – giving IT and security teams comprehensive software solutions that scale with their organizations’ needs to enable, secure and elevate employees' experiences. The Ivanti platform is powered by Ivanti Neurons - a cloud-scale, intelligent hyper automation layer that enables proactive healing, user-friendly security across the organization, and provides an employee experience that delights users. Over 35,000 customers, including 85 of the Fortune 100, have chosen Ivanti to meet challenges head-on with its end-to-end solutions. At Ivanti, we strive to create an environment where all perspectives are heard, respected and valued and are committed to a more sustainable future for our customers, partners, employees and the planet. For more information, visit www.ivanti.com and follow @GoIvanti.

Karl Triebes Joins Ivanti as Chief Product Officer

PRESS RELEASE

Today, CISA — along with U.S. and international partners — released joint guidance Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products. As part of CISA’s Secure by Demand series, this guidance focuses on helping customers identify manufacturers dedicated to continuous improvement and achieving a better cost balance, as well as how Operational Technology (OT) owners and operators should integrate secure by design elements into their procurement process.

Critical infrastructure and industrial control systems are prime targets for cyberattacks. The authoring agencies warn that threat actors, when compromising OT components, target specific OT products rather than specific organizations. Many OT products are not designed and developed with Secure by Design principles and often have easily exploited weaknesses. When procuring products, OT owners and operators should select products from manufacturers who prioritize security elements identified in this guidance.

For more information on questions to consider during procurement discussions, see CISA's Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem. To learn more about secure by design principles and practices, visit Secure by Design.

CISA and US and International Partners Publish Guidance for OT Owners and Operators

PRESS RELEASE

Riyadh, Saudi Arabia, Jan. 13, 2025 (GLOBE NEWSWIRE) -- SEALSQ Corp (NASDAQ: LAES) ("SEALSQ" or "Company"), a company specializing in Semiconductors, PKI, and Post-Quantum technology hardware and software products, today announced that in partnership with its parent company, WISeKey International Holding (“WISeKey”) (SIX: WIHN, NASDAQ: WKEY), is scaling its presence in Saudi Arabia to support the Kingdom’s digital transformation and cybersecurity advancements. Through their joint venture, WISeKey Arabia, in collaboration with the Juffali Group, SEALSQ and WISeKey aim to gradually introduce groundbreaking technology innovations tailored to Saudi Arabia’s unique needs.

In 2019, WISeKey Arabia, in partnership with the Juffali Group, a leading Saudi business conglomerate, is committed to fostering a secure digital ecosystem in alignment with Vision 2030. The collaboration focuses on providing state-of-the-art solutions, including Public Key Infrastructure (PKI), digital identity management, and IoT security, enhanced with SEALSQ’s quantum-resistant cryptographic technologies. This initiative ensures a robust foundation for Saudi businesses and government entities to thrive in an increasingly digital world.

Gradual Deployment of Cutting-Edge Technologies  
SEALSQ and WISeKey plan to gradually introduce innovative solutions to Saudi Arabia’s technology landscape, including advancements in satellite communication and IoT security through the WISeSat.Space ecosystem. WISeSat.Space, WISeKey’s pioneering low-power, secure satellite solution, enables real-time data processing for IoT devices in remote locations.

The system is designed to provide:

*   End-to-End Security: Utilizing quantum-resistant encryption to protect critical IoT data.
    
*   Cost-Efficiency: Reducing the barriers to satellite communication for businesses and government projects.
    
*   Scalability: Supporting diverse applications, including environmental monitoring, smart cities, and supply chain optimization.
    

WISeSat.Space’s integration into the Saudi market represents a strategic step in equipping local industries with the tools needed to excel in the Fourth Industrial Revolution.

Partnership with Hedera and The Hashgraph Association  
In addition to WISeSat.Space’s deployment, SEALSQ and WISeKey are collaborating with Hedera, leveraging its enterprise-grade distributed ledger for blockchain-based applications. These efforts align with The Hashgraph Association’s five-year partnership with the Saudi Ministry of Investment Association, which includes the launch of the $250M DeepTech Venture Studio. The DeepTech Venture Studio is designed to support startups operating within Saudi Arabia in areas such as blockchain, AI, IoT, robotics, and quantum computing.

Funded with $50M from The Hashgraph Association and $200M from the Saudi Ministry of Investment Association, the DeepTech Venture Studio provides significant opportunities for Saudi-based companies leveraging Hedera’s hashgraph network. WISeKey Arabia will serve as a trusted technology partner, empowering startups with secure and scalable solutions.

Aligning with Vision 2030  
WISeKey and SEALSQ’s plans align with Saudi Arabia’s Vision 2030, which emphasizes innovation, digital transformation, and economic diversification. The partnership supports key national initiatives, including the Centre for the Fourth Industrial Revolution (C4IR) Saudi Arabia and the Quantum Economy project, ensuring that the Kingdom remains a global leader in advanced technologies.

“Our commitment to Saudi Arabia extends beyond cybersecurity,” said Carlos Moreira, CEO of SEALSQ. “By introducing groundbreaking technologies like WISeSat and collaborating with key partners such as the Juffali Group, Hedera, and The Hashgraph Association, we aim to empower the Kingdom’s businesses and government with the tools they need to succeed in a rapidly evolving digital landscape.”

About SEALSQ:  
SEALSQ focuses on selling integrated solutions based on Semiconductors, PKI and Provisioning services, while developing Post-Quantum technology hardware and software products. Our solutions can be used in a variety of applications, from Multi-Factor Authentication tokens, Smart Energy, Smart Home Appliances, Medical and Healthcare and IT Network Infrastructure, to Automotive, Industrial Automation and Control Systems.

Post-Quantum Cryptography (PQC) refers to cryptographic methods that are secure against an attack by a quantum computer. As quantum computers become more powerful, they may be able to break many of the cryptographic methods that are currently used to protect sensitive information, such as RSA and Elliptic Curve Cryptography (ECC). PQC aims to develop new cryptographic methods that are secure against quantum attacks. For more information, please visit www.sealsq.com.

Forward-Looking Statements  
This communication expressly or implicitly contains certain forward-looking statements concerning SEALSQ Corp and its businesses. Forward-looking statements include statements regarding our business strategy, financial performance, results of operations, market data, events or developments that we expect or anticipates will occur in the future, as well as any other statements which are not historical facts. Although we believe that the expectations reflected in such forward-looking statements are reasonable, no assurance can be given that such expectations will prove to have been correct. These statements involve known and unknown risks and are based upon a number of assumptions and estimates which are inherently subject to significant uncertainties and contingencies, many of which are beyond our control. Actual results may differ materially from those expressed or implied by such forward-looking statements. Important factors that, in our view, could cause actual results to differ materially from those discussed in the forward-looking statements include the expected success of our technology strategy and solutions for IoMT Security for Medical and Healthcare sectors, SEALSQ's ability to implement its growth strategies, SEALSQ's ability to continue beneficial transactions with material parties, including a limited number of significant customers; market demand and semiconductor industry conditions; and the risks discussed in SEALSQ's filings with the SEC. Risks and uncertainties are further described in reports filed by SEALSQ with the SEC.

SEALSQ Corp is providing this communication as of this date and does not undertake to update any forward-looking statements contained herein as a result of new information, future events or otherwise.

SEALSQ in Cooperation With WISeKey Expands Post-Quantum Footprint in Saudi Arabia

Mattermost versions 10.2.x <= 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly handle posts with attachments containing fields that cannot be cast to a String, which allows an attacker to cause the webapp to crash via creating and sending such a post to a channel.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-20621

**Mattermost webapp crash via a crafted post**

Moderate severity GitHub Reviewed Published Jan 16, 2025 to the GitHub Advisory Database • Updated Jan 16, 2025

**Package**

gomod github.com/mattermost/mattermost/server/v8 (Go)

**Affected versions**

\>= 10.2.0, < 10.2.1

\>= 10.1.0, <= 10.1.3

\>= 10.0.0, <= 10.0.3

\>= 9.11.0, <= 9.11.5

< 8.0.0-20241127161322-25ff7a3779a5

**Patched versions**

10.2.1

10.1.4

10.0.4

9.11.6

8.0.0-20241127161322-25ff7a3779a5

Published to the GitHub Advisory Database

Jan 16, 2025

Last updated

Jan 16, 2025

GHSA-w6xh-c82w-h997: Mattermost webapp crash via a crafted post

Residents across the United States are being inundated with text messages purporting to come from toll road operators like E-ZPass, warning that recipients face fines if a delinquent toll fee remains unpaid. Researchers say the surge in SMS spam coincides with new features added to a popular commercial phishing kit sold in China that makes it simple to set up convincing lures spoofing toll road operators in multiple U.S. states.

Residents across the United States are being inundated with text messages purporting to come from toll road operators like **E-ZPass**, warning that recipients face fines if a delinquent toll fee remains unpaid. Researchers say the surge in SMS spam coincides with new features added to a popular commercial phishing kit sold in China that makes it simple to set up convincing lures spoofing toll road operators in multiple U.S. states.

Last week, the **Massachusetts Department of Transportation** (MassDOT) warned residents to be on the lookout for a new SMS phishing or “smishing” scam targeting users of **EZDriveMA**, MassDOT’s all electronic tolling program. Those who fall for the scam are asked to provide payment card data, and eventually will be asked to supply a one-time password sent via SMS or a mobile authentication app.

Reports of similar SMS phishing attacks against customers of other U.S. state-run toll facilities surfaced around the same time as the MassDOT alert. People in Florida reported receiving SMS phishing that spoofed **Sunpass**, Florida’s prepaid toll program.

This phishing module for spoofing MassDOT’s EZDrive toll system was offered on Jan. 10, 2025 by a China-based SMS phishing service called “Lighthouse.”

In Texas, residents said they received text messages about unpaid tolls with the **North Texas Toll Authority**. Similar reports came from readers in California, Colorado, Connecticut, Minnesota, and Washington. This is by no means a comprehensive list.

A new module from the Lighthouse SMS phishing kit released Jan. 14 targets customers of the North Texas Toll Authority (NTTA).

In each case, the emergence of these SMS phishing attacks coincided with the release of new phishing kit capabilities that closely mimic these toll operator websites as they appear on mobile devices. Notably, none of the phishing pages will even load unless the website detects that the visitor is coming from a mobile device.

**Ford Merrill** works in security research at SecAlliance, a CSIS Security Group company. Merrill said the volume of SMS phishing attacks spoofing toll road operators skyrocketed after the New Year, when at least one Chinese cybercriminal group known for selling sophisticated SMS phishing kits began offering new phishing pages designed to spoof toll operators in various U.S. states.

According to Merrill, multiple China-based cybercriminals are selling distinct SMS-based phishing kits that each have hundreds or thousands of customers. The ultimate goal of these kits, he said, is to phish enough information from victims that their payment cards can be added to mobile wallets and used to buy goods at physical stores, online, or to launder money through shell companies.

A component of the Chinese SMS phishing kit Lighthouse made to target customers of The Toll Roads, which refers to several state routes through Orange County, Calif.

Merrill said the different purveyors of these SMS phishing tools traditionally have impersonated shipping companies, customs authorities, and even governments with tax refund lures and visa or immigration renewal scams targeting people who may be living abroad or new to a country.

“What we’re seeing with these tolls scams is just a continuation of the Chinese smishing groups rotating from package redelivery schemes to toll road scams,” Merrill said. “Every one of us by now is sick and tired of receiving these package smishing attacks, so now it’s a new twist on an existing scam.”

In October 2023, KrebsOnSecurity wrote about a massive uptick in SMS phishing scams targeting **U.S. Postal Service** customers. That story revealed the surge was tied to innovations introduced by “**Chenlun**,” a mainland China-based proprietor of a popular phishing kit and service. At the time, Chenlun had just introduced new phishing pages made to impersonate postal services in the United States and at least a dozen other countries.

SMS phishing kits are hardly new, but Merrill said Chinese smishing groups recently have introduced innovations in deliverability, by more seamlessly integrating their spam messages with Apple’s **iMessage** technology, and with RCS, the equivalent “rich text” messaging capability built into **Android** devices.

“While traditional smishing kits relied heavily on SMS for delivery, nowadays the actors make heavy use of iMessage and RCS because telecom operators can’t filter them and they likely have a higher success rate with these delivery channels,” he said.

It remains unclear how the phishers have selected their targets, or from where their data may be sourced. A notice from MassDOT cautions that “the targeted phone numbers seem to be chosen at random and are not uniquely associated with an account or usage of toll roads.”

Indeed, one reader shared on Mastodon yesterday that they’d received one of these SMS phishing attacks spoofing a local toll operator, when they didn’t even own a vehicle.

Targeted or not, these phishing websites are dangerous because they are operated dynamically in real-time by criminals. If you receive one of these messages, just ignore it or delete it, but please do not visit the phishing site. The FBI asks that before you bin the missives, consider filing a complaint with the agency’s Internet Crime Complaint Center (IC3), including the phone number where the text originated, and the website listed within the text.

Chinese Innovations Spawn Wave of Toll Phishing Via SMS

The FTC claims that the Web hosting company's security failures led to several major breaches in the past few years.

Source: M4OS Photos via Alamy Stock Photo

NEWS BRIEF

Having found GoDaddy's security policies inadequate, the Federal Trade Commission (FTC) is requiring the Web hosting company to implement a more rigorous set of security practices.

According to the FTC's complaint, "GoDaddy has failed to implement reasonable and appropriate security measures to protect and monitor its website-hosting environments for security threats, and misled customers about the extent of its data security protections on its website hosting services" since 2018, the agency said in a statement.

The FTC found GoDaddy failed to manage assets and software updates, assess risks to shared hosting services, adequately log and monitor any security-related events, and segment its shared hosting from insecure environments.

These cybersecurity failures led to several security breaches between 2019 and 2022, where hackers were able to gain unauthorized access to customers' websites and data, putting consumers of these websites at risk, according to the FTC. 

All this while GoDaddy claimed on its websites, social media, and emails that it "deployed reasonable security and that it was in compliance with the EU-US and Swiss-US Privacy Shield Frameworks," ultimately misleading its customers.

Going forward, GoDaddy is required to establish and implement a comprehensive information-security program, and must hire an independent third-party to perform biennial reviews of its security program.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

FTC Orders GoDaddy to Fix Inadequate Security Practices

### Impact

If SVG or JPEGXL thumbnailers are enabled (they are disabled by default), a user may upload a file which claims to be either of these types and request a thumbnail to invoke a different decoder in ImageMagick. In some ImageMagick installations, this includes the capability to run Ghostscript to decode the image/file.

If MP4 thumbnailers are enabled (also disabled by default), the same issue as above may occur with the ffmpeg installation instead.

MMR uses a number of other decoders for all other file types when preparing thumbnails. Theoretical issues are possible with these decoders, however in testing they were not possible to exploit.

### Patches

This is fixed in [MMR v1.3.8](https://github.com/t2bot/matrix-media-repo/releases/tag/v1.3.8). MMR now inspects the mimetype of media prior to thumbnailing, and picks a thumbnailer based on those results instead of relying on user-supplied values. This may lead to fewer thumbnails when obscure file shapes are used. This also helps narrow scope of theoretical issues with all decoders MMR uses for thumbnails.

### Workarounds

Disabling the SVG, JPEGXL, and MP4 thumbnail types in the MMR config prevents the decoders from being invoked. Further disabling uncommon file types on the server is recommended to limit risk surface. 

Containers and other similar technologies may also be used to limit the impact of vulnerabilities in external decoders, like ImageMagick and ffmpeg. 

Some installations of ImageMagick may disable "unsafe" file types, like PDFs, already. This option can be replicated to other environments as needed. ffmpeg may be compiled with limited decoders/codecs. The Docker image for MMR disables PDFs and similar formats by default.

### References

A similar issue was discovered in Synapse: https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g


**Impact**

If SVG or JPEGXL thumbnailers are enabled (they are disabled by default), a user may upload a file which claims to be either of these types and request a thumbnail to invoke a different decoder in ImageMagick. In some ImageMagick installations, this includes the capability to run Ghostscript to decode the image/file.

If MP4 thumbnailers are enabled (also disabled by default), the same issue as above may occur with the ffmpeg installation instead.

MMR uses a number of other decoders for all other file types when preparing thumbnails. Theoretical issues are possible with these decoders, however in testing they were not possible to exploit.

**Patches**

This is fixed in MMR v1.3.8. MMR now inspects the mimetype of media prior to thumbnailing, and picks a thumbnailer based on those results instead of relying on user-supplied values. This may lead to fewer thumbnails when obscure file shapes are used. This also helps narrow scope of theoretical issues with all decoders MMR uses for thumbnails.

**Workarounds**

Disabling the SVG, JPEGXL, and MP4 thumbnail types in the MMR config prevents the decoders from being invoked. Further disabling uncommon file types on the server is recommended to limit risk surface.

Containers and other similar technologies may also be used to limit the impact of vulnerabilities in external decoders, like ImageMagick and ffmpeg.

Some installations of ImageMagick may disable "unsafe" file types, like PDFs, already. This option can be replicated to other environments as needed. ffmpeg may be compiled with limited decoders/codecs. The Docker image for MMR disables PDFs and similar formats by default.

**References**

A similar issue was discovered in Synapse: GHSA-vp6v-whfm-rv3g

**References**

*   GHSA-rcxc-wjgw-579r
*   https://github.com/t2bot/matrix-media-repo/releases/tag/v1.3.8

Latest News