CyberBakery Chronicles
Welcome to this week’s edition of CyberBakery Chronicles, your trusted source for the latest news in digital security. Whether you're an enthusiastic novice or a seasoned expert, our insightful content aims to keep you informed and engaged.

Your Weekly Cybersecurity Update (17 Jan 2025)

The U.S. government plans to prohibit the use of components and software made by Chinese and Russian companies in connected vehicles as part of a broader effort to protect national security and prevent potential cyber threats. This ban, initiated by the Department of Homeland Security (DHS), targets components that could expose critical systems in cars—such as navigation, entertainment, and communications networks—to foreign adversaries. The new restrictions align with a growing focus on cybersecurity risks from foreign-made technologies in critical industries, such as telecommunications and energy. The rule will apply to all government and private-sector vehicles deployed within U.S. borders.
This decision highlights the increasing overlap between cybersecurity and national security, particularly as connected vehicles evolve into critical infrastructure. Modern vehicles often rely on software and hardware ecosystems that include third-party components, making them potential cyberattack targets. Compromised components from adversarial nations could enable remote tracking, data exfiltration, or even vehicle control.
Following are some of the key implications for the industry:
Supply Chain Security: Automakers and suppliers must reassess their supply chains to eliminate high-risk components, which could result in increased costs and production delays.
Emerging Standards: This move underscores the importance of adhering to supply chain security frameworks like the National Institute of Standards and Technology (NIST) guidelines and Zero Trust principles.
Increased Regulatory Oversight: Companies may need to navigate stricter regulatory compliance requirements and audits to ensure the integrity of hardware and software in vehicle designs.
Broader Trends: The ban aligns with ongoing U.S. efforts to decouple from Chinese technology in other sectors, such as telecom (Huawei) and surveillance equipment.
Automakers, particularly those with global operations, must act proactively to insulate their systems from geopolitical risk while prioritizing cybersecurity in their development pipelines. Failure to adapt could not only result in regulatory penalties but also increase the risk of cyber incidents that undermine consumer trust.

A vulnerability has been discovered in the W3 Total Cache plugin, a popular performance optimization tool for WordPress sites. The flaw, identified as CVE-2023-45926, is a Cross-Site Scripting (XSS) vulnerability that could allow attackers to inject and execute malicious scripts on websites using the plugin. This issue arises from insufficient input sanitization of user-provided data in the plugin’s settings. While there is no evidence of this vulnerability being exploited in the wild, experts recommend immediate updates to the latest patched version (v2.6.1) to mitigate risks. The vulnerability affects more than 1 million active plugin installations.
This vulnerability highlights a recurring issue in the WordPress ecosystem: third-party plugins often introduce security risks due to improper input validation. Cross-site scripting vulnerabilities like this are particularly dangerous as they can be exploited to perform phishing attacks, steal user data, or take over admin accounts if combined with other flaws. Given the widespread use of the W3 Total Cache plugin, the attack surface is substantial, making it a priority for administrators to update immediately.
Key impacts:
1. For Website Administrators: Always maintain an updated inventory of plugins, prioritize updates, and disable unused plugins to reduce the attack surface.
2. For Developers: Incorporate stricter input validation and sanitization in plugin code to minimize vulnerabilities.
3. For Organisations: Use Web Application Firewalls (WAFs) and monitoring tools to detect and mitigate potential exploitation attempts.
This incident also underscores the importance of proactive vulnerability management and routine security audits for websites relying heavily on third-party integrations.
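To make the "insufficient input sanitization in settings" failure concrete, here is an added illustration (not W3 Total Cache's code) of a WordPress plugin settings field written two ways: the vulnerable pattern the advisory describes, where an option is stored and echoed raw, beside the hardened pattern that sanitizes on write and escapes on output. The option name `cb_cdn_host` and the `cb_` functions are hypothetical.

```php
<?php
// Added example, not plugin code. Hypothetical option "cb_cdn_host".
// Assumes it runs inside WordPress (update_option, esc_attr, etc. exist).

// --- VULNERABLE PATTERN (what the advisory describes) ---
// The submitted value is stored unchanged and echoed unescaped into the
// settings form: a payload saved once becomes stored XSS that fires for
// every administrator who later opens the settings page.
function cb_vuln_save_settings() {
    if ( isset( $_POST['cb_cdn_host'] ) ) {
        update_option( 'cb_cdn_host', $_POST['cb_cdn_host'] ); // no sanitization
    }
}
function cb_vuln_render_field() {
    $value = get_option( 'cb_cdn_host', '' );
    echo '<input type="text" name="cb_cdn_host" value="' . $value . '">'; // no escaping
}

// --- HARDENED PATTERN ---
// 1. Sanitize on input: register_setting() runs the callback on every save
//    made through options.php, so there is no code path that skips it.
function cb_sanitize_cdn_host( $raw ) {
    $host = sanitize_text_field( wp_unslash( (string) $raw ) );
    // Allow only a hostname-shaped value; anything else resets to empty.
    return preg_match( '/^[A-Za-z0-9.-]{1,253}$/', $host ) ? $host : '';
}
function cb_register_settings() {
    register_setting(
        'cb_options_group',
        'cb_cdn_host',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'cb_sanitize_cdn_host',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'cb_register_settings' );

// 2. Escape on output for the exact context (an HTML attribute here), and
//    only expose the form to users allowed to change site options.
function cb_safe_render_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $value = get_option( 'cb_cdn_host', '' );
    echo '<form method="post" action="options.php">';
    settings_fields( 'cb_options_group' ); // emits the CSRF nonce fields
    echo '<input type="text" name="cb_cdn_host" value="' . esc_attr( $value ) . '">';
    submit_button();
    echo '</form>';
}
```

Sanitizing alone is not enough: values that reach the option through other paths (imports, WP-CLI, older data) are still rendered, so the `esc_attr()` on output is the control that actually prevents script execution.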

The Federal Trade Commission (FTC) has ordered GoDaddy, a leading web hosting and domain registration company, to improve its cybersecurity practices following multiple data breaches and security incidents between 2020 and 2023. The incidents reportedly exposed customer data and left the company’s systems vulnerable to attacks. The FTC’s investigation found deficiencies in GoDaddy’s incident response protocols, network security, and employee access controls. Under the order, GoDaddy must implement comprehensive security measures, including third-party audits, improved access management, and regular penetration testing, to prevent future breaches.
This enforcement action underscores the growing regulatory pressure on companies to adopt robust cybersecurity practices. GoDaddy’s high-profile role as a domain registrar makes it a lucrative target for attackers, meaning it must go above and beyond baseline security measures. The FTC’s scrutiny also signals a shift toward holding companies accountable for recurring breaches and for failing to adequately secure customer data. For businesses, this highlights the risks of prioritizing operational convenience over stringent cybersecurity safeguards.
GoDaddy customers should review their account security by enabling two-factor authentication (2FA), using strong passwords, and monitoring their accounts for suspicious activity. The case is also a warning to other hosting and domain companies: they must regularly audit their security practices, implement zero-trust access models, and establish comprehensive incident response frameworks. Businesses using third-party hosting should conduct thorough due diligence on their service providers and implement their own layered security (for example, encrypted backups and monitoring) rather than relying solely on the provider.
The FTC’s action reflects a broader trend of regulatory bodies worldwide emphasising accountability for cybersecurity failures. It’s likely to encourage further investments in proactive cybersecurity measures, especially in industries managing critical customer data.

Spanish telecommunications giant Telefónica has suffered a data breach that exposed sensitive information, including internal Jira tickets and customer data. Security researchers found that the company had misconfigured its Jira project management platform, leaving it accessible online without authentication. The exposed data included customer email addresses, usernames, and details related to internal IT systems. Telefónica has since secured the platform, but it’s unclear how long the data was accessible or if malicious actors exploited the vulnerability before discovery.
Misconfigurations like this are a leading cause of data breaches, particularly in cloud-based tools and platforms. In this case, the exposure of both internal project data and customer information could provide attackers with valuable intelligence for phishing, social engineering, or other targeted attacks. Telefónica’s incident serves as another reminder of the risks associated with poor access controls and insufficient oversight of third-party or cloud-based tools.
This breach involved Jira, a commonly used tool for managing IT workflows and development, which highlights the risks posed by such platforms if mismanaged. Exposed internal tickets often contain sensitive information that can aid attackers in mapping out an organization’s infrastructure, identifying vulnerabilities, or even exploiting disclosed bugs.
Last week, threat actors posted an exfiltrated Jira database on the BreachForums hacking community, claiming that it contains nearly 470,000 lines of internal ticketing data and over 5,000 documents, including PDFs, Word files, and PowerPoint presentations.
Three of the four threat actors are confirmed to be affiliated with the notorious Hellcat ransomware group. Hudson Rock, a prominent cybersecurity vendor that has engaged with the attackers, reported that they deployed infostealer malware to target around 15 Telefónica employees, successfully compromising their credentials to gain unauthorized access to the system.
The breach has exposed the names and email addresses of 24,000 Telefónica employees, along with sensitive Jira issue data. The stolen documents are also likely to contain additional confidential information, which raises further security concerns.
This breach demonstrates that even well-established organisations can fall victim to basic security oversights. As attackers increasingly rely on exposed data to craft targeted campaigns, securing internal tools and customer data must be a top priority for all enterprises.

The U.S. government is once again moving closer to a potential ban on TikTok, citing national security concerns over its ownership by Chinese tech company ByteDance. Lawmakers argue that TikTok’s access to vast amounts of user data could enable surveillance or data collection by the Chinese government. While TikTok has repeatedly denied these claims and proposed measures such as U.S.-based data storage (via Project Texas), tensions remain high. A ban could have significant financial implications for both TikTok and the broader social media and advertising industries, as the platform currently holds an estimated 170 million U.S. users and generates billions in ad revenue annually.
This ongoing TikTok debate underscores the intersection of cybersecurity, geopolitics, and financial interests. The U.S. government’s concerns about potential data misuse align with broader trends of scrutinising foreign-owned technologies. If enacted, a ban could lead to shifts in user behaviour, with competitors like Instagram Reels, YouTube Shorts, and Snapchat likely to gain market share. However, enforcing a ban presents challenges, including technical hurdles to blocking access and possible backlash from users and creators.
From a cybersecurity perspective, the issue highlights the risks associated with apps that aggregate vast amounts of sensitive user data, particularly when owned by entities in countries with differing legal and regulatory frameworks. The case also emphasizes the importance of transparency in data governance for tech companies operating internationally.
This case serves as a precedent for evaluating other foreign-owned apps, signalling that stricter policies for technology companies with cross-border data access may be imminent. Many Americans will also lose a significant source of free entertainment, which is a form of economic value in itself, said Erik Brynjolfsson, head of Stanford University’s Digital Economy Lab. A study he led, which is based on how much money people said they would need to be paid to voluntarily forgo TikTok, estimated that American consumers got about $73 billion of value out of TikTok in 2023.
It is a different story for TikTok’s creators, who make money from sponsored posts, affiliate marketing, brand partnerships, donations, and goods sold through the TikTok Shop. TikTok also has a rewards program for creators that doles out payments based on factors such as how much time people spend watching their videos.
“If this goes, it means no income, I’m out of a job, and I have to look for a way to make money elsewhere,” said 19-year-old Gift Oluwatoye of Prince George’s County, Md., who for the past year has been earning about $5,000 a month from posting videos to the app that show him playing and commenting on videogames.
Ultimately, the potential ban is not just about TikTok but reflects growing concerns about digital sovereignty and protecting national interests in a hyper-connected world. It may also set the stage for tighter data governance regulations across the tech industry.
Quick favour: Let’s spread the value! If you find this newsletter useful, don’t keep it to yourself. 👉 Share it with friends and colleagues who could benefit from it. Remember, one share could spark insight, ignite inspiration, or lead to a breakthrough for someone else.
Let’s make 2025 the year of shared knowledge and community growth.