Welcome to today's issue of Secret CISO, your daily dose of the most impactful cybersecurity news.

Today, we're diving into a series of data breaches affecting various sectors, from senior living operators to school districts, and even a cannabis company. A senior living operator has settled a lawsuit following a data breach in 2023 that exposed the personal information of over 61,000 residents. Meanwhile, Professional Finance Co. has agreed to a $2.5 million settlement after failing to prevent a 2022 data breach. In the education sector, a data breach at a northern Kentucky school district has potentially exposed student and staff information. PowerSchool, an education technology platform, is also facing a lawsuit over a data breach that compromised the data of 60 million students, educators, and administrators.

Healthcare isn't safe either, with a third-party breach affecting Allegheny Health Network home care patients and Enzo Biochem settling a ransomware data breach class action for $7.5 million. In the tech world, HPE is investigating a hacker claim involving a trove of sensitive company data, and a data breach at the North Pole Company has exposed details on half a million users. On the legal front, cannabis distributor Stiiizy Inc. is facing a class action over a data breach that exposed customer information in October. In research news, new findings from Abnormal Security reveal a surge in email attacks across the APAC region, and a roundtable event highlights faculty research in national security. Finally, in the realm of vulnerabilities, Mercedes-Benz owners are warned of hacking dangers due to 13 security issues found, and many VPNs are reportedly vulnerable to hackers and hijackers.

Stay tuned for more updates and remember, knowledge is the key to cybersecurity. Stay safe out there!

Data Breaches

1. Senior Living Operator Data Breach: A senior living operator has settled a class action lawsuit after a 2023 data breach exposed the personal information of over 61,000 residents. The details of the settlement have not been disclosed. Source: McKnight's Senior Living
2. Professional Finance Co. Data Breach: Professional Finance Co. has agreed to a $2.5 million class action lawsuit settlement to resolve claims it failed to prevent a 2022 data breach. The breach exposed sensitive customer information, leading to the lawsuit. Source: Top Class Actions
3. Northern Kentucky School District Data Breach: A data breach at a northern Kentucky school district has potentially exposed student and staff information. The extent of the breach and the number of individuals affected are currently unknown. Source: Yahoo News
4. Allegheny Health Network Data Breach: A third-party breach has affected Allegheny Health Network home care patients. Between October 11 and November 19, attackers accessed sensitive patient data, including names, birthdates, addresses, Social Security numbers, and financial information. Source: Becker's Hospital Review
5. Stiiizy Inc. Data Breach: Cannabis distributor Stiiizy Inc. is facing a class action lawsuit over a data breach in October. The company is accused of negligently failing to protect the personal information of customers. Source: Bloomberg Law News

Security Research

1. 13,000 MikroTik Routers Hijacked by Botnet for Malspam and Cyberattacks: A botnet has hijacked 13,000 MikroTik routers, bypassing SPF protections on 20,000 domains to fuel malware, DDoS, and phishing attacks. Source: The Hacker News
2. Phantom Defends Wallet Safety Amid Allegations of 'Vulnerability' Endangering User Funds: Cryptocurrency wallet Phantom has addressed security concerns, stating that a reported vulnerability does not pose a risk to user funds. Source: CryptoSlate
3. Unsecured Database Exposes 240k Records of Willow Customers: Willow Pay, a fintech that allows consumers to split bills into four weekly payments, has exposed customers' names, addresses, and copies of their bills due to an unsecured database. Source: Westlaw Today
4. Mirai Botnet Spinoffs Unleash Global Wave of DDoS Attacks: Two separate campaigns are targeting flaws in various IoT devices globally, with the goal of compromising them and propagating malware worldwide. Source: Dark Reading
5. ChatGPT API Vulnerability Could Enable Large-Scale DDoS Attacks: A security flaw in OpenAI's ChatGPT application programming interface could be used to initiate a distributed denial of service attack on websites. Source: SiliconANGLE

Top CVEs

1. CVE-2024-43096 - Out of Bounds Write in gatt_sr.cc: In build_read_multi_rsp of gatt_sr.cc, a missing bounds check could lead to a possible out of bounds write. This could result in remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Source: CVE-2024-43096
2. CVE-2024-49724 - Bypass Permissions in AccountManagerService.java: In multiple functions of AccountManagerService.java, a race condition could allow bypassing permissions and launching protected activities. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Source: CVE-2024-49724
3. CVE-2024-49749 - Out of Bounds Write in dgif_lib.c: In DGifSlurp of dgif_lib.c, an integer overflow could lead to a possible out of bounds write. This could result in remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Source: CVE-2024-49749
4. CVE-2024-49732 - Missing Permission Check in CompanionDeviceManagerService.java: In multiple functions of CompanionDeviceManagerService.java, a missing permission check could allow granting permissions without user consent. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Source: CVE-2024-49732
5. CVE-2024-49747 - Logic Error in gatt_sr.cc: In gatts_process_read_by_type_req of gatt_sr.cc, a logic error could lead to a possible out of bounds write. This could result in remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Source: CVE-2024-49747

API Security

1. Umbraco User Enumeration Vulnerability: A vulnerability in Umbraco 14+ management API allows user enumeration based on response codes and timing. The issue will be patched in versions 14.3.2 and 15.1.2. There are currently no known workarounds. Source: Vulners
2. Cross-Site Request Forgery in CodeChecker API: CodeChecker API has a cross-site request forgery vulnerability that allows an unauthenticated attacker to hijack the authentication of a logged-in user. The attacker can use the web API with the same permissions, including adding, removing, or editing products. Source: Vulners
3. Vite Development Server Vulnerability: Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. Users should upgrade to a newer version of Vite that fixes the vulnerability. Source: Vulners
4. Umbraco Management API Vulnerability (CVE-2025-24011): Umbraco versions 14.0.0 to 14.3.1 and 15.1.1 have a vulnerability that allows an attacker to determine whether an account exists based on response codes and timing. The issue is patched in versions 14.3.2 and 15.1.2. Source: Vulners
5. CodeChecker API Cross-Site Request Forgery (CVE-2024-53829): CodeChecker has a cross-site request forgery vulnerability that allows an unauthenticated attacker to hijack the authentication of a logged-in user and use the web API with the same permissions. The attacker needs to know the ID of the available products to modify or delete them. Source: Vulners

Sponsored by Wallarm API Security Solution

Final Words

As we wrap up today's edition of Secret CISO, it's clear that data breaches continue to be a pressing issue across various sectors. From senior living operators to school districts and finance companies, no one is immune. The importance of robust authentication and access control security measures cannot be overstated. Remember, staying informed is the first step towards ensuring your organization's security.

Share this newsletter with your colleagues and friends to keep them in the loop too. Stay safe, stay secure.

See you in the next edition of Secret CISO!