Secret CISO 1/7: UN Aviation Agency and T-Mobile Face Data Breaches, Microsoft Defender Bolsters Security, Latest Vulnerabilities Explored
Welcome to today's issue of Secret CISO, your daily dose of cybersecurity news. Today, we're diving into a series of data breaches that have been making headlines. The UN aviation agency is currently investigating reports of a possible data breach, potentially tied to a threat actor known for targeting international organizations. Meanwhile, Washington Attorney General Bob Ferguson has filed a lawsuit against T-Mobile over a data breach that exposed the data of 79 million customers in 2021. The breach affected at least 2 million Washington state residents and tens of millions more customers around the United States. In other news, South Portland schools are tackling a cyber breach, but officials believe no data was compromised. On the research front, security teams are increasingly relying on Microsoft Defender Experts for XDR for managed detection and response. We also have updates on several settlements related to past data breaches, including an $8 million settlement from Missouri University Health Care over a 2020 data breach. Stay tuned for more updates and remember, knowledge is the best defense against cyber threats. Stay safe and secure!
Data Breaches
- UN Aviation Agency Investigates Potential Data Breach: The United Nations' civil aviation agency is investigating reports of a possible data breach, potentially linked to a threat actor known for targeting international organizations. A hacker using the handle natohub claims to have leaked about 42,000 documents containing user data. Source: The Straits Times, Cyber Daily
- Washington AG Files Lawsuit Against T-Mobile Over Data Breach: Washington State Attorney General Bob Ferguson has filed a consumer protection lawsuit against T-Mobile, accusing the company of failing to address cybersecurity concerns for years, leading to a data breach that affected at least 2 million Washington state residents and tens of millions more customers around the United States. Source: FOX 13 Seattle - YouTube, TechCrunch
- South Portland Schools Tackle Cyber Breach: South Portland school officials are investigating a security breach that forced them to take their network down. While the breach is significant, officials believe no data was compromised. Source: WGME
- US Treasury Department Breach: CISA, the U.S. cyber watchdog agency, said there is currently no indication that the recently disclosed breach at the U.S. Treasury Department affected other federal agencies. Source: Reuters
- Missouri University Health Care Data Breach Settlement: Missouri University Health Care has agreed to an $8 million class action settlement to resolve claims that it failed to prevent a 2020 data breach. Source: Top Class Actions
Security Research
- Veracode acquires Phylum's tech to tackle software threats: Veracode has acquired Phylum's technology, which analyzes open-source packages for malicious code, to enhance its product suite and strengthen its security research team. The acquisition adds software supply chain threat detection to Veracode's offerings. Source: SecurityBrief Asia
- EagerBee Backdoor Takes Flight Against Mideast Targets: A new variant of the EagerBee malware has been observed in attacks against Middle Eastern targets. The malware, which was previously associated with Chinese state-aligned actors, has been detailed by security researcher Saurabh Sharma. Source: Dark Reading
- Nuclei Patches High Severity Flaw in Security Tool: ProjectDiscovery has patched a high severity flaw in its Nuclei vulnerability scanner that let a malicious template bypass the tool's template signature verification, so a crafted template could execute arbitrary code on the host running the scan. The flaw was reported by a security researcher and is listed as high severity in NIST's National Vulnerability Database. Source: BankInfoSecurity
- HackerOne Now Available on the AWS Marketplace, Expands Access Through Channel: HackerOne's security platform, which uses AI-driven and researcher-led continuous testing to target vulnerabilities, is now available on the AWS Marketplace. This expansion will increase access to the platform. Source: Channel Insider
- Google Security Alert As Backdoor VPN Threat Confirmed: Google security researchers have confirmed a backdoor being distributed through trojanized installers for popular VPN apps and other software. Once installed, it can log keystrokes, capture screenshots, and record audio. Source: Forbes
Top CVEs
- CVE-2024-5594 - OpenVPN PUSH_REPLY Message Vulnerability: OpenVPN versions prior to 2.6.11 do not properly sanitize PUSH_REPLY messages, allowing a malicious or compromised server to inject unexpected arbitrary data into third-party executables or plug-ins run on the client. Users are advised to update to 2.6.11 or later. Source: CVE-2024-5594
- CVE-2024-46981 - Redis Lua Script Manipulation: Redis, an open-source in-memory database, has a vulnerability where an authenticated user can use a specially crafted Lua script to manipulate the garbage collector, potentially leading to remote code execution. The problem is fixed in versions 7.4.2, 7.2.7, and 6.2.17. Until patched, administrators can use ACLs to deny EVAL and EVALSHA to users who do not need them, which removes the attack surface. Source: CVE-2024-46981
- CVE-2024-21464 - IPA Statistics Memory Corruption: A memory corruption vulnerability in Qualcomm chipsets occurs while processing IP Accelerator (IPA) statistics when there are no active clients. Affected devices receive the fix through vendor firmware updates. Source: CVE-2024-21464
- CVE-2024-31913 - IBM Sterling B2B Integrator XSS Vulnerability: IBM Sterling B2B Integrator Standard Edition versions 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.2 are vulnerable to stored cross-site scripting (XSS). The vulnerability allows users to embed arbitrary JavaScript code in the Web UI, altering its intended functionality and potentially leading to credential disclosure within a trusted session. Source: CVE-2024-31913
- CVE-2024-31914 - IBM Sterling B2B Integrator XSS Vulnerability: A second stored cross-site scripting (XSS) issue affecting the same IBM Sterling B2B Integrator Standard Edition versions (6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.2), with the same impact: arbitrary JavaScript embedded in the Web UI, potentially leading to credential disclosure within a trusted session. Source: CVE-2024-31914
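The Redis item above boils down to two questions for an operator: is this server on a branch that has the fix, and which ACL users can still reach the Lua commands? The script below is an added example written for this newsletter, not Redis project code. The fixed versions are the three named in the advisory; the `INFO server` text and `ACL LIST` lines are constructed sample output, not captured from a live server, and the ACL evaluator only models the `@all`/`@scripting` categories and individual command rules, which is enough for the triage question it answers.

```python
"""Branch-aware triage for CVE-2024-46981 (Redis Lua GC manipulation -> RCE).

Added example, not Redis project code. Fixed versions come from the advisory;
all sample INFO / ACL LIST text below is constructed.
"""
import re

# Patch level that closes CVE-2024-46981 on each branch that received a fix.
FIXED = {(6, 2): (6, 2, 17), (7, 2): (7, 2, 7), (7, 4): (7, 4, 2)}

# Commands in Redis' @scripting category that execute or load Lua.
LUA_COMMANDS = frozenset({"eval", "evalsha", "eval_ro", "evalsha_ro",
                          "fcall", "fcall_ro", "function", "script"})

# Constructed sample output of `INFO server` and `ACL LIST`.
SAMPLE_INFO = ("# Server\r\nredis_version:7.2.4\r\nredis_git_sha1:00000000\r\n"
               "redis_mode:standalone\r\nos:Linux 5.15.0-91-generic x86_64\r\n")
SAMPLE_ACL = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user app on #" + "0" * 64 + " ~app:* resetchannels -@all +@read +@write +@scripting",
    "user reporting on #" + "1" * 64 + " ~* &* +@all -@scripting",
    "user legacy off nopass ~* &* +@all",
]


def parse_version(text):
    """(major, minor, patch) from `INFO server` output or a bare 'x.y.z' string."""
    m = (re.search(r"redis_version:(\d+)\.(\d+)\.(\d+)", text)
         or re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip()))
    if not m:
        raise ValueError("no redis_version found")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if this version predates the fix for CVE-2024-46981."""
    branch = version[:2]
    if branch in FIXED:
        return version < FIXED[branch]
    # Newer than every fixed branch (7.6+, 8.x) shipped after the fix; an
    # older unlisted branch (5.x, 7.0.x) never received one and stays exposed.
    return version < max(FIXED.values())


def user_can_run_lua(acl_line):
    """Evaluate one `ACL LIST` line left to right (later rules override earlier
    ones, as Redis does) and report whether any Lua-executing command is allowed."""
    tokens = acl_line.split()
    if tokens[:1] == ["user"]:
        tokens = tokens[2:]          # drop "user <name>"
    if "off" in tokens:
        return False                 # disabled user cannot run anything
    allowed = set()
    for tok in tokens:
        if tok in ("+@all", "allcommands", "+@scripting"):
            allowed = set(LUA_COMMANDS)
        elif tok in ("-@all", "nocommands", "-@scripting"):
            allowed.clear()
        elif tok[:1] in "+-" and tok[1:2] != "@":
            cmd = tok[1:].split("|")[0].lower()   # "+eval|..." subcommand form
            if cmd in LUA_COMMANDS:
                (allowed.add if tok[0] == "+" else allowed.discard)(cmd)
        # other categories (+@read, +@write, ...) do not contain Lua commands
    return bool(allowed)


def assess(info_text, acl_lines):
    """Combine both checks into one triage record."""
    version = parse_version(info_text)
    exposed = [line.split()[1] for line in acl_lines if user_can_run_lua(line)]
    return {"version": version,
            "vulnerable": is_vulnerable(version),
            "users_with_lua": exposed}


if __name__ == "__main__":
    print(assess(SAMPLE_INFO, SAMPLE_ACL))
```

On the constructed sample the server is 7.2.4 (below 7.2.7, so vulnerable) and two users, `default` and `app`, can still run Lua; `reporting` has scripting removed and `legacy` is disabled. The same logic runs unchanged on the real `INFO server` and `ACL LIST` responses from `redis-cli`.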
API Security
- PayU CommercePro Plugin Privilege Escalation: The PayU CommercePro Plugin for WordPress, in all versions up to and including 3.8.3, is vulnerable to privilege escalation due to insufficient verification of the user supplied to its REST API endpoints. This allows unauthenticated attackers to create new administrative user accounts. Source: CVE-2024-12264
- ClickDesigns Plugin Unauthorized Data Modification: The ClickDesigns plugin for WordPress, in all versions up to and including 1.8.0, is vulnerable to unauthorized data modification due to a missing capability check on its API functions. This allows unauthenticated attackers to modify or remove the plugin's API key. Source: CVE-2024-12559
- Guzzle OAuth Subscriber Nonce Entropy: Guzzle OAuth Subscriber, prior to 0.8.1, uses insufficient entropy and a non-cryptographically secure pseudorandom source for nonce generation. This can leave servers vulnerable to replay attacks when TLS is not used. Source: CVE-2025-21617
- ChestnutCMS File Upload Vulnerability: ChestnutCMS, through 1.5.0, has a file upload vulnerability in its /api/member/avatar API endpoint. The endpoint receives a base64 string as input and does not validate the resulting file's extension, allowing arbitrary file types to be written to the server. Source: CVE-2024-56828
- tgstation-server Role Authorization: tgstation-server, a tool for BYOND server management, prior to 6.12.3, incorrectly authorizes API methods against roles. This allows any enabled user to perform most API actions regardless of their assigned permissions. Source: CVE-2025-21611
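The Guzzle OAuth Subscriber item above is worth a closer look, because "insufficient entropy" and "replay" are two halves of one problem: a client nonce that is predictable or repeats lets a captured request be resubmitted, and a server that never records nonces cannot notice. The code below is an added example written in Python for this newsletter; it is not code from Guzzle OAuth Subscriber or its fix. `weak_nonce` reproduces the shape of a time-derived identifier (PHP `uniqid()` style: seconds and microseconds in hex), `strong_nonce` draws from the OS CSPRNG, and `ReplayGuard` is the (consumer key, timestamp, nonce) cache that RFC 5849 section 3.3 expects a server to keep. The timestamps and keys in the test are constructed values.

```python
"""OAuth 1.0-style nonce generation and server-side replay detection.

Added example, not Guzzle OAuth Subscriber code. Shows a time-derived nonce
(the weakness class behind CVE-2025-21617), a CSPRNG nonce, and the replay
cache a server needs when TLS is not there to protect the transport.
"""
import secrets
import time


def weak_nonce(now=None):
    """uniqid()-shaped nonce: 8 hex digits of seconds + 5 hex digits of microseconds.
    Fully determined by the clock, so two requests in the same microsecond collide
    and an attacker who knows roughly when a request was sent can enumerate it.
    Shown only as the pattern to avoid."""
    t = time.time() if now is None else now
    sec = int(t)
    usec = int((t - sec) * 1_000_000)
    return f"{sec:08x}{usec:05x}"


def strong_nonce(nbytes=16):
    """128 bits from the OS CSPRNG, hex-encoded so it is header-safe."""
    return secrets.token_hex(nbytes)


class ReplayGuard:
    """Server-side replay cache keyed on (consumer_key, timestamp, nonce).

    A request is rejected when its timestamp falls outside the acceptance
    window or the triple was already accepted. Triples older than the window
    are evicted, which is safe because the timestamp check would reject any
    request carrying them anyway, so memory stays bounded by request rate.
    """

    def __init__(self, window_seconds=300):
        self.window = window_seconds
        self.seen = set()

    def check(self, consumer_key, timestamp, nonce, now=None):
        """Return (accepted, reason). `now` is injectable for deterministic tests."""
        now = time.time() if now is None else now
        if abs(now - timestamp) > self.window:
            return False, "timestamp outside window"
        # Evict everything that can no longer pass the timestamp check.
        cutoff = now - self.window
        self.seen = {t for t in self.seen if t[1] >= cutoff}
        triple = (consumer_key, timestamp, nonce)
        if triple in self.seen:
            return False, "nonce replayed"
        self.seen.add(triple)
        return True, "ok"


if __name__ == "__main__":
    guard = ReplayGuard()
    n = strong_nonce()
    ts = int(time.time())
    print(guard.check("consumer-key", ts, n))   # accepted
    print(guard.check("consumer-key", ts, n))   # rejected: replay
```

Two details matter in practice. The replay key must include the consumer key and the timestamp, not just the nonce, because the OAuth 1.0 uniqueness guarantee is per client and per timestamp. And the window is a trade-off: five minutes tolerates clock skew but means every accepted triple must be remembered for that long, so on a multi-node deployment the set lives in shared storage, not process memory.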
Sponsored by Wallarm API Security Solution
Final Words
And that's a wrap for today's edition of Secret CISO. From potential data breaches at the UN aviation agency to lawsuits against T-Mobile, it's clear that cybersecurity remains a critical concern across all sectors. Remember, staying informed is the first step towards ensuring your organization's digital safety. If you found today's newsletter helpful, don't keep it to yourself. Share it with your colleagues and friends to help them stay in the loop too. After all, cybersecurity is a team sport, and we're all in this together. Stay safe, stay informed, and see you in the next edition of Secret CISO.