Secret CISO 10/11: Marriott's $52M Settlement, Fidelity's 77K Customer Breach, Internet Archive's 31M User Breach, Qualcomm's DSP Vulnerability Patch

Hello there, Secret CISO readers! Today's newsletter is packed with some serious cybersecurity news.

First, we delve into Marriott's $52M data breach settlement, a case that is setting a precedent for data security practices in the hospitality industry. We'll discuss the implications of this settlement and what it means for businesses and consumers alike. Next, we turn our attention to the recent Fidelity data breach, in which personal information of 77,000 customers was compromised. We'll explore how this breach occurred, its impact, and what steps Fidelity is taking to address the issue.

We also have updates on the MSSP Market, focusing on the question of liability in data breaches. This comes in the wake of Marriott International and its subsidiary Starwood Hotels agreeing to pay $52 million to resolve data breach claims. In other news, the Internet Archive suffered a major data breach and DDoS attack, impacting 31 million users. We'll look at the aftermath of this breach and the steps the Internet Archive is taking to enhance its security measures.

Lastly, we'll touch on the latest research and developments in the cybersecurity field, including a discussion on multifactor authentication implementation, new phishing attack methods, and the impact of disrupting ransomware operators. Stay tuned for these stories and more in today's edition of Secret CISO. Stay safe and informed!

Data Breaches

  1. Marriott's $52M Data Breach Settlement: Marriott International and its subsidiary Starwood Hotels have agreed to pay $52 million to resolve data breach claims. The settlement comes after a multi-year investigation into a data breach of one of its guest reservation databases. The Federal Trade Commission will ensure that Marriott improves its data security practices in hotels around the world. Source: Law.com
  2. Fidelity Data Breach: Some 77,000 Fidelity Investments customers may have had their personal information stolen in a data breach that occurred in August. The breach exposed sensitive information such as Social Security numbers and driver's license details. Fidelity has confirmed the breach and is taking steps to address the issue. Source: WKRN
  3. Internet Archive Data Breach: The Internet Archive suffered a major data breach alongside a DDoS attack, impacting 31 million users and raising concerns about data privacy and the security of the popular digital library. The Internet Archive says it has disabled the component abused in the attack and upgraded its security measures. Source: The Record
  4. Data Breach Settlement After BigLaw Firm Hack: Bryan Cave and Mondelez have agreed to a settlement in a data breach suit. Both companies have implemented security improvements to protect against another security breach. The details of the settlement have not been disclosed. Source: ABA Journal
  5. National Public Data Files for Bankruptcy Following Massive Data Breach: National Public Data, a subsidiary of Jerico Pictures, has filed for bankruptcy following a massive data breach that exposed the personal information of numerous individuals. The extent of the breach and its impact on the company's financial situation is still under investigation. Source: YourErie.com

Security Research

  1. Qualcomm patches DSP vulnerability affecting devices: Qualcomm has patched a vulnerability in its DSP (Digital Signal Processor) service that affects dozens of chipsets. The flaw was reported by researchers from Google's Project Zero and security researcher Conghui Wang. Qualcomm's advisory for the flaw (CVE-2024-43047) notes indications from Google's Threat Analysis Group that it may be under limited, targeted exploitation, so OEM updates should be applied as soon as they ship. Source: Direct Marketing News
  2. GitHub, Telegram Bots, and QR Codes Abused in New Wave of Phishing Attacks: Security researcher Ashitosh Deshnur has reported a new wave of phishing attacks that abuse GitHub, Telegram bots, and QR codes. The attacks also use Blob URIs, a browser feature for handling binary data directly within a web page, so the phishing content is assembled in the victim's browser rather than fetched from a URL that mail and web filters can inspect. Source: The Hacker News
  3. Ransomware Task Force Details Impact of Disrupting Operators: A report by the Ransomware Task Force details the impact of disrupting ransomware operators. The report is part of a broader conversation and research around cyberdefense. Source: BankInfoSecurity
  4. Internet Archive data breach exposes more than 31 million user accounts: A data breach at the Internet Archive has exposed more than 31 million user accounts. The breach was reported by security researcher Troy Hunt, creator of Have I Been Pwned (HIBP); per HIBP, the exposed data includes email addresses, usernames and bcrypt password hashes. Source: KXAN
  5. Apple's New MacBook Pro M4 Gets First Security Scare Before Release: Russian security researchers have issued a security warning for Apple's new M4 MacBook Pro. The warning came after a Russian YouTuber reviewed what appears to be an M4 MacBook Pro. Source: Forbes

Top CVEs

  1. CVE-2024-9487: GitHub Enterprise Server had a vulnerability that allowed SAML SSO authentication to be bypassed, leading to unauthorized user provisioning and access. The issue required the encrypted assertions feature to be enabled and the attacker to have direct network access and a signed SAML response or metadata document. The vulnerability has been fixed in versions 3.11.16, 3.12.10, 3.13.5, and 3.14.2. Source: vulners.com
  2. CVE-2024-47871: Gradio, an open-source Python package, had a vulnerability involving insecure communication between the FRP client and server when the share=True option was used. This allowed attackers to intercept and read files uploaded to the Gradio server and modify responses or data sent between the client and server. Users are advised to upgrade to gradio>=5 to address this issue. Source: vulners.com
  3. CVE-2024-47869: Gradio had another vulnerability involving a timing attack in the way it compares hashes for the analytics_dashboard function. An attacker could exploit this by measuring the response time of different requests to infer the correct hash byte-by-byte, leading to unauthorized access to the analytics dashboard. Users are advised to upgrade to gradio>=4.44 to mitigate this issue. Source: vulners.com
  4. CVE-2024-47872: Gradio had a vulnerability involving Cross-Site Scripting (XSS) on any server that allows file uploads. Authenticated users could upload files containing malicious scripts, which would execute when other users download or view these files. Users are advised to upgrade to gradio>=5 to address this issue. Source: vulners.com
  5. CVE-2024-9818: SourceCodester Online Veterinary Appointment System 1.0 has a SQL injection in /admin/categories/manage_category.php: the id parameter is passed into a query without sanitization. A public exploit has been disclosed. Source: vulners.com
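Item 3 above describes a timing side channel in a hash comparison. The Python below is an added illustration, not Gradio's code: it models an early-exit comparison, recovers a constructed eight-character secret from the amount of work the comparison leaks, and shows the fix, hmac.compare_digest, against which the same attack fails. SECRET_HASH, the hex alphabet and the oracle functions are assumptions for the demo.

```python
import hmac
from typing import Callable, Tuple

# Constructed secret for the demo: the value the analytics_dashboard check is
# assumed to compare the caller's token against (hypothetical, not Gradio's code).
SECRET_HASH = "3f7a9c1e"
HEX = "0123456789abcdef"


def naive_compare(expected: str, supplied: str) -> Tuple[bool, int]:
    """Early-exit comparison, the pattern behind CVE-2024-47869.

    Returns (equal, work). `work` is how many characters were examined before
    the function returned; it stands in for the response time an attacker measures.
    """
    work = 0
    if len(expected) != len(supplied):
        return False, work
    for a, b in zip(expected, supplied):
        work += 1
        if a != b:          # stops at the first mismatch: this is the leak
            return False, work
    return True, work


def constant_time_compare(expected: str, supplied: str) -> bool:
    """The fix: hmac.compare_digest examines every byte regardless of where they differ."""
    return hmac.compare_digest(expected.encode(), supplied.encode())


def vulnerable_oracle(supplied: str) -> Tuple[bool, int]:
    """Timing model of the unpatched check."""
    return naive_compare(SECRET_HASH, supplied)


def constant_time_oracle(supplied: str) -> Tuple[bool, int]:
    """Timing model of the fixed check: work is always the full length."""
    return constant_time_compare(SECRET_HASH, supplied), len(supplied)


def recover_by_timing(oracle: Callable[[str], Tuple[bool, int]], length: int) -> str:
    """Byte-by-byte recovery against a timing oracle.

    For each position, try every candidate character after the known prefix; the
    candidate that makes the server do the most work (one extra comparison) is the
    right one. The final position is confirmed by the oracle reporting equality.
    """
    known = ""
    for pos in range(length):
        best_char, best_work = HEX[0], -1
        for c in HEX:
            guess = known + c + HEX[0] * (length - pos - 1)   # pad to full length
            equal, work = oracle(guess)
            if equal:
                return guess
            if work > best_work:
                best_char, best_work = c, work
        known += best_char
    return known


if __name__ == "__main__":
    print("vulnerable :", recover_by_timing(vulnerable_oracle, len(SECRET_HASH)))
    print("fixed      :", recover_by_timing(constant_time_oracle, len(SECRET_HASH)))
```

Over a real network the work counter becomes latency measured in microseconds and buried in jitter, so a practical attack repeats each candidate many times and compares the distributions; the remediation is to remove the signal, as the Gradio fix does, rather than to add noise.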

API Security

  1. Codeclysm Extract v4: Versions of the Codeclysm Extract Go library prior to 4.0.0 did not check symlink targets during archive extraction, allowing a crafted archive to create symlinks pointing outside the extraction directory, through which later entries can be written to arbitrary host paths. Users are advised to upgrade to version 4.0.0 or later. Source: Vulners
  2. CVE-2024-6985: A path traversal vulnerability has been discovered in the api open_personality_folder endpoint of parisneo/lollms-webui. This vulnerability allows an attacker to read any folder in the personality_folder on the victim's computer, even though sanitize_path is set. The issue arises due to improper sanitization of the personality_folder parameter. Source: Vulners
  3. CVE-2024-39534: An Incorrect Comparison vulnerability in the local address verification API of Juniper Networks Junos OS Evolved allows an unauthenticated network-adjacent attacker to create sessions or send traffic to the device using the network and broadcast address of the subnet assigned to an interface. This can allow an attacker to bypass certain compensating controls, such as stateless firewall filters. Source: Vulners
  4. CVE-2024-9707: The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in all versions up to, and including, 1.8.4. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution. Source: Vulners
  5. CVE-2024-9234: The GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the install_and_activate_plugin_from_external() function (install-active-plugin REST API endpoint) in all versions up to, and including, 2.1.0. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins, or utilize the functionality to upload arbitrary files. Source: Vulners
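Items 1 and 2 above are both path-confinement failures: an archive entry or symlink that lands outside the extraction directory, and a folder parameter that reads outside the intended root despite a sanitization step. The Python below is an added example, not code from Codeclysm Extract or lollms-webui: one resolve_within check that anchors an untrusted path under a base directory and rejects anything that resolves elsewhere, applied both to a bare parameter and to the entries of a constructed tar archive (including a symlink whose target escapes). The destination paths and the archive contents are constructed for the demo.

```python
import io
import os
import tarfile
from typing import List, Optional


def resolve_within(base: str, untrusted: str) -> Optional[str]:
    """Return the real path of `untrusted` joined under `base`, or None if it escapes.

    realpath() collapses `..` and follows any symlinks that already exist on disk,
    so a check on the normalised string is a check on where the OS would actually go.
    An absolute `untrusted` replaces `base` in os.path.join and is caught the same way.
    """
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, untrusted))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def check_member(dest: str, member: tarfile.TarInfo) -> Optional[str]:
    """Reject an archive entry that would land, or point, outside `dest`."""
    if resolve_within(dest, member.name) is None:
        return f"entry path escapes destination: {member.name}"
    if member.issym():
        # a symlink target is interpreted relative to the directory holding the link
        target = member.linkname if os.path.isabs(member.linkname) \
            else os.path.join(os.path.dirname(member.name), member.linkname)
        if resolve_within(dest, target) is None:
            return f"symlink target escapes destination: {member.name} -> {member.linkname}"
    if member.islnk() and resolve_within(dest, member.linkname) is None:
        # hard-link targets are relative to the archive root
        return f"hardlink target escapes destination: {member.name} -> {member.linkname}"
    return None


def scan_archive(data: bytes, dest: str) -> List[str]:
    """List every entry of an uncompressed tar that a safe extractor must refuse."""
    problems = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        for member in tf.getmembers():
            problem = check_member(dest, member)
            if problem:
                problems.append(problem)
    return problems


def build_demo_archive() -> bytes:
    """Constructed sample: one benign file, one escaping symlink, one traversal name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        readme = tarfile.TarInfo("docs/readme.txt")
        readme.size = 5
        tf.addfile(readme, io.BytesIO(b"hello"))
        link = tarfile.TarInfo("docs/escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../etc/passwd"
        tf.addfile(link)
        tf.addfile(tarfile.TarInfo("../outside.txt"))   # zero-length traversal entry
    return buf.getvalue()


if __name__ == "__main__":
    for p in scan_archive(build_demo_archive(), "/srv/app/extract"):
        print("refused:", p)
    # the lollms-webui-style case: a folder parameter checked before any file access
    print(resolve_within("/srv/app/personalities", "../../etc/passwd"))   # None
```

Two caveats for production use: resolve_within only follows symlinks that exist at check time, so an extractor must run the check per entry in extraction order rather than once over the listing; and on Python 3.12 and later (and backported to the maintained 3.8 to 3.11 releases) tarfile's extractall(filter="data") applies equivalent entry and link-target rules natively, which is the simpler choice when it is available.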

Sponsored by Wallarm API Security Solution

Final Words

And that's a wrap for today's edition of Secret CISO. As we've seen, data breaches continue to be a significant concern for businesses of all sizes. Marriott's hefty settlement and Fidelity's data breach are stark reminders of the importance of robust data security practices. Remember, it's not just about protecting your own data, but also about safeguarding the information of your customers and clients.

As we move forward, let's continue to prioritize security and stay informed about the latest threats and solutions. If you found today's newsletter helpful, please consider sharing it with your colleagues and friends.

Let's work together to create a safer digital world. Until next time, stay safe and secure!
