Secret CISO 10/13: OpenAI Malware, Fidelity and Game Freak Breaches, Research on Gmail Security and Phishing Attacks

Welcome to today's issue of Secret CISO, where we delve into the latest cybersecurity incidents and developments.

First on our list is the data breach at Fidelity, affecting over 77,000 customers. This incident underscores the growing concerns around data security in the financial sector. In the gaming world, Game Freak, the developer behind Pokémon, has also suffered a significant data breach, revealing details about upcoming releases.

Meanwhile, employees of the Hawaii Judiciary are being urged to monitor their credit after a data breach exposed personal information of 2,600 current and former staff. In the academic sector, the University of Manchester is enhancing its cybersecurity measures with the Tanium XEM platform following a significant data breach.

OpenAI has confirmed that threat actors are using ChatGPT to write malware, highlighting the potential misuse of AI technologies.

In response to the rising threats, the EU is putting forward a controversial CSAM-scanning legal proposal, dubbed 'Chat control', to enhance data security. In Canada, a cybersecurity breach at the Calgary Public Library has raised concerns among customers. Australia is also taking action with three new draft laws published as part of its Cyber Security Strategy.

In the hospitality industry, Marriott has agreed to pay a $52 million settlement for a data breach, emphasizing the financial implications of cybersecurity incidents. Lastly, we'll look at the latest research and expert insights in the field of cybersecurity.

From the use of ChatGPT and LLM tools by Chinese and Iranian hackers to create malware and phishing attacks, to the new malware campaign targeting the finance and insurance sectors using GitHub links, we'll cover it all. Stay tuned for these stories and more in today's issue of Secret CISO.

Data Breaches

  1. Data Breach at Fidelity: Over 77,000 customers' personal information was exposed in a data breach at Fidelity Investments. The breach has raised concerns about the security of financial data and the potential for identity theft. Source: India Herald
  2. Game Freak Leak: Game Freak, the developer behind the popular Pokémon franchise, suffered a major data breach. The leak revealed details about Pokémon Gen 10 and Switch 2, highlighting the potential risks of intellectual property theft in the gaming industry. Source: esports.gg
  3. Hawaii Judiciary Data Breach: A data breach at the Hawaii Judiciary exposed personal information of 2,600 current and former staff. Employees have been urged to monitor their credit, underscoring the personal impact of such breaches. Source: YouTube
  4. University of Manchester Data Breach: The University of Manchester suffered a significant data breach, affecting 40,000 endpoints. In response, the university has implemented the Tanium XEM platform to enhance its cybersecurity. Source: SDxCentral
  5. Calgary Public Library Cybersecurity Breach: The Calgary Public Library was forced to close all of its branches due to a cybersecurity issue. While details are still scarce, the incident highlights the disruptive potential of cyber threats. Source: Calgary Herald

Security Research

  1. New Gmail Security Alert For 2.5 Billion Users As AI Hack Confirmed: Google has partnered with the Global Anti-Scam Alliance and the DNS Research Federation to launch a new initiative aimed at enhancing security. This comes in the wake of an AI hack that has put Gmail users on high alert. Source: Forbes
  2. IT security expert weighs in on Calgary Public Library cybersecurity breach: A cybersecurity breach at the Calgary Public Library has raised concerns, with an IT security expert suggesting that such breaches are typically the result of a phishing email. The details of the breach are still under investigation. Source: MSN
  3. Hackers Advertise Stolen Verizon Push-to-Talk 'Call Logs': Cybercriminals have advertised stolen Verizon Push-to-Talk call logs, a move that security researchers believe is linked to the Scattered Spider cybercrime activity due to its distributed nature. Source: 404 Media
  4. Chinese and Iranian hackers use ChatGPT and LLM tools to create malware and phishing attacks: Security researchers have discovered that hackers from China and Iran are using ChatGPT and LLM tools to create malware and phishing attacks. The researchers are working with internal safety and security teams to address this issue. Source: Tom's Hardware
  5. Bug, $50k how Zendesk left a backdoor in Fortune 500 companies: A security researcher has discovered a bug that left a backdoor in Fortune 500 companies, potentially exposing them to significant security risks. The impact of this bug is yet to be fully understood. Source: Hacker News

Top CVEs

  1. CVE-2024-9592: The Easy PayPal Gift Certificate plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.3. Unauthenticated attackers can update the plugin's settings and inject malicious JavaScript via a forged request if they can trick a site administrator into performing an action. Source: CVE-2024-9592
  2. CVE-2024-9778: The ImagePress – Image Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. Unauthenticated attackers can update plugin settings, including redirection URLs, via a forged request if they can trick a site administrator into performing an action. Source: CVE-2024-9778
  3. CVE-2024-9776: The ImagePress – Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.2. Authenticated attackers, with administrator-level permissions, can inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been enabled. Source: CVE-2024-9776
  4. CVE-2024-9595: The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the table cell content in all versions up to, and including, 2.4.2. Authenticated attackers, with Author-level access, can inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Source: CVE-2024-9595
  5. CVE-2024-9696: The Rescue Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'rescue_tab' shortcode in all versions up to, and including, 2.8. Authenticated attackers, with contributor-level access, can inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Source: CVE-2024-9696

Final Words

And that's a wrap for today's edition of Secret CISO. We've covered a lot of ground, from the data breach at Fidelity affecting over 77,000 customers, to the shocking revelation of threat actors using ChatGPT to write malware. We've also touched on the importance of cybersecurity measures, as seen in the University of Manchester's efforts to enhance their cybersecurity with Tanium.

Remember, in this digital age, staying informed is your first line of defense.

Share this newsletter with your friends and colleagues to keep them in the loop too.

Let's work together to create a safer digital space for everyone. Stay safe, stay informed, and see you in the next edition of Secret CISO.
