Secret CISO 10/20: E2EE Cloud Storage Flaws, Hezbollah's Financial Asset Breached, Internet Archive's Third Attack, Western Digital's Patent Violation, Nintendo's Data Breach, US Classified Documents Leaked, AI in Cybersecurity, Bitcoin Sextortion Scam
Hello Secret CISO readers,
In today's issue, we're diving into a whirlwind of security breaches and vulnerabilities that have been making headlines. First up, we're looking at severe flaws in E2EE cloud storage platforms that could expose user data to malicious entities. This is a serious concern for the millions of users who rely on these platforms for secure storage.
Next, we're exploring the Al-Qard al-Hassan association, a bank that provides Hezbollah with money laundering services and is now a target of the IDF. A 2021 data breach has shed light on its operations, revealing how it serves as one of the terror group's main financial assets. The Internet Archive has confirmed a third security breach this month, marking a series of escalating cyberattacks.
Meanwhile, Western Digital has been ordered to pay US$315.7 million in damages for infringing a data security patent. In gaming news, Pokémon developer Game Freak has issued an apology after confirming a data breach that occurred in August. And in political news, the U.S. is investigating a leak of classified documents on Israel's attack plans. We're also covering the AI edge in cybersecurity, with predictive tools aiming to slash response times. It's not all good news, though: over 600 million cyberattacks target Windows users every day.
Finally, we're looking at a range of other topics, from a Bitcoin sextortion scam to a $30 million settlement following a data breach at 23andMe. Stay tuned for all this and more in today's issue of Secret CISO. Stay safe, stay informed.
Data Breaches
- Severe flaws in E2EE cloud storage platforms used by millions: A set of security issues has been discovered in several end-to-end encrypted (E2EE) cloud storage platforms, potentially exposing user data to malicious entities. The vulnerabilities could have a significant impact on millions of users worldwide. Source: Bleeping Computer
- Al-Qard al-Hassan association, a target of IDF: The Al-Qard al-Hassan association, a bank providing Hezbollah with money laundering services and one of the terror group's main financial assets, was targeted in a 2021 data breach. The breach has shed light on the association's operations and its ties to Hezbollah. Source: Ynetnews
- Internet Archive Breached Again: Third Cyber Attack In October 2024: The Internet Archive confirmed a third security breach on October 20, 2024, marking a series of escalating cyberattacks on the platform. The impact and extent of the breach are yet to be determined. Source: Forbes
- Western Digital owes US$315.7m for infringing data security patent: Data storage provider Western Digital has been ordered to pay US$315.7 million in damages for violating a patent owner's rights in data security. The ruling could have significant implications for other companies in the data storage and security sector. Source: iTnews
- Pokémon developer Game Freak data breach: On October 14, 2024, Game Freak, the developer of Pokémon, confirmed a data breach that occurred in August. The breach has led to unauthorized access to sensitive information, prompting the company to issue an official apology. Source: RetailWire
Security Research
- Hackers Exploit Roundcube Webmail XSS Vulnerability to Steal Login Credentials: Threat actors have been exploiting a patched security vulnerability in Roundcube Webmail to steal login credentials. Users are advised to update their systems to the latest version to avoid falling victim to this exploit. Source: The Hacker News
- RM30 Million Allocation Will Bolster Cyber Security, Combat Fraud: A significant allocation of RM30 million is set to enhance cybersecurity and combat fraud, according to AI expert Associate Prof Dr Selvakumar Manickam. This proactive measure will protect individuals and organizations from cyber threats. Source: Bernama
- Security Priorities Study - Foundry: The annual CSO research aims to understand the security projects that organizations are focusing on currently and in the coming year. The study provides valuable insights into the evolving cybersecurity landscape. Source: Foundry
- Researchers unveil LLM tool to find Python zero-days: Researchers have unveiled a new tool built on a large language model (LLM) to find Python zero-days. The tool can reveal complex, multi-step vulnerabilities, providing a more comprehensive approach to Python security. Source: The Register
- USENIX NSDI '24 - Crescent: Emulating Heterogeneous Production Network at Scale: The USENIX NSDI '24 research paper presents Crescent, a tool for emulating heterogeneous production networks at scale. This research contributes to the understanding and enhancement of network security. Source: Security Boulevard
Top CVEs
- CVE-2024-10159 - SQL Injection in PHPGurukul Boat Booking System 1.0: A critical vulnerability has been discovered in PHPGurukul Boat Booking System 1.0, affecting an unknown functionality of the file /admin/profile.php. The manipulation of certain arguments leads to SQL injection, with the attack being launched remotely. The exploit has been publicly disclosed. Source: vulners.com
- CVE-2024-10158 - Session Fixation in PHPGurukul Boat Booking System 1.0: A problematic vulnerability has been found in PHPGurukul Boat Booking System 1.0, affecting the function session_start. The manipulation leads to session fixation, with the possibility of a remote attack. The exploit has been publicly disclosed. Source: vulners.com
- CVE-2024-49290 - CSRF Vulnerability in Gora Tech LLC Cooked Pro: A Cross-Site Request Forgery (CSRF) vulnerability has been found in Gora Tech LLC Cooked Pro. This issue affects versions of Cooked Pro before a certain update. Source: vulners.com
- CVE-2024-10157 - SQL Injection in PHPGurukul Boat Booking System 1.0: A critical vulnerability has been discovered in PHPGurukul Boat Booking System 1.0, affecting some unknown processing of the file /admin/password-recovery.php. The manipulation of the argument username leads to SQL injection, with the attack being initiated remotely. The exploit has been publicly disclosed. Source: vulners.com
- CVE-2024-49274 - CSRF Vulnerability in Infomaniak Staff VOD Infomaniak: A Cross-Site Request Forgery (CSRF) vulnerability has been found in Infomaniak Staff VOD Infomaniak. This issue affects versions of VOD Infomaniak up to a certain update. Source: vulners.com
API Security
- Unrestricted Upload of File with Dangerous Type in WP REST API FNS (CVE-2024-49329): A new vulnerability has been discovered in Vivek Tamrakar's WP REST API FNS that allows unrestricted upload of files with dangerous types. This could allow an attacker to upload a web shell to the web server, posing a serious security risk. The issue affects all versions of WP REST API FNS. Source: vulners.com
- Authentication Bypass Using an Alternate Path in WP REST API FNS (CVE-2024-49328): Another vulnerability in Vivek Tamrakar's WP REST API FNS has been identified, this time allowing authentication bypass using an alternate path or channel. This could allow unauthorized users to gain access to protected resources. The issue affects all versions of WP REST API FNS. Source: vulners.com
Sponsored by Wallarm API Security Solution
Final Words
And that's a wrap for today's edition of Secret CISO. We've delved into the world of E2EE cloud storage vulnerabilities, the financial ties of terror groups, and the escalating cyberattacks on the Internet Archive. We've also explored the hefty price of patent infringement, the fallout from gaming data breaches, and the potential of AI in cybersecurity.
Remember, in this digital age, staying informed is your first line of defense. So, don't keep this valuable information to yourself.
Share Secret CISO with your friends and colleagues, and let's create a safer cyber world together.
Until next time, stay vigilant and keep your data secure.