Secret CISO 10/22: Hong Kong Sports Club, Marriott Settles, Johnson & Johnson, CoinSwitch Data Breaches; New Attack Method Research; China-Taiwan Security Tensions

Welcome to today's issue of Secret CISO, your daily dose of cybersecurity news. Today, we're looking at a series of data breaches that have impacted organizations across the globe. In Hong Kong, the South China Athletic Association has been criticized for its lackluster cybersecurity measures, which led to a data leak affecting over 72,000 individuals.

Meanwhile, Marriott International has reached a settlement over data breaches at Starwood Hotels, highlighting the importance of robust data security in the hospitality industry. In the healthcare sector, Johnson & Johnson disclosed a data breach impacting thousands of people, while a dental center chain has agreed to a $2.7M settlement over a data breach lawsuit.

In the world of cryptocurrency, CoinSwitch has accused WazirX of moving $73 million worth of crypto following a data breach, raising concerns about the security of digital assets. In other news, the Internet Archive was breached twice in a month, and Trust Wallet temporarily suspended Transak's fiat-to-crypto payment service following a data breach. On the research front, a new attack method targeting AI systems has been uncovered, potentially leading to misinformation and manipulation of AI systems.

Stay tuned for more updates and remember, knowledge is the best defense against cyber threats. Stay safe and secure!

Data Breaches

  1. Hong Kong watchdog slams sports club for sloppy cybersecurity ahead of data breach: The South China Athletic Association was criticized by a Hong Kong watchdog for its lackadaisical approach to cybersecurity, leading to a data leak affecting 72,315 individuals in March. Source: SCMP
  2. FTC And State AGs Settle With Marriott Over Starwood Data Breaches: Marriott International has reached a settlement with the Federal Trade Commission and state attorneys general over data breaches at Starwood Hotels, highlighting the importance of robust data security strategies. Source: Mondaq
  3. Pharma Giant Johnson & Johnson Discloses Data Breach: Johnson & Johnson, a leading pharmaceutical company, has disclosed a data breach that has impacted the personal information of thousands of individuals. Source: SecurityWeek
  4. CoinSwitch Alleges WazirX Moved Crypto Worth $73 Mn Post Data Breach: CoinSwitch has accused WazirX of mishandling a data breach situation, raising concerns about the transfer of $73 million worth of cryptocurrency to other exchanges. Source: Inc42
  5. 'Lack of care led to sports association data breach' - RTHK: The Office of the Privacy Commissioner for Personal Data accused the South China Athletic Association of negligence leading to a data breach. Source: RTHK

Security Research

  1. Research Uncovers New Attack Method, Security Leaders Share Insights: This research reveals a new attack method that targets Retrieval Augmented Generation (RAG) based AI systems, allowing for the manipulation of these systems and potentially leading to misinformation. Source: Security Magazine
  2. Scientists Join Growers in Cantaloupe Food Safety Research in Indiana: Researchers at Purdue University are collaborating with the FDA and Indiana officials on a study to enhance the safety of cantaloupe. Source: Food Safety News
  3. Hackers Have Uploaded Thousands Of Malicious Models To AI's Biggest Online Repository: Security researchers from Protect AI have discovered that hackers have uploaded thousands of malicious models to the largest online AI repository, highlighting the need for improved security practices in the field. Source: Forbes
  4. Autonomous Security Robots in Airports, Events, and BFSI Research Report 2024: This research report discusses how advanced AI and robotics are transforming security operations across various industries, with a focus on airports, events, and the BFSI sector. Source: Yahoo Finance
  5. Researchers Discover Flaws in 5 End-to-End Encrypted Cloud Services: A recent study found serious flaws in four out of five end-to-end encrypted cloud services, highlighting the need for improved security measures in cloud storage. Source: SC Media

Top CVEs

  1. CVE-2024-49368: Nginx UI, a web user interface for the Nginx web server, has a vulnerability in versions prior to 2.0.0-beta.36. The issue arises when Nginx UI configures logrotate without verifying the input, leading to arbitrary command execution. The issue is fixed in version 2.0.0-beta.36. Source: CVE-2024-49368
  2. CVE-2024-8901: AWS ALB Route Directive Adapter For Istio has a vulnerability in its OIDC authentication mechanism. The adapter uses JWT for authentication but lacks proper signer and issuer validation. This can allow an actor to spoof OIDC-federated sessions and bypass authentication in certain deployments. Source: CVE-2024-8901
  3. CVE-2024-10125: Amazon.ApplicationLoadBalancer.Identity.AspNetCore repo has a vulnerability in its JWT handling code. It validates the signature but fails to validate the JWT issuer and signer identity. This can allow an actor to mimic valid OIDC-federated sessions to the ALB. Source: CVE-2024-10125
  4. CVE-2024-49367: Nginx UI has another vulnerability in versions prior to 2.0.0-beta.36. The log path of nginxui is controllable, and this issue can be combined with the directory traversal at /api/configs to read directories and file contents on the server. The issue is fixed in version 2.0.0-beta.36. Source: CVE-2024-49367
  5. CVE-2024-45309: OneDev, a Git server with CI/CD, kanban, and packages, has a vulnerability in versions prior to 11.0.9. This vulnerability allows unauthenticated users to read arbitrary files accessible by the OneDev server process. The issue is fixed in version 11.0.9. Source: CVE-2024-45309

API Security

  1. AWS ALB Route Directive Adapter For Istio Vulnerability (CVE-2024-8901): The AWS ALB Route Directive Adapter for Istio has a security flaw in its OIDC authentication mechanism. The adapter uses JWT for authentication but lacks proper signer and issuer validation, potentially allowing an actor to spoof OIDC-federated sessions. Source: CVE-2024-8901
  2. Amazon.ApplicationLoadBalancer.Identity.AspNetCore Vulnerability (CVE-2024-10125): The Amazon.ApplicationLoadBalancer.Identity.AspNetCore repo contains Middleware that fails to validate the JWT issuer and signer identity. This could allow an actor to mimic valid OIDC-federated sessions to the ALB. Source: CVE-2024-10125
  3. Linux Kernel Driver Core Bus Register Vulnerability (CVE-2024-50055): A vulnerability in the Linux kernel's driver core bus register could lead to a double free error, potentially causing system instability or crashes. Source: CVE-2024-50055
  4. Linux Kernel SMB Client Async Decryption Vulnerability (CVE-2024-50047): A use-after-free vulnerability in the Linux kernel's SMB client could lead to crashes during async decryption. Source: CVE-2024-50047
  5. Mitel MiCollab AWV Component SQL Injection Vulnerability (CVE-2024-47189): The API Interface of the AWV component of Mitel MiCollab could allow an unauthenticated attacker to conduct SQL injection due to insufficient sanitization of user input. Source: CVE-2024-47189
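The two ALB JWT advisories above (CVE-2024-8901 and CVE-2024-10125) describe one bug class: the signature is checked, but not who signed the token or who issued it, so a token minted under the same regional key for a different load balancer and identity provider still passes. The Python below is an added example, not code from the newsletter, AWS or the Istio adapter: it puts the signature-only verifier beside a hardened one, using HS256 with a constructed shared key as a stand-in for the ALB's ES256 keys, and the header fields "signer" and "kid", the claim "iss" and the ARN/issuer values are assumptions constructed for the demo.

```python
import base64, hashlib, hmac, json, time

KEYS_BY_KID = {"regional-key-1": b"demo-shared-secret"}  # constructed trust store shared by every ALB in the region
EXPECTED_SIGNER = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/ours/0000"  # constructed
EXPECTED_ISSUER = "https://idp.example.com/"  # constructed

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(header: dict, payload: dict, key: bytes) -> str:
    """Mint an HS256 JWT (demo stand-in for the ALB's ES256 signing)."""
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(payload).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def _check_signature(token: str):  # shared step: verify the signature with the key named by "kid"
    h, p, s = token.split(".")
    header = json.loads(_unb64(h))
    key = KEYS_BY_KID.get(header.get("kid"))
    if key is None or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return (header, json.loads(_unb64(p))) if hmac.compare_digest(expected, _unb64(s)) else None

def verify_signature_only(token: str):
    """Vulnerable pattern: any token signed with the shared key is accepted, whoever minted it."""
    parsed = _check_signature(token)
    return parsed[1] if parsed else None

def verify_strict(token: str, now=None):
    """Hardened pattern: pin the signer and the issuer, then enforce expiry."""
    parsed = _check_signature(token)
    if parsed is None:
        return None
    header, payload = parsed
    if header.get("signer") != EXPECTED_SIGNER or payload.get("iss") != EXPECTED_ISSUER:
        return None
    if payload.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return payload

def demo_tokens(now: float = 1_700_000_000.0):
    """Two constructed tokens under the same key: ours, and one from a different ALB and issuer."""
    key = KEYS_BY_KID["regional-key-1"]
    ours = make_token({"alg": "HS256", "kid": "regional-key-1", "signer": EXPECTED_SIGNER},
                      {"sub": "alice", "iss": EXPECTED_ISSUER, "exp": now + 120}, key)
    other = make_token({"alg": "HS256", "kid": "regional-key-1", "signer": EXPECTED_SIGNER.replace("ours", "other")},
                       {"sub": "alice", "iss": "https://other-idp.example.net/", "exp": now + 120}, key)
    return ours, other
```

Run `verify_signature_only` and `verify_strict` over both tokens from `demo_tokens()`: the first accepts both, the second accepts only the token whose signer and issuer match what the relying party pinned.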

Final Words

As we wrap up today's edition of Secret CISO, we're reminded of the importance of staying vigilant and proactive in the face of ever-evolving cybersecurity threats. From Hong Kong's sports club data breach to the settlement with Marriott over Starwood data breaches, it's clear that no sector is immune to these challenges. In the world of cryptocurrency, CoinSwitch's allegations against WazirX following a data breach highlight the need for robust security measures in this rapidly growing industry. Meanwhile, the data breach disclosed by Johnson & Johnson serves as a stark reminder of the potential risks to personal information in the healthcare sector.

We also delve into the realm of research, uncovering new attack methods and sharing insights from security leaders. As AI continues to play a significant role in our digital landscape, it's crucial to stay informed about potential vulnerabilities and the latest protective strategies. Remember, knowledge is power in the fight against cyber threats. So, don't keep this valuable information to yourself.

Share Secret CISO with your friends and colleagues to help them stay one step ahead of the hackers. Stay safe and see you in the next edition!
