Secret CISO 10/5: China-linked breach hits U.S. wiretap systems, Hezbollah data breach tops cybersecurity events, Google's Pixel 9 Pro XL privacy flaws under scrutiny

Good morning, Secret CISO readers! Today's newsletter is packed with serious security breaches and data leaks that have been making headlines. We start with a China-linked intrusion into the networks of U.S. broadband providers that reportedly reached the systems those carriers use to service court-authorized wiretap requests; the compromise is being described as potentially catastrophic and has raised serious national security concerns. In other news, genetic testing company 23andMe is under scrutiny following a massive data breach affecting about 7 million customers. If you're worried about your data, we've got a guide on how to delete it from their system.

Meanwhile, a former Colorado county clerk (check yesterday's SC) has been sentenced to 9 years for a scheme that breached county voting-system data in pursuit of fraud claims about the 2020 presidential race, a case that highlights insider risk to election infrastructure. In what is being called one of the most significant cybersecurity events of the year, an attack in Lebanon that compromised Hezbollah's communications devices has left thousands injured and nine dead; the source counts it among the year's major breaches, and it is a reminder that a compromised supply chain can cause physical harm, not just data loss. On the legal front, a Texan has sued USAA over a data breach that affected 32,000 customers, and a major US brand has agreed to pay affected customers up to $5,000 each to settle a data breach suit.

In the realm of cloud security, we discuss why security should outrank cost and scalability, and explore the new frontier of Active Data Security Posture Management. Finally, we delve into the latest vulnerabilities and exploits, including a critical iOS update to fix a VoiceOver password vulnerability, and stealthy malware that has been infecting Linux systems for years. Stay tuned for these stories and more in today's edition of Secret CISO. Stay safe and informed!

Data Breaches

  1. China-linked security breach targeted U.S. wiretap systems: A sophisticated China-linked hacking group has reportedly breached the networks of several U.S. broadband providers and may have had access to the systems those carriers use to comply with court-authorized wiretap requests, which would expose details of lawful intercept targets. Given the breadth of the compromise, it is being described as potentially catastrophic. Source: CNBC, WSJ
  2. 23andMe massive data breach: Last year, genetic testing company 23andMe suffered a breach affecting roughly 7 million customers; attackers used credential stuffing against accounts with reused passwords and then scraped relatives' data through the DNA Relatives feature. The incident has led to a class action lawsuit and a $30 million settlement. Source: Fortune
  3. USAA data breach impacting 32K customers: A data breach at the United Services Automobile Association (USAA) has affected 32,000 customers, and the breach has reportedly already led to instances of identity theft and fraud. Source: MySA
  4. Hezbollah data breach: The attack in Lebanon that compromised Hezbollah's communications devices, which the source files under data breaches, caused thousands of injuries and nine fatalities. It is considered one of the biggest cybersecurity events of the year and shows that a compromised supply chain can cause physical harm rather than just data loss. Source: Digital Journal
  5. Comcast subscribers' data stolen from debt collector: Roughly a quarter of a million Comcast subscribers had names, addresses, Social Security numbers, dates of birth and account numbers stolen in a breach at a third-party debt collector, not Comcast's own systems. For practitioners it is a textbook vendor-risk case: data handed to a processor is only as safe as that processor's controls, and contracts should require timely breach notification. Source: The Register

Security Research

  1. Google's Pixel 9 Pro XL Faces Criticism Over Privacy Flaws and Data Leaks: A Cybernews security researcher reports that Google's Pixel 9 Pro XL periodically transmits sensitive data such as email addresses, phone numbers and other user details back to Google, prompting privacy concerns and criticism of the phone's default data handling. Source: PUNE.NEWS
  2. Stealthy Malware Has Infected Thousands of Linux Systems for Years: Aqua Security researchers have documented Perfctl, Linux malware that has quietly infected thousands of systems for years, mostly to run a cryptominer. It gets in through misconfigurations and known vulnerabilities, copies itself to /tmp and deletes the original binary, uses innocuous-looking process names and rootkit components to hide, and pauses its noisy activity when a user logs in, which is why it has slipped past some antivirus tooling. Defenders should look for sustained CPU load that vanishes when an admin logs in, daemons running from /tmp, and unexpected entries in /etc/ld.so.preload. Source: WIRED
  3. Apple Releases Critical iOS and iPadOS Updates to Fix VoiceOver Password Vulnerability: Security researcher Bistrit Daha discovered a flaw in Apple's iOS and iPadOS that could allow a user's saved passwords to be read aloud by the VoiceOver feature. Apple has since released critical updates to fix this vulnerability. Source: The Hacker News
  4. Bedrock GenAI Infrastructure Subjected to LLM Hijacking: Security researchers deliberately exposed an AWS access key on the internet as a honeypot, breaking a fundamental best practice on purpose, and watched attackers quickly use it to call Amazon Bedrock models, a pattern known as LLM hijacking or LLMjacking. The lesson for defenders is that a leaked key is monetised almost immediately, so Bedrock invocations should be monitored in CloudTrail and keys rotated at the first sign of exposure. Source: MSSP Alert
  5. Experts Warn of DDoS Attacks Exploiting Linux Printing Vulnerabilities: Akamai principal security researcher Larry Cashdollar warns that the recently disclosed CUPS printing vulnerabilities can be abused for DDoS amplification: a single crafted packet to the cups-browsed service on UDP port 631 makes the server send an IPP request to an attacker-chosen target, so many exposed hosts can be pointed at one victim. Hosts that do not need network printer discovery should stop and disable cups-browsed, and inbound UDP/631 should be blocked at the perimeter. Source: teiss
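The hiding behaviours Aqua describes for Perfctl in item 2 (a binary copied to /tmp and then deleted, process names that imitate system tools, userland rootkit hooks) suggest a few generic host checks. The Python below is an added example, not Aqua's detection logic or code from the page; the process table and preload file are constructed, and the tool-name, trusted-path and scratch-directory lists are assumptions a real deployment would tune.

```python
"""Heuristic checks for the hiding techniques used by Perfctl-style Linux
malware: a process whose name imitates a system tool but whose binary lives
outside the system paths, a binary deleted while it still runs, execution
from scratch or hidden directories, and hooks registered in /etc/ld.so.preload.

Added example; not Aqua Security's detection logic and not code from the
page. The process table and preload file below are constructed. On a live
host you would build Proc entries from /proc/<pid>/comm and
readlink(/proc/<pid>/exe) and read /etc/ld.so.preload directly.
"""
from dataclasses import dataclass

# Names malware commonly borrows so it blends into `ps` output (assumption).
SYSTEM_TOOL_NAMES = ("sshd", "perf", "cron", "systemd", "kworker", "httpd", "rsyslogd")
# Where legitimately installed binaries live (assumption; tune per distro).
TRUSTED_BIN_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/",
                    "/usr/libexec/", "/usr/local/bin/", "/usr/local/sbin/")
# World-writable scratch locations a daemon has no business running from.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Proc:
    pid: int
    comm: str  # contents of /proc/<pid>/comm
    exe: str   # readlink /proc/<pid>/exe; the kernel appends " (deleted)" if unlinked


def _on_disk_path(exe):
    suffix = " (deleted)"
    return exe[:-len(suffix)] if exe.endswith(suffix) else exe


def check_process(p):
    """Return the list of reasons this process looks suspicious (empty if clean)."""
    reasons = []
    path = _on_disk_path(p.exe)
    if path != p.exe:
        reasons.append("binary deleted while running")
    if path.startswith(SCRATCH_DIRS):
        reasons.append("running from scratch directory")
    if any(part.startswith(".") for part in path.split("/") if part):
        reasons.append("hidden directory in binary path")
    looks_like_tool = any(p.comm == n or p.comm.startswith(n) for n in SYSTEM_TOOL_NAMES)
    if looks_like_tool and not path.startswith(TRUSTED_BIN_DIRS):
        reasons.append("system tool name but binary outside system paths")
    return reasons


def check_processes(procs):
    hits = []
    for p in procs:
        reasons = check_process(p)
        if reasons:
            hits.append({"pid": p.pid, "comm": p.comm, "exe": p.exe, "reasons": reasons})
    return hits


def check_preload(text, allow=frozenset()):
    """Return /etc/ld.so.preload entries not on the allow-list.

    A non-empty preload file is already unusual on most servers; anything
    unexpected here is loaded into every dynamically linked process and can
    hook libc to hide files, processes and network connections.
    """
    unexpected = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry and entry not in allow:
            unexpected.append(entry)
    return unexpected


SAMPLE_PROCS = [  # constructed process table
    Proc(1, "systemd", "/usr/lib/systemd/systemd"),
    Proc(812, "sshd", "/usr/sbin/sshd"),
    Proc(2231, "perfctl", "/tmp/.xdiag/perfctl (deleted)"),
    Proc(2240, "httpd", "/root/.config/cron/httpd"),
]
SAMPLE_PRELOAD = "# constructed preload file\n/usr/local/lib/libonload.so\n/usr/lib/libsyshook.so\n"

if __name__ == "__main__":
    for hit in check_processes(SAMPLE_PROCS):
        print(hit)
    print("unexpected preload:", check_preload(SAMPLE_PRELOAD, allow={"/usr/local/lib/libonload.so"}))
```

The checks are deliberately cheap so they can run from cron or an EDR script; the point is that each of them catches a behaviour the malware needs (hiding its binary, hiding its name, hooking libc), so it is hard for the same sample to dodge all of them at once.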
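For item 4, what a defender actually needs is a way to spot Bedrock calls made with a stolen key. The Python below is an added example, not code from the reported research or the page: it triages constructed CloudTrail-shaped records against an assumed allow-list of principals and networks (the account ID, role, user, access key ID and IP addresses are invented) and flags the patterns typical of LLMjacking: enumeration of available models, invocations by long-lived IAM user keys, and invocations from outside the expected network.

```python
"""Triage Amazon Bedrock activity in CloudTrail for signs of LLM hijacking.

Added example for this newsletter item; it is not code from the research
being reported. The records below are constructed: the account ID, role and
user names, access key ID and IP addresses are made up, while the field
layout (eventSource, eventName, userIdentity, sourceIPAddress) follows the
CloudTrail record format.
"""
import ipaddress

# Assumptions for the demo: the only identity that should call Bedrock,
# and the only network it should call from.
EXPECTED_PRINCIPALS = {"arn:aws:iam::111122223333:role/genai-app-role"}
EXPECTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Runtime calls that consume (and bill) model capacity, and the control-plane
# call attackers make first to see which models a stolen key can reach.
INVOKE_EVENTS = {"InvokeModel", "InvokeModelWithResponseStream", "Converse", "ConverseStream"}
RECON_EVENTS = {"ListFoundationModels"}

APP_ROLE_IDENTITY = {  # constructed: an assumed-role session of the expected app role
    "type": "AssumedRole",
    "arn": "arn:aws:sts::111122223333:assumed-role/genai-app-role/app-1",
    "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/genai-app-role"}},
}
LEAKED_USER_IDENTITY = {  # constructed: a long-lived IAM user key that should never touch Bedrock
    "type": "IAMUser",
    "accessKeyId": "AKIAEXAMPLE000000001",
    "arn": "arn:aws:iam::111122223333:user/ci-deploy",
}

SAMPLE_TRAIL = [  # constructed CloudTrail records
    {"eventSource": "bedrock.amazonaws.com", "eventName": "InvokeModel",
     "sourceIPAddress": "10.1.2.3", "userIdentity": APP_ROLE_IDENTITY},
    {"eventSource": "bedrock.amazonaws.com", "eventName": "ListFoundationModels",
     "sourceIPAddress": "203.0.113.45", "userIdentity": LEAKED_USER_IDENTITY},
    {"eventSource": "bedrock.amazonaws.com", "eventName": "InvokeModel",
     "sourceIPAddress": "203.0.113.45", "userIdentity": LEAKED_USER_IDENTITY},
    {"eventSource": "bedrock.amazonaws.com", "eventName": "InvokeModel",
     "sourceIPAddress": "198.51.100.7", "userIdentity": APP_ROLE_IDENTITY},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "10.1.2.3", "userIdentity": LEAKED_USER_IDENTITY},
]


def principal_of(record):
    """Long-lived identity behind the call: the role ARN from sessionIssuer
    for an assumed role, otherwise the user ARN itself."""
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn") or "unknown"


def in_expected_network(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # CloudTrail may record a service name instead of an IP
        return False
    return any(addr in net for net in EXPECTED_NETWORKS)


def triage(records):
    """Return one finding per Bedrock record that breaks an expectation."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "bedrock.amazonaws.com":
            continue
        name = rec.get("eventName", "")
        ident = rec.get("userIdentity", {})
        principal = principal_of(rec)
        ip = rec.get("sourceIPAddress", "")
        reasons = []
        if principal not in EXPECTED_PRINCIPALS:
            reasons.append("unexpected principal")
        if ident.get("type") == "IAMUser":
            reasons.append("long-lived access key used")
        if name in INVOKE_EVENTS and not in_expected_network(ip):
            reasons.append("invoke from outside expected network")
        if name in RECON_EVENTS:
            reasons.append("model enumeration")
        if reasons:
            findings.append({"eventName": name, "principal": principal, "sourceIPAddress": ip,
                             "accessKeyId": ident.get("accessKeyId"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_TRAIL):
        print(finding)
```

In a real account the same logic would run as a CloudTrail Lake query or an EventBridge rule, with the allow-list sourced from the IAM roles your applications actually use; the access key ID in each finding is what you feed to the revocation step.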

Top CVEs

  1. CVE-2024-47913 - MediaWiki AbuseFilter Extension Vulnerability: An issue was discovered in the AbuseFilter extension for MediaWiki. An API caller can match a filter condition against AbuseFilter logs even if the caller is not authorized to view the log details. This could potentially lead to unauthorized access to sensitive information. Source: CVE-2024-47913
  2. CVE-2024-8743 - Bit File Manager Plugin for WordPress Vulnerability: The Bit File Manager plugin for WordPress is vulnerable to Limited JavaScript File Upload due to a lack of proper checks on allowed file types. This makes it possible for authenticated attackers to upload .css and .js files, which could lead to Stored Cross-Site Scripting (XSS) attacks. Source: CVE-2024-8743
  3. CVE-2024-47911 - SonarSource SonarQube Vulnerability: In SonarSource SonarQube, the authorizations/group-memberships API endpoint allows users with the administrator role to perform blind SQL injection. Because the attacker must already be an administrator, the practical impact is reading database contents that the application would not otherwise expose. Source: CVE-2024-47911
  4. CVE-2024-43683 - Microchip TimeProvider 4100 Vulnerability: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Microchip TimeProvider 4100 allows XSS Through HTTP Headers. Open redirects lend themselves to phishing, and header-based XSS on a time appliance can be turned against an operator's browser session. Source: CVE-2024-43683
  5. CVE-2024-41515 - CADClick XSS Vulnerability: A reflected cross-site scripting (XSS) vulnerability in "ccHandlerResource.ashx" in CADClick allows remote attackers to inject arbitrary web script or HTML via the "res_url" parameter, typically to hijack a victim's session or act in their browser. Source: CVE-2024-41515

API Security

  1. AbuseFilter Extension for MediaWiki API Security Issue (CVE-2024-47913): An issue was discovered in the AbuseFilter extension for MediaWiki, where an API caller can match a filter condition against AbuseFilter logs even if they're not authorized to view the log details. This vulnerability affects versions before 1.39.9, 1.40.x and 1.41.x before 1.41.3, and 1.42.x before 1.42.2. Source: vulners.com
  2. SonarSource SonarQube API Vulnerability (CVE-2024-47911): A blind SQL injection was found in the authorizations/group-memberships API endpoint of SonarSource SonarQube 10.4 through 10.5; it is fixed in 10.6 and is reachable only to users with the administrator role. Source: vulners.com
  3. SonarSource SonarQube GitHub Integration Security Issue (CVE-2024-47910): An issue was discovered in SonarSource SonarQube before 9.9.5 LTA and 10.x before 10.5. A user with the Administrator role can modify an existing configuration of a GitHub integration to exfiltrate a pre-signed. Source: vulners.com
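Item 3 in the Top CVEs list and item 2 in this section both concern blind SQL injection through the SonarQube group-memberships endpoint. The Python below is an added example that models the vulnerability class with SQLite; it is not SonarQube's code or the actual exploit, the schema, group names and token values are invented, and the administrator-role requirement of the real issue is not modelled. It shows why "blind" injection is still a full data read: the endpoint never returns anything from the users table, yet an attacker recovers a token one character at a time from whether the membership list comes back empty, while the parameterised version of the same query returns nothing for the same payloads.

```python
"""Blind SQL injection through an API filter parameter, and the fix.

Added example modelling the vulnerability class behind the SonarQube
group-memberships issue; it is not SonarQube's code. The schema, the
"dev"/"ops" group names and the api_token values are invented for the demo,
and SQLite is used so the example runs with the standard library alone.
"""
import sqlite3
import string


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, api_token TEXT);
        CREATE TABLE group_memberships (user_id INTEGER, group_id TEXT);
        INSERT INTO users VALUES (1, 'admin', 'tok-7f3a'), (2, 'ci', 'tok-00b9');
        INSERT INTO group_memberships VALUES (1, 'dev'), (2, 'dev'), (2, 'ops');
    """)
    return conn


def memberships_vulnerable(conn, group_id):
    """The endpoint written with string formatting: whatever arrives in the
    group_id parameter is spliced into the statement as SQL."""
    sql = ("SELECT user_id FROM group_memberships "
           f"WHERE group_id = '{group_id}' ORDER BY user_id")
    return [row[0] for row in conn.execute(sql)]


def memberships_safe(conn, group_id):
    """Same query with a bound parameter: the value is only ever compared as
    data, so an injection payload matches no group and returns nothing."""
    sql = "SELECT user_id FROM group_memberships WHERE group_id = ? ORDER BY user_id"
    return [row[0] for row in conn.execute(sql, (group_id,))]


def blind_extract(oracle, login="admin", max_len=32):
    """Recover users.api_token for `login` one character at a time.

    `oracle(payload)` is True when the endpoint returns a non-empty list.
    Each probe keeps the real group filter, ANDs it with a guess about one
    character of the token, and comments out the closing quote the endpoint
    appends. Nothing from the users table is ever returned to the caller.
    """
    charset = string.ascii_lowercase + string.digits + "-"
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            payload = (f"dev' AND (SELECT substr(api_token, {pos}, 1) FROM users "
                       f"WHERE login = '{login}') = '{ch}' -- ")
            if oracle(payload):
                recovered += ch
                break
        else:
            break  # no character matched: we are past the end of the token
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable endpoint leaks:", blind_extract(lambda p: bool(memberships_vulnerable(db, p))))
    print("parameterised endpoint leaks:", repr(blind_extract(lambda p: bool(memberships_safe(db, p)))))
```

The extraction needs at most one request per character of the alphabet per position, which is why a blind injection behind an authenticated, low-traffic admin API is still worth fixing promptly: a few hundred requests are enough to pull a secret, and the only server-side trace is an unusual volume of filter queries.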

Sponsored by Wallarm API Security Solution

Final Words

That's all for today's edition of Secret CISO. We've covered a lot of ground, from the China-linked security breach targeting U.S. wiretap systems to the data breach affecting 23andMe customers. It's clear that the cyber landscape is ever-evolving, and staying informed is our first line of defense.

Remember, knowledge is power. So, don't keep this power to yourself. Share Secret CISO with your friends and colleagues so they too can stay one step ahead of the cyber threats. Until next time, stay safe and secure.
