Good Morning Secret CISO readers, In today's issue, we're diving into a whirlpool of data breaches and security blunders that have been making headlines. Disney is facing legal troubles as a lawsuit led by Scott Margel alleges negligence, breach of contract, and inadequate data protection measures.

Meanwhile, former Mesa County Clerk Tina Peters has been sentenced to 9 years in prison over a security breach tied to election equipment. Across the pond, the UK's Sellafield nuclear waste processing plant has been fined £333K for infosec blunders, violating the UK's Nuclear Industries Security Regulations 2003. In the world of telecommunications, a quarter-million Comcast subscribers had their data stolen from a debt collector, raising concerns about the security of personal financial information.

We also delve into the increasing threats against the judiciary, with a Colorado judge who sentenced election denier Tina Peters to prison receiving threats, leading to beefed-up security at the courthouse. In the realm of genetics, as 23andMe struggles, concerns surface about its handling of genetic data. And finally, we'll look at the latest cybersecurity best practices for businesses, and how to protect yourself from credit card fraud. Stay tuned for more updates and insights in the world of cybersecurity.

Data Breaches

1. Disney's Legal Troubles Grow with Employee Data Breach Lawsuit: Disney is facing a lawsuit led by plaintiff Scott Margel, alleging negligence, breach of implied contract, and inadequate data protection measures. The lawsuit could potentially impact the company's reputation and financial standing. Source: DisneyDining
2. Former Mesa County Clerk Tina Peters sentenced to 9 years in prison, county jail: Tina Peters, the former Mesa County Clerk, has been sentenced to 9 years in prison due to a security breach for elections equipment at the Mesa County Clerk and Recorder's office in May 2021. This case highlights the importance of maintaining security in public offices. Source: Colorado Politics
3. UK's Sellafield nuke waste processing plant fined £333K for infosec blunders: The Sellafield nuclear waste processing plant in the UK has been fined £333K due to poor infosec practices. This incident underlines the importance of robust security measures in sensitive industries. Source: The Register
4. A Quarter Million Comcast Subscribers Had Data Stolen From Debt Collector: Comcast is informing subscribers about a security breach where their information was stolen. This breach underscores the need for strong data protection measures across all sectors, including debt collection. Source: Slashdot
5. China-linked security breach targeted U.S. wiretap systems: U.S. broadband providers were targeted in a cyberattack tied to the Chinese government that targeted wiretap requests. This incident highlights the ongoing cybersecurity threats posed by state actors. Source: CNBC

Security Research

1. Critical Zimbra RCE vulnerability exploited, Patch Tuesday forecast: A severe Remote Code Execution (RCE) vulnerability in Zimbra, an open-source email platform, has been exploited. Simone Margaritelli, the researcher who discovered the vulnerability, warns of potential security breaches and malicious insider threats. Source: Help Net Security
2. iOS and Android Security Scare: Two Apps Found Supporting 'Pig Butchering' Scheme: Group-IB researchers have discovered two apps on iOS and Android platforms that support a 'Pig Butchering' scheme, a type of advanced fee fraud. The iOS app remained on the App Store despite the report. Source: Slashdot
3. Apple Releases Urgent iOS 18 Patch To Fix Major Password Vulnerability: Apple has released an urgent patch for iOS 18 to fix a major password vulnerability. The issue was discovered and reported by security researcher Bistrit Dahal. Source: HotHardware
4. Google Pixel smartphone busted sending private user data back to Google every 15 minutes: Security researcher Aras Nazarovas has found that the Google Pixel 9 Pro XL periodically sends private user data back to Google. The smartphone also attempts to download and run new code. Source: TweakTown
5. New Snapekit Rootkit Malware Targeting Arch Linux Users: Gen Threat Labs researchers have discovered a new sophisticated rootkit, named Snapekit, targeting Arch Linux users. The rootkit is considered highly sophisticated and poses a significant threat to the security of Arch Linux systems. Source: Cyber Security News

Top CVEs

1. CVE-2024-47374 - LiteSpeed Technologies LiteSpeed Cache XSS Vulnerability: An XSS vulnerability has been identified in LiteSpeed Technologies LiteSpeed Cache, allowing for Stored XSS. The improper neutralization of input during web page generation is the root cause. Source: CVE-2024-47374.
2. CVE-2024-47375 - Ashraf XLTab XSS Vulnerability: Ashraf XLTab – Accordions and Tabs for Elementor Page Builder has a Stored XSS vulnerability due to improper neutralization of input during web page generation. Source: CVE-2024-47375.
3. CVE-2024-47372 - ThemeNcode LLC TNC PDF Viewer XSS Vulnerability: ThemeNcode LLC TNC PDF viewer is affected by a Stored XSS vulnerability, caused by improper neutralization of input during web page generation. Source: CVE-2024-47372.
4. CVE-2024-47369 - WPWeb Social Auto Poster XSS Vulnerability: WPWeb Social Auto Poster has a Reflected XSS vulnerability due to improper neutralization of input during web page generation. Source: CVE-2024-47369.
5. CVE-2024-9536 - ESAFENET CDG V5 SQL Injection Vulnerability: A critical vulnerability has been found in ESAFENET CDG V5, leading to SQL injection through the manipulation of the argument fileId in the file /MultiServerBackService?path=1. The attack can be launched remotely. Source: CVE-2024-9536.

Final Words

And that's a wrap for today's edition of Secret CISO. From Disney's legal woes to the sentencing of former Mesa County Clerk Tina Peters, it's clear that data breaches and security issues continue to be a pressing concern across various sectors. As we navigate this digital landscape, let's remember to stay vigilant and proactive in our cybersecurity measures.

Share this newsletter with your friends and colleagues to keep them in the loop too. After all, in the world of cybersecurity, knowledge is our best defense. Stay safe, stay informed, and see you in the next edition of Secret CISO.