Secret CISO 11/10: UnitedLex Breach Settlement, AWS Key Theft, Quantum Tech for IoT Security, Safaricom Under Fire, UnitedHealth Breach, Cloudflare's Security.txt Adoption

Welcome to today's issue of Secret CISO, your daily dose of the most impactful cybersecurity news. Today, we're diving into the debate of whether it's worse to go without MFA or data backups as regulatory scrutiny around data security intensifies.

We're also discussing the alarming reality that your Social Security number is likely already leaked, and how consumers are left dealing with the aftermath of data breaches while companies seemingly face little accountability. In the wake of the UnitedLex data breach, affected Americans have just a few days left to claim their share of the $1.3m settlement. Meanwhile, a malicious PyPI package has been downloaded over 37,000 times, stealing AWS keys and causing havoc.

We'll also explore how quantum technology could be the key to avoiding an IoT nightmare, and why Safaricom is under fire from MPs over the security of subscriber data. In other news, the UK's privacy watchdog calls for empathy and action for data breach victims, and we'll look at why cybersecurity is a key pillar of business resilience.

Stay tuned for all this and more in today's issue of Secret CISO. Stay safe, stay informed.

Data Breaches

  1. Malicious PyPI package with 37,000 downloads steals AWS keys: A malicious package on Python's official third-party software repository, PyPI, has been downloaded over 37,000 times, potentially compromising AWS keys. The package executes platform-specific scripts that steal AWS keys and send them to a remote server. Source: Bleeping Computer
  2. UnitedHealth Breach Exposes Data of 100 Million Americans: UnitedHealth, a major healthcare provider, has suffered a data breach affecting over 100 million people. The breach exposed medical and personal details and Social Security records of the victims. Source: Infoemplea2
  3. U.S. agency cautions employees to limit phone use due to Salt Typhoon hack of telco providers: The US Consumer Financial Protection Bureau (CFPB) has warned its employees to avoid work-related mobile calls and texts following a hack by China-linked group Salt Typhoon. The hack targeted telco providers, raising security concerns. Source: Security Affairs
  4. Why Safaricom is under fire from MPs: Kenyan telecom company Safaricom is under scrutiny from lawmakers over the security of subscriber data. The concerns arise from the potential vulnerability of Subscriber Identity Module (SIM) data. Source: Daily Nation (Kenya)
  5. Cloudflare Advocates for Broader Adoption of security.txt Standard for Vulnerability Reporting: To address the issue of unreported security vulnerabilities, Cloudflare has launched a dashboard to help create and manage a security.txt file. This initiative aims to standardize the process of vulnerability reporting. Source: InfoQ

Security Research

  1. Cloudflare Advocates for Broader Adoption of security.txt Standard for Vulnerability Reporting: Cloudflare is advocating for the broader adoption of the security.txt standard for vulnerability reporting. This standard provides a systematic method for security research teams to report vulnerabilities. Source: InfoQ
  2. A hidden iOS 18.1 upgrade made it harder to extract data from iPhones: Apple has made it more difficult to extract data from iPhones with a hidden upgrade in iOS 18.1. This upgrade is part of Apple's ongoing efforts to enhance the security of its devices. Source: Bundle
  3. Inside Intelligence University, the region's pioneer security and research institution: The National Intelligence and Research University, a pioneer in security and research in the region, has been granted a charter. The institution is expected to play a crucial role in addressing complex security challenges. Source: Standard Media
  4. North Korean criminals target crypto companies with Mac malware: Security researchers have identified a macOS malware campaign targeting crypto companies, suspected to be the work of North Korean attackers. This highlights the increasing cyber threats faced by the cryptocurrency industry. Source: heise online
  5. D-Link refuses to patch a security flaw on over 60,000 NAS devices: Security researcher Netsecfish discovered a critical flaw in several popular D-Link NAS models. Despite this, D-Link has refused to patch the flaw, highlighting the ongoing challenges in ensuring device security. Source: Tom's Hardware

Top CVEs

  1. CVE-2024-42000 - Mattermost Unauthorized Channel Access: Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9 and 10.0.x <= 10.0.0 have a vulnerability that allows users or system managers with "Read Groups" permission to retrieve details about private channels they are not a member of. Source: CVE-2024-42000
  2. CVE-2024-52032 - Mattermost ElasticSearch Query Failure: Mattermost versions 10.0.x <= 10.0.0 and 9.11.x <= 9.11.2 have a vulnerability that allows an attacker to get private channel names they are not a member of when Elasticsearch v8 is used. Source: CVE-2024-52032
  3. CVE-2024-36250 - Mattermost MFA Code Replay Attack: Mattermost versions 9.11.x <= 9.11.2 and 9.5.x <= 9.5.10 fail to protect the MFA code against replay attacks, allowing an attacker to reuse an MFA code within ~30 minutes. Source: CVE-2024-36250
  4. CVE-2024-51598 - Kendysond Selar.Co Widget XSS Vulnerability: Kendysond Selar.Co Widget has a vulnerability that allows DOM-Based XSS. This issue affects Selar.Co Widget versions from n/a through the latest. Source: CVE-2024-51598
  5. CVE-2024-51599 - Russell Albin Simple Business Manager XSS Vulnerability: Russell Albin Simple Business Manager has a vulnerability that allows Stored XSS. This issue affects Simple Business Manager versions from n/a through the latest. Source: CVE-2024-51599

API Security

  1. CVE-2024-42000 - Mattermost Unauthorized Access to Private Channels: Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1, 9.5.x <= 9.5.9, and 10.0.x <= 10.0.0 have a security flaw that fails to properly authorize requests to /api/v4/channels. This allows a User or System Manager with "Read Groups" permission but without access to channels to retrieve details about private channels they are not a member of. Source: vulners.com

Sponsored by Wallarm API Security Solution

Final Words

And that's a wrap for today's edition of Secret CISO. From the intensifying regulatory scrutiny around data security to the alarming reality of leaked Social Security numbers, we've covered a lot of ground. We've also delved into the potential of quantum technology in avoiding IoT nightmares and the importance of MFA and data backups in maintaining security compliance.

Remember, in the world of cybersecurity, knowledge is power. So, don't keep this valuable information to yourself. Share this newsletter with your friends and colleagues to keep them in the loop. After all, cybersecurity is a collective effort.

Stay safe, stay informed, and see you in the next edition of Secret CISO.


By Secret CISO