Secret CISO 11/12: Amazon Employee Data Exposed, Project Hospitality and Ahold Delhaize Cyberattacks, Google and UKRI Bolster Cybersecurity Research


Good morning, Secret CISO readers! Today's newsletter is packed with the latest cybersecurity news, starting with a major data breach at Amazon. The e-commerce giant confirmed that employee contact details were exposed through a third-party vendor, although it assured that no sensitive data was compromised. The data was taken when that vendor was compromised through the 2023 MOVEit Transfer vulnerability, a reminder of how long a supply-chain incident can keep surfacing after the initial exploitation. In other news, grocery giant Ahold Delhaize's US operations were disrupted by a cyberattack, highlighting the increasing threats faced by the retail industry.

Meanwhile, a data breach at Project Hospitality has led to a lawsuit, with affected individuals potentially able to take action. On the legal front, the Supreme Court is set to rule on a data breach lawsuit against Facebook, filed by a group of shareholders accusing the social media giant of misleading them about misuse of user data.

Also in the news, the FBI has warned US organizations that cybercriminals are sending fake emergency data requests, abusing a process that is meant to let law enforcement obtain user data without a court order in life-threatening situations. On the research front, a new UKRI-funded network is set to bolster the UK's cybersecurity research ecosystem.

Finally, we have a slew of new vulnerabilities to report, including a critical bug found in end-of-life NAS devices by D-Link, which the company has decided not to fix. Stay tuned for more detailed coverage of these stories and more in today's Secret CISO newsletter. Stay safe and secure!

Data Breaches

  1. Amazon Employee Data Breach: Amazon confirmed that employee contact details were exposed through a third-party vendor that was compromised via the MOVEit Transfer vulnerability. The company said no sensitive personal data was involved. Source: India Today, Digit, Mathrubhumi, Money Control, Tech in Asia
  2. Project Hospitality Data Breach: Project Hospitality Inc. experienced a data breach, potentially exposing the information of its clients. Those affected may be able to take legal action. Source: ClassAction.org
  3. Ahold Delhaize Cyberattack: Grocery giant Ahold Delhaize's US operations were disrupted by a cyberattack. The company's former information security leader for U.S. operations, Jennifer Watson, is now the global CISO. Source: Cybersecurity Dive
  4. Set Forth Data Breach: Set Forth experienced a data breach that exposed personal information, including names, social security numbers, dates of birth, and addresses. Legal claims are being investigated. Source: Globe Newswire
  5. Hot Topic Data Breach: Have I Been Pwned warns of an alleged data breach at Hot Topic that exposed the personal information of over 57 million accounts. Source: Bleeping Computer

Security Research

  1. Beware This New $2,000 "We Know Where You Live" Google Maps Scam: Security researchers have uncovered an extortion scam in which the demand is made more credible by including Google Maps imagery of the victim's own home; the apparent proximity of the threat is used to pressure victims into paying larger sums. Source: Forbes
  2. Google Chrome Warning—New Drive-By Cyber Attack, No 0-Day Needed: A security researcher at Imperva has reported a new drive-by cyber attack that doesn't require a 0-day exploit. This type of attack is typically reserved for spy agencies and state-sponsored entities. Source: Forbes
  3. New UKRI-funded network to bolster UK's cyber security research ecosystem: The Cyber Security Research and Networking Environment (CRANE) NetworkPlus, supported by a £6 million investment from UKRI's Engineering and Physical Sciences Research Council (EPSRC), aims to strengthen the UK's cyber security research ecosystem. Source: Oxford University
  4. CHERI Alliance Officially Launches, Adds Major Partners including Google, to Tackle Cybersecurity Threats at the Hardware Level: The CHERI Alliance, which promotes the Capability Hardware Enhanced RISC Instructions architecture for hardware-enforced memory safety, has officially launched with Google among its new partners. Source: Pressat
  5. New Ymir Ransomware Exploits Memory for Stealthy Attacks; Targets Corporate Networks: The new Ymir ransomware runs its payload largely in memory, reducing the on-disk footprint that traditional detection relies on, and has been observed against corporate networks, according to Kaspersky researcher Cristian Souza. Source: The Hacker News

Top CVEs

  1. CVE-2024-10179 - Slickstream: Engagement and Conversions plugin for WordPress: This plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping on user supplied attributes. This allows authenticated attackers to inject arbitrary web scripts in pages. Source: vulners.com
  2. CVE-2024-10245 - Relais 2FA plugin for WordPress: This plugin is vulnerable to authentication bypass due to incorrect authentication and capability checking. This allows unauthenticated attackers to log in as any existing user on the site. Source: vulners.com
  3. CVE-2024-10323 - JetWidgets For Elementor plugin for WordPress: This plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows authenticated attackers to inject arbitrary web scripts in pages. Source: vulners.com
  4. CVE-2024-45827 - Mesh Wi-Fi router RP562B firmware: This firmware has an improper neutralization of special elements used in an OS command (OS command injection) issue. This allows a network-adjacent authenticated attacker to execute arbitrary OS commands. Source: vulners.com
  5. CVE-2024-45088 - IBM Maximo Asset Management: This software is vulnerable to stored cross-site scripting. This allows authenticated users to embed arbitrary JavaScript code in the Web UI, potentially leading to credentials disclosure. Source: vulners.com

API Security

  1. CVE-2024-46894 - SINEC INS API Authorization Flaw: A vulnerability in Siemens SINEC INS (all versions < V1.0 SP2 Update 3) has been discovered. The application does not correctly validate a user's authorization to query the "/api/sftp/users" endpoint. This could allow an authenticated remote attacker to learn the list of configured users of the SFTP service and potentially modify that list. Source: vulners.com
  2. CVE-2024-46890 - SINEC INS Web API Input Validation Flaw: Another vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). The application does not properly validate input sent to specific endpoints of its web API. This could allow an authenticated remote attacker with high privileges on the application to execute arbitrary code on the underlying system. Source: vulners.com
  3. CVE-2024-10323 - JetWidgets For Elementor Plugin XSS via REST API SVG File Uploads: The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 1.0.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG. Source: vulners.com
  4. CVE-2024-52532 - GNOME libsoup WebSocket Data Reading Flaw: GNOME libsoup before 3.6.1 can enter an infinite loop with unbounded memory consumption while reading certain patterns of WebSocket data. This could lead to a Denial of Service (DoS). Source: vulners.com
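The JetWidgets item above is a reminder that an SVG is an XML document, not a bitmap: it can carry script elements, event-handler attributes and javascript: links, and it executes in the origin that serves it. The following is an added example, not code from the plugin or from any project in this newsletter. It is a pre-upload check that rejects the constructs that make an SVG executable, plus the response headers a practitioner would use when serving user-uploaded SVGs. The samples are constructed for the example; the function names and the exact policy (for instance, allowing data: URIs only on image elements) are the author's assumptions.

```python
"""Reject script-bearing SVG uploads before they are stored (added example)."""
import re
import xml.etree.ElementTree as ET

# Elements that can run script or pull in foreign content. Compared on the
# namespace-stripped, lower-cased local name because browsers are lenient.
DANGEROUS_ELEMENTS = {"script", "foreignobject", "iframe", "embed",
                      "object", "use", "animate", "set"}
# Attributes that take a URI and are therefore a vehicle for javascript: URLs.
URI_ATTRIBUTES = {"href", "src", "from", "to", "values"}
DANGEROUS_SCHEMES = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.I)
DANGEROUS_CSS = re.compile(r"(javascript|vbscript)\s*:|expression\s*\(", re.I)

# Constructed samples (not taken from any real upload).
SAMPLE_BENIGN = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
                 b'<circle cx="5" cy="5" r="4" fill="#09f"/></svg>')
SAMPLE_MALICIOUS = (b'<svg xmlns="http://www.w3.org/2000/svg" '
                    b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
                    b'<script>alert(document.cookie)</script>'
                    b'<a xlink:href="javascript:alert(2)"><text y="20">hi</text></a>'
                    b'</svg>')


def _local(qname):
    """'{http://www.w3.org/2000/svg}script' -> 'script' (also handles xlink:href)."""
    return qname.rsplit("}", 1)[-1].lower()


def find_svg_risks(svg_bytes):
    """Return a list of (reason, detail) tuples; an empty list means no risk found."""
    # Refuse DTDs outright: entity expansion is a DoS vector and no icon needs one.
    if b"<!DOCTYPE" in svg_bytes or b"<!ENTITY" in svg_bytes:
        return [("doctype", "DTD or entity declaration present")]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [("unparseable", str(exc))]

    risks = []
    if _local(root.tag) != "svg":
        risks.append(("root-not-svg", _local(root.tag)))

    for el in root.iter():  # includes the root element itself
        name = _local(el.tag)
        if name in DANGEROUS_ELEMENTS:
            risks.append(("element", name))
        if name == "style" and el.text and DANGEROUS_CSS.search(el.text):
            risks.append(("css", "style element"))
        for attr, value in el.attrib.items():
            a = _local(attr)
            if a.startswith("on"):  # onload, onclick, onmouseover, ...
                risks.append(("event-handler", f"{name}@{a}"))
            elif a in URI_ATTRIBUTES:
                m = DANGEROUS_SCHEMES.match(value)
                # Policy assumption: embedded raster data on <image> is allowed.
                if m and not (m.group(1).lower() == "data" and name == "image"):
                    risks.append(("uri-scheme", f"{name}@{a}"))
            elif a == "style" and DANGEROUS_CSS.search(value):
                risks.append(("css", f"{name}@style"))
    return risks


def is_safe_svg(svg_bytes):
    """True only when the upload parsed as SVG and no risky construct was found."""
    return find_svg_risks(svg_bytes) == []


def serving_headers():
    """Defence in depth for files that did pass the check (assumed policy).

    The CSP forbids script and external loads even if something slipped through,
    the sandbox directive isolates the document from the site origin, and the
    attachment disposition stops direct navigation from rendering it as a page
    while <img src> still displays it normally.
    """
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }


if __name__ == "__main__":
    for label, sample in (("benign", SAMPLE_BENIGN), ("malicious", SAMPLE_MALICIOUS)):
        print(label, "->", find_svg_risks(sample) or "clean")
```

The check runs on the raw bytes at the upload endpoint, before the file is written under the uploads directory, which is where the REST API path in the advisory matters: an Author-level account that can reach the upload route but cannot edit posts still ends up with a file that executes in the site's origin for anyone who opens it. Rejecting rather than sanitizing is the simpler policy; if you must accept and clean, do it with a maintained SVG sanitizer rather than by removing the matches found here.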

Sponsored by Wallarm API Security Solution

Final Words

And that's a wrap for today's edition of Secret CISO. As we've seen, even giants like Amazon aren't immune to data breaches, and the importance of robust cybersecurity measures cannot be overstated. Remember, security is not a one-time event but a continuous process. Stay vigilant, stay informed, and most importantly, stay secure. If you found this newsletter helpful, please consider sharing it with your colleagues and friends. Let's work together to create a safer digital world. Until next time, keep those firewalls up and those passwords strong!

P.S. Got a tip or a story to share? We'd love to hear from you. Reach out to us by replying to this email!

By Secret CISO