Secret CISO 11/15: Cisco's second data breach, Massachusetts reports 2000 breaches, Oak Valley Hospital settles data breach lawsuit, DemandScience leaks 122M records

Welcome to today's edition of Secret CISO, your daily dose of the latest in cybersecurity news. Today, we're diving into a series of data breaches and security issues that have been making headlines.

First up, the Department of Information and Communications Technology (DICT) in the Philippines has denied a data leak in the government's eGovPH app. Meanwhile, Massachusetts has reported over 2000 data breaches this year, affecting various industries from banking to healthcare. In other news, Oak Valley Hospital in California has reached a settlement over a data breach that occurred in 2023. On a similar note, Americans affected by a data breach at Ardagh Glass in 2021 could receive up to $11k as part of a class action settlement.

Cisco's network has allegedly been breached for the second time in a matter of weeks, with company data being advertised for sale online. TEAM Software also suffered a data breach, exposing personal information of its users. In the realm of cloud security, we explore how businesses are harnessing the power of AI for a secure future in AWS. We also delve into the questions Georgetown University still hasn't answered about its data leak, and the ongoing data breach coverage fight at Home Depot.

Lastly, we look at the challenges the Department of Health and Human Services (HHS) continues to face in carrying out its cybersecurity responsibilities, and the legal claims being investigated in relation to the data breach at Thompson Coburn. Stay tuned for more updates and remember, knowledge is the first line of defense in cybersecurity. Stay safe and secure!

Data Breaches

  1. DICT denies data leak in eGovPH app: The Department of Information and Communications Technology (DICT) has refuted claims of a data breach on the government's one-stop app, eGovPH. The department has assured users that their data remains secure. Source: GMA News Online
  2. More than 2000 data breaches reported in Massachusetts so far in 2024: Data breaches have hit various industries in Massachusetts, with over 2000 reported cases in 2024 alone. The affected sectors include banking, healthcare, education, retail, manufacturing, and hospitality. Source: Milford Daily News
  3. Oak Valley Hospital Reaches Settlement in Class Action over Data Breach: Oak Valley Hospital in California has reached a settlement in a class action related to a 2023 data breach. The details of the settlement have not been disclosed. Source: JD Supra
  4. Second threat actor claims Cisco data breach: Cisco's network has reportedly been breached a second time in a matter of weeks, with company data being advertised for sale online. The identity of the threat actor remains unknown. Source: Cyber Daily
  5. Data breach exposes 122M records from DemandScience following initial denials: A data breach at DemandScience has exposed 122 million records. The company initially denied the breach, but security researcher Troy Hunt has confirmed the data's authenticity. Source: SiliconANGLE

Security Research

  1. 'Gen Z workers: values matter, and so does financial security': New research from Ateneo de Manila University suggests that Gen Z workers place a high value on financial security, a factor that employers should consider when recruiting and retaining talent. Source: Asia Research News
  2. 'HackerOne urges U.S. to advocate for research protections in UN cybercrime treaty': HackerOne has written a letter to top U.S. officials warning that the vague language in the UN cybercrime treaty could undermine ethical security research. Source: CyberScoop
  3. 'Data breach exposes 122M records from DemandScience following initial denials': Security researcher Troy Hunt has confirmed that a data breach at DemandScience is authentic and has exposed 122 million records. Source: SiliconANGLE
  4. 'Canada urged to cut government-funded research collaborations with China: report': A new report suggests that the Canadian government should cut its research collaborations with China in order to prioritize the safety and security of Canadians. Source: CTV News
  5. 'Iranian Threat Actors Mimic North Korean Job Scam Techniques': Iranian state hackers are reportedly using tactics similar to those of North Korean hackers to trick job seekers into downloading malware. Source: GovInfoSecurity

Top CVEs

  1. Incorrect control of environment variables in PostgreSQL PL/Perl (CVE-2024-10979): An unprivileged database user can change sensitive process environment variables (e.g. PATH), enabling arbitrary code execution. This affects versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21. Source: CVE-2024-10979
  2. DomPDF before version 2.0.0 vulnerable to PHAR deserialization (CVE-2021-3838): Lack of checking on the protocol before passing it into the file_get_contents() function allows an attacker to unserialize the uploaded file and instantiate arbitrary PHP objects, leading to remote code execution. Source: CVE-2021-3838
  3. Keycloak package flaw allows LDAP injection (CVE-2022-2232): An attacker can utilize an LDAP injection to bypass the username lookup or potentially perform other malicious activities. Source: CVE-2022-2232
  4. Remote command execution vulnerability in gogs/gogs (CVE-2022-1884): Improper validation of the tree_path parameter during file uploads allows an attacker to upload a file into the .git directory, potentially leading to remote command execution. This affects gogs/gogs versions <=0.12.7 when deployed on a Windows server. Source: CVE-2022-1884
  5. Stored Cross-site Scripting (XSS) vulnerability in Pricing Rules of pimcore/pimcore (CVE-2023-2332): The vulnerability is present in the From and To fields of the Date Range section, allowing an attacker to inject malicious scripts. This can lead to the execution of arbitrary JavaScript code in the user's browser, potentially stealing cookies or redirecting users to malicious sites. The issue is fixed in version 10.5.19. Source: CVE-2023-2332

API Security

  1. CVE-2024-10924: The Really Simple Security plugins for WordPress versions 9.0.0 to 9.1.1.1 are vulnerable to authentication bypass due to improper user check error handling in the two-factor REST API actions. This allows unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "Two-Factor Authentication" setting is enabled. Source: CVE-2024-10924
  2. Missing ratelimit on password resets in zenml: zenml-io/zenml version 0.56.4 is vulnerable to an account takeover due to the lack of rate-limiting in the password change function. An attacker can brute-force the current password in the 'Update Password' function, allowing them to take over the user's account. Source: Missing ratelimit on password resets in zenml
  3. CVE-2024-3501: In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists due to the inclusion of single-use tokens in the responses of GET /v1/users/me and GET /v1/users/me/org API endpoints. These tokens, intended for sensitive operations such as password resets or account verification, are exposed to unauthorized actors. Source: CVE-2024-3501
  4. CVE-2024-52505: matrix-appservice-irc, a Node.js IRC bridge for the Matrix messaging protocol, contains a vulnerability which can lead to arbitrary IRC command execution as the bridge IRC bot. The vulnerability has been patched in matrix-appservice-irc version 3.0.2. Source: CVE-2024-52505
  5. CVE-2024-52302: common-user-management, a robust Spring Boot application featuring user management services, has a critical security vulnerability in the application endpoint /api/v1/customer/profile-picture. This endpoint allows file uploads without proper validation or restrictions, enabling attackers to upload malicious files that can lead to Remote Code Execution. Source: CVE-2024-52302

Sponsored by Wallarm API Security Solution

Final Words

That's it for today's edition of the Secret CISO newsletter. We've covered a lot of ground, from the DICT denying data leaks in the eGovPH app, to the unsettling rise of data breaches in Massachusetts, and the ongoing investigations into the data breaches at Oak Valley Hospital and TEAM Software. In the cloud, we looked at how AI is being harnessed for a more secure future, while on the ground, we delved into the questions Georgetown still hasn't answered about their data leak.

We also touched on the potential $11k payout for Americans as part of a data breach settlement, and the second threat actor claiming a Cisco data breach. In the world of research, we explored the values and financial security concerns of Gen Z workers, and the call for research protections in the UN cybercrime treaty. We also highlighted the alarm sounded by a national security expert on Tulsi Gabbard, and the ongoing challenges faced by the HHS in carrying out its cybersecurity responsibilities. Remember, staying informed is the first step in staying secure.

If you found this newsletter helpful, please consider sharing it with your colleagues and friends to help them stay informed as well. Stay safe, stay secure, and see you in the next edition of Secret CISO.

By Secret CISO