Secret CISO 11/2: Rogers, Yahoo Settlement Claims, Car Wash Employee Data Exposed, Small Businesses Fight Back, Colorado State Security Breach, Summit Pathology Incident
Good Morning, Secret CISO readers! Today's newsletter is packed with the latest cybersecurity news, breaches, and updates. First up, Rogers and Yahoo account holders can now claim hundreds of dollars in settlement due to inadequate data security measures. In other news, a data breach at one of the country's largest car wash chains has exposed personal data from 52,000 employees.
Small businesses are also under the spotlight, with an increasing number falling victim to security attacks. However, they're not going down without a fight. Meanwhile, the fallout continues from the Colorado Secretary of State security breach, with calls for an outside investigation growing louder. In a significant data security incident, Summit Pathology has revealed that over 1.8 million patients were impacted. On the brighter side, KnowBe4 has released its 2025 Security Awareness Training module across all subscription levels, and the Privacy and Data Security Department is working hard to protect Connecticut residents' personal information and data.
Lastly, don't miss out on the final chance to score $4200 from a $900k data breach settlement. Stay tuned for more updates and remember, knowledge is power when it comes to data security. Stay safe out there!
Data Breaches
- Rogers and Yahoo Account Holders Settlement: Rogers and Yahoo account holders can claim hundreds of dollars in settlement due to data breaches caused by inadequate data security measures. The breaches occurred between 2013 and 2016. Source: blogTO
- Car Wash Employees Data Exposed: A data breach at one of the country's largest car wash chains exposed personal data of 52,000 employees. The company allegedly failed to keep the information secure as promised. Source: Westlaw Today
- Colorado Secretary of State Security Breach: Colorado's Secretary of State's office experienced a security breach, leading to calls for an outside investigation. The extent of the breach and the data compromised are yet to be determined. Source: YouTube
- Summit Pathology Data Security Incident: Summit Pathology and Summit Pathology Laboratories suffered a significant data security incident that impacted over 1.8 million patients. The nature of the compromised data is not yet clear. Source: teiss
- LA Housing Authority Breach: The Los Angeles Housing Authority confirmed a breach claimed by Cactus ransomware. The organization has yet to disclose when the attack was detected and if any sensitive data was exposed or stolen during the incident. Source: Bleeping Computer
Security Research
- Everfox Deepens Cyber Case Management Expertise with Yakabod: Everfox is enhancing its cyber case management capabilities by partnering with Yakabod. This collaboration aims to provide advanced security solutions to tackle emerging cyber threats. Source: GovInfoSecurity
- This Week In Security: Playing Tag, Hacking Cameras, And More: Security researchers have been discovering vulnerabilities and using these findings to attack real-world targets. This highlights the importance of continuous security updates and monitoring. Source: Hackaday
- Google's 'Big Sleep' AI Project Uncovers Real Software Vulnerabilities: Google's AI project, Big Sleep, has been designed to mimic the workflow of a human security researcher, successfully identifying real software vulnerabilities. This represents a significant advancement in automated security analysis. Source: PCMag
- The API Security Landscape 2024: According to Forrester's research, API security software has become a necessity rather than a luxury. This highlights the increasing importance of secure API design and implementation in today's digital landscape. Source: Forrester
- New Stealthy Strela Stealer Evades Security Tools: Cyble: Cyble researchers have discovered a new variant of the Strela Stealer that evades security defenses using obfuscated JavaScript and PowerShell commands. This underlines the need for advanced detection and mitigation strategies against evolving cyber threats. Source: The Cyber Express
Top CVEs
- CVE-2024-44019 - Missing Authorization in Renzo Johnson Contact Form 7 Campaign Monitor Extension: This vulnerability allows unauthorized access to functionality not properly constrained by ACLs. Users of Contact Form 7 Campaign Monitor Extension should update to the latest version to mitigate this issue. Source: Vulners
- CVE-2024-51492 - SVG File Vulnerability in Zusam: Prior to version 0.5.6, specially crafted SVG files uploaded to the service as images allow for unrestricted script execution on (raw) image load. This could potentially lead to theft of the target user’s long-lived session token. Users are advised to update to version 0.5.6 to fix the issue. Source: Vulners
- CVE-2024-49770 - Hidden Files Transfer Vulnerability in Oak Middleware Framework: By default, Oak does not allow transferring of hidden files with Context.send API. However, prior to version 17.1.3, this can be bypassed by encoding / as its URL encoded form %2F. This could potentially lead to unauthorized access to sensitive user data or server secrets. Users are recommended to update to version 17.1.3 to fix the issue. Source: Vulners
- CVE-2024-41741 - Username Disclosure Vulnerability in IBM TXSeries for Multiplatforms 10.1: This vulnerability could allow an attacker to determine valid usernames due to an observable timing discrepancy which could be used in further attacks against the system. IBM has not yet released a fix for this issue. Source: Vulners
- CVE-2024-41744 - Cross-Site Request Forgery in IBM CICS TX Standard 11.1: This vulnerability could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM has not yet released a fix for this issue. Source: Vulners
API Security
- Tenda AC6 15.03.05.19 API Endpoint Vulnerability (CVE-2024-10697): A critical vulnerability has been discovered in Tenda AC6 15.03.05.19's API Endpoint. The flaw lies in the function formWriteFacMac, which can be manipulated to lead to command injection. The attack can be launched remotely, and the exploit is publicly known. Source: vulners.com
- Path Traversal in Oak: Oak, a middleware framework, has a flaw in its Context.send API that allows the transfer of hidden files within the served root directory. This can be bypassed by encoding / as its URL encoded form %2F, potentially exposing sensitive user data or server secrets. Source: vulners.com
- Zusam SVG File Vulnerability (CVE-2024-51492): Zusam, a self-hosted private forum platform, has a vulnerability in its handling of SVG files. Specially crafted SVG files can lead to unrestricted script execution on image load, potentially leading to theft of the user’s long-lived session token. Source: vulners.com
- oak Context.send API Vulnerability (CVE-2024-49770): oak, a middleware framework, has a flaw in its Context.send API that allows the transfer of hidden files. This can be bypassed by encoding / as its URL encoded form %2F, potentially exposing sensitive user data or server secrets. Source: vulners.com
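The Oak path-traversal items above (CVE-2024-49770 in "Top CVEs" and the two "API Security" entries) all describe the same defect: a hidden-file check that looks at the raw request path, so a `/` encoded as `%2F` never produces a segment beginning with `.`. The following TypeScript is an added illustration, not oak's own code; the function names `naiveAllows` and `hardenedAllows` are hypothetical stand-ins for a static-file guard, and the point is that the check must run on the decoded, normalized path and reject anything that is still encoded afterwards.

```typescript
// Added example (not oak's code): hidden-file guard before vs. after hardening.
// A segment is "hidden" if it starts with "." but is not "." or "..".
function isHiddenSegment(seg: string): boolean {
  return seg.startsWith(".") && seg !== "." && seg !== "..";
}

// Weak guard: splits the *raw* request path on "/" only. "%2F" is not "/",
// so "static%2F.env" is one segment that does not start with "." and passes.
export function naiveAllows(rawPath: string): boolean {
  return !rawPath.split("/").some(isHiddenSegment);
}

// Hardened guard: decode once, refuse anything still percent-encoded
// (double encoding), split on both slash styles, refuse traversal and hidden
// segments. Returns true only when the file may be served.
export function hardenedAllows(rawPath: string): boolean {
  let decoded: string;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch {
    return false; // malformed escape sequence: fail closed
  }
  if (/%[0-9a-fA-F]{2}/.test(decoded)) return false; // double-encoded input
  const segments = decoded.split(/[\\/]+/).filter((s) => s.length > 0);
  if (segments.includes("..")) return false;          // traversal attempt
  return !segments.some(isHiddenSegment);
}

// Constructed sample paths, each labelled with the expected decisions.
export const SAMPLES: Array<[string, boolean, boolean]> = [
  // path,                 naive, hardened
  ["/static/app.js",       true,  true ],
  ["/static/.env",         false, false],
  ["/static%2F.env",       true,  false], // the CVE-2024-49770 pattern
  ["/static%252F.env",     true,  false], // double-encoded variant
  ["/static/%2e%2e/key",   true,  false], // encoded traversal
];

export function runSamples(): boolean {
  return SAMPLES.every(
    ([p, n, h]) => naiveAllows(p) === n && hardenedAllows(p) === h,
  );
}
```

Decoding exactly once and then rejecting any residual `%XX` is deliberate: decoding in a loop "until stable" is what lets double-encoded input sneak past a check that was only applied to the first layer, whereas refusing leftover escapes keeps the guard fail-closed.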
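The Zusam entries above (CVE-2024-51492 in "Top CVEs" and again under "API Security") describe a user-uploaded SVG that executes script when the image is opened directly, which is what exposes a long-lived session cookie. The TypeScript below is an added example, not Zusam's code; `svgHasActiveContent`, `svgUploadDecision` and `safeSvgHeaders` are hypothetical names. It shows the two layers a defender wants: a first-pass scan that rejects SVGs carrying scriptable content at upload time, and response headers that stop script from running even if a file slips through.

```typescript
// Added example (not Zusam's code): defending an SVG upload endpoint.

// Markup that turns an "image" into an executable document. This is a
// pre-filter only; encoding tricks can evade regexes, so the headers below
// are the real safety net.
const ACTIVE_SVG_PATTERNS: RegExp[] = [
  /<\s*script\b/i,                                   // <script>
  /\son[a-z]+\s*=/i,                                 // onload=, onclick=, ...
  /\b(?:href|xlink:href)\s*=\s*["']?\s*javascript:/i, // javascript: URLs
  /<\s*foreignObject\b/i,                            // embeds arbitrary HTML
  /<\s*(?:iframe|embed|object)\b/i,                  // nested documents
];

export function svgHasActiveContent(svg: string): boolean {
  return ACTIVE_SVG_PATTERNS.some((re) => re.test(svg));
}

export interface UploadDecision {
  accept: boolean;
  reason: string;
}

// Upload-time policy: anything claiming to be an SVG is scanned; anything
// else that *contains* an <svg> root is also treated as SVG (sniffing defence).
export function svgUploadDecision(contentType: string, body: string): UploadDecision {
  const looksLikeSvg = /image\/svg\+xml/i.test(contentType) || /<\s*svg\b/i.test(body);
  if (!looksLikeSvg) return { accept: true, reason: "not an SVG" };
  if (svgHasActiveContent(body)) {
    return { accept: false, reason: "SVG contains script-capable content" };
  }
  return { accept: true, reason: "SVG without active content" };
}

// Serve-time headers for user-supplied SVGs. "attachment" stops a direct
// navigation from rendering the file as a page (while <img> embedding, which
// never runs script, still works); the CSP blocks script if it is rendered
// anyway; nosniff stops content-type guessing.
export function safeSvgHeaders(): Record<string, string> {
  return {
    "Content-Type": "image/svg+xml",
    "Content-Disposition": "attachment",
    "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    "X-Content-Type-Options": "nosniff",
  };
}

// Constructed samples (benign bodies; only the markup shape matters).
export const CLEAN_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle r="4"/></svg>';
export const SCRIPT_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg"><script>void 0</script></svg>';
export const HANDLER_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" onload="void 0"><rect/></svg>';
```

If the application must let users open uploaded images directly, serving them from a separate, cookie-less origin (a dedicated media domain) removes the session-token exposure entirely, because nothing of value is in that origin's cookie jar; the headers above are the fallback when that separation is not possible.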
Sponsored by Wallarm API Security Solution
Final Words
And that's a wrap for today's edition of Secret CISO. We've covered a lot of ground, from the potential cash reimbursements for Rogers and Yahoo account holders due to data breaches, to the increasing security attacks on small businesses. We've also highlighted the ongoing fallout from the Colorado Secretary of State security breach and the significant data security incident that impacted over 1.8 million patients at Summit Pathology. Remember, staying informed is the first step in keeping your data secure.
Share this newsletter with your friends and colleagues to help them stay in the loop too.
Let's work together to create a safer digital world. Stay safe and see you tomorrow for more updates from the world of cybersecurity.