Good morning, Secret CISO readers! Today's newsletter is packed with critical updates from the world of cybersecurity.

Firstly, we delve into the major security breach that saw blueprints for English prisons leaked online, a serious violation of IT security that has raised alarm bells across the UK's Ministry of Justice. In other news, genetic testing company 23andMe is granting settlement money to individuals affected by a data breach, with some recipients receiving as much as $10,000. Meanwhile, Ford has denied recent allegations of a data breach, assuring customers that their data remains safe and that the information circulating online belongs to a third party.

We also look at the latest developments in China's data security regulations, the acquisition of Adlumin by N-able to unify IT operations and security operations, and new approaches to cybersecurity training that aim to empower the human firewall. Lastly, we explore a series of recent data breaches, including a shocking leak from a helpline for Yakuza victims, a ransomware attack on Change Healthcare, and a breach at Humboldt IPA affecting an unknown number of individuals. Stay tuned for more updates and remember, knowledge is the best defense against cyber threats. Stay safe!

Data Breaches

1. Blueprints for English prisons leaked online in major security breach: In a significant security breach, blueprints for English prisons were leaked online, potentially compromising the security of these institutions. The breach has been described as a "very serious breach of IT security". Source: The Independent
2. 23andMe granting settlement money to people whose information was affected by data breach: Genetic testing company 23andMe is granting settlement money to individuals whose information was compromised in a data breach. Some affected individuals could receive as much as $10,000. Source: kens5.com
3. Ford denies it was hit by data breach, says customer data is safe: Ford has denied recent allegations of a data breach, asserting that the information circulating online belongs to a third party and that customer data remains secure. Source: Yahoo
4. UMC Health System provides timeline of data security incident: UMC Health System has provided a timeline of a recent data security incident, although specific details about the nature and impact of the incident have not been disclosed. Source: KCBD
5. Lazarus Naturals to Pay $300,000 to Settle Data Breach Suit: Lazarus Naturals, a CBD product manufacturer, has agreed to pay $300,000 to settle a class action lawsuit alleging it failed to protect the personal information of over 42,000 people exposed in a 2023 data breach. Source: Bloomberg Law News

Security Research

1. NCITE Welcomes Three Research-to-Practice Fellows: The National Counterterrorism, Innovation, Technology, and Education (NCITE) Center at the University of Nebraska Omaha has welcomed three Research-to-Practice Fellows. The fellows, including national security expert Jenna Hopkins, will contribute their expertise to NCITE's mission of developing effective counterterrorism solutions. Source: University of Nebraska Omaha
2. 2024 saw a surge in malicious free VPN apps: Security Expert Vasily Kolesnikov warns of a significant increase in malicious free VPN apps in 2024. Users are often lured into these traps, thinking they are getting a free service, but instead, they are exposing themselves to potential security threats. Source: TechRadar
3. Push Security Highlights Cross-IdP Impersonation Threat to SSO Security: Security researchers at Push Security have identified a new technique called “Cross-IdP Impersonation” that allows attackers to hijack single sign-on (SSO) sessions. This discovery highlights the need for robust security measures in SSO systems. Source: SDxCentral
4. This popular Windows utility for ZIP files has a dangerous vulnerability: A dangerous vulnerability has been discovered in a popular Windows utility for ZIP files by Trend Micro's Zero Day Initiative. The vulnerability was first discovered by Trend Micro Security researcher Nicholas Zubrisky back in June of this year. Source: Tom's Guide
5. Google AI Tool Finds 26 Bugs in Open-Source Projects: Google's AI tool has successfully identified 26 bugs in various open-source projects. This achievement underscores the potential of AI in enhancing cybersecurity measures and the importance of continuous vulnerability scanning in software development. Source: GovInfoSecurity

Top CVEs

1. NVIDIA Delegated Licensing Service Vulnerability (CVE-2024-0122): This vulnerability could allow an attacker to cause an unauthorized action, potentially leading to partial denial of service and confidential information disclosure. Source: CVE-2024-0122
2. Microsoft Edge Spoofing Vulnerability (CVE-2024-49054): This vulnerability could allow an attacker to spoof the UI of Microsoft Edge, potentially leading to phishing attacks or other security breaches. Source: CVE-2024-49054
3. NVIDIA Base Command Manager Vulnerability (CVE-2024-0138): This vulnerability could allow an attacker to execute code, cause denial of service, escalate privileges, disclose information, and manipulate data. Source: CVE-2024-0138
4. IBM Db2 Denial of Service Vulnerability (CVE-2024-41761): This vulnerability could allow an attacker to crash the server under certain conditions with a specially crafted request, leading to a denial of service. Source: CVE-2024-41761
5. BlueZ HID over GATT Profile Vulnerability (CVE-2024-8805): This vulnerability could allow network-adjacent attackers to execute arbitrary code on affected installations of BlueZ, potentially leading to unauthorized access or data breaches. Source: CVE-2024-8805

API Security

1. Zimbra GraphQL Cross-Site Request Forgery Information Disclosure Vulnerability (CVE-2024-9665): A vulnerability in Zimbra allows remote attackers to disclose sensitive information from affected installations. The flaw lies in the implementation of the graphql endpoint and its lack of protections against CSRF attacks. User interaction, such as opening a malicious email, is required to exploit this vulnerability. Source: CVE-2024-9665
2. Macrozheng Mall JWT Token Handler Vulnerability (CVE-2024-11619): A problematic vulnerability has been found in Macrozheng Mall up to version 1.0.3. The issue lies in the JWT Token Handler component, which can be manipulated to use a default cryptographic key. The vendor has been unresponsive to this disclosure. Source: CVE-2024-11619
3. Sentry Application Integration Client Secret Leak (GHSA-V5H2-Q2W4-GPCX): During routine testing, it was found that a specific error message generated by Sentry could include a plaintext Client ID and Client Secret for an application integration. The ID and Secret pair alone does not provide direct access to any data, but if abused, an attacker would also need to obtain a valid API token for a Sentry application. Source: GHSA-V5H2-Q2W4-GPCX
4. Logsign Unified SecOps Platform Missing Authentication Remote Code Execution Vulnerability (CVE-2024-5721): This vulnerability allows remote attackers to execute arbitrary code on affected installations of Logsign Unified SecOps Platform. The flaw exists within the implementation of the cluster HTTP API, which lacks authentication prior to allowing access to functionality. Source: CVE-2024-5721
5. Logsign Unified SecOps Platform HTTP API Hard-coded Cryptographic Key Remote Code Execution Vulnerability (CVE-2024-5722): This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Logsign Unified SecOps Platform. The issue results from using a hard-coded cryptographic key within the HTTP API. Source: CVE-2024-5722

Sponsored by Wallarm API Security Solution

Final Words

And that's a wrap for today's edition of Secret CISO. From prison blueprints leaking online to 23andMe granting settlement money for a data breach, we've covered a lot of ground. It's clear that the world of cybersecurity is as dynamic as ever, with new threats and challenges emerging daily. But remember, knowledge is power. By staying informed and vigilant, we can all play a part in safeguarding our digital landscape.

If you found this newsletter helpful, please consider sharing it with your colleagues and friends. Together, we can make a difference in the world of cybersecurity.

Stay safe, stay informed, and see you in the next edition of Secret CISO.