Secret CISO 11/4: Massive Data Breaches at Hong Kong Centres, Saint Xavier University, and Summit Pathology; RSA Report Reveals High Costs of Identity Breaches; Google AI Discovers SQLite Vulnerability

Hello Secret CISO readers! Today's newsletter is packed with critical updates on data breaches and security risks that have been making headlines. In Hong Kong, two prominent hearing and speech centres have confirmed a data breach impacting approximately 150,000 individuals.

Meanwhile, Saint Xavier University is notifying over 210,000 individuals that their personal information was compromised in a July 2023 data breach. With companies increasingly reliant on cloud services, Forbes discusses a strategic approach to cloud security automation and the security risks that come with the cloud's benefits.

A new report from RSA reveals significant challenges and changing dynamics around identity breaches, which are proving more costly than typical incidents. In a major data breach, over 1.8 million patients of Summit Pathology Laboratories have been affected. Investigations are also underway into data breaches at Landmark Admin and OnePoint Patient Care, each exposing the private personal and health information of roughly 800,000 individuals.

On the technical front, a Google AI system has found an SQLite vulnerability that fuzzing missed, an early demonstration of LLMs doing offensive security work. We'll also look at the latest in security research, including a maritime security research initiative in Sabah and a hiring guide for cybersecurity researchers.

Stay tuned for more updates and insights in today's edition of Secret CISO.

Data Breaches

  1. Data breach at Hong Kong hearing centres affects nearly 150,000 individuals: Two prominent hearing and speech centres in Hong Kong have confirmed a data breach impacting approximately 150,000 individuals. The nature of the compromised data is yet to be disclosed. Source: Dimsum Daily
  2. 210,000 Impacted by Saint Xavier University Data Breach: Saint Xavier University has notified over 210,000 individuals about a data breach that occurred in July 2023. The breach led to the compromise of personal information, the specifics of which are yet to be revealed. Source: SecurityWeek
  3. Major data breach affects over 1.8 million patients at Summit Pathology Laboratories: Colorado-based Summit Pathology Laboratories reported a significant data breach affecting over 1.8 million patients. The nature of the compromised data is yet to be disclosed. Source: Teiss
  4. PRIVACY ALERT: Landmark Admin Under Investigation for Data Breach of Over 806,000 Records: Schubert Jonckheer & Kolbe LLP is investigating a data breach impacting the private personal and health information of over 806,000 life insurance policyholders. The specifics of the compromised data are yet to be revealed. Source: PR Newswire
  5. PRIVACY ALERT: OnePoint Patient Care Under Investigation for Data Breach of Over 795,000 Patient Records: Schubert Jonckheer & Kolbe LLP is investigating a data breach impacting the private personal and health information of over 795,000 patients. The specifics of the compromised data are yet to be revealed. Source: PR Newswire

Security Research

  1. UMS leads blue economy, maritime security research initiative in Sabah: The University Malaysia Sabah (UMS) has initiated a comprehensive study on the seas surrounding Sabah to enhance maritime security and promote the blue economy. The research aims to provide data that will inform policy and decision-making. Source: The Star
  2. Shawn Whiteside Joins Sam Houston State University's Critical Infrastructure Research: Shawn Whiteside has joined the Critical Infrastructure Research Forum (CIRF) at Sam Houston State University's Institute for Homeland Security. His role in the Steering Committee will contribute to the development of security research and strategies. Source: HSToday
  3. Australia partners with the Philippines for 'cyber boot program': The Australian Cyber Security Cooperative Research Centre is partnering with the Philippines to launch a 'cyber boot program'. The initiative aims to enhance cybersecurity skills and awareness. Source: Cyber Daily
  4. Kaspersky Uncovers Global Cybercrime Campaign Targeting Fintech Users via Telegram: Kaspersky's security researchers have discovered a global cybercrime campaign that targets fintech users through Telegram. The campaign highlights the need for vigilance against suspicious emails and links. Source: Fintech News
  5. What is IDOR, the cyber security threat that has CERT-In worried: A security researcher has highlighted the threat of Insecure Direct Object References (IDOR), an access-control flaw in which an application fetches or modifies a record using an identifier supplied by the client (a user id, an invoice number, a file name) without checking that the caller is entitled to that record, so any authenticated user can reach other users' private data simply by changing the identifier. The issue has raised concerns at the Indian Computer Emergency Response Team (CERT-In). Source: Moneycontrol
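To make the IDOR item concrete, here is an added example (not code from the Moneycontrol article or from CERT-In) of the flaw beside its fix. The invoice table, user ids and function names are constructed for illustration; the point is the ownership check in the hardened lookup, and that a foreign record and a missing record produce the same error so the endpoint cannot be used to enumerate which ids exist.

```python
"""Insecure Direct Object Reference: a record lookup keyed only on a client-
supplied id, beside the hardened version that scopes the lookup to the caller.

Added, constructed example; the data and names are illustrative."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed sample data: two users, three invoices.
INVOICES = {
    101: Invoice(101, owner_id=1, amount=120.00),
    102: Invoice(102, owner_id=2, amount=99.50),
    103: Invoice(103, owner_id=1, amount=12.25),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


def get_invoice_vulnerable(caller_id: int, invoice_id: int) -> Invoice:
    """IDOR: the id from the request is trusted as-is. caller_id is ignored,
    so any authenticated user who guesses an invoice number reads it."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise LookupError("no such invoice")


def get_invoice_hardened(caller_id: int, invoice_id: int) -> Invoice:
    """Object-level authorization: the lookup is scoped to the caller.
    A foreign invoice and a missing invoice yield the same error, so the
    response does not reveal which ids exist."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != caller_id:
        raise Forbidden("invoice not found")
    return inv


def enumerate_readable(fetch, caller_id: int, id_range) -> list[int]:
    """Simulate an attacker walking the id space; return the ids that
    came back successfully."""
    found = []
    for i in id_range:
        try:
            fetch(caller_id, i)
            found.append(i)
        except (LookupError, Forbidden):
            pass
    return found


if __name__ == "__main__":
    # User 2 owns only invoice 102.
    print("vulnerable:", enumerate_readable(get_invoice_vulnerable, 2, range(100, 110)))
    print("hardened:  ", enumerate_readable(get_invoice_hardened, 2, range(100, 110)))
```

Usage note: the same shape applies to any endpoint that takes a `user_id`, `order_id` or file name from the request. The fix is not to hide or randomize the identifier but to make every read and write assert the caller's relationship to the object on the server.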

Top CVEs

  1. CVE-2024-10736 - Codezips Free Exam Hall Seating Management System 1.0 Vulnerability: A critical vulnerability was found in Codezips Free Exam Hall Seating Management System 1.0, affecting the file /student.php. The manipulation of the 'email' argument can lead to SQL injection, with the attack potentially initiated remotely. Source: Vulners
  2. CVE-2024-10741 - E-Health Care System 1.0 Vulnerability: A critical vulnerability was found in code-projects E-Health Care System 1.0, affecting the file /Users/registration.php. The manipulation of the 'f_name' argument can lead to SQL injection, with the attack potentially initiated remotely. Source: Vulners
  3. CVE-2024-10745 - PHPGurukul Online Shopping Portal 2.0 Vulnerability: A problematic vulnerability was found in PHPGurukul Online Shopping Portal 2.0, affecting the file /admin/assets/plugins/DataTables/media/unit_testing/templates/deferred_table.php. The manipulation of the 'scripts' argument can lead to cross-site scripting, with the attack potentially initiated remotely. Source: Vulners
  4. CVE-2024-10742 - Wazifa System 1.0 Vulnerability: A critical vulnerability was found in code-projects Wazifa System 1.0, affecting the file /controllers/control.php. The manipulation of the 'to' argument can lead to SQL injection, with the attack potentially initiated remotely. Source: Vulners
  5. CVE-2024-10758 - Content Management System and News-Buzz 1.0 Vulnerability: A critical vulnerability was found in code-projects/anirbandutta9 Content Management System and News-Buzz 1.0, affecting the file /index.php. The manipulation of the 'user_name' argument can lead to SQL injection, with the attack potentially initiated remotely. Source: Vulners
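All five entries above share one root cause: a request argument (`email`, `f_name`, `to`, `user_name`, `scripts`) is pasted into a SQL statement or an HTML page as-is. The following is an added example, not the code of any of the affected projects, showing the string-built query beside the parameterized one against a constructed in-memory SQLite table, plus the output-encoding fix for the reflected XSS entry. The table, rows and the `' OR '1'='1` payload are constructed for illustration.

```python
"""SQL injection through a trusted request argument, with the parameterized
fix beside it, and HTML output encoding for a reflected XSS sink.

Added, constructed example run against an in-memory SQLite database."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for a student/user table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE student (id INTEGER, email TEXT, seat TEXT)")
    con.executemany(
        "INSERT INTO student VALUES (?, ?, ?)",
        [(1, "ana@example.edu", "A-12"),
         (2, "ben@example.edu", "B-03"),
         (3, "cal@example.edu", "C-07")],
    )
    return con


def lookup_seat_vulnerable(con: sqlite3.Connection, email: str) -> list:
    """String-built query: the 'email' value becomes part of the SQL text,
    so a quote in the input changes the statement's structure."""
    sql = "SELECT id, email, seat FROM student WHERE email = '" + email + "'"
    return con.execute(sql).fetchall()


def lookup_seat_hardened(con: sqlite3.Connection, email: str) -> list:
    """Parameterized query: the driver passes the value separately from the
    statement, so it is only ever compared as data."""
    return con.execute(
        "SELECT id, email, seat FROM student WHERE email = ?", (email,)
    ).fetchall()


def render_cell_vulnerable(scripts: str) -> str:
    """Reflects a request parameter straight into HTML (reflected XSS)."""
    return "<td>" + scripts + "</td>"


def render_cell_hardened(scripts: str) -> str:
    """HTML text-context encoding. Attribute, URL and JavaScript contexts
    each need their own encoder; html.escape alone is not enough there."""
    return "<td>" + html.escape(scripts, quote=True) + "</td>"


# Constructed attacker inputs.
SQLI_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = "<script>alert(1)</script>"


if __name__ == "__main__":
    con = make_db()
    print(lookup_seat_vulnerable(con, SQLI_PAYLOAD))  # every row comes back
    print(lookup_seat_hardened(con, SQLI_PAYLOAD))    # no row has that literal email
    print(render_cell_vulnerable(XSS_PAYLOAD))
    print(render_cell_hardened(XSS_PAYLOAD))
```

Usage note: the tautology payload turns `WHERE email = ''` into `WHERE email = '' OR '1'='1'`, which matches every row; with a bound parameter the same string is simply an email address nobody has. Prepared statements (PDO or mysqli with bound parameters in the PHP apps listed above) are the fix, not input filtering.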

API Security

  1. CVE-2024-51560: A vulnerability in Wave 2.0 allows an authenticated remote attacker to exploit improper exception handling for invalid inputs at a certain API endpoint. The attacker can generate an error message containing sensitive information by providing invalid inputs for the “userId” parameter in the API request. Source: vulners.com
  2. CVE-2024-51558: Wave 2.0 has a vulnerability due to missing restrictions for excessive failed authentication attempts on its API-based login. A remote attacker could exploit this vulnerability by conducting a brute force attack against legitimate user OTP, MPIN, or password, potentially gaining unauthorized access. Source: vulners.com
  3. CVE-2024-51559: Another vulnerability in Wave 2.0 is due to a missing authorization check on certain API endpoints. An authenticated remote attacker could exploit this vulnerability by manipulating the “user_id” parameter through API request URLs, leading to unauthorized creation, modification, and deletion of alerts. Source: vulners.com
  4. CVE-2024-51557: Wave 2.0 has a vulnerability due to missing rate limiting on OTP requests in an API endpoint. An authenticated remote attacker could exploit this vulnerability by sending multiple OTP requests through the vulnerable API endpoint, leading to OTP bombing/flooding. Source: vulners.com
  5. CVE-2024-51561: Aero has a vulnerability due to improper implementation of OTP validation mechanism in certain API endpoints. An authenticated remote attacker could exploit this vulnerability by intercepting and manipulating the responses exchanged during the second factor authentication process, potentially bypassing OTP verification. Source: vulners.com
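Four of the five findings above are missing server-side controls rather than exotic bugs. As an added example (not the vendors' code; the thresholds, credential store and user table are constructed), here is one small in-memory authentication service that implements the controls the advisories imply: a lockout after repeated failed logins (item 2), a sliding-window cap on OTP issuance per user (item 4), OTP verification whose state and decision never leave the server (item 5), and a generic client error with the exception detail kept in the server log (item 1). The `FakeClock` exists only so expiry and windows can be exercised without sleeping.

```python
"""Server-side authentication controls: login lockout, OTP issuance rate
limit, server-held OTP verification, and sanitized error responses.

Added, constructed example; thresholds and demo data are illustrative."""
import hmac
import secrets
import time
from collections import defaultdict, deque

MAX_FAILED_LOGINS = 5        # lock the account after this many failures
LOCKOUT_SECONDS = 900        # for this long
OTP_REQUESTS_PER_WINDOW = 3  # at most this many OTPs per user
OTP_WINDOW_SECONDS = 600     # per sliding window of this length
OTP_TTL_SECONDS = 300        # an issued OTP expires after this long
OTP_MAX_VERIFY_ATTEMPTS = 3  # wrong guesses before the OTP is discarded


class FakeClock:
    """Settable clock for exercising expiry and windows without sleeping."""
    def __init__(self, start: float = 1000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


class AuthService:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failed = defaultdict(int)        # user -> consecutive failures
        self.locked_until = {}                # user -> unlock time
        self.otp_issued = defaultdict(deque)  # user -> OTP issue timestamps
        self.otps = {}                        # user -> (code, expiry, attempts left)
        self.log = []                         # stands in for the server log
        # Constructed demo store; a real service stores password hashes.
        self.passwords = {"alice": "correct horse"}
        self.users = {1: "alice"}

    def login(self, user: str, password: str) -> dict:
        """Item 2: after MAX_FAILED_LOGINS misses the account is locked, so a
        brute force stalls instead of running until it hits."""
        now = self.clock()
        if self.locked_until.get(user, 0) > now:
            return {"ok": False, "error": "authentication failed"}
        expected = self.passwords.get(user)
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            self.failed[user] = 0
            return {"ok": True}
        self.failed[user] += 1
        if self.failed[user] >= MAX_FAILED_LOGINS:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failed[user] = 0
        return {"ok": False, "error": "authentication failed"}  # same text either way

    def request_otp(self, user: str) -> dict:
        """Item 4: sliding-window cap on OTP issuance per user. The code is
        kept server-side and would be delivered out of band, never returned."""
        now = self.clock()
        issued = self.otp_issued[user]
        while issued and now - issued[0] > OTP_WINDOW_SECONDS:
            issued.popleft()
        if len(issued) >= OTP_REQUESTS_PER_WINDOW:
            return {"ok": False, "error": "too many requests"}
        issued.append(now)
        code = f"{secrets.randbelow(10**6):06d}"
        self.otps[user] = (code, now + OTP_TTL_SECONDS, OTP_MAX_VERIFY_ATTEMPTS)
        return {"ok": True}

    def verify_otp(self, user: str, submitted: str) -> bool:
        """Item 5: the only client input is the submitted code. The pass/fail
        decision, TTL, attempt budget and single-use rule all live here, so
        tampering with any response cannot flip the outcome."""
        now = self.clock()
        entry = self.otps.get(user)
        if entry is None:
            return False
        code, expiry, attempts = entry
        if now > expiry or attempts <= 0:
            self.otps.pop(user, None)
            return False
        if hmac.compare_digest(code.encode(), submitted.encode()):
            self.otps.pop(user, None)  # single use
            return True
        self.otps[user] = (code, expiry, attempts - 1)
        return False

    def get_user(self, user_id) -> dict:
        """Item 1: invalid input must not surface as an exception dump."""
        try:
            return {"ok": True, "user": self.users[int(user_id)]}
        except Exception as exc:  # broad on purpose: this is the API boundary
            self.log.append(f"get_user({user_id!r}) failed: {exc!r}")
            return {"ok": False, "error": "invalid request"}
```

Usage note: the authorization gap in item 3 (a `user_id` taken from the URL and trusted) is the IDOR pattern from the research section and is fixed the same way, by scoping every alert operation to the authenticated caller rather than to the id in the request.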

Sponsored by Wallarm API Security Solution

Final Words

And that's a wrap for today's edition of Secret CISO. We've covered a lot of ground, from data breaches affecting hundreds of thousands of individuals to strategic approaches to cloud security automation. We've also delved into the cost of identity breaches and the ongoing investigations into major data breaches. Remember, in the world of cybersecurity, knowledge is power. The more we know, the better we can protect ourselves and our organizations.

So, don't keep this valuable information to yourself.

Share Secret CISO with your friends and colleagues so they can stay informed too.

Stay safe, stay informed, and keep an eye out for tomorrow's edition of Secret CISO. Until then, remember - the secret to cybersecurity is constant vigilance.

By Secret CISO