Secret CISO 12/12: US Banks and ParkMobile hit by data breaches, Byte Federal exposes 58K users, SecurityScorecard and Cequence reveal alarming research
Hello there, welcome to today's issue of Secret CISO. We have a lot to unpack today, so let's dive right in.
First up, a shocking report from SecurityScorecard reveals that a staggering 97% of leading U.S. banks have been impacted by third-party data breaches. The report calculates an overall security score for each bank, grading them from A to F based on ten predictive factors of a security breach.
Next, we turn our attention to ParkMobile, which has agreed to a $32.8 million settlement following a 2021 data breach that impacted about 21 million users. If you're a ParkMobile user in Michigan, you might be eligible for a settlement payment. In other news, Bitcoin ATM giant Byte Federal has reported a significant data breach, potentially affecting 58,000 customers. The personal data of thousands of customers may have been compromised, highlighting the urgent need for robust security measures in the cryptocurrency sector.
Meanwhile, authorities from Türkiye's postal service PTT have dismissed allegations of data leakage following the hacking of a nationwide highway system. As we approach the end of 2024, we're also taking a look back at some of the most significant security breaches of the year and what we can learn from them moving forward.
Finally, we're rounding up the latest research in cybersecurity, including a study from HP Wolf that reveals alarming security gaps threatening organizations. Stay tuned for more updates and remember, knowledge is power when it comes to cybersecurity.
Data Breaches
- SecurityScorecard Threat Intel Report: 97% of Leading U.S. Banks Impacted by Third-Party Data Breaches: A report by SecurityScorecard reveals that 97% of leading U.S. banks have been impacted by third-party data breaches. The company calculates an overall security score based on ten predictive factors of a security breach. Source: BusinessWire
- ParkMobile Data Breach Settlement: ParkMobile, a popular parking app, has agreed to a $32.8 million settlement following a data breach in 2021 that impacted about 21 million users. Source: Detroit Free Press
- Byte Federal Data Breach: Byte Federal, one of the largest Bitcoin ATM operators in the U.S., reported a data breach compromising the personal data of 58,000 customers. Source: TechCrunch
- Türkiye's Highway Transit App Breach: Authorities from Türkiye's postal service PTT have dismissed allegations of data leakage following the hacking of a nationwide highway system. Source: Hürriyet Daily News
- Center for Vein Restoration Data Breach Investigation: Edelson Lechtzin LLP is investigating claims on behalf of Center for Vein Restoration customers whose data may have been compromised. Source: GlobeNewswire
Security Research
- Researchers Uncover Symlink Exploit Allowing TCC Bypass in iOS and macOS: A security vulnerability in Apple's iOS and macOS was discovered that could sidestep the security measures if successfully exploited. The vulnerability has since been patched. Source: The Hacker News
- HP Wolf Security Study Reveals Platform Security Gaps That Threaten Organizations: HP Inc. conducted a security study that revealed significant gaps in platform security, posing threats to organizations. The study was conducted by the company's Business Information Security Officer and Principal Threat Researcher. Source: HP Newsroom
- Security roundup: Top AI stories in 2024: IBM X-Force researchers conducted an experiment to determine if parts of a conversation can be detected using a relatively easy method. The results of the experiment were part of the top AI stories in 2024. Source: Security Intelligence
- Cequence Security Research Reveals $2.58M Per Hour at Risk: Cequence, a leader in API security and bot management, revealed new insights from its CQ Prime threat research. The findings show that $2.58 million per hour is at risk due to cybercrime during the holiday shopping season. Source: GlobeNewswire
- US Sanctions Member of China's Cyber Hacker Army: The US Justice Department has sanctioned a member of China's cyber hacker army, citing court documents that reveal the individual worked as a security researcher for Sichuan Silence Technology Company. Source: Newsweek
Top CVEs
- CVE-2024-53677: A flaw in the file upload logic of Apache Struts, affecting versions from 2.0.0 to 6.4.0, could potentially be exploited. Users are advised to upgrade to version 6.4.0 to fix the issue. Source: vulners.com
- CVE-2024-49112: A vulnerability in Windows Lightweight Directory Access Protocol (LDAP) could potentially allow remote code execution. Users are advised to apply the necessary patches. Source: vulners.com
- CVE-2024-49138: A flaw in Windows Common Log File System Driver could potentially allow privilege escalation. Users are advised to apply the necessary patches. Source: vulners.com
- CVE-2024-49122: A vulnerability in Microsoft Message Queuing (MSMQ) could potentially allow remote code execution. Users are advised to apply the necessary patches. Source: vulners.com
- CVE-2024-49102: A flaw in Windows Routing and Remote Access Service (RRAS) could potentially allow remote code execution. Users are advised to apply the necessary patches. Source: vulners.com
API Security
- GitLab CE/EE Open Redirect Vulnerability (CVE-2024-9387): GitLab CE/EE, versions from 11.8 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2, have a vulnerability that could allow an attacker to perform an open redirect against a given releases API. Source: CVE-2024-9387
- GitLab CE/EE GraphQL Mutations Vulnerability (CVE-2024-12292): GitLab CE/EE, versions starting from 11.0 prior to 17.4.6, starting from 17.5 prior to 17.5.4, and starting from 17.6 prior to 17.6.2, have a vulnerability where sensitive information passed in GraphQL mutations may have been retained. Source: CVE-2024-12292
- Web3 Crypto Payments Unauthorized Access Vulnerability (CVE-2024-12265): The Web3 Crypto Payments by DePay for WooCommerce plugin for WordPress, versions up to and including 2.12.17, is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/depay/wc/debug REST API endpoint. Source: CVE-2024-12265
- AI Engine WordPress Plugin SQL Injection Vulnerability (CVE-2024-10499): The AI Engine WordPress plugin, versions before 2.6.5, does not sanitize and escape a parameter from one of its REST API endpoints before using it in a SQL statement, allowing admins to perform SQL injection. Source: CVE-2024-10499
- Planaday API Plugin for WordPress XSS Vulnerability (CVE-2024-11804): The Planaday API plugin for WordPress, versions up to and including 11.4, is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter due to insufficient input sanitization and output escaping. Source: CVE-2024-11804
Sponsored by Wallarm API Security Solution
Final Words
As we wrap up today's edition of Secret CISO, it's clear that the landscape of cybersecurity is ever-evolving. From the alarming statistic that 97% of leading U.S. banks have been impacted by third-party data breaches, to the unsettling news of personal data breaches affecting thousands of Bitcoin ATM users, it's evident that no sector is immune to these threats. But it's not all doom and gloom.
With each breach, we gain valuable insights and lessons that help us fortify our defenses and strategies. As we look back to move forward, we're reminded of the importance of robust security measures and the role each one of us plays in maintaining them. Remember, cybersecurity is not a destination, but a journey. It requires constant vigilance, learning, and adaptation.
So, let's continue this journey together, staying informed and proactive in the face of these challenges. If you found today's newsletter helpful, please consider sharing it with your friends and colleagues. After all, in the world of cybersecurity, knowledge is our best defense. Stay safe and see you in the next edition of Secret CISO!