Secret CISO 12/13: Record Data Breaches in WA, Ames Goldsmith and Senior Dating Site Under Investigation, ParkMobile and USAA Settle, Krispy Kreme and Byte Federal Hacked, Microsoft 2FA Bypass Exposes 400M Users, AI Reshaping Security Landscape
Subject: Secret CISO Daily: Data Breach Epidemic and the Rising Tide of Security Concerns

Hello there,

In today's issue of Secret CISO, we're diving deep into a wave of data breaches that has swept across sectors, from state governments to dating websites and even doughnut chains.
Washington state has hit an all-time high, with 11.6 million data breach notices sent to residents, according to the annual report by Attorney General Bob Ferguson. Meanwhile, a senior dating website has leaked the information of 765,000 users, putting victims at risk of identity theft. In the corporate world, companies like Ames Goldsmith and PRGX Global are facing potential class-action lawsuits over data breaches, while ParkMobile has negotiated a $32.8 million settlement over a similar issue. The tech sector isn't safe either.
US Bitcoin ATM operator Byte Federal suffered a data breach due to a GitLab flaw, exposing the data of 58,000 customers. Even the beloved Krispy Kreme wasn't spared, disclosing a network data breach recently. In other news, a rise in employee data leaks, highlighted by Amazon's exposure of over 100 million records, reveals significant security gaps in companies.
On the research front, we explore how AI is reshaping the security landscape, the vulnerability of metaverse platforms to cyber attacks, and the discovery of new malware used by nation-states to attack industrial systems. We also delve into the world of cybersecurity, with a focus on phishing as the silent precursor to data breaches, and the recent sanctioning of a Chinese cyber firm for a critical infrastructure attack. Stay tuned for more updates on these stories and a whole lot more in today's issue of Secret CISO.
Data Breaches
- Data breaches in WA at all-time high: The annual data breach report released by Attorney General Bob Ferguson shows a record 11.6 million breach notices sent to Washington residents in a single year. The report underscores the growing threat of data breaches in the digital age. Source: Columbia Basin Herald
- Data breach at Senior Dating website spills info of 765,000 users: Two dating sites owned by the same operator have suffered significant data leaks, affecting more than 850,000 users between them. The victims' data, including personal and sensitive information, is now at risk of being used for identity theft. Source: TechRadar
- Leakage of job applicants' data raises concerns, solutions expensive: A surge in employee data leaks, highlighted by Amazon's exposure of over 100 million records, reveals significant security gaps in companies. The cost of implementing solutions to these breaches is proving to be a challenge. Source: Mint
- US Bitcoin ATM operator Byte Federal suffered a data breach: Byte Federal, a US Bitcoin ATM operator, has suffered a data breach affecting about 58,000 customers. Attackers gained unauthorized access to a server through a GitLab vulnerability, a reminder that internet-facing developer tooling needs the same patch cadence as production systems. Source: Security Affairs
- Krispy Kreme hit with a bellyache of a data breach: Doughnut chain Krispy Kreme disclosed a network data breach on Dec. 11. The company stated that normal operations were not affected, but the breach underscores the need for robust security measures even in non-tech industries. Source: SC Media
Security Research
- 400 Million Microsoft Users Put At Risk From No Interaction 2FA Bypass: Security researchers disclosed a bypass of Microsoft's multifactor authentication that required no user interaction: because code submissions were not rate limited, a valid six-digit code could be found by brute force in about an hour, and the attempts triggered no alerts to the account owner. Forbes puts the number of exposed Microsoft users at 400 million. Source: Forbes
- BCG Global Cyber Leader: How Gen AI Breaks Security Defences: Boston Consulting Group's latest cybersecurity research highlights a growing gap between threat and defense as AI continues to reshape the security landscape. The research underscores the need for organizations to adapt and evolve their security strategies. Source: Cyber Magazine
- Researchers Discover Malware Used by Nation-States to Attack Industrial Systems: Researchers at industrial cybersecurity provider Claroty have discovered a new tool used by nation-state cyber threat actors to attack civilian industrial systems. The discovery underscores the increasing sophistication of cyber threats. Source: Infosecurity Magazine
- Study reveals vulnerability of metaverse platforms to cyber attacks: A recent study has revealed the vulnerability of metaverse platforms to cyber attacks. The researcher's goal was to identify potential security flaws in these emerging digital spaces, highlighting the need for robust security measures. Source: IDW Online
- Researchers crack Microsoft Azure MFA within an hour: Researchers at Oasis Security found that Microsoft Azure's MFA code check lacked rate limiting, letting them brute-force a valid code in about an hour (the same finding reported in the Forbes item above). The discovery shows that a second factor is only as strong as the throttling and alerting around its verification. Source: Techzine Global
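The two MFA items above describe the same failure mode: a six-digit code is only 1,000,000 possibilities, so whoever can submit guesses without being throttled will eventually land on a valid one. The following is an added example written for this digest; it is not code from Oasis Security, Microsoft, or either article. It implements RFC 4226/6238 code generation, a server-side verifier with the two controls that bound guessing (a small accepted-code window and a per-account failure lockout), and an exact calculation of how many guesses an attacker needs. The class name, parameter values and the constructed RFC test-vector key are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct
from fractions import Fraction

DIGITS = 6
STEP_SECONDS = 30
CODE_SPACE = 10 ** DIGITS


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(key, unix_time // step)


class OtpVerifier:
    """Server-side code check with the two controls that bound guessing:
    a small window of accepted codes and a per-account failure counter
    that locks the account. Parameter values are illustrative, not any vendor's."""

    def __init__(self, key: bytes, max_failures: int = 5,
                 lockout_seconds: int = 300, skew_steps: int = 1):
        self.key = key
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.skew_steps = skew_steps
        self.failures = 0
        self.locked_until = 0

    def accepted_codes(self, now: int) -> set:
        """Codes accepted at `now`: the current step plus skew_steps on either side."""
        counter = now // STEP_SECONDS
        return {hotp(self.key, counter + d)
                for d in range(-self.skew_steps, self.skew_steps + 1)}

    def verify(self, code: str, now: int) -> tuple:
        """Return (accepted, reason). Malformed input counts as a failure too."""
        if now < self.locked_until:
            return False, "locked"
        well_formed = len(code) == DIGITS and code.isdigit()
        # compare_digest keeps comparison time independent of where the first mismatch is
        matched = well_formed and any(hmac.compare_digest(code, c)
                                      for c in self.accepted_codes(now))
        if matched:
            self.failures = 0
            return True, "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = now + self.lockout_seconds
            return False, "locked"
        return False, "bad-code"


def guess_success_probability(guesses: int, valid_codes: int = 1,
                              space: int = CODE_SPACE) -> float:
    """Exact chance that `guesses` distinct submissions hit one of `valid_codes`
    codes accepted at the same moment: 1 - C(space - valid, guesses) / C(space, guesses),
    evaluated as a product over the `valid_codes` factors so it stays cheap."""
    if guesses <= 0:
        return 0.0
    if guesses > space - valid_codes:
        return 1.0
    miss = Fraction(1)
    for j in range(valid_codes):
        miss *= Fraction(space - guesses - j, space - j)
    return float(1 - miss)


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 4226 / RFC 6238 test-vector secret (constructed input)
    v = OtpVerifier(key, max_failures=3)
    print(v.verify("000000", 59), v.verify("000000", 59), v.verify("000000", 59))
    print(v.verify(totp(key, 59), 59))          # rejected: account is locked
    print(guess_success_probability(500_000))   # 0.5 with a single accepted code
    print(guess_success_probability(500_000, valid_codes=6))
```

Two things the numbers make concrete: with one accepted code, half a million guesses give a coin-flip chance, so an endpoint that allows thousands of parallel submissions per minute is brute-forceable in hours; and every extra simultaneously valid code (a wider skew window, or a code that stays valid for minutes rather than 30 seconds) raises the attacker's odds for the same number of guesses. The lockout is what turns that into a handful of attempts per account, and the "locked" result is the event to alert on.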
Top CVEs
- CVE-2023-39920 WordPress Redirection for Contact Form 7 plugin <= 2.9.2: Broken Access Control in the Redirection for Contact Form 7 plugin, versions up to and including 2.9.2. Source: Vulners.
- CVE-2023-40334 WordPress HUSKY – Products Filter for WooCommerce Professional plugin <= 1.3.4.2: Missing Authorization in the HUSKY plugin, versions up to and including 1.3.4.2. Source: Vulners.
- CVE-2023-33998 WordPress Easy Social Icons plugin <= 3.2.5: Broken Access Control in the Easy Social Icons plugin, versions up to and including 3.2.5. Source: Vulners.
- CVE-2023-39305 WordPress Yet Another Stars Rating plugin <= 3.4.3: Missing Authorization in the Yet Another Stars Rating plugin, versions up to and including 3.4.3. Source: Vulners.
- CVE-2023-33215 WordPress Taggbox plugin <= 3.3: Broken Access Control in the Taggbox plugin, versions up to and including 3.3. Source: Vulners.
API Security
- CVE-2024-12042: The MStore API plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to insufficient file type validation in the profile picture upload functionality. This allows authenticated attackers to upload HTML files with arbitrary web scripts. Source: vulners.com
- CVE-2024-11275: The WP Timetics plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the REST API endpoint. This allows authenticated attackers to delete arbitrary data. Source: vulners.com
- CVE-2024-11838: PlexTrac has an External Control of File Name or Path vulnerability that allows Local Code Inclusion through use of an undocumented API endpoint. Source: vulners.com
- CVE-2024-11835: PlexTrac has an Uncontrolled Resource Consumption vulnerability that allows WebSocket DoS. Source: vulners.com
- CVE-2024-9387: GitLab CE/EE has an issue that could potentially allow an attacker to perform an open redirect against a given releases API. Source: vulners.com
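The MStore API entry above is a recurring pattern: an upload handler that decides a file is an image from its name or the client-supplied Content-Type, so an attacker stores an HTML file and the browser later renders it on the site's origin. The following is an added example written for this digest, not the plugin's code or the fix its maintainers shipped. It puts a hypothetical weak check beside a validator that decides from the file bytes and chooses the stored name itself, plus the response headers that keep a served upload from being treated as a document. The allowlist, function names and the constructed sample bytes are assumptions.

```python
import secrets

# Allowed extension -> magic bytes the content must start with (constructed allowlist)
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
CONTENT_TYPES = {"png": "image/png", "gif": "image/gif", "jpg": "image/jpeg", "jpeg": "image/jpeg"}

# Constructed sample inputs: a PNG signature with filler, and an HTML payload
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
HTML_PAYLOAD = b"<html><body><script>alert(document.cookie)</script></body></html>"


def weak_is_image(filename: str, client_content_type: str) -> bool:
    """Hypothetical weak check (not the plugin's actual code): trusts the file name
    and the client-supplied Content-Type, both of which the uploader controls."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in IMAGE_SIGNATURES or client_content_type.startswith("image/")


def validate_image_upload(filename: str, data: bytes) -> tuple:
    """Return (stored_name, None) on success or (None, reason) on rejection.
    Only the final extension counts, the bytes must carry that type's signature,
    and the server picks a random stored name so the original name never reaches disk."""
    if "." not in filename:
        return None, "no extension"
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext not in IMAGE_SIGNATURES:
        return None, f"extension .{ext} not allowed"
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return None, "content does not match declared image type"
    return f"{secrets.token_hex(16)}.{ext}", None


def safe_image_headers(ext: str) -> dict:
    """Headers for serving a stored upload: fixed Content-Type from the validated
    extension, no sniffing, and a sandbox so a polyglot that slips past the
    signature check still cannot run script on this origin."""
    return {
        "Content-Type": CONTENT_TYPES[ext],
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


if __name__ == "__main__":
    print(weak_is_image("avatar.html", "image/png"))            # True: the weak check is fooled
    print(validate_image_upload("avatar.png", PNG_SAMPLE))       # stored name, None
    print(validate_image_upload("avatar.png", HTML_PAYLOAD))     # None, signature mismatch
    print(validate_image_upload("avatar.png.html", PNG_SAMPLE))  # None, .html not allowed
    print(safe_image_headers("png"))
```

The signature check stops the plain HTML-as-image case; it does not stop a GIF89a-prefixed polyglot, which is why the serving headers (and, better, a separate upload origin) matter as much as the upload-time check. Re-encoding the image server-side is the stronger option where the deployment can afford it.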
Sponsored by Wallarm API Security Solution
Final Words
As we wrap up today's edition of Secret CISO, we're reminded that data breaches continue to be a significant concern across various sectors. From the alarming rise in data breaches in Washington to the unsettling data leak at senior dating websites, it's clear that no industry is immune. In the midst of these challenges, we see companies like ParkMobile and USAA taking steps towards resolution through substantial settlements. However, the question remains: are we doing enough to prevent these breaches in the first place?
As we delve into the world of cybersecurity, we also explore the role of AI in reshaping the security landscape and the potential vulnerabilities of metaverse platforms. We also highlight the importance of security research in understanding and combating these threats. Remember, knowledge is power. Sharing this newsletter with your friends and colleagues not only helps them stay informed but also contributes to a more secure digital landscape. Let's continue to learn, share, and work towards a safer cyber world.
Stay safe and see you in the next edition of Secret CISO!