Secret CISO 12/18: Meta's €251M Fine for 2018 Breach, Massive Healthcare Data Breach Affects 500K, Cisco Data Leaked, Research on Cybersecurity Threats for 2025
Welcome to today's issue of Secret CISO, your daily dose of cybersecurity news. Today, we're diving into the world of data breaches and fines, with Meta taking center stage. The tech giant has been slapped with a whopping €251 million fine for mishandling a 2018 data breach that affected millions of Facebook accounts. But Meta isn't the only one under fire.
We're also looking at a massive healthcare data breach that saw half a million patients' personal info stolen. And it doesn't stop there - Texas Tech University, Cisco, and Regional Care have all been hit with breaches, impacting millions of individuals. In other news, we're exploring the world of cybersecurity research, with insights from experts like Jai Sharma at GoDaddy's Security Team and Martin Lee at Cisco Talos. We're also taking a look at the latest cybersecurity threats for businesses in 2025 and the new Gmail and Calendar attack warning for millions of users.
Finally, we're rounding up the latest vulnerabilities, with a focus on Meta, WordPress, and more. Stay tuned for all this and more in today's Secret CISO newsletter.
Data Breaches
- Meta Fined €251 Million (About $263 Million) for 2018 Data Breach: Ireland's Data Protection Commission has fined Meta €251 million, roughly $263 million, over the 2018 breach in which attackers abused Facebook's "View As" feature to steal access tokens. Facebook initially estimated that 50 million accounts were affected; the figure was later revised to approximately 29 million globally, around three million of them in the EU/EEA. Source: PCWorld, Yahoo Finance
- Half a Million Patients' Personal Info Stolen in Massive Health Care Data Breach: Hackers have leaked the personal data of around 500,000 Americans in a massive healthcare data breach. Unlike a password, medical histories, Social Security numbers and dates of birth cannot be rotated, so exposure of this kind follows victims for years. Source: Fox News
- Hacker Leaks Cisco Data: A hacker has leaked data stolen recently from a Cisco DevHub instance. The hacker claims the leaked data is only a fraction of the total amount stolen. Source: SecurityWeek
- Regional Care Data Breach Impacts 225,000 People: Healthcare insurance firm Regional Care has disclosed a data breach impacting more than 225,000 individuals. The extent of the data exposed in the breach has not been specified. Source: SecurityWeek
- Phishing Scammers Spoof Ledger's Email to Send Bogus Data Breach Notice: Phishing scammers have spoofed Ledger's email to send a bogus data breach notice. The bogus email claims Ledger suffered a "recent data breach" and encourages recipients to verify their private seed phrase under the guise of needing to secure their accounts. The seed phrase is the wallet's master secret: no legitimate vendor, Ledger included, ever needs it, and any email or web form requesting it is an attempt to drain the wallet. Source: Cointelegraph
Security Research
- Counterfeit ESLint and Node 'types' libraries downloaded thousands of times abuse Pastebin: Counterfeit npm packages imitating the popular ESLint and Node 'types' libraries were downloaded thousands of times, potentially compromising numerous projects that pulled them in by mistake. The counterfeit packages used Pastebin to fetch their malicious payload rather than shipping it in the package itself. Because the names were chosen to resemble the genuine ones, the practical defence is to verify package names and scopes before adding a dependency and to pin what is installed. Source: Sonatype
- HubPhish Exploits HubSpot Tools to Target 20,000 European Users for Credential Theft: A phishing campaign dubbed 'HubPhish' has been exploiting HubSpot's Free Form Builder service to target around 20,000 European users for credential theft. The peak of the phishing attempts was observed in June 2024. Source: The Hacker News
- Cybersecurity threats for businesses in 2025: What to look out for: A cybersecurity expert predicts the four leading cybersecurity risks in 2025, ranging from traditional hacking methods to breakthroughs in computer security. Businesses are advised to stay vigilant and proactive in their cybersecurity measures. Source: Global Security Mag
- New Google Gmail And Calendar Attack Warning For Millions Of Users: Check Point security researchers have revealed a new attack method that chains Google Calendar invitations with Google Drawings and Forms pages to lure recipients to phishing sites. Because the invitations are sent through Google's own infrastructure, they pass the sender checks that would flag an ordinary spoofed email. Millions of users are potentially at risk and are advised to stay alert. Source: Forbes
- Hackers Use Fake PoCs on GitHub to Steal WordPress Credentials, AWS Keys: Datadog Security Labs researchers have uncovered a year-long campaign by a threat actor tracked as MUT-1244. The campaign plants fake proof-of-concept exploits (PoCs) on GitHub that, when run, steal WordPress credentials and AWS keys from the security researchers and operators who test them. Source: Hackread
Top CVEs
- CVE-2024-55496 - Vulnerability in 1000projects Bookstore Management System PHP MySQL Project 1.0: A vulnerability has been found in the 1000projects Bookstore Management System PHP MySQL Project 1.0. This issue affects some unknown functionality of add_company.php. Manipulation of the 'delete' parameter leads to SQL injection. Source: vulners.com
- CVE-2024-49818 - IBM Security Guardium Key Lifecycle Manager Vulnerability: IBM Security Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2.0, and 4.2.1 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. Source: vulners.com
- CVE-2024-49820 - IBM Security Guardium Key Lifecycle Manager Vulnerability: IBM Security Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2.0, and 4.2.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man-in-the-middle techniques. Note that HSTS only protects a browser after its first HTTPS visit to the host unless the domain is on the preload list, so enabling the header is necessary but not sufficient on its own. Source: vulners.com
- CVE-2024-51479 - Next.js Vulnerability: Next.js, a React framework for building full-stack web applications, has a vulnerability that could allow an attacker to bypass authorization performed in middleware based on the request pathname. This issue is patched in Next.js 14.2.15 and later. If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version; self-hosted deployments must upgrade. Source: vulners.com
- CVE-2024-42194 - HCL BigFix Inventory Vulnerability: An improper handling of insufficient permissions or privileges affects HCL BigFix Inventory. An attacker with access via a read-only account can change certain configuration parameters by crafting a specific REST API request. Source: vulners.com
API Security
- Device Takeover Vulnerability in Rockwell Automation Power Monitor 1000: A device takeover vulnerability has been identified in the Rockwell Automation Power Monitor 1000. This vulnerability allows the configuration of a new Policyholder user without any authentication via API. The Policyholder user is the most privileged user that can perform edit operations, create admin users, and perform factory operations. Source: CVE-2024-12371
- Astro CSRF Middleware Bypass: A bug in Astro's CSRF-protection middleware allows requests to bypass CSRF checks. This vulnerability exists when the security.checkOrigin configuration option is set to true. A request whose Content-Type carries a trailing semicolon (for example text/plain;) is not recognised by the check as a form submission, yet browsers still send it cross-site without a CORS preflight, so the origin verification is skipped. Source: GHSA-C4PW-33H3-35XW
- Incorrect Implementation of Authentication Algorithm in Apache Kafka's SCRAM: Apache Kafka's implementation of the Salted Challenge Response Authentication Mechanism (SCRAM) did not fully adhere to the requirements of RFC 5802. The server must verify that the nonce sent by the client in its second message matches the nonce the server sent in its first message. Kafka's SCRAM implementation did not perform this validation. The issue is exploitable only when an attacker can observe the SCRAM exchange in plaintext; deployments that run SCRAM over TLS, as Kafka recommends, are not affected. Source: CVE-2024-56128
- Arbitrary Command Execution in ThreatQuotient ThreatQ: In ThreatQuotient ThreatQ before 5.29.3, authenticated users are able to execute arbitrary commands by sending a crafted request to an API. Source: CVE-2024-39703
- SQL Injection in Collapsing Categories Plugin for WordPress: The Collapsing Categories plugin for WordPress is vulnerable to SQL Injection via the 'taxonomy' parameter of the /wp-json/collapsing-categories/v1/get REST API in all versions up to, and including, 3.0.8. This vulnerability allows unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information. Source: CVE-2024-12025
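The Astro item above describes a Content-Type check that can be sidestepped with a trailing semicolon. The following is an added illustration, not Astro's middleware code: a CSRF origin gate written in the vulnerable shape (verbatim string comparison of the header) next to a hardened one that parses the media type first. The request shape, `siteOrigin` parameter and the sample requests are constructed for the example. The hardened version also treats a missing Content-Type as needing the origin check, which goes beyond the advisory, because a body-less cross-site POST needs no preflight either.

```javascript
// Added example (not Astro's code): a CSRF origin check gated on "simple"
// Content-Types, shown in its bypassable form and in a parsed, hardened form.
// A browser sends a cross-site POST without a CORS preflight only when the
// Content-Type is one of these three types (or absent), so those are the
// requests that must carry a matching Origin header.
const SIMPLE_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);
const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Reduce a Content-Type header to its media type:
// "text/plain; charset=utf-8" -> "text/plain", "text/plain;" -> "text/plain".
function mediaType(header) {
  return (header || "").split(";")[0].trim().toLowerCase();
}

// Vulnerable shape: the gate compares the raw header string with the list, so
// "text/plain;" is not "recognised" and the origin check is skipped entirely,
// even though the browser treats it as a simple request and sends it cross-site.
function isAllowedVulnerable(req, siteOrigin) {
  if (!STATE_CHANGING.has(req.method)) return true;
  const raw = req.headers["content-type"] || "";
  if (!SIMPLE_TYPES.has(raw)) return true; // non-simple types are preflight-protected
  return req.headers["origin"] === siteOrigin;
}

// Hardened: normalise first, then gate. Parameterised or oddly formatted simple
// types and an absent Content-Type all fall through to the Origin comparison.
// Non-browser clients must therefore send an Origin header to be accepted.
function isAllowedHardened(req, siteOrigin) {
  if (!STATE_CHANGING.has(req.method)) return true;
  const type = mediaType(req.headers["content-type"]);
  if (type !== "" && !SIMPLE_TYPES.has(type)) return true;
  return req.headers["origin"] === siteOrigin;
}

// Constructed request object for the demonstration (header names lower-cased,
// as Node's http module presents them).
function request(method, contentType, origin) {
  const headers = {};
  if (contentType !== undefined) headers["content-type"] = contentType;
  if (origin !== undefined) headers["origin"] = origin;
  return { method, headers };
}
```

Run it against a cross-site `POST` with `Content-Type: text/plain;` and an attacker `Origin`: the vulnerable gate lets it through, the hardened one rejects it, while a same-origin form post and a cross-site `application/json` request (which the browser preflights) are accepted by both.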
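The Kafka item above turns on one RFC 5802 requirement: the server must confirm that the nonce echoed in the client's final message is the one it issued. The following is an added example, not Apache Kafka's code, of a minimal SCRAM-SHA-256 exchange (RFC 5802 with the SHA-256 parameters of RFC 7677) with both sides in one file, so the position of that check is visible: it runs before any proof arithmetic, and a client-final-message carrying any other nonce is rejected outright. The username, password, salt and iteration count are constructed for the demonstration; the `ScramServer`, `clientFinalMessage` and `runExchange` names are this example's own. It does not reproduce Kafka's internals, only the validation the CVE says was missing.

```javascript
// Added example (not Apache Kafka's code): SCRAM-SHA-256 per RFC 5802 / RFC 7677
// with the server-side nonce validation that CVE-2024-56128 describes as absent.
const crypto = require("node:crypto");

const HASH = "sha256";
const KEY_LEN = 32; // SHA-256 output length, used as the PBKDF2 key length

const hmac = (key, data) => crypto.createHmac(HASH, key).update(data).digest();
const h = (data) => crypto.createHash(HASH).update(data).digest();
const xor = (a, b) => {
  const out = Buffer.alloc(a.length);
  for (let i = 0; i < a.length; i++) out[i] = a[i] ^ b[i];
  return out;
};
// 18 random bytes -> 24 base64 characters; base64 never contains ',' so the
// nonce cannot break SCRAM's comma-separated attribute syntax.
const nonce = () => crypto.randomBytes(18).toString("base64");

// What the server stores per user: salt, iteration count, StoredKey and ServerKey.
// Neither the password nor SaltedPassword is kept.
function makeCredential(password, salt, iterations) {
  const salted = crypto.pbkdf2Sync(password, salt, iterations, KEY_LEN, HASH);
  const clientKey = hmac(salted, "Client Key");
  return { salt, iterations, storedKey: h(clientKey), serverKey: hmac(salted, "Server Key") };
}

// "n=alice,r=abc" -> { n: "alice", r: "abc" }; SCRAM attribute names are one character.
function parseAttrs(msg) {
  return Object.fromEntries(msg.split(",").map((p) => [p[0], p.slice(2)]));
}

class ScramServer {
  constructor(credentials) {
    this.credentials = credentials; // constructed store: { username: credential }
    this.state = null;
  }

  // client-first-message -> server-first-message
  handleClientFirst(clientFirst) {
    const bare = clientFirst.replace(/^n,,/, ""); // strip the GS2 header
    const a = parseAttrs(bare);
    const cred = this.credentials[a.n];
    if (!cred) throw new Error("unknown user");
    // RFC 5802: the server nonce is the client nonce with a server-chosen extension.
    const combinedNonce = a.r + nonce();
    const serverFirst = `r=${combinedNonce},s=${cred.salt.toString("base64")},i=${cred.iterations}`;
    this.state = { bare, cred, combinedNonce, serverFirst };
    return serverFirst;
  }

  // client-final-message -> server-final-message, or throws with the reason
  handleClientFinal(clientFinal) {
    const { bare, cred, combinedNonce, serverFirst } = this.state;
    const a = parseAttrs(clientFinal);
    // The validation at issue in CVE-2024-56128: the echoed nonce must equal the one
    // this server issued in server-first-message. It is checked before the proof, so a
    // stale or foreign client-final-message never reaches the key arithmetic.
    if (a.r !== combinedNonce) throw new Error("nonce mismatch");
    const withoutProof = clientFinal.slice(0, clientFinal.lastIndexOf(",p="));
    const authMessage = `${bare},${serverFirst},${withoutProof}`;
    const clientSignature = hmac(cred.storedKey, authMessage);
    // ClientKey = ClientProof XOR ClientSignature; H(ClientKey) must equal StoredKey.
    const clientKey = xor(Buffer.from(a.p, "base64"), clientSignature);
    if (!crypto.timingSafeEqual(h(clientKey), cred.storedKey)) throw new Error("bad proof");
    return `v=${hmac(cred.serverKey, authMessage).toString("base64")}`;
  }
}

// Client side: derive ClientProof from the password and the server's parameters.
function clientFinalMessage(password, clientFirstBare, serverFirst) {
  const s = parseAttrs(serverFirst);
  const salted = crypto.pbkdf2Sync(password, Buffer.from(s.s, "base64"), Number(s.i), KEY_LEN, HASH);
  const clientKey = hmac(salted, "Client Key");
  const withoutProof = `c=biws,r=${s.r}`; // "biws" is base64("n,,"), the channel binding field
  const authMessage = `${clientFirstBare},${serverFirst},${withoutProof}`;
  const proof = xor(clientKey, hmac(h(clientKey), authMessage));
  return `${withoutProof},p=${proof.toString("base64")}`;
}

// Drives a complete exchange. `tamper` may rewrite client-final-message before it is
// sent, standing in for an attacker on a plaintext link. Returns "ok" or the rejection reason.
function runExchange(server, user, password, tamper = (m) => m) {
  try {
    const bare = `n=${user},r=${nonce()}`;
    const serverFirst = server.handleClientFirst(`n,,${bare}`);
    server.handleClientFinal(tamper(clientFinalMessage(password, bare, serverFirst)));
    return "ok";
  } catch (e) {
    return e.message;
  }
}

// Constructed credential store for the demonstration.
function demoServer() {
  return new ScramServer({
    alice: makeCredential("correct horse", Buffer.from("constructed-salt"), 4096),
  });
}
```

A genuine exchange returns `"ok"`, a wrong password fails at the proof, and a client-final-message whose `r=` attribute has been swapped for any other value fails with `"nonce mismatch"` before the proof is ever examined, which is the ordering the RFC requires.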
Sponsored by Wallarm API Security Solution
Final Words
As we wrap up today's edition of Secret CISO, it's clear that the cyber landscape is as dynamic as ever. From Meta's hefty fine for mishandling a data breach to the massive healthcare data breach affecting half a million patients, it's evident that no sector is immune to cyber threats.
In the education sector, Texas Tech University is grappling with a data breach impacting 1.4 million patients' medical records. Meanwhile, the tech industry isn't safe either, with Cisco falling victim to a data leak. These incidents underscore the importance of robust cybersecurity measures and the need for continuous vigilance. As we continue to navigate this complex cyber terrain, let's remember to share insights, learn from each other, and work together to fortify our defenses.
If you found today's newsletter informative, please share it with your friends and colleagues. Let's spread the word and help create a safer cyber world for all. Stay safe and see you in the next edition of Secret CISO!