Secret CISO 12/21: Clinic, Rapido, Monument Health, Credit Union, Duke Energy Data Breaches; Microsoft, Cisco, McDonald's Security Flaws; Research on AI, Biochar, Microgrid Cyber Resilience

Good morning, Secret CISO readers! Today's newsletter is packed with the latest updates on data breaches and security research.

We start with a critique of a clinic's response to a data breach that exposed patients' personal and financial data. In India, ride-hailing platform Rapido has fixed a security flaw that exposed users' and drivers' personal data.

Meanwhile, Monument Health was informed of a data breach that could affect approximately 26,000 individuals. In other news, a data breach has left over 240,000 credit union members exposed and vulnerable to potential identity theft and financial fraud. Duke Energy Corporation is also under scrutiny for a data breach that has led to concerns over the security of sensitive personal information.

On the research front, we have updates from Microsoft Research on building AI agents for autonomous clouds. Also, a renowned security expert from USPA analyzes escalating violence against CEOs and urges proactive measures. Lastly, we have a series of CVE updates, including a critical vulnerability in Onyxia, a web app that provides a working environment for data scientists, which allows authenticated users to remotely execute code within the Onyxia-API. Stay tuned for more updates and remember, knowledge is the best defense against cyber threats. Stay safe!

Data Breaches

  1. Clinic's response to data breach could have been better - Union-Bulletin.com: A data breach was discovered on February 21, 2024, compromising the personal and financial data of individual patients. The response of the clinic to the breach has been criticized. Source: Union-Bulletin.com
  2. Monument Health informed of data breach - bhpioneer.com: Monument Health was informed of a data breach by one of its vendors, Change Healthcare, potentially affecting approximately 26,000 individuals. Source: bhpioneer.com
  3. Data Breach—240,000 Credit Union Members Exposed - Forbes: A data breach has left over 240,000 credit union members exposed and vulnerable to potential identity theft and financial fraud. Source: Forbes
  4. Duke Energy Corporation Data Breach - Levi & Korsinsky, LLP: A data breach at Duke Energy Corporation has raised concerns over the security of sensitive personal information. The breach was reported in May 2024. Source: accesswire.com
  5. Ascension: Health data of 5.6 million stolen in ransomware attack - bleepingcomputer.com: Ascension, a healthcare provider, suffered a ransomware attack resulting in the theft of health data of 5.6 million individuals. The Health Information Sharing and Analysis Center (Health-ISAC) has warned of accelerated attacks by the group responsible, Black Basta. Source: bleepingcomputer.com

Security Research

  1. New Microsoft Hack Warning As Windows Backdoor Attackers Strike: Securonix security researchers Den Luzvyk and Tim Peck have identified a new hacking campaign targeting Windows systems. The attack, dubbed FLUX#CONSOLE, is unique in its approach and has raised concerns about potential backdoor attacks. Source: Forbes
  2. SnapAttack to be acquired by Cisco: Horizon3.ai security researcher Zach Hanley reported a vulnerability in SnapAttack, a company soon to be acquired by Cisco. The details of the vulnerability have not been disclosed, but it has raised concerns about the security of the acquisition. Source: SC Media
  3. McDonald's API Hacking: A security researcher has discovered API flaws in the McDonald's McDelivery system in India. The flaws could potentially expose customer data, highlighting the need for improved security measures in online food delivery systems. Source: Security Week
  4. AIOpsLab: Building AI agents for autonomous clouds: Microsoft researchers Minghua Ma and Gagan Somashekar are working on a project to build AI agents for autonomous clouds. The project adheres to Microsoft's security standards and aims to improve cloud security. Source: Microsoft Research
  5. Researchers warn of active exploitation of critical Apache Struts 2 flaw: Security researchers have warned of an actively exploited vulnerability in Apache Struts 2. Users are urged to upgrade to Struts 6.4.0 or greater and use the Action File Upload Interceptor to mitigate the risk. Source: Cybersecurity Dive

Top CVEs

  1. TOCTOU Race Condition vulnerability in Apache Tomcat (CVE-2024-56337): A Time-of-Check Time-of-Use (TOCTOU) race condition vulnerability has been discovered in Apache Tomcat. This issue affects versions from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, and from 9.0.0.M1 through 9.0.97. Users running Tomcat on a case-insensitive file system with the default servlet write enabled may need additional configuration to fully mitigate this vulnerability. Source: vulners.com
  2. AirVantage online Warranty Checker tool vulnerability (CVE-2023-31280): A vulnerability in the AirVantage online Warranty Checker tool could allow an attacker to perform bulk enumeration of IMEI and Serial Numbers pairs. The AirVantage Warranty Checker has been updated to no longer return the IMEI and Serial Number in addition to the warranty status when the Serial Number or IMEI is used to look up warranty. Source: vulners.com
  3. Remote code execution vulnerability in Onyxia (CVE-2024-56333): Onyxia, a web app for data scientists, has a critical vulnerability that allows authenticated users to remotely execute code within the Onyxia-API. This could lead to unauthorized access to other user environments and denial of service attacks. This issue has been patched in API versions 4.2.0, 3.1.1, and 2.8.2. Users are advised to upgrade. Source: vulners.com
  4. Command injection vulnerability in oMG2000 and MG90 (CVE-2020-13712): A command injection vulnerability has been discovered in oMG2000 and MG90, allowing arbitrary command execution as the root user. oMG2000 running MGOS 3.15.1 or earlier and MG90 running MGOS 4.2.1 or earlier are affected. Source: vulners.com
  5. Group manipulation vulnerability in vaultwarden (CVE-2024-56335): vaultwarden, an unofficial Bitwarden-compatible server, has a vulnerability that allows an attacker to update or delete groups from an organization under certain conditions. This attack can lead to denial of service or privilege escalation. This vulnerability is patched in Vaultwarden 1.32.7, and users are recommended to update as soon as possible. Source: vulners.com

API Security

  1. Onyxia API Critical Vulnerability (CVE-2024-56333): A critical vulnerability has been identified in Onyxia, a web app designed for data scientists. This vulnerability allows authenticated users to remotely execute code within the Onyxia-API, potentially leading to unauthorized access and denial of service attacks. The issue has been patched in API versions 4.2.0, 3.1.1, and 2.8.2. Users are advised to upgrade. Source: vulners.com
  2. Improper Authentication in Google Android (CVE-2023-45866): A Proof of Concept (PoC) project has demonstrated Bluetooth keystroke injection in Google Android, linked to CVE-2023-45866. This exploit takes advantage of keystroke injection vulnerabilities in BlueZ on the Linux operating system. The author of the PoC warns against unauthorized, illegal, or unethical use of this project. Source: vulners.com
  3. Socialstream Account Takeover Vulnerability (GHSA-3Q97-VJPP-C8RP): A potential account takeover vulnerability has been identified in Socialstream due to missing user consent after OAuth callback. When linking a social account to an already authenticated user, the lack of a confirmation step introduces a security risk. Developers are advised to ensure users explicitly confirm account linking and avoid configurations that skip critical security checks. Source: vulners.com
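The Socialstream advisory above comes down to one design rule: an OAuth callback must never attach a provider identity to whoever happens to be logged in without that user explicitly agreeing. The following added example (written for this newsletter, not Socialstream's or Laravel's code) contrasts the two patterns in plain Python with a simulated session: the vulnerable callback links immediately, while the hardened callback only stages a pending link bound to the current session and user, and the link is written only when a separate confirm step presents the single-use token before it expires. The `Session`, `LinkStore`, `oauth_callback_*` and `confirm_link` names, the 300-second window and the provider identifiers are all constructed for the illustration.

```python
"""Account linking after an OAuth callback: vulnerable auto-link vs.
explicit user confirmation. Constructed illustration, not Socialstream's code."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PENDING_TTL_SECONDS = 300  # assumed window for the confirmation step


@dataclass
class Session:
    """Minimal stand-in for a server-side session (constructed)."""
    user_id: Optional[int] = None
    pending_link: Optional[dict] = None


class LinkStore:
    """Maps (provider, provider_uid) -> local user id (constructed)."""

    def __init__(self) -> None:
        self.links: Dict[Tuple[str, str], int] = {}


def oauth_callback_vulnerable(session: Session, store: LinkStore,
                              provider: str, provider_uid: str) -> str:
    """Flawed pattern: whoever is logged in gets the social identity attached,
    with no consent step. The user never sees what is being linked."""
    if session.user_id is None:
        return "not-authenticated"
    store.links[(provider, provider_uid)] = session.user_id
    return "linked"


def oauth_callback_hardened(session: Session, store: LinkStore,
                            provider: str, provider_uid: str,
                            now: Optional[float] = None) -> Optional[str]:
    """Hardened pattern: stage a pending link, do not write it yet.
    Returns the confirmation token the confirm page must echo back."""
    now = time.time() if now is None else now
    if session.user_id is None:
        return None
    if (provider, provider_uid) in store.links:
        return None  # identity already bound to an account; never rebind silently
    token = secrets.token_urlsafe(32)
    session.pending_link = {
        "provider": provider,
        "uid": provider_uid,
        "token": token,
        "user_id": session.user_id,  # pinned: the user who started the flow
        "expires": now + PENDING_TTL_SECONDS,
    }
    return token


def confirm_link(session: Session, store: LinkStore, token: str,
                 now: Optional[float] = None) -> str:
    """Second step: the authenticated user explicitly confirms the link."""
    now = time.time() if now is None else now
    pending = session.pending_link
    if pending is None:
        return "no-pending"
    session.pending_link = None  # single use, whatever the outcome
    if now > pending["expires"]:
        return "expired"
    if not hmac.compare_digest(token, pending["token"]):
        return "bad-token"
    if session.user_id != pending["user_id"]:
        return "session-changed"  # a different user must not inherit the link
    store.links[(pending["provider"], pending["uid"])] = session.user_id
    return "linked"


if __name__ == "__main__":
    s, st = Session(user_id=7), LinkStore()
    tok = oauth_callback_hardened(s, st, "example-provider", "uid-123", now=1000.0)
    print("links after callback:", st.links)               # {} -- nothing written yet
    print(confirm_link(s, st, tok, now=1001.0), st.links)  # linked {...: 7}
```

The confirm step is what turns a callback that any crafted redirect could trigger into an action the user has to take on purpose; the token is consumed on first use, expires after a short window and is pinned to the user id that started the flow, so a session whose user changed in between cannot complete it.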

Sponsored by Wallarm API Security Solution

Final Words

And that's a wrap for today's edition of the Secret CISO newsletter. We hope you found this information valuable in your quest to stay ahead of the curve in the ever-evolving world of cybersecurity.

Remember, in this digital age, knowledge is your best defense. If you found this newsletter helpful, please consider sharing it with your colleagues and friends. Let's work together to create a safer digital world for everyone. Stay safe and see you in the next edition!

By Secret CISO