Secret CISO 12/31: Major Data Breaches Hit Cisco, Harley-Davidson, and U.S. Treasury; Chinese Hackers Suspected. Researchers Uncover Vulnerabilities in Azure, Volkswagen, and Quantum Computing Security.


Welcome to the final edition of Secret CISO for 2024. As we bid adieu to this year, let's take a look at the major cybersecurity incidents that made headlines. The healthcare sector was hit hard with data breaches, as electronic medical record company PracticeSuite and California Correctional Health Care Services reported significant breaches. The U.S. Treasury also fell victim to a major cyberattack by a Chinese 'threat actor', highlighting the persistent threat to national security. In the corporate world, Cisco confirmed a massive data leak of 4.45GB, and Harley-Davidson was targeted by cybercriminals, leading to a data breach. The year also saw a significant data breach at Patelco, leading to a lawsuit alleging fraudulent charges.

On the legal front, New York introduced six new consumer data protection laws, while the High Court of Kerala stayed police proceedings against a journalist who reported on a data breach. In the realm of research, cybersecurity experts uncovered vulnerabilities in Microsoft's Azure Data Factory Apache Airflow integration, and Volkswagen faced a data exposure due to cloud misconfiguration.

As we step into 2025, let's stay vigilant and proactive in our cybersecurity efforts. Remember, the first line of defense is awareness. Stay safe and see you in the New Year!

Data Breaches

  1. EMR Vendor Reports Breach of Patient Data: Electronic medical record company PracticeSuite and California Correctional Health Care Services have announced data breaches, potentially compromising patient data. The extent and impact of the breaches are currently under investigation. Source: HIPAA Journal
  2. Kerala Police's Data Breach: The High Court of Kerala has stayed the Kerala Police's proceedings related to a data breach. The breach was reported by a journalist who is now being compelled to reveal their sources and surrender their mobile phone. Source: Onmanorama
  3. Cisco Data Breach: Cisco has confirmed the authenticity of a 4.45GB data leak posted online by a hacker known as IntelBroker. The company is currently investigating the full extent of the breach and its potential impact. Source: Cyber Security News
  4. Harley-Davidson Data Breach: Harley-Davidson has been targeted by cybercriminals, with a data breach being claimed by a threat actor on an underground forum. The details of the alleged breach are currently being investigated. Source: Red Hot Cyber
  5. U.S. Treasury Hacked by Chinese 'Threat Actor': The U.S. Treasury Department's computer security has been breached by a Chinese state-sponsored hacker, according to a letter from the department. The breach is being treated as a 'major incident' and is currently under investigation by the Cybersecurity and Infrastructure Security Agency and the FBI. Source: Reuters

Security Research

  1. Hackers Can Operate Your Car Remotely: Jay Turla, a principal security researcher at VicOne, discusses the potential for hackers to remotely control vehicles. This highlights the growing need for robust cybersecurity measures in the automotive industry. Source: Deccan Chronicle
  2. Kiran Nalla: A Cloud Security Expert Redefining Digital Innovation and Resilience: Kiran Nalla, a seasoned cloud security expert, is addressing the challenges of digital security through innovative solutions. His work emphasizes the importance of resilience in the face of evolving cyber threats. Source: Tech Bullion
  3. Misconfigured Kubernetes RBAC in Azure Airflow Could Expose Entire Cluster to Exploitation: Researchers have found three security weaknesses in Microsoft's Azure Data Factory Apache Airflow integration. These vulnerabilities could potentially expose an entire cluster to exploitation if not addressed. Source: The Hacker News
  4. A Fuzzy AHP-Based Assessment Framework in the Era of Quantum Computing: This research aims to prioritize security variables using quantum security criteria, providing an innovative viewpoint on software security in the age of quantum computing. Source: PLOS ONE
  5. Exposed Cloud Server Tracks 800,000 Volkswagen, Audi and Skoda EVs: Security researchers have discovered that a cloud server tracking 800,000 Volkswagen, Audi, and Skoda EVs was exposed, highlighting the need for improved data security in the automotive industry. Source: Hackread

Top CVEs

  1. CVE-2023-48775 - Missing Authorization vulnerability in Gfazioli WP Cleanfix: This vulnerability allows unauthorized access to WP Cleanfix due to incorrectly configured access control security levels. The issue affects all versions of WP Cleanfix. Source: CVE-2023-48775
  2. CVE-2023-50850 - Missing Authorization vulnerability in Woo WooCommerce Subscriptions: This vulnerability allows unauthorized access to WooCommerce Subscriptions due to incorrectly configured access control security levels. The issue affects all versions of WooCommerce Subscriptions before the latest update. Source: CVE-2023-50850
  3. CVE-2024-56734 - Open redirect vulnerability in Better Auth: This vulnerability allows attackers to redirect users to malicious websites through the verify email endpoint of all versions of Better Auth prior to v1.1.6. The issue affects users relying on email verification links generated by the library. Source: CVE-2024-56734
  4. CVE-2024-52294 - Insecure Direct Object Reference (IDOR) vulnerability in Khoj: This vulnerability allows any authenticated user to manipulate other users' Stripe subscriptions by simply modifying the email parameter in the request. The issue was fixed in version 1.29.10. Source: CVE-2024-52294
  5. CVE-2024-12828 - CGI Command Injection Remote Code Execution Vulnerability in Webmin: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Webmin. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. Source: CVE-2024-12828

API Security

  1. Authentication Bypass in Electronic Official Document Management System from 2100 Technology: The system has a vulnerability that allows unauthenticated remote attackers to deceive the server and obtain tokens of arbitrary users, which can then be used to log into the system. Source: CVE-2024-13061
  2. Security Issue in WhatsUp Gold: In versions released before 2024.0.2, an attacker can gain access to the WhatsUp Gold server via the public API. Source: CVE-2024-12108
  3. Unauthorized Access in Hunk Companion WordPress Plugin: The plugin before 1.9.0 does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary plugins from the WordPress.org repo. Source: CVE-2024-11972
  4. Public Access to API Routes in Simofa: Prior to version 0.2.7, due to a design mistake in the RouteLoader class, some API routes may be publicly accessible when they should require authentication. This vulnerability has been patched in the latest version. Source: CVE-2024-56799
  5. Server-Side Request Forgery in Firecrawl: Versions prior to 1.1.1 contain a server-side request forgery (SSRF) vulnerability. The scraping engine could be exploited by crafting a malicious site that redirects to a local IP address. This allowed exfiltration of local network resources through the API. Source: CVE-2024-56800


Final Words. Really final for 2024

Happy New Year from the Secret CISO team! 🎉

As we wrap up January 2024, we’re excited to mark the milestone of Secret CISO becoming a daily newsletter. Over the past month, we’ve covered critical topics, from healthcare data breaches to government cybersecurity challenges, always aiming to keep you informed and ready to tackle evolving threats.

Your support has been incredible—by sharing this newsletter with colleagues and friends, you’ve helped us grow a community dedicated to staying ahead in cybersecurity.

Starting tomorrow, we’ll be back as usual, delivering the insights you rely on every single day. Thank you for being with us on this journey. Here’s to a secure, informed, and impactful 2024! 🚀
