Secret CISO 5/24: London Drugs' Data Leak, Optus' Legal Battle, and Police Service's £750k Fine
Welcome to today's edition of Secret CISO, your daily dose of cybersecurity news. In today's newsletter, we delve into the world of data breaches, security fines, and the ever-evolving landscape of cybersecurity. A software firm recently faced a hefty fine of $74k due to a data breach caused by a weak password, affecting half a million users. The commission found that the company had failed to implement reasonable security arrangements to protect the personal data of its students.
In Hong Kong, preparations are underway for a potential data breach incident. The Privacy Commissioner has given illustrative examples of data breaches, such as unauthorized third-party access to personal data. In a deeply distressing incident, hackers leaked corporate data from London Drugs. The company confirmed that some of its data related to its corporate head office had been leaked online. The Police Service has been issued a preliminary enforcement notice, requiring the service to improve the security of personal information following a data breach.
Meanwhile, Optus is facing legal action over its 2022 data breach, which affected more than 10 users. Our empirical analysis of data breaches in publicly listed US firms from 2005 to 2017 indicates that, compared to the forms of CSI that violate broader norms, data breaches have a more significant negative impact on firm value. In a bid to protect organizations from data leaks, Code42 has partnered with Mimecast. The partnership aims to help joint customers detect and respond to threats while providing the visibility needed to keep work protected.
In other news, the European Parliament is notifying its staff that a threat actor breached its systems and exfiltrated sensitive data. Meanwhile, Trionfo Solutions has announced a data breach affecting the Social Security Numbers of 65,787 individuals. Stay tuned for more updates on the latest developments in the cybersecurity world. Stay safe and secure!
Data Breaches
- Software firm fined $74k for data breach caused by weak password: A software company has been fined $74,000 for a data breach that affected half a million users. The breach was caused by inadequate security measures, specifically a weak password. The commission found that the company failed to implement reasonable security arrangements to protect its students' personal data. Source: The Straits Times
- 'Deeply distressing': Hackers leak corporate London Drugs data: London Drugs confirmed that some of its corporate head office data has been leaked online. The Canadian company described the incident as 'deeply distressing'. The nature of the leaked data is not specified. Source: CHEK News
- Optus sued by watchdog over 2022 data breach: The Australian Communications and Media Authority (ACMA) has launched legal action against Optus over a 2022 data breach. The breach reportedly affected more than 10 individuals, but the exact number and nature of the data exposed are not specified. Source: Information Age | ACS
- Staff documents stolen in EU Parliament data breach: The European Parliament is notifying its staff that a threat actor breached its systems and exfiltrated sensitive data. The nature of the stolen documents and the number of affected individuals are not specified. Source: Cyber Daily
- Singapore Mustafa group reports massive data leak: Singapore's data protection agency is investigating a massive data leak at the Mustafa group of companies. The group, which runs a shopping mall in Little India, has not specified the nature of the leaked data or the number of affected individuals. Source: Indian Express
Security Research
- Three-year-old Apache Flink flaw under active attack: Security researchers have discovered an active attack on a three-year-old flaw in Apache Flink. Apache addressed the issue with versions 1.11.3 and 1.12.0, but exploit code was published shortly after. Source: The Register
- Google fixes yet another Chrome zero-day exploited in the wild (CVE-2024-5274): Google's Threat Analysis Group has reported another zero-day vulnerability in Chrome that was being exploited in the wild. The vulnerability, identified as CVE-2024-5274, has now been fixed. Source: Help Net Security
- Ransomware Attacks Exploit VMware ESXi Vulnerabilities in Alarming Pattern: Security researcher Tyler McGraw has highlighted an alarming pattern of ransomware attacks exploiting vulnerabilities in VMware ESXi. Successful execution of the malware provides the threat actor with elevated privileges. Source: The Hacker News
- CISA Warns of Actively Exploited Apache Flink Security Vulnerability: The Cybersecurity and Infrastructure Security Agency (CISA) has warned of an actively exploited security vulnerability in Apache Flink. Security researchers Lei Xu, Yue Guan, and Vaibhav Singhal first noted the issue in April 2021. Source: The Hacker News
- Active Chinese Cyberespionage Campaign Rifling Email Servers: Security researchers have warned of an active Chinese global cyberespionage campaign targeting at least nine different governments. The campaign continues to rifle through email servers. Source: GovInfoSecurity
Top CVEs
- CVE-2024-1947: A denial of service (DoS) vulnerability was found in GitLab CE/EE affecting all versions from 13.2.4 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. An attacker could exploit this vulnerability to create a DoS condition by sending crafted API requests. Source: CVE-2024-1947
- CVE-2023-6502: A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions before 16.10.6, version 16.11 before 16.11.3, and 17.0 before 17.0.1. An attacker could cause a denial of service using a crafted wiki. Source: CVE-2023-6502
- CVE-2024-5258: An authorization vulnerability exists within GitLab from versions 16.10 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. An authenticated attacker could exploit this vulnerability to bypass pipeline authorization using a crafted naming convention. Source: CVE-2024-5258
- CVE-2023-7045: A CSRF vulnerability exists within GitLab CE/EE from versions 13.11 before 16.10.6, from 16.11 before 16.11.3, from 17.0 before 17.0.1. An attacker could exploit this vulnerability to exfiltrate anti-CSRF tokens via the Kubernetes Agent Server. Source: CVE-2023-7045
- CVE-2024-4378: The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's menu and shape widgets in all versions up to, and including, 4.10.30. This vulnerability allows authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Source: CVE-2024-4378
API Security
- Pug 3.0.2 JavaScript Code Execution Vulnerability (CVE-2024-36361): Pug, up to version 3.0.2, allows JavaScript code execution if an application accepts untrusted input for the name option of certain functions. These functions are typically used for compiling Pug templates into JavaScript, making them a potential security risk if misused. Source: vulners.com
- D-Link DIR-2150 Remote Code Execution Vulnerability (CVE-2024-5291): This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-2150 routers. The flaw exists within the SOAP API interface, which lacks proper validation of user-supplied strings before executing a system call. Source: vulners.com
- Tauri API Access Control Bypass (iFrames Bypass Origin Checks): Remote origin iFrames in Tauri applications can access the Tauri IPC endpoints without being explicitly allowed. This bypasses the origin check and allows iFrames to access the IPC endpoints exposed to the parent window, potentially leading to security risks. Source: vulners.com
- jupyter-scheduler Missing Authentication (CVE-2024-5168): jupyter_scheduler is missing an authentication check in Jupyter Server on an API endpoint. This allows an unauthenticated user to obtain the list of Conda environment names on the server, potentially revealing sensitive information. Source: vulners.com
- GitLab CE/EE Denial of Service Vulnerability (CVE-2024-1947): A denial of service (DoS) condition was discovered in GitLab CE/EE affecting all versions from 13.2.4 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. An attacker could create a DoS condition by sending crafted API requests. Source: vulners.com
Sponsored by Wallarm API Security Solution
Final Words
And that's a wrap for today's edition of Secret CISO. As we've seen, the digital landscape is a battlefield, and the war on data breaches is far from over. From software firms fined for weak passwords to hackers leaking corporate data, the need for robust security measures has never been more critical. Remember, knowledge is power. Stay informed, stay vigilant, and most importantly, stay secure.
If you found this newsletter helpful, please consider sharing it with your friends and colleagues. Let's work together to create a safer digital world.
Until next time, keep those passwords strong and those systems secure.