Welcome to today's issue of Secret CISO, your daily dose of cybersecurity news. Today, we're diving into a series of data breaches affecting companies across the globe. First up, Baw Baw Shire Council is contacting residents following a cyber security incident involving an after-hours service provider. Meanwhile, First American Financial Corporation is facing a potential class action lawsuit after sending out data breach notices. In tech news, Life360, the company behind the popular Tile trackers, has confirmed a data breach, with hackers successfully breaching its systems and stealing customer data. The company has assured customers that it is taking steps to improve its cybersecurity posture in the wake of the incident.

On the legislative front, the Consumer Protection Committee has approved bills aimed at improving fee transparency and helping data breach victims. In retail, two New Jersey Aldi stores and three California Aldi stores have been affected by a data breach that occurred from December 2024 through January 2024. In the world of research, Forbes highlights the importance of robust data security measures in reducing the risk of data breaches, while Semiconductor Engineering explores why temperature is becoming a growing concern for chip security experts.

Finally, we have a series of updates on various data breaches, including those at Pure Storage, Ashley Furniture, and Desjardins. Stay tuned for more updates and remember, knowledge is the first line of defense in cybersecurity. Stay safe out there!

Data Breaches

1. Baw Baw Data Security Breach: Baw Baw Shire Council is alerting residents of a cyber security incident involving an after-hours service provider. The extent of the breach and the data involved are yet to be disclosed. Source: IDM Magazine
2. First American Financial Corporation Data Breach: First American Financial Corp. is facing potential class action lawsuits following a data breach. The company has started sending out data breach notices to affected individuals. Source: ClassAction.org
3. Tile's Security Breach: Life360, the company that owns Tile trackers, has confirmed a data breach. A hacker managed to infiltrate the company's systems and steal customer data. The extent of the breach is currently under investigation. Source: How-To Geek
4. UnitedHealth Data Breach: The U.S. Department of Health and Human Services has allowed UnitedHealth Group Inc. to notify individuals whose data was exposed in a recent breach. The details of the breach and the number of affected individuals are yet to be disclosed. Source: Business Insurance
5. Pure Storage Data Breach: Pure Storage has confirmed a data breach in its Snowflake Workspace. The exposed data includes customer names, usernames, and email addresses. The company is currently investigating the incident. Source: The Cyber Express

Security Research

1. Microsoft's Profit Over Security Decision: Microsoft's decision to prioritize profit over security has left the U.S. government vulnerable to Russian hackers. After months of research, a serious flaw was discovered in a product used by millions for logging in. Source: ProPublica.
2. Auto Giant Data Leak: A data leak has revealed that an auto giant and others have been harvesting user data to train AI models. This serves as a reminder of the risks present in traditional online tools. Source: Cybernews.
3. Global Identity Verification Research: The global identity verification industry is expanding and being adopted more widely due to increased security and user trust in the digital age. Source: Yahoo Finance.
4. Temperature and Chip Security: Temperature has become a significant concern for security researchers due to its impact on the performance of chips. Source: Semiconductor Engineering.
5. New Research Security Measures by NSF: The National Science Foundation is adopting new research security measures to balance bold investment with principled collaboration. Source: Research Professional News.

Top CVEs

1. CVE-2023-47828 - Missing Authorization in Mandrill wpMandrill: A missing authorization vulnerability has been identified in the wpMandrill plugin. The issue affects all versions up to the latest release. An attacker could potentially exploit this vulnerability to gain unauthorized access to sensitive information or functionality. Source: CVE-2023-47828
2. CVE-2023-48280 - Missing Authorization in Consensu.IO: Consensu.IO has a missing authorization vulnerability that affects all versions. This could allow an attacker to access sensitive information or functionality without the necessary permissions. Source: CVE-2023-48280
3. CVE-2023-47845 - Cross-Site Request Forgery in Grab & Save: A Cross-Site Request Forgery (CSRF) vulnerability has been found in the Grab & Save plugin. This issue affects all versions and could allow an attacker to trick a victim into performing actions they did not intend to. Source: CVE-2023-47845
4. CVE-2023-44234 - Missing Authorization in WP GPX Map: WP GPX Map plugin has a missing authorization vulnerability that affects all versions. An attacker could exploit this vulnerability to gain unauthorized access to sensitive information or functionality. Source: CVE-2023-44234
5. CVE-2023-51413 - Missing Authorization in Piotnet Forms: Piotnet Forms plugin has a missing authorization vulnerability that affects all versions. This could allow an attacker to access sensitive information or functionality without the necessary permissions. Source: CVE-2023-51413

API Security

1. Exploit for CVE-2024-29855: An authentication bypass vulnerability (CVE-2024-29855) has been discovered in Veeam Recovery Orchestrator. The vulnerability is not as severe as it might sound, but the mechanics of this vulnerability are a bit interesting. The vulnerability was resolved starting in Veeam Recovery Orchestrator 7.1.0.230 and 7.0.0.379. Source: vulners.com
2. HashiCorp Vault Incorrectly Validated JSON Web Tokens (JWT) Audience Claims: Vault and Vault Enterprise did not properly validate the JSON Web Token (JWT) role-bound audience claim when using the Vault JWT auth method. This may have resulted in Vault validating a JWT the audience and role-bound claims do not match, allowing an invalid login to succeed when it should have been rejected. This vulnerability, CVE-2024-5798, was fixed in Vault and Vault Enterprise 1.17.0, 1.16.3. Source: vulners.com
3. CVE-2024-3468: A vulnerability in AVEVA PI Web API could allow malicious code to execute on the PI Web API environment under the privileges of an interactive user that was socially engineered to use API XML import functionality with content supplied by an attacker. Source: vulners.com
4. @strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass: By combining two vulnerabilities (an Open Redirect and session token sent as URL query parameter) in Strapi framework, it's possible for an unauthenticated attacker to bypass authentication mechanisms and retrieve the 3rd party tokens. The attack requires user interaction (one click). Source: vulners.com
5. Elasticsearch Remote Cluster Search Cross Cluster API Key insufficient restrictions: It was identified that if a cross-cluster API key restricts search for a given index using the query or the field_security parameter, and the same cross-cluster API key also grants replication for the same index, the search restrictions are not enforced during cross cluster search operations and search results may include documents and terms that should not be returned. Source: vulners.com

Sponsored by Wallarm API Security Solution

Final Words

And that's a wrap for today's edition of Secret CISO. We've covered a range of data breaches, from Baw Baw Shire Council to First American Financial Corporation, and even touched on the recent security breach at Tile. It's clear that no organization is immune to cyber threats, and it's our job to stay informed and prepared. Remember, knowledge is power. The more we understand about these incidents, the better equipped we are to prevent them in our own organizations.

So, don't keep this valuable information to yourself. Share this newsletter with your colleagues and friends, and let's work together to create a safer digital world. Stay safe, stay informed, and see you in the next edition of Secret CISO.