Good morning! In today's edition of Secret CISO, we delve into a series of data breaches that have rocked the tech world. Maxicare, a health insurance provider in the Philippines, has reported a data breach to the National Privacy Commission, compromising the data of 1,000 firms. In the US, Truist Bank has confirmed a data breach following a hack last year. Meanwhile, hackers are increasing pressure on Snowflake customers to make ransom payments, and Finland has seen a record number of data breach reports in 2023.

In other news, a $1.5 million class action settlement has been reached following a CGM data breach. In the realm of cybersecurity research, a new TikTag attack targets Arm CPU security features, and Gigamon research reveals that global security leaders are losing ground in the race against cybercrime. Stay tuned for more updates and remember, knowledge is the best defense against cyber threats. Stay safe!

Data Breaches

1. Maxicare Data Breach: Health insurance provider Maxicare has reported a data breach to the National Privacy Commission, potentially exposing the data of 1,000 firms. The breach was first reported by Deep Web Konek, who identified that hackers under the name OPCODE-90 secured personal and booking data. Source: Philstar, Bilyonaryo
2. Truist Bank Data Breach: US-based Truist Bank has confirmed a data breach following a hack in October 2023. The breach was confirmed after a threat actor posted some of the bank's data online. Source: CIO News
3. CGM Data Breach Settlement: Consumers are set to receive payments and credit monitoring benefits from a $1.5 million settlement following a data breach at CGM. Source: Top Class Actions
4. Data Breach Reports in Finland: Finland's Data Protection Ombudsman received a record 6900 data breach reports in 2023, marking an increase of 1400 from the previous year. Source: Yle News
5. Los Angeles County DPH Data Breach: A phishing attack led to a data breach at the Los Angeles County Department of Public Health (DPH), exposing the login credentials of 53 DPH employees. Source: The Cyber Express

Security Research

1. Sealed Legal And Medical Court Records Exposed In Massive Breach: Security researcher Jason Parker discovered a massive breach that exposed sealed legal and medical court records. The breach, which was disclosed following standard responsible disclosure protocols, has raised serious concerns about the security of sensitive information. Source: Forbes
2. New TikTag Attack Targets Arm CPU Security Feature: Researchers have found a new security vulnerability, dubbed "TikTag", that targets the MTE security feature in Arm CPUs. The attack demonstrates how attackers could bypass protections, posing a significant threat to devices using Arm CPUs. Source: SecurityWeek
3. Cyber Threat Intelligence Pros Assess AI Threats Readiness: Security researchers are warning about the rise of "deep scams", which involve the automation of sophisticated cyberattacks. These scams are becoming more frequent and pose a significant threat to cybersecurity. Source: Infosecurity Magazine
4. Gigamon Research Reveals Global Security Leaders Are Losing Ground: A new study by Gigamon reveals that global security leaders are losing ground in the fight against cybercrime, with undetected breaches rising by 20%. The research highlights the increasing challenges faced by security professionals in detecting and preventing cyberattacks. Source: Intelligent CISO
5. New Malware Targets Exposed Docker APIs for Cryptocurrency Mining: Security researcher Matt Muir has discovered a new malware that targets exposed Docker APIs for cryptocurrency mining. The malware overwrites existing shell scripts, posing a significant threat to systems with exposed Docker APIs. Source: The Hacker News

Top CVEs

1. CVE-2024-37079 - vCenter Server Heap-Overflow Vulnerability: vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution. Source: CVE-2024-37079
2. CVE-2024-3276 - Lightbox & Modal Popup WordPress Plugin XSS: The Lightbox & Modal Popup WordPress Plugin before 2.7.28 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Source: CVE-2024-3276
3. CVE-2024-37081 - vCenter Server Local Privilege Escalation: The vCenter Server contains multiple local privilege escalation vulnerabilities due to misconfiguration of sudo. An authenticated local user with non-administrative privileges may exploit these issues to elevate privileges to root on vCenter Server. Source: CVE-2024-37081
4. CVE-2024-37080 - vCenter Server Heap-Overflow Vulnerability: vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution. Source: CVE-2024-37080
5. CVE-2024-37902 - DeepJavaLibrary(DJL) Path Traversal: DeepJavaLibrary(DJL) versions 0.1.0 through 0.27.0 do not prevent absolute path archived artifacts from inserting archived files directly into the system, overwriting system files. This is fixed in DJL 0.28.0 and patched in DJL Large Model Inference containers version 0.27.0. Users are advised to upgrade. Source: CVE-2024-37902

API Security

1. Divi Theme for WordPress Stored Cross-Site Scripting: The Divi theme for WordPress, up to and including version 4.25.1, is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Source: CVE-2024-5533
2. Rancher's RKE1 Encryption Config kept in plain-text within cluster AppliedSpec: A vulnerability has been identified in clusters provisioned using RKE1 with secrets encryption configuration enabled. The Kube API secret values are written in plaintext on the AppliedSpec, potentially allowing unauthorized users to gain access to the entire secrets encryption config specific for the cluster. Source: GHSA-Q6C7-56CQ-G2WM
3. Lobe Chat API Key Leak: If an attacker can successfully authenticate through SSO/Access Code in Lobe Chat, they can obtain the real backend API Key by modifying the base URL to their own attack URL on the frontend and setting up a server-side request. Source: GHSA-P36R-QXGX-JQ2V
4. Firefly III MFA Bypass in OAuth Flow: A MFA bypass in the Firefly III OAuth flow may allow malicious users to bypass the MFA-check, potentially allowing them to gain access to Firefly III data using passwords stolen from other sources. This issue has been patched in Firefly III v6.1.17 and up. Source: GHSA-4GM4-C4MH-4P7W
5. LNbits Improper Handling of Network and Payment Failures: Paying invoices in LNbits that do not get settled within the internal timeout (about 30s) lead to a payment being considered failed, even though it may still be in flight. This vulnerability can lead to a total loss of funds. Source: GHSA-3J4H-H3FP-VWWW

Sponsored by Wallarm API Security Solution

Final Words

That's it for today's edition of Secret CISO. We've covered a lot of ground, from the data breaches at Maxicare and Truist Bank, to the increasing pressure on Snowflake customers to make ransom payments. Remember, cybersecurity is a shared responsibility. Stay vigilant, stay informed, and most importantly, stay safe.

If you found this newsletter helpful, please consider sharing it with your colleagues and friends. Let's work together to create a safer digital world. Until next time, keep those systems secure!