Secret CISO 6/21: Jollibee and LA Unified School District Data Breaches, Dell and Dropbox Under Fire, US Bans Kaspersky, Research on Optus and CertiK

Welcome to today's issue of Secret CISO, your daily dose of cybersecurity news. Today, we're diving into a series of data breaches that have left millions of customers' data exposed. From Jollibee Foods Corporation to Dell and Total Fitness, no industry is safe from the threat of cyberattacks. In the education sector, the Los Angeles Unified School District confirms that vendor data was stolen in a Snowflake cyberattack. Meanwhile, Dropbox is facing a surge of data breach class actions in California. On the regulatory front, the US government has banned the sale of Kaspersky products due to security risks from Russia.

In the world of cybersecurity research, we're looking at a path traversal vulnerability in RAD Data's SecFlow-2 hardware and the fallout from a contentious bug bounty incident involving Kraken and CertiK. Stay tuned for more updates and remember, knowledge is the first line of defense. Stay safe out there!

Data Breaches

  1. Jollibee Customer Data Breach: A cybersecurity group has raised concerns over a large-scale data breach that has potentially exposed the information of millions of Jollibee customers. The company has yet to comment on these circulating reports. Source: Bilyonaryo
  2. Snowflake Cyberattack on LAUSD: The Los Angeles Unified School District has confirmed that data from one of its vendors was stolen in a cyberattack on Snowflake. However, there is currently no evidence that the district's own systems were breached. Source: StateScoop
  3. Dell Data Breach: Dell recently suffered a significant data breach, with a threat actor exploiting API vulnerabilities to steal 49 million customer records. The full extent of the breach is still being investigated. Source: Security Boulevard
  4. Total Fitness Data Leak: UK-based health club chain Total Fitness has suffered a data leak, exposing KYC and card data, including half a million images of men, women, and children. The cause of the leak is still unknown. Source: Hackread
  5. Optus Data Breach: Australian telco Optus has suffered a data breach, exposing the personal information of over nine million customers. The breach has been attributed to a coding error in a forgotten API. Source: The Register

Security Research

  1. SolarWinds Serv-U Vulnerability Under Active Attack - Patch Immediately: Security researcher Hussein Daher of Web Immunify discovered a flaw in SolarWinds Serv-U. The vulnerability is under active attack and users are urged to patch immediately. Source: The Hacker News
  2. Kraken Recovers $3 Million in Missing Funds After Bug Bounty Exploit: Kraken recovered $3 million in missing funds following a bug bounty exploit. The security researcher allegedly extorted the exchange, refusing to return the funds without a reward. Source: Yahoo Finance
  3. NBI arrests 3 over alleged hacking of gov't websites: The National Bureau of Investigation (NBI) arrested three individuals over the alleged hacking of government websites. One of those arrested is employed as a security researcher at a company. Source: GMA News Online
  4. What Can Be Done to Improve Cloud Security: Maia Hamin, an associate director with the Atlantic Council's Cyber Statecraft Initiative (part of the Digital Forensic Research Lab), discusses ways to improve cloud security. Source: Lawfare Daily
  5. New Rust-based malware targets Microsoft Windows, abuses PowerShell, and steals sensitive info: A new Rust-based malware is targeting Microsoft Windows, abusing PowerShell, and stealing sensitive information. The malware is flexible and receives its list of targets from its server. Source: TechRadar

Top CVEs

  1. CVE-2024-38082 - Microsoft Edge (Chromium-based) Spoofing: This vulnerability allows attackers to spoof the content displayed in the Edge browser, potentially leading to phishing attacks or misinformation. Microsoft has yet to release a patch. Source: CVE-2024-38082
  2. CVE-2024-37532 - IBM WebSphere Application Server Identity Spoofing: This vulnerability allows authenticated users to spoof their identity due to improper signature validation. IBM has released a patch to address this issue. Source: CVE-2024-37532
  3. CVE-2024-29013 - SonicOS SSL-VPN Heap-based Buffer Overflow: This vulnerability allows authenticated remote attackers to cause a Denial of Service (DoS) via a memcpy function. SonicWall has yet to release a patch. Source: CVE-2024-29013
  4. CVE-2023-25646 - ZTE H388X Unauthorized Access: This vulnerability allows attackers with common user permissions to obtain elevated permissions on the affected device by performing specific operations. ZTE has yet to release a patch. Source: CVE-2023-25646
  5. CVE-2024-5447 - PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress Plugin Stored Cross-Site Scripting: This vulnerability allows high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. The plugin's developers have yet to release a patch. Source: CVE-2024-5447

API Security

  1. Exploit for CVE-2024-30270 - Mailcow XSS and RCE: A script has been designed to exploit vulnerabilities in a Mailcow instance using Cross-Site Scripting (XSS) and Remote Code Execution (RCE). The script injects an XSS payload into a Mailcow web interface and uses it to execute unauthorized actions, achieving RCE by overwriting a server template and executing commands. Source: CVE-2024-30270
  2. Exploit for CVE-2024-28397 - js2py Remote Code Execution: A vulnerability in the js2py Python package allows attackers to obtain references to Python objects in the js2py environment, enabling them to execute arbitrary commands on the host. The vulnerability affects js2py versions up to 0.74 running under Python 3. Source: CVE-2024-28397
  3. CVE-2024-3961 - ConvertKit – Email Newsletter, Email Marketing, Subscribers and Landing Pages: The ConvertKit plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the tag_subscriber function. This allows unauthenticated attackers to subscribe users to tags, potentially causing financial damages to site owners if their API quota is exceeded. Source: CVE-2024-3961
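The ConvertKit item above illustrates a common WordPress plugin defect: an AJAX action that reaches a paid third-party API without checking who is calling. The following is an added illustrative example written for this newsletter, not ConvertKit's code; the plugin name `example_tags`, the action `example_tag_subscriber`, the helper `example_api_tag_subscriber()` and the API URL are all hypothetical. It shows the weak pattern (handler exposed to unauthenticated `nopriv` requests with no nonce or capability check) next to a hardened version that only responds to logged-in users with a valid nonce and the right capability, and validates the input before spending API quota.

```php
<?php
// Added example (not ConvertKit's or any real plugin's code).
// Hypothetical plugin "example_tags" exposing an AJAX endpoint that tags a subscriber
// via a remote API. Names, hooks and the API URL are placeholders.

/**
 * Hypothetical outbound call to a third-party API (placeholder URL).
 * Every call counts against the site owner's API quota, so it must be gated.
 */
function example_api_tag_subscriber( $email, $tag_id ) {
    return wp_remote_post(
        'https://api.example.invalid/v1/tags/' . $tag_id . '/subscribe', // placeholder
        array(
            'timeout' => 5,
            'body'    => array( 'email' => $email ),
        )
    );
}

// ---- BEFORE (weak pattern, shown for contrast; do not register these hooks) ----
// add_action( 'wp_ajax_nopriv_example_tag_subscriber', 'example_tag_subscriber_unsafe' );
// add_action( 'wp_ajax_example_tag_subscriber',        'example_tag_subscriber_unsafe' );
function example_tag_subscriber_unsafe() {
    // No nonce, no capability check: any visitor can drive the remote API
    // and exhaust the site's quota. Sanitising the input does not fix authorisation.
    $email  = sanitize_email( $_POST['email'] ?? '' );
    $tag_id = absint( $_POST['tag_id'] ?? 0 );
    example_api_tag_subscriber( $email, $tag_id );
    wp_send_json_success();
}

// ---- AFTER (hardened) ----
// Only the authenticated hook is registered; the "nopriv" variant is deliberately absent,
// so unauthenticated requests never reach the handler.
add_action( 'wp_ajax_example_tag_subscriber', 'example_tag_subscriber_safe' );
function example_tag_subscriber_safe() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    //    check_ajax_referer() terminates the request with -1 on failure.
    check_ajax_referer( 'example_tag_subscriber', 'nonce' );

    // 2. Authorisation: tagging subscribers is a site-management operation.
    //    Use the narrowest capability that fits; manage_options is used here as a placeholder.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input validation after the authorisation decision.
    $email  = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $tag_id = absint( $_POST['tag_id'] ?? 0 );
    if ( ! is_email( $email ) || 0 === $tag_id ) {
        wp_send_json_error( 'invalid input', 400 );
    }

    // 4. Only now spend API quota, and surface transport errors instead of hiding them.
    $response = example_api_tag_subscriber( $email, $tag_id );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( 'upstream error', 502 );
    }
    wp_send_json_success();
}

// The admin-side script that calls this endpoint must send the matching nonce, e.g.
// wp_localize_script( 'example-tags-admin', 'exampleTags',
//     array( 'nonce' => wp_create_nonce( 'example_tag_subscriber' ) ) );
```

The order matters: the nonce and capability checks run before any input is read or any remote call is made, so an unauthenticated or cross-site request fails fast and never consumes quota. When auditing plugins for this class of issue, look for `wp_ajax_nopriv_*` registrations and for `wp_ajax_*` handlers that lack `current_user_can()` or a nonce check before the side effect.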

Sponsored by Wallarm API Security Solution

Final Words

And that's a wrap for today's edition of Secret CISO. We hope you found this information valuable in keeping your organization's data secure. Remember, cybersecurity is not a one-time event but a continuous process. Stay vigilant, stay informed, and most importantly, stay secure. If you found this newsletter helpful, please consider sharing it with your colleagues and friends.

Let's work together to create a safer digital world. Until next time, keep those firewalls up and those passwords strong. Stay safe out there.
