Secret CISO 7/12: AT&T's Massive Data Breach Impacts Nearly All Customers, Ticketmaster's Data Breach Affects Credit Card Info, Research on Optimizing Data Security in Medical Field, 10 Billion Passwords Stolen in Cyber Attack


Welcome to today's issue of Secret CISO. We're diving into the deep end of data breaches, with AT&T making headlines as their massive data breach impacts nearly all customers. This breach has exposed customer call and text records, leaving millions of users vulnerable. But AT&T isn't the only one in the hot seat.

Ticketmaster has also reported a data breach, with customers' credit card information at risk. On the research front, we're looking at the role of AI in defense and public safety, and how researchers are optimizing data security in the medical field. We'll also touch on the latest security regulations, the theft of 10 billion passwords, and the ongoing NuGet supply chain attack. Stay tuned for all this and more in today's issue of Secret CISO.

Data Breaches

  1. Massive AT&T Data Breach Impacts Nearly All Customers: AT&T has suffered a significant data breach, impacting almost all of its customers. The breach exposed call and text records, but did not include the content of calls or texts, or any personally identifiable information such as Social Security numbers or dates of birth. AT&T has launched an investigation and engaged cybersecurity experts to understand the scope of the breach. Source: Channel Futures, The New York Times, PBS News

Security Research

  1. Optimizing Research Data – Tools and Techniques for Medical Professionals: Researchers are implementing stringent security measures to protect sensitive patient information and comply with regulatory requirements in the medical field. Source: medicalresearch.com
  2. Security regulations attacked, OpenAI secrets theft, 10 billion passwords stolen: A hacker named “ObamaCare” has allegedly posted a database of almost 10 billion unique passwords, according to Cybernews security researchers. Source: cisoseries.com
  3. AI's role in defense and public safety: The development of AI-driven security solutions is set to transform both the defense sector and civilian policing. Source: timesofindia.indiatimes.com
  4. DarkGate Malware Exploits Samba File Shares in Short-Lived Campaign: Cybersecurity researchers have shed light on a short-lived DarkGate campaign that exploits Samba file shares. Source: thehackernews.com
  5. Ongoing NuGet supply chain attack involves dozens of new malicious packages: Security researcher Karlo Zanki highlights new ways in which malicious actors are scheming to fool developers in the latest NuGet supply chain attack. Source: scmagazine.com

Top CVEs

  1. CVE-2024-6677: A privilege escalation vulnerability has been discovered, potentially allowing unauthorized users to gain higher-level permissions. The impact and severity of this vulnerability are yet to be determined. Source: CVE-2024-6677
  2. CVE-2024-6468: A flaw in Vault and Vault Enterprise could lead to a denial of service when receiving a request from an unauthorized IP address. The issue has been fixed in Vault and Vault Enterprise 1.17.2 and 1.16.6. Source: CVE-2024-6468
  3. CVE-2024-40690: IBM InfoSphere Server 11.7 is vulnerable to cross-site scripting, potentially leading to credentials disclosure within a trusted session. The vulnerability can only be exploited by an authenticated user. Source: CVE-2024-40690
  4. CVE-2024-36435: A vulnerability in Supermicro BMC firmware could allow an unauthenticated user to trigger a stack buffer overflow, potentially leading to arbitrary remote code execution. Source: CVE-2024-36435
  5. CVE-2024-6531: A vulnerability in Bootstrap exposes users to Cross-Site Scripting (XSS) attacks due to inadequate sanitization in the carousel component. Attackers could potentially execute arbitrary JavaScript within the victim's browser. Source: CVE-2024-6531

API Security

  1. SQL Injection Vulnerability in my-springsecurity-plus: The my-springsecurity-plus software before v2024.07.03 was discovered to contain a SQL injection vulnerability via the dataScope parameter. This vulnerability could allow an attacker to manipulate the database and potentially gain unauthorized access to sensitive data. Source: CVE-2024-40539
  2. SQL Injection in KubeClarity REST API: KubeClarity, a tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems, was found to have a time/boolean SQL Injection vulnerability in its REST API. This could potentially allow an attacker to gain unauthorized access to the KubeClarity database. Source: CVE-2024-39909
  3. Authentication Bypass in MStore API: The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.14.7. This vulnerability could allow unauthenticated attackers to log in as any existing user on the site, potentially gaining unauthorized access to sensitive data. Source: CVE-2024-6328
  4. Improper Check or Handling of Exceptional Conditions in HashiCorp Vault: HashiCorp Vault did not properly handle requests originating from unauthorized IP addresses when the TCP listener option, proxy_protocol_behavior, was set to deny_unauthorized. This could potentially result in denial of service. Source: CVE-2024-6468
  5. Incorrect Authorization in Red-DiscordBot commands API: Due to a bug in Red's Core API, 3rd-party cogs using the @commands.can_manage_channel() command permission check without additional permission controls may authorize a user to run a command even when that user doesn't have permissions to manage a channel. This could potentially allow unauthorized users to execute commands. Source: CVE-2024-39905

Sponsored by Wallarm API Security Solution

Final Words

That's a wrap for today's edition of Secret CISO. We've covered a lot of ground, from the massive AT&T data breach impacting nearly all customers, to the latest security research and vulnerabilities. Remember, in this ever-evolving digital landscape, staying informed is your first line of defense.

If you found this newsletter helpful, please consider sharing it with your colleagues and friends. They might find it just as useful as you do. Let's work together to create a safer digital world. Until next time, stay safe and secure!

By Secret CISO