Secret CISO 7/4: Twilio's Authy App Breach Exposes Millions, Alabama Education System Under Cyber Attack, Australian Mining Firm Opaxe Faces Data Breach, Anthropic Calls for AI Safety Proposals


Good morning, Secret CISO readers! Today's newsletter is packed with important updates from the world of cybersecurity. First up, we delve into the recent data breach at Twilio's Authy app, which exposed millions of phone numbers. A list of phone numbers may seem harmless at first glance, but it is exactly what phishing and SMS phishing campaigns need. Next, we turn our attention to the Alabama State Department of Education, which is grappling with the aftermath of a cyber attack. What data, if any, was taken is still unknown, but we'll keep you updated as more information comes to light. In other news, CentroMed has regained access to its systems after a data breach that left them inaccessible for about a month.

Meanwhile, Australian mining software firm Opaxe is facing an unconfirmed data breach, with a threat actor claiming to have stolen sensitive data on 16,000 users. In the research and AI safety sector, Anthropic is calling for proposals to evaluate advanced models, while Ontario has released new research security guidelines. Lastly, we round up the latest vulnerabilities and patches, and also note a significant data breach at New Mexico Public Defenders and the new security disclosure policy announced by Bitcoin Core. Stay tuned for these stories and more in today's edition of Secret CISO.

Data Breaches

  1. Twilio's Authy App Data Breach: Twilio has confirmed that attackers used an unauthenticated endpoint to identify the phone numbers of users of its two-factor authentication app, Authy. Only phone numbers were exposed, but a list of numbers known to belong to 2FA users is exactly what phishing and SMS phishing campaigns need. Users are urged to update the app and to treat unsolicited texts or calls asking for login codes with suspicion. Source: TechCrunch, The Hacker News.
  2. Alabama State Department of Education Data Breach: The Alabama State Department of Education has suffered a data breach during a cyber attack. The specifics of the data potentially taken are still unknown. An investigation is ongoing. Source: YouTube, WAFF.
  3. CentroMed Data Breach: CentroMed has regained access to its systems after a data breach, which occurred on April 30, left them inaccessible for about a month. The extent of the data compromised has not been specified. Source: KSAT.
  4. Australian Mining Software Firm Opaxe Data Breach: A threat actor claims to have stolen sensitive data from Australian mining software firm Opaxe, including the personally identifiable information (PII) of 16,000 users. The breach is currently unconfirmed. Source: The Cyber Express.
  5. HealthEquity Data Breach: Health tech services provider HealthEquity has disclosed a data breach in a filing with federal regulators. The company has described the breach as an 'isolated incident'. Source: TechCrunch.

Security Research

  1. AI safety and research company Anthropic calls for proposals to evaluate advanced models: Anthropic is calling for proposals for new evaluations of advanced AI models. The initiative aims to source third-party evaluations that measure the safety and capabilities of AI systems. Source: readwrite.com
  2. Ontario releases research security guidelines: The Government of Ontario has introduced new research security guidelines. These guidelines are intended for researchers applying for Ontario research funding programs, aiming to ensure the security and integrity of their work. Source: queensu.ca
  3. Bitcoin Core Announces New Security Disclosure Policy: Bitcoin Core has announced a new security disclosure policy. It sets out how security researchers report vulnerabilities they find in the software and how fixed issues are disclosed afterwards, giving node operators a clearer view of the risk of running outdated versions. Source: bitcoinmagazine.com
  4. Different makes us stronger: American diversity is a national security asset: In an op-ed featured in DefenseScoop, Jaret C. Riddick provides expert analysis on the Great Power Competition. He argues that American diversity is a national security asset, contributing to the country's strength and resilience. Source: cset.georgetown.edu
  5. Free Malware Research with ANY.RUN Sandbox: Now Windows 10 Access for All Users: ANY.RUN Sandbox, a tool for malware research, is now offering Windows 10 access for all users. The company believes that everyone should have access to good security analysis tools, regardless of their plan. Source: cybersecuritynews.com

Top CVEs

  1. CVE-2024-39884 Apache HTTP Server: A regression in Apache HTTP Server 2.4.60 ignores some legacy content-type based handler configuration (AddType and similar), so that under some circumstances files requested indirectly are served as source rather than handled, e.g. PHP scripts delivered instead of interpreted. Users are advised to upgrade to version 2.4.61. Source: CVE-2024-39884
  2. CVE-2024-29510 Artifex Ghostscript: Artifex Ghostscript versions before 10.03.1 are vulnerable to memory corruption and SAFER sandbox bypass via format string injection in the uniprint device. Source: CVE-2024-29510
  3. CVE-2024-33871 Artifex Ghostscript: A vulnerability in Artifex Ghostscript before 10.03.1 allows arbitrary code execution via a custom Driver library, exploitable via a crafted PostScript document: the Driver parameter of the opvp and oprp devices can name an arbitrary dynamic library, which is then loaded. Source: CVE-2024-33871
  4. CVE-2024-33869 Artifex Ghostscript: Artifex Ghostscript before 10.03.1 is vulnerable to path traversal and command execution via a crafted PostScript document. Source: CVE-2024-33869
  5. CVE-2024-37082 HAProxy in Cloud Foundry: A security check loophole in the Cloud Foundry HAProxy release, in combination with the routing release prior to v40.17.0, potentially allows bypass of mTLS authentication to applications hosted on Cloud Foundry. Source: CVE-2024-37082

API Security

  1. Exploit for CVE-2024-34102: This exploit script targets CVE-2024-34102, an XML External Entity (XXE) vulnerability in Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier. An unauthenticated attacker sends a crafted XML document that references external entities; Adobe rates the flaw critical because it can lead to arbitrary code execution, and no user interaction is required. Source: vulners.com
  2. CVE-2024-6426: This information exposure vulnerability affects MESbook version 20221021.03. It could allow a local attacker with user privileges to access other resources by changing the API value in requests. Source: vulners.com
  3. CVE-2024-38453: The Avalara for Salesforce CPQ app before version 7.0 allows attackers to read an API key. The current version was 11 at the time of the report. Source: vulners.com
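
Because the Adobe Commerce flaw above is an XXE bug, here is an added example of what XXE actually does and which parser settings stop it. This is not Adobe's or Magento's code; it uses only the Python standard library's `xml.sax`, and the "secret" file, the payload and the function names are constructed for the demonstration. The vulnerable parser explicitly enables external general entity resolution (a knob Python turned off by default in 3.7.1, but which many other XML stacks leave on); the hardened parser keeps it off and refuses any document that carries a DOCTYPE at all, so an attacker cannot declare entities in the first place.

```python
"""XXE demo (constructed example, not Adobe Commerce code): a parser that resolves
external entities leaks a local file; a parser that rejects DTDs does not."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, property_lexical_handler


class TextCollector(ContentHandler):
    """Collects character data, i.e. what the application would 'read' from the document."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


class XmlRejected(ValueError):
    """Raised by the hardened parser when untrusted input carries a DTD."""


class DoctypeRejecter:
    """Lexical handler: any <!DOCTYPE ...> aborts the parse before an entity can be declared."""

    def startDTD(self, name, public_id, system_id):
        raise XmlRejected(f"DOCTYPE '{name}' not accepted from untrusted input")

    # Remaining lexical callbacks are no-ops; expatreader looks them up at reset time.
    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def parse_vulnerable(xml_bytes: bytes) -> str:
    """Parser configured to fetch external general entities: the XXE-prone setup."""
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)  # the dangerous knob
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def parse_hardened(xml_bytes: bytes) -> str:
    """External entities stay disabled and any DTD is rejected outright."""
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # explicit, so a default change can't bite
    parser.setProperty(property_lexical_handler, DoctypeRejecter())
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def xxe_payload(target_path: str) -> bytes:
    """Classic XXE document: an external entity whose SYSTEM id points at a local file.
    Real payloads use file:///etc/passwd style URLs, which urllib resolves the same way."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "' + target_path.encode() + b'">]>\n'
        b"<order><note>&xxe;</note></order>"
    )


def run_demo():
    """Writes a throwaway 'secret' file, feeds the payload to both parsers, returns the outcomes."""
    secret = "db_password=hunter2-constructed-for-demo"  # constructed sample content
    with tempfile.NamedTemporaryFile("w", suffix=".env", delete=False) as f:
        f.write(secret)
        secret_path = f.name
    try:
        payload = xxe_payload(secret_path)
        leaked = parse_vulnerable(payload)  # file content comes back as element text
        try:
            parse_hardened(payload)
            hardened_outcome = "parsed"
        except XmlRejected:
            hardened_outcome = "rejected"
    finally:
        os.unlink(secret_path)
    return secret, leaked, hardened_outcome


if __name__ == "__main__":
    secret, leaked, outcome = run_demo()
    print("vulnerable parser returned:", leaked)
    print("hardened parser:", outcome)
```

The same two controls apply to whatever XML library a real application uses: never resolve external entities for untrusted input, and refuse documents that contain a DTD rather than trying to filter individual entity declarations. Note that the hardened parser still handles ordinary documents normally; only the DOCTYPE is rejected.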

Sponsored by Wallarm API Security Solution

Final Words

That's it for today's edition of Secret CISO. We've covered a lot of ground, from the data breaches at Twilio and the Alabama State Department of Education to the latest research in AI safety and cybersecurity. Remember, staying informed is the first step in staying secure.

If you found this newsletter helpful, please consider sharing it with your colleagues and friends. They might find it just as enlightening.

And remember, in the world of cybersecurity, knowledge is the best defense. Stay safe, stay informed, and see you in the next edition of Secret CISO.

By Secret CISO