Welcome to today's issue of Secret CISO, your daily dose of cybersecurity insights. Today, we're diving into the world of health data breaches, with a special focus on the top 10 breaches of the first half of 2024. We'll also be discussing the recent hacking attack on the Alabama Education Department, which resulted in a significant data breach. In AI news, we're looking at the recent OpenAI breach, reminding us that AI companies are indeed treasure troves for hackers. We'll also be discussing the Authy data breach, which compromised 33 million linked phone numbers, and the denial of a massive data breach claim by Bharti Airtel.

In the realm of cybersecurity research, we'll be exploring the discovery of a cache of a billion stolen passwords and the urgent call for the government to set up a nodal body to confirm breaches. Lastly, we'll be examining the latest vulnerabilities and patches, including a critical security breach in OpenAI that was not revealed in 2023. Stay tuned for these stories and more in today's issue of Secret CISO. Stay safe, stay informed.

Data Breaches

1. Healthcare Data Breaches: Numerous health systems and healthcare companies have suffered cyberattacks in the first half of 2024, leading to significant data breaches. The exact impact and details of these breaches are yet to be disclosed. Source: Chief Healthcare Executive
2. Alabama Education Department Hacked: The Alabama Education Department fell victim to a hacking attack, resulting in a data breach. The extent of the breach and the data compromised are currently under investigation. Source: WBRC
3. Authy Data Breach: Twilio, the company behind the two-factor authentication app Authy, reported a security breach that exposed 33 million Authy-linked phone numbers. The company has not disclosed any other user data being compromised. Source: GizmoChina
4. Airtel Data Breach: Bharti Airtel has denied claims of a massive data breach, which alleged that the data of 375 million Indian users was up for sale on the dark web. The company is currently investigating these claims. Source: BizzBuzz
5. Ticketmaster Data Breach: The hacking group behind the Ticketmaster data breach has revealed a slew of Eras Tour ticketing data, increasing the ransom ask. The exact impact of the breach is still under investigation. Source: Digital Music News

Security Research

1. Researchers Discover Cache of Billion Stolen Passwords: Security researchers have reportedly uncovered the largest cache of stolen credentials ever discovered. The implications of this discovery are vast, as it highlights the extent of data breaches and the potential for misuse of personal information. Source: Security Boulevard
2. Data Security Experts Urge Government to Set Up Nodal Body to Confirm Breaches: In light of allegations of a data breach involving 37.5 crore users, security researchers are emphasizing the need for a centralized body to confirm and address such breaches. This highlights the importance of transparency and accountability in data security. Source: Times of India
3. GootLoader Malware Employs Time-Based Delay Techniques: Security researchers have identified a new technique employed by the GootLoader malware, which uses time-based delays to evade detection in sandbox testing environments. This discovery underscores the need for continuous innovation in malware detection methods. Source: The Cyber Express
4. New Intel CPU Side-Channel Attack Indirector Can Leak Sensitive Data: Recent security research has revealed a new side-channel attack, dubbed Indirector, that can leak sensitive data from Intel CPUs. This discovery highlights the ongoing challenges in securing hardware against sophisticated attacks. Source: CSO Online
5. To Guard Against Cyberattacks in Space, Researchers Ask “What If?”: Security researchers are exploring potential cyberattack scenarios in space, highlighting the growing importance of cybersecurity in this new frontier. A successful hack on satellites could have far-reaching implications for our digital infrastructure. Source: Ars Technica

Top CVEs

1. CVE-2024-39021 - idccms v1.35 CSRF Vulnerability: idccms v1.35 has been discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability. This could potentially allow attackers to trick end users into executing unwanted actions on a web application in which they're authenticated. Source: CVE-2024-39021
2. CVE-2024-39696 - Evmos Unauthorized Fund Transfer: Evmos, a decentralized Ethereum Virtual Machine chain on the Cosmos Network, has a vulnerability that allows a user to fund a vesting account with a 3rd party account without its permission. This could potentially lead to unauthorized fund transfers. The issue has been patched in the latest version. Source: CVE-2024-39696
3. CVE-2024-37903 - Mastodon Unauthorized Post Access: Mastodon, a self-hosted, federated microblogging platform, has a vulnerability that allows an attacker to extend the audience of a post they do not own to other Mastodon users on a target server, thus gaining access to the contents of a post not intended for them. The issue has been patched in the latest versions. Source: CVE-2024-37903
4. CVE-2024-39689 - Certifi Root Certificates Issue: Certifi, a curated collection of Root Certificates for validating the trustworthiness of SSL certificates, recognized root certificates from GLOBALTRUST which are being removed due to compliance issues. The issue has been addressed in Certifi 2024.07.04. Source: CVE-2024-39689
5. CVE-2024-37767 - 14Finger v1.1 Insecure Permissions: 14Finger v1.1 has insecure permissions in the component /api/admin/user, allowing attackers to access all user information via a crafted GET request. Source: CVE-2024-37767

API Security

1. Information Disclosure Vulnerability in Privacy Center of SERVER_SIDE_FIDES_API_URL: An unauthenticated attacker can make an HTTP GET request from the Privacy Center that discloses the value of this server-side URL. This vulnerability has been patched in Fides version 2.39.2. Source: Vulners
2. vanna-ai/vanna version v0.3.4 SQL Injection Vulnerability: This vulnerability allows unauthenticated remote users to read arbitrary local files on the victim server, including sensitive files like /etc/passwd, by exploiting the exposed SQL queries via a Python Flask. Source: Vulners
3. Server Side Request Forgery (SSRF) attack in Fedify: An attacker can send requests to resources internal to the Fedify server's network, leading to a potential Server Side Request Forgery attack. Source: Vulners
4. Private tokens could appear in logs if context containing gRPC metadata is logged in github.com/grpc/grpc-go: This issue represents a potential PII concern. If applications were printing or logging a context containing gRPC metadata, the affected versions will contain all the metadata, which may include private information. Source: Vulners
5. ZITADEL Vulnerable to Session Information Leakage: ZITADEL provides users the ability to list all user sessions of the current user agent (browser) by API and in the Console UI. Due to a missing check, user sessions without that information were incorrectly listed exposing potentially other user's sessions. Source: Vulners

Sponsored by Wallarm API Security Solution

Final Words

And that's a wrap for today's edition of Secret CISO. We've covered everything from empowering diabetes patients with over-the-counter glucose monitors to the top 10 health data breaches of 2024. We've also delved into the hacking attack on the Alabama Education Department and the security breach at OpenAI. Remember, in this digital age, no security breach should be treated as trivial. Whether it's a data leak from a major telecom company or a breach compromising millions of phone numbers, staying informed is your first line of defense.

If you found today's newsletter helpful, don't keep it to yourself. Share it with your friends, colleagues, and anyone else who could benefit from staying in the loop with the latest in technical security.

Stay safe, stay secure, and stay tuned for more updates from the world of cybersecurity. Until tomorrow, this is Secret CISO, signing off.