Welcome to today's issue of Secret CISO, your daily dose of the most impactful cybersecurity news. Today, we're diving into a series of alarming data breaches that have left billions of personal records exposed.

First up, we discuss the National Public Data breach, where hackers accessed the private information of a staggering 2.9 billion people. The data includes names, address histories, relatives, and Social Security numbers, dating back about 30 years. Next, we turn our attention to the healthcare sector, where Idaho-based Kootenai Health experienced a data security incident that may have affected patient and staff information. We also delve into the lawsuit filed against Illinois community college, claiming that the institution could have avoided a data breach affecting 96,000 students.

In other news, U-Haul customers are eligible to claim their part of a $5 million payout after two separate data breach incidents at the company. Lastly, we explore the latest research and expert opinions in the field of cybersecurity. From the potential weaponization of Microsoft's AI Copilot to the vulnerabilities discovered in Microsoft's Azure Health Bot Service, we bring you the most recent and relevant insights. Stay tuned for more updates and remember, knowledge is the first line of defense. Stay safe, stay informed with Secret CISO.

Data Breaches

1. National Public Data Breach: Hackers accessed private information of 2.9 billion people, including names, address histories, relatives, and Social Security numbers. The data goes back about 30 years. NPD has not confirmed the breach yet. Source: WOKV
2. Idaho ASC Data Breach: Kootenai Health in Coeur D'Alene, Idaho, experienced a data security incident that may have affected patient and staff information. Source: Becker's ASC
3. Fenice Data Breach: On August 6, Fenice posted data affecting 2.9 billion personal records, claiming that a distinct hacker named SXUL, not USDoD, caused the breach. Source: Digital Trends
4. South Suburban College Data Breach: A lawsuit filed by Illinois resident and former South Suburban College student Dorothy Riles says data breaches have increased more than 100%. Source: Westlaw
5. Massive Data Breach: Nearly 2.7 billion personal records, including names, addresses, and Social Security numbers from a data-scraping company, were posted for free by a hacker named Fenice. This could be the biggest data breach in US history. Source: ReadWrite

Security Research

1. Microsoft's AI Copilot can be weaponized as an 'automated phishing machine': Security researchers have raised concerns about Microsoft's AI Copilot, which they suggest could be weaponized as an automated phishing machine. The generative AI has significantly impacted cybersecurity, with potential for prompt injection attacks. Source: Fortune
2. Researchers Uncover Vulnerabilities in AI-Powered Azure Health Bot Service: Cybersecurity researchers have discovered two security flaws in Microsoft's Azure Health Bot Service. If exploited, these vulnerabilities could allow a malicious actor to gain unauthorized access. Source: The Hacker News
3. Check Point Research Warns Every Day is a School Day for Cybercriminals: Check Point Research has warned that educational institutions, with their wealth of sensitive data and often insufficient cybersecurity measures, have become prime targets for cybercriminals. Source: Check Point Research
4. Pluralsight Research Finds Over Half of Security Professionals are Concerned About AI-Powered Threats: A survey by Pluralsight has found that over half of security professionals are concerned about threats powered by AI. This highlights the growing concern within the industry about the potential misuse of AI technologies. Source: PR Newswire
5. ABI Research debuts Quantum-Safe Technologies research service to navigate emerging quantum threats: ABI Research has launched a new service focused on Quantum-Safe Technologies. This comes in response to the potential threat of quantum computers launching powerful attacks, which could become a reality as early as 2030. Source: Industrial Cyber

Top CVEs

1. Critical Vulnerability in Microsoft Exchange Server: A new critical vulnerability (CVE-2021-34473) has been discovered in Microsoft Exchange Server that could allow an attacker to execute arbitrary code on the underlying system. The vulnerability is due to improper validation of cmdlet arguments. Microsoft has released patches to address this vulnerability. Source: Microsoft Security Response Center.
2. High Impact Vulnerability in Cisco Products: Cisco has disclosed a high impact vulnerability (CVE-2021-1577) in multiple Cisco products that could allow an authenticated, remote attacker to execute arbitrary code. The vulnerability is due to insufficient input validation. Cisco has released software updates that address this vulnerability. Source: Cisco Security Advisory.
3. High Severity Vulnerability in Linux Kernel: A high severity vulnerability (CVE-2021-33909) has been identified in the Linux Kernel that could allow a local attacker to gain elevated privileges. The vulnerability is due to a size_t-to-int conversion vulnerability in the filesystem layer. Patches are available to address this vulnerability. Source: Openwall.
4. Critical Vulnerability in Adobe Acrobat and Reader: Adobe has released security updates to address a critical vulnerability (CVE-2021-36087) in Adobe Acrobat and Reader that could allow an attacker to execute arbitrary code. The vulnerability is due to a use-after-free error. Users are advised to update to the latest versions. Source: Adobe Security Bulletin.
5. High Impact Vulnerability in IBM WebSphere: IBM has disclosed a high impact vulnerability (CVE-2021-29755) in IBM WebSphere Application Server that could allow a remote attacker to execute arbitrary Java code. The vulnerability is due to improper handling of serialized objects. IBM has released a fix pack to address this vulnerability. Source: IBM Support.

API Security

1. CVE-2024-33003 - SAP Commerce Cloud API Security Issue: Certain OCC API endpoints in SAP Commerce Cloud are found to allow Personally Identifiable Information (PII) data to be included in the request URL as query or path parameters. This could lead to a high impact on confidentiality and integrity if successfully exploited. Source: Vulners.
2. RBAC Roles for `etcd` created by Kamaji are not disjunct: An "open at the top" range definition in RBAC for etcd roles in Kamaji could lead to some TCPs API servers being able to read, write, and delete the data of other control planes. This could potentially give full control over other TCPs data. Source: Vulners.
3. CVE-2024-42480 - Kamaji Hosted Control Plane Manager for Kubernetes Vulnerability: In versions 1.0.0 and earlier, Kamaji uses an "open at the top" range definition in RBAC for etcd roles leading to some TCPs API servers being able to read, write, and delete the data of other control planes. This vulnerability has been fixed in the latest version. Source: Vulners.

Sponsored by Wallarm API Security Solution

Final Words

And that's a wrap for today's edition of Secret CISO. As we navigate the ever-evolving landscape of data breaches and security threats, it's crucial to stay informed and vigilant. Remember, knowledge is power, and in this case, it's also our best defense.

If you found this newsletter helpful, please consider sharing it with your friends and colleagues. Let's work together to create a safer digital world. Until next time, stay safe and secure!