'Secret CISO 8/22: Fidelity Bank and Toyota Data Breaches, National Public Data Risk, Microsoft Patches Critical Copilot Vulnerability'

Welcome to today's issue of Secret CISO, your daily dose of the most impactful cybersecurity news.

Today, we're diving into a series of data breaches that have hit major companies and institutions, including Fidelity Bank, Toyota, and the National Public Data Breach. Fidelity Bank is currently responding to accusations of a data breach, while Toyota has confirmed a data leak of 240 GB, exposing customer and employee data. The National Public Data Breach has consumers on high alert as their Social Security numbers and other personal information may be at risk. In the education sector, Troy schools have returned without devices following a data breach over the summer.

Meanwhile, Change Healthcare has been sending out notices of a data breach that impacted a substantial number of Americans. On the tech front, Microsoft has patched a critical vulnerability in its Copilot Studio that could expose sensitive data. The Florida Department of Health is offering credit monitoring after its data breach, and a lawsuit alleges a data breach compromised records of up to 2.9 billion people. In Europe, complaints have been filed against the EU Parliament over a massive data breach, and a privacy group is fighting the European Parliament over a major human resources data breach. In other news, a simple typing mistake could crash your iPhone, and hackers could dupe Slack's AI features to expose private channel messages. Stay tuned for more updates and remember, knowledge is the first line of defense.

Data Breaches

  1. Troy Schools Data Breach: Troy area students started the new school year without tablet computers due to a data breach over the summer. The extent of the breach and its impact on the students' education are still under investigation. Source: The Daily Review
  2. Change Healthcare Data Breach: Change Healthcare has sent out notices of a data breach that impacted a substantial number of Americans. The exact number of affected individuals and the type of data exposed are yet to be disclosed. Source: whas11.com
  3. Microsoft Copilot Studio Vulnerability: Cybersecurity researchers have disclosed a critical security flaw impacting Microsoft's Copilot Studio that could be exploited to access sensitive data. Microsoft has since patched the vulnerability. Source: The Hacker News
  4. Florida Department of Health Data Breach: The Florida Department of Health has offered credit monitoring after a security breach in its network resulted in unauthorized access to personal identifying and/or protected health information. The number of affected individuals is still unknown. Source: WMNF
  5. European Parliament Data Breach: The European Parliament suffered a major human resources data breach earlier this year. The breached files included specially protected sensitive data, such as employees' sexual orientation. Source: POLITICO.eu

Security Research

  1. Google Play bug bounty program shutdown imminent: The termination of Google Play's bug bounty program, as noted by security researcher Sean Pesce, could significantly impact the profitability of Android hacking. This move might leave Android more vulnerable to security threats. Source: SC Magazine
  2. Security team management: Top 4 findings from discussions with CISOs: IDC's tech buyer analysts have identified key insights from discussions with CISOs. The findings emphasize the importance of effective security team management in maintaining robust cybersecurity defenses. Source: CIO
  3. Critical industries top ransomware hitlist, attacks dwindle: The Register reports that critical industries remain the primary target for ransomware attacks, despite an overall decrease in attacks. The future trend of these attacks remains uncertain. Source: The Register
  4. Typing just four characters could crash your iPhone: A security researcher has discovered a bug that can crash an iPhone's home screen by typing just four characters. The bug does not pose a security threat but can be annoying for users. Source: ZDNet
  5. Hackers could dupe Slack's AI features to expose private channel messages: Security researchers have found that hackers could exploit Slack's AI features to reveal private channel messages. This discovery highlights the potential security risks associated with AI technologies. Source: ITPro

Top CVEs

  1. CVE-2024-21690 - Confluence Data Center and Server XSS and CSRF Vulnerability: A high severity Reflected XSS and CSRF vulnerability has been found in multiple versions of Confluence Data Center and Server. The vulnerability allows an unauthenticated attacker to execute arbitrary HTML or JavaScript code on a victim's browser and force an end user to execute unwanted actions on a web application. Atlassian recommends upgrading to the latest version or to a specified supported fixed version. Source: CVE-2024-21690
  2. CVE-2024-28987 - SolarWinds Web Help Desk Hardcoded Credential Vulnerability: The SolarWinds Web Help Desk software is affected by a hardcoded credential vulnerability, allowing a remote unauthenticated user to access internal functionality and modify data. Source: CVE-2024-28987
  3. CVE-2024-20375 - Cisco Unified Communications Manager SIP Call Processing Vulnerability: A vulnerability in the SIP call processing function of Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. Source: CVE-2024-20375
  4. CVE-2024-7971 - Google Chrome V8 Type Confusion Vulnerability: A type confusion vulnerability in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap corruption via a crafted HTML page. Source: CVE-2024-7971
  5. CVE-2024-7885 - Undertow ProxyProtocolReadListener Vulnerability: A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This could lead to information leakage between requests or responses and potentially lead to unintended data exposure. Source: CVE-2024-7885
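The Undertow item above describes a buffer shared across requests. The following Python model, added here and not Undertow's own code, mimics that pattern with a PROXY-protocol-style header reader whose buffer is cleared only on the success path, beside the per-connection variant; the class names, `handle` helper and the sample connections are constructed for the illustration.

```python
from typing import Optional


class HeaderReader:
    """Accumulates bytes until CRLF and returns the PROXY header line.

    Mirrors the shared-StringBuilder pattern: the buffer is cleared only
    after a full line is read, so an aborted connection leaves bytes behind.
    """

    def __init__(self) -> None:
        self._buf: list[str] = []

    def feed(self, chunk: bytes) -> Optional[str]:
        self._buf.append(chunk.decode("ascii", errors="replace"))
        data = "".join(self._buf)
        end = data.find("\r\n")
        if end == -1:
            return None           # header incomplete; keep buffering
        self._buf = []            # reset happens only on this success path
        return data[:end]


def handle(reader: HeaderReader, chunks: list[bytes]) -> Optional[str]:
    """Feed one connection's chunks; None means the client left mid-header."""
    header = None
    for chunk in chunks:
        header = reader.feed(chunk)
        if header is not None:
            break
    return header


def serve_shared(connections: list[list[bytes]]) -> list[Optional[str]]:
    """Vulnerable pattern: one reader (one buffer) instance for every connection."""
    reader = HeaderReader()
    return [handle(reader, chunks) for chunks in connections]


def serve_per_connection(connections: list[list[bytes]]) -> list[Optional[str]]:
    """Fixed pattern: a fresh reader per connection, so nothing can carry over."""
    return [handle(HeaderReader(), chunks) for chunks in connections]


def source_ip(header: Optional[str]) -> Optional[str]:
    """Third field of a v1 PROXY line: 'PROXY TCP4 <src> <dst> <sport> <dport>'."""
    return header.split(" ")[2] if header else None


# Constructed sample traffic: a complete header, an aborted one, then a new client.
CONNECTIONS = [
    [b"PROXY TCP4 10.0.0.1 10.0.0.2 4", b"4321 443\r\n"],
    [b"PROXY TCP4 192.0.2.7 "],
    [b"PROXY TCP4 198.51.100.9 10.0.0.2 50000 443\r\n"],
]
```

With the shared buffer the third client is attributed to the second client's leftover source address; with a per-connection reader it is parsed correctly.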

API Security

  1. CVE-2024-42490 - authentik API Security Issue: Several API endpoints in authentik, an open-source Identity Provider, can be accessed without proper authentication/authorization. The issue affects endpoints that require knowledge of an object's ID, which is not easily accessible or guessable. The issue has been fixed in authentik 2024.4.4, 2024.6.4, and 2024.8.0. Source: vulners.com
  2. CVE-2024-3127 - GitLab EE API Security Issue: A security issue in GitLab EE allows unauthorized users to bypass IP restrictions for groups through GraphQL under certain conditions. The issue affects all versions starting from 12.5 before 17.1.6, all versions starting from 17.2 before 17.2.4, and all versions starting from 17.3 before 17.3.1. Source: vulners.com
  3. CVE-2024-43398 - REXML API Security Issue: REXML, an XML toolkit for Ruby, has a DoS vulnerability when parsing an XML with many deep elements that have the same local name attributes. The issue affects the tree parser API and has been fixed in REXML gem 3.3.6. Source: vulners.com
  4. CVE-2024-42411 - Mattermost API Security Issue: Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to restrict input in POST /api/v4/users, allowing a user to manipulate the creation date and trick the admin into believing their account is older. Source: vulners.com
  5. CVE-2024-42056 - Retool API Security Issue: Retool (self-hosted enterprise) through 3.40.0 inserts resource authentication credentials into sent data. Credentials for users with "Use" permissions can be discovered by an authenticated attacker via the /api/resources endpoint. Source: vulners.com

Sponsored by Wallarm API Security Solution

Final Words

And that's a wrap for today's edition of the Secret CISO newsletter. We've covered a lot of ground, from Fidelity Bank's response to data breach accusations to the exposure of customer and employee data at Toyota.

We've also examined the risks for data brokers following the National Public Data breach and the implications of the Change Healthcare data breach. In the tech world, Microsoft has patched a critical vulnerability in its Copilot Studio, and the Florida Department of Health is offering credit monitoring following its own data breach.

By staying informed about these issues, we can all play a part in enhancing our collective cybersecurity. If you found today's newsletter useful, please consider sharing it with your friends and colleagues. Stay safe, stay secure, and see you next time.