Secret CISO 8/6: Healthcare Data Breach Costs Rise, Cash App & 23andMe Settlements, Northern Ireland & Early Settler Breaches, Ticketmaster & National Public Data Exposed, Microsoft Bug Bounty Payouts Increase
Welcome to today's edition of Secret CISO, your daily dose of cybersecurity news, insights, and trends. Today, we're diving into the rising cost of data breaches, particularly in the healthcare industry. We'll also explore the recent Cash App data breach settlement, the targeted attack on 23andMe users, and the legal action against Northern Ireland's Department of Education due to a data breach. In the retail sector, Australian furniture retailer Early Settler has confirmed a data breach, with the data of over a million customers reportedly up for sale on a hacking forum.
Meanwhile, Ticketmaster's delayed data breach notice has sparked public anger, and a lawsuit claims that a breach at National Public Data exposed personal data of nearly three billion people. We'll also look at seven data security systems and products driving value, and the implications of a data breach at Calibrated that exposed medical and financial records. Plus, we'll discuss what you need to know about scaling data security solutions.
In legal news, learn about the Peterson Holding Company data breach lawsuit, and the investigation into Allcare Medical Management for a data breach. On the research front, we'll delve into the increased payouts to security researchers by Microsoft, the major flaw allowing cyber criminals to target Android phones, and the role of AI in cybercrime. Finally, we'll cover the latest data breaches and vulnerabilities, including those affecting the healthcare industry, Ticketmaster, and more.
Stay tuned for all this and more in today's Secret CISO newsletter.
Data Breaches
- Cash App Data Breach Settlement: Cash App is expected to pay up to $15 million in a class action settlement due to two data security incidents and company practices around data security. The mobile banking app is paying for failing to protect its users from security breaches. Source: PCMag and Mashable
- 23andMe Data Breach: Hackers targeted Jewish and Chinese users' data in a breach at 23andMe. The breach has been reported by ACCESSWIRE. Source: KTLA
- Early Settler Data Breach: Australian furniture retailer Early Settler confirmed a data breach. A threat actor claims to have the data of more than one million customers, with the dataset for sale on a hacking forum. Source: Cyber Daily
- Ticketmaster Data Breach: Ticketmaster's data has been breached, and the company's data breach notification letters have become a focal point for criticism. Source: The Cyber Express and SILive.com
- National Public Data Breach: A breach at background check company National Public Data allegedly left billions of individuals' personal data exposed on the dark web. The news of this massive new data breach was revealed as part of a class action lawsuit. Source: IT Pro and Tom's Guide
Security Research
- Microsoft Bug Bounty Payouts Increased to $16.6 Million in Past Year: Microsoft has significantly increased its bug bounty payouts, rewarding over 340 security researchers with a total of $16.6 million in the past year. This move highlights the tech giant's commitment to strengthening its security infrastructure through crowd-sourced vulnerability detection. Source: SecurityWeek
- Google Patches Actively Exploited Android Kernel Zero-Day: Google's Threat Analysis Group has patched an actively exploited Android Kernel zero-day vulnerability. The flaw was discovered and reported by security researcher Clément Lecigne, underscoring the importance of proactive security research in preventing cyber attacks. Source: Cyber Security News
- New Android Spyware LianSpy Evades Detection Using Yandex Cloud: Security researcher Dmitry Kalinin has discovered a new Android spyware, LianSpy, that evades detection by using Yandex Cloud. The spyware is capable of capturing screencasts, exfiltrating user files, and harvesting call logs and app lists, highlighting the increasing sophistication of mobile malware. Source: The Hacker News
- New Zero-Day Flaw in Apache OFBiz ERP Allows Remote Code Execution: A new zero-day flaw in Apache OFBiz ERP has been discovered by security researcher Hasib Vhora. The flaw allows for remote code execution, emphasizing the critical need for regular security updates and patches in enterprise software. Source: The Hacker News
- Critical Apache OFBiz pre-auth RCE flaw fixed, update ASAP! (CVE-2024-38856): A critical pre-authentication remote code execution (RCE) flaw in Apache OFBiz has been fixed. The flaw, discovered by a researcher at SonicWall's Capture Labs, affected all Apache OFBiz versions up to and including v18.12.14, highlighting the importance of timely software updates. Source: Help Net Security
Top CVEs
- CVE-2024-6915 - Improper Input Validation in JFrog Artifactory: Versions below 7.90.6, 7.84.20, 7.77.14, 7.71.23, 7.68.22, 7.63.22, 7.59.23, 7.55.18 of JFrog Artifactory are vulnerable to Improper Input Validation, potentially leading to cache poisoning. Source: CVE-2024-6915
- CVE-2024-7409 - DoS Attack in QEMU NBD Server: A flaw in the QEMU NBD Server allows a denial of service (DoS) attack due to improper synchronization during socket closure when a client keeps a socket open as the server is taken down. Source: CVE-2024-7409
- CVE-2024-42352 - SSRF Vulnerability in Nuxt: Nuxt, a free and open-source framework to create full-stack web applications and websites with Vue.js, has a vulnerability in its /api/_nuxt_icon/[name] endpoint that allows an attacker to change the scheme and host of the request, leading to Server Side Request Forgery (SSRF) and potential sensitive data exposure. Source: CVE-2024-42352
- CVE-2024-7519 - Memory Corruption in Firefox: Insufficient checks when processing graphics shared memory in Firefox versions below 129, Firefox ESR below 115.14 could lead to memory corruption and potential sandbox escape. Source: CVE-2024-7519
- CVE-2024-23657 - Path Traversal and Potential RCE in Nuxt Devtools: Nuxt Devtools is missing authentication on the getTextAssetContent RPC function which is vulnerable to path traversal. Combined with a lack of Origin checks on the WebSocket handler, an attacker can interact with a locally running devtools instance and exfiltrate data. In certain configurations, an attacker could leak the devtools authentication token and then abuse other RPC functions to achieve Remote Code Execution (RCE). Source: CVE-2024-23657
API Security
- PrivX REST API Data Exfiltration and Denial of Service: PrivX versions before 34.0 have a vulnerability that allows data exfiltration and denial of service via the REST API. The issue has been fixed in minor versions 33.1, 32.3, 31.3, and later, and in major version 34.0. Source: CVE-2024-30170
- gRPC Client Communication Vulnerability: A flaw in gRPC client communication with an HTTP/2 proxy can poison the HPACK table between the proxy and the backend, causing other clients to see failed requests. It is also possible to use this vulnerability to leak other clients' HTTP header keys, but not their values. This bug has been fixed in multiple versions of gRPC. Source: CVE-2024-7246
- Flowise Reflected Cross-site Scripting Vulnerabilities: Flowise, a drag & drop user interface to build a customized large language model flow, has multiple reflected cross-site scripting vulnerabilities in various API endpoints. If the default configuration is used (unauthenticated), an attacker may be able to craft a URL that injects JavaScript into the user's session, allowing the attacker to steal information, create false popups, or even redirect the user to other websites without interaction. No known patches are available at the time of publication. Source: GHSA-WXM4-9F8P-GGGV, GHSA-FCCX-2PWJ-HRQ7, GHSA-2JCH-QC96-9F5G
- Meshery SQL Injection Vulnerability: Meshery, an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications, has a SQL injection vulnerability that may lead to arbitrary file write and data modification. The issue has been fixed in version 0.7.22. Source: GHSA-H7CM-JVPP-69XF, GHSA-9F24-JRV4-F8G5
- Owncast Path Traversal Vulnerability: Owncast, an open source, self-hosted, decentralized, single user live video streaming and chat server, has a path traversal vulnerability in its administrator API. Attackers with administrative privileges can exploit this endpoint to delete arbitrary files on the system, outside of the emoji directory. The vulnerability has been fixed in the latest version. Source: GHSA-9355-27M8-H74V
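Two items above (the Nuxt Devtools getTextAssetContent RPC function under CVE-2024-23657, and the Owncast administrator API that can delete files outside the emoji directory) share the same root cause: a caller-supplied name is joined onto a base directory without checking that the result still lies inside it. The Go below is an added example written for this newsletter, not code from Owncast, Nuxt Devtools, or any other project; the helper names SafeJoin and DeleteEmoji, the /srv/owncast/data/emoji path and the sample names are all constructed for illustration. It shows the confinement check a handler of this kind needs, and the injected remover lets the check be exercised without touching a real filesystem.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a caller-supplied name would resolve to a
// location outside the directory the handler is meant to manage.
var ErrOutsideRoot = errors.New("path escapes the permitted directory")

// SafeJoin resolves name relative to root and refuses any result that lands
// outside root, or on root itself. Hypothetical helper for this example only.
func SafeJoin(root, name string) (string, error) {
	if name == "" {
		return "", errors.New("empty name")
	}
	// An absolute name would let the caller pick the root; reject it outright.
	if filepath.IsAbs(name) {
		return "", ErrOutsideRoot
	}
	root = filepath.Clean(root)
	// Join cleans the result, so "sub/../../x" collapses before it is inspected.
	full := filepath.Join(root, name)
	rel, err := filepath.Rel(root, full)
	if err != nil {
		return "", err
	}
	// After cleaning, anything that escapes root begins with ".." and
	// anything that is root itself is "."; both are refused. This check is
	// lexical: if root may contain symlinks, resolve both sides with
	// filepath.EvalSymlinks before comparing.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

// DeleteEmoji is the shape of a delete handler confined to emojiDir. The
// remover is injected so the confinement logic can be tested without a real
// filesystem (in production it would be os.Remove). Hypothetical, for this
// example only.
func DeleteEmoji(emojiDir, name string, remover func(string) error) error {
	target, err := SafeJoin(emojiDir, name)
	if err != nil {
		return fmt.Errorf("refusing to delete %q: %w", name, err)
	}
	return remover(target)
}

func main() {
	// Constructed inputs: one legitimate name followed by three escape attempts.
	for _, name := range []string{"party.png", "../../etc/passwd", "/etc/passwd", "sub/../../x"} {
		err := DeleteEmoji("/srv/owncast/data/emoji", name, func(p string) error {
			fmt.Println("would remove", p)
			return nil
		})
		if err != nil {
			fmt.Println(err)
		}
	}
}
```

The important design choice is that the check runs on the cleaned, joined result rather than on the raw input: rejecting the literal substring ".." would miss nothing here, but comparing the final path against the root catches every encoding of the same escape and also stops an absolute name from replacing the root. Pair this with the authentication and Origin checks the Nuxt Devtools advisory describes as missing; confinement limits the damage, it does not replace access control.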
Sponsored by Wallarm API Security Solution
Final Words
As we wrap up today's edition of Secret CISO, we're reminded of the ever-evolving landscape of cybersecurity. From the rising cost of data breaches in the healthcare industry to the legal actions following breaches in various sectors, it's clear that the stakes are high. We've also seen how companies are stepping up their game with data security systems and products, and how security researchers are playing a crucial role in identifying vulnerabilities and enhancing security measures.
But the fight against cyber threats is far from over. It's a daily battle that requires constant vigilance, innovation, and collaboration.
So, let's keep the conversation going. Share this newsletter with your colleagues and friends, and let's work together in making our digital world safer and more secure. Stay safe and see you in the next edition of Secret CISO!