Secret CISO 8/9: STA and Netflix Face Data Breaches, Cash App Users Eligible for Settlement, Security Researchers Uncover AWS Flaws
Good morning, Secret CISO readers! Today's newsletter is packed with the latest updates on cybersecurity incidents and investigations. First up, we have Federman & Sherwood investigating Student Transportation of America and Evening Post Publishing Inc. for data breaches. The breaches potentially exposed sensitive information, including social security numbers and financial account details. Next, we have Netflix breaking its silence on a massive data breach that led to the leak of shows like Heartstopper Season 3 and Arcane Season 2.
Cash App users, you might be eligible for a piece of a $15 million settlement following data breaches. The class-action complaint cited two incidents where unauthorized access led to data breaches.
In other news, Colorado has been included in a data breach affecting 3 billion people. The hackers, known as USDoD, stole names, social security numbers, and addresses from Jerico Pictures. We also have a report revealing a 10% increase in the exploitation of old CVEs, suggesting the need for proper security measures.
Lastly, we have a series of updates on security research, including the launch of a regional research security center by Northeastern in partnership with the National Science Foundation, and the discovery of potentially catastrophic exploits present in AMD chips. Stay tuned for more updates and remember, stay alert and stay secure.
Data Breaches
- Federman & Sherwood Investigates Student Transportation of America for Data Breach: Student Transportation of America (STA) experienced an unauthorized cybersecurity incident on their network, prompting an immediate investigation. Source: Morningstar
- Netflix breaks silence on huge data breach: Netflix has finally spoken out about a recent data breach that resulted in leaks of shows like Heartstopper Season 3, Arcane Season 2, and many anime series. Source: Dexerto
- Federman & Sherwood Investigates Evening Post Publishing Inc. for Data Breach: Evening Post Publishing Inc. experienced a data breach, potentially exposing full names, Social Security numbers, financial account information, and driver's license numbers. Source: Business Wire
- Cash App Users May Claim Up to $2,500 in Data Breach Settlement: Cash App users affected by a data breach that included portfolio value, holdings, trading activity, usernames, passwords, and Social Security numbers may claim up to $2,500 in a lawsuit settlement. Source: The New York Times
- STAY ALERT: Colorado Included In Data Breach, Affects 3 Billion: Jerico Pictures was recently hacked by a group called USDoD, resulting in the theft of names, social security numbers, and addresses. Source: K99
Security Research
- Northeastern partners with National Science Foundation to launch regional research security center: A new research security center, backed by a $4.9M investment from the NSF, will serve as an information clearinghouse for the research community. Source: Northeastern News
- South Korea's HD HHI to build Large Test Vessel: Security researcher Eunhyuk Cha is contributing to the research and development of a large test vessel in South Korea, demonstrating a strong interest in international relations and security studies. Source: Naval News
- How a cybersecurity researcher befriended, then doxed, the leader of LockBit ransomware gang: Security researcher Jon DiMaggio managed to befriend and subsequently expose the leader of the LockBit ransomware gang, demonstrating the potential of social engineering in cybersecurity. Source: TechCrunch
- Aqua Security Researchers Disclose Series of AWS Flaws: Aqua Security has revealed six vulnerabilities in Amazon Web Services' cloud services, highlighting the ongoing need for robust cloud security measures. Source: Security Boulevard
- Black Hat 2024: AI in Security, Microsoft Vulnerabilities, and More: Security researchers warn of the growing threat of AI attacks, which could potentially become lethal. Cybersecurity company HiddenLayer recently highlighted this issue at Black Hat 2024. Source: Spiceworks
Top CVEs
- NVIDIA GPU Display Driver for Windows Vulnerability (CVE-2024-0107): A vulnerability in NVIDIA's GPU Display Driver for Windows allows an unprivileged user to cause an out-of-bounds read, potentially leading to code execution, denial of service, escalation of privileges, and data disclosure. Source: CVE-2024-0107
- Microsoft Office Spoofing Vulnerability (CVE-2024-38200): Microsoft Office has a spoofing vulnerability that could be exploited by attackers. Further details are not available at this time. Source: CVE-2024-38200
- NVIDIA Jetson Linux Vulnerability (CVE-2024-0108): NVIDIA's Jetson Linux contains a vulnerability in NvGPU where error handling paths in GPU MMU mapping code fail to clean up a failed mapping attempt. This could lead to denial of service, code execution, and escalation of privileges. Source: CVE-2024-0108
- NVIDIA CUDA Toolkit Vulnerability (CVE-2024-0102): NVIDIA's CUDA Toolkit contains a vulnerability in nvdisasm, where an attacker can cause an out-of-bounds read issue by deceiving a user into reading a malformed ELF file. This could lead to denial of service. Source: CVE-2024-0102
- Microsoft Edge (HTML-based) Memory Corruption Vulnerability (CVE-2024-38218): Microsoft Edge (HTML-based) has a memory corruption vulnerability. Further details are not available at this time. Source: CVE-2024-38218
API Security
- CVE-2024-43167 Unbound: null pointer dereference in unbound: A NULL pointer dereference flaw was found in the ub_ctx_set_fwd function in Unbound. This issue could allow an attacker who can invoke specific sequences of API calls to cause a segmentation fault, leading to a crash. This issue can result in a denial of service by causing the application to terminate. Source: CVE-2024-43167
- CVE-2024-39287 Dorsett Controls Central Server: Dorsett Controls Central Server update server has potential information leaks with an unprotected file that contains passwords and API. This could lead to unauthorized access and potential data breaches. Source: CVE-2024-39287
- CVE-2024-42366 VRCX: Over-permission and cross-site scripting: VRCX, an assistant/companion application for VRChat, has a vulnerability in versions prior to 2024.03.23. An over-permissioned CefSharp browser and cross-site scripting via overlay notification can be combined to achieve remote command execution. Users are advised to update their installation to continue using the application. Source: CVE-2024-42366
Final Words
And that's a wrap for today's edition of Secret CISO. We hope you found these updates insightful and helpful in staying ahead of the curve in this ever-evolving cybersecurity landscape. Remember, knowledge is power, and sharing is caring. So, don't forget to pass this newsletter along to your friends and colleagues to keep them in the loop too. In the world of cybersecurity, it's always better to be proactive than reactive. From the data breaches at Student Transportation of America and Netflix to the security incidents at Cash App and Colorado, it's clear that no one is immune.
But by staying informed and vigilant, we can all play a part in making the digital world a safer place. So, until next time, stay safe, stay informed, and remember - the secret to great cybersecurity is never a secret. It's about staying alert, informed, and ready to act.
Share the knowledge, spread the word, and let's secure our digital world together.
Stay tuned for more updates in our next edition of Secret CISO.