Secret CISO 9/6: AT&T, Toshiba, Disney, ProPark Mobility Data Breaches; Cybersecurity Research on Code to Cloud Integration, Attack Path Analysis

Good day, Secret CISO readers! Today's newsletter is packed with noteworthy updates from the cybersecurity world. First, Janet Peyton, a McGuireWoods partner, has been honored among Virginia Leaders in the Law for her focus on intellectual property and data privacy and security; her practice covers both preventive data security work and the compliance issues that follow a breach. Speaking of breaches, AT&T and Toshiba are both facing lawsuits after significant incidents: AT&T's breach, discovered in April but not announced until July, has spurred action from Washington, while Toshiba is being sued over a months-long cyberattack announced this year. ProPark Mobility, a company specializing in parking management and mobility solutions, has filed a notice of a data breach of its own. In other news, a massive Disney data breach has exposed financial secrets and personal information, a reminder of why robust data security controls matter.

The National Public Data breach has also been causing frustration for those trying to opt-out after their personal information was exposed. On the brighter side, UChicago Medicine is consolidating its cybersecurity operations following a data breach, indicating a growing recognition of the importance of robust cybersecurity in the healthcare sector. In the realm of technology, MIT Technology Review discusses the integration of security from code to cloud, highlighting the potential vulnerabilities that can be introduced by open-source software (OSS). Lastly, we delve into the question of whether fingerprints are considered personally identifiable information (PII) in the context of multi-factor authentication and database security. Stay tuned for more updates and remember, stay safe out there!

Data Breaches

  1. AT&T Data Breach Spurs Lawsuit and Action from Washington: AT&T has been hit by a data breach, which was discovered in April but only announced in July. The delay in disclosure has spurred legal action and increased scrutiny from Washington. Source: Lexology
  2. Toshiba Facing Data Breach Lawsuit Over Months-Long Cyberattack: Toshiba is facing a lawsuit over a "massive and preventable" cyberattack that occurred due to lax data security protocols. The breach was announced in 2024 after a months-long cyberattack. Source: ClassAction.org
  3. ProPark Mobility suffers data breach: ProPark Mobility, a company specializing in parking management and mobility solutions, has filed a notice of data breach. Consumer information may have been compromised in the breach. Source: teiss
  4. Massive Disney Data Breach Exposes Financial Secrets and Personal Info: Disney suffered a massive data breach earlier this summer, exposing financial secrets and personal information. This breach is considered one of the largest corporate data breaches in recent years. Source: WebProNews
  5. Frustration Trying to Opt-Out After the National Public Data Breach: The National Public Data breach has exposed a vast amount of personal information, including names, addresses, birthdates, emails, phone numbers, and Social Security Numbers. The breach has caused frustration among those trying to opt-out. Source: Security Boulevard

Security Research

  1. Therapy Sessions Exposed by Mental Health Care Firm's Unsecured Database: Security researcher Jeremiah Fowler discovered an unsecured database linked to a virtual mental health care firm, exposing sensitive patient information. The incident underscores the importance of robust data security measures in the healthcare sector. Source: WIRED
  2. Critical Apache OFBiz RCE Vulnerability Patched: Security researcher Ryan Emmons reported a critical Remote Code Execution (RCE) vulnerability in Apache OFBiz. The flaw could be triggered by a crafted request to the application, and a fix has been released, underscoring the need to keep OFBiz deployments patched and current. Source: The Cyber Express
  3. A new malware named “Voldemort” may be a cyber espionage campaign: Security Research Manager Mayuresh Dani at Qualys Threat Research Unit reported a new malware named "Voldemort". The malware utilizes Google Sheets for command and control, highlighting the innovative methods used by cybercriminals. Source: Security Magazine
  4. Security Budgets Continue to Outpace IT Budgets: A report by IANS Research and Artico Search revealed that security budgets have grown from 0.50% to 0.69% of revenue, outpacing IT budgets. This trend indicates the increasing importance businesses are placing on cybersecurity. Source: Traders Magazine
  5. Critical Security Flaw Found in LiteSpeed Cache Plugin for WordPress: Researcher Rafie Muhammad discovered a critical security flaw in the LiteSpeed Cache Plugin for WordPress. The discovery underscores the need for thorough security analysis of plugins and other third-party software. Source: The Hacker News

Top CVEs

  1. CVE-2024-7591 - Progress LoadMaster OS Command Injection: A vulnerability in Progress LoadMaster allows for OS Command Injection due to improper input validation. This affects versions 7.2.40.0 and above of LoadMaster, all versions of ECS, and Multi-Tenancy version 7.1.35.4 and above. Source: CVE-2024-7591
  2. CVE-2024-44082 - OpenStack Ironic Image Processing Vulnerability: In OpenStack Ironic before 26.0.1 and ironic-python-agent before 9.13.1, a vulnerability in image processing could allow an authenticated user to exploit undesired behaviors in qemu-img, potentially leading to unauthorized access to sensitive data. Source: CVE-2024-44082
  3. CVE-2024-45107 - Acrobat Reader Use After Free Vulnerability: Acrobat Reader versions 20.005.30636, 24.002.20964, 24.001.30123, 24.002.20991 and earlier are affected by a Use After Free vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Source: CVE-2024-45107
  4. CVE-2024-42495 - Unencrypted Protocol Credential Transmission: Device configuration access credentials were transmitted using an unencrypted protocol, potentially allowing read-only access to network configuration information and terminal configuration. Source: CVE-2024-42495
  5. CVE-2024-42491 - Asterisk SIP Request Vulnerability: In Asterisk, an open-source private branch exchange (PBX), if Asterisk attempts to send a SIP request to a URI whose host portion starts with .1 or [.1], and res_resolver_unbound is loaded, Asterisk will crash with a SEGV. This affects versions prior to 18.24.3, 20.9.3, and 21.4.3 of Asterisk and versions 18.9-cert12 and 20.7-cert2 of certified-asterisk. Source: CVE-2024-42491

API Security

  1. API Security Vulnerability in gnark library (CVE-2024-45040): Gnark, a fast zk-SNARK library, had a vulnerability in versions prior to 0.11.0 where commitments to private witnesses in Groth16 broke the zero-knowledge property. This could allow an attacker to deduce the actual value of small witness values. The vulnerability has been fixed in version 0.11.0. Source: CVE-2024-45040
  2. Soundness Issue in gnark library (CVE-2024-45039): Gnark library versions prior to 0.11.0 had a soundness issue where the prover could choose all but the last commitment in case of multiple commitments used inside the circuit. This could impact the soundness of the whole circuit. The issue has been patched in version 0.11.0. Source: CVE-2024-45039
  3. Insufficient Access Control in SuiteCRM (CVE-2024-45392): SuiteCRM, an open-source customer relationship management system, had a vulnerability in versions prior to 7.14.5 and 8.6.2 where insufficient access control checks allowed a threat actor to delete records via the API. The issue has been patched in versions 7.14.5 and 8.6.2. Source: CVE-2024-45392
  4. Improper Input Validation in Kubernetes (CVE-2023-2728 and CVE-2024-3177): Two Kubernetes vulnerabilities allowed a user to bypass the mountable secrets policy enforced by the ServiceAccount admission plugin, one through ephemeral containers and the other through the envFrom field. In both cases a pod could be launched that pulls secrets the service account was not permitted to use and exposes them as environment variables. Source: CVE-2023-2728 and CVE-2024-3177
  5. Excessive Authentication Attempts in Windmill (CVE-2024-8462): Windmill 1.380.0 had a vulnerability in the HTTP request handler in backend/windmill-api/src/users.rs that did not properly restrict excessive authentication attempts. The issue has been addressed in version 1.390.1. Source: CVE-2024-8462
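Both Kubernetes items above come down to the same omission: an admission check that enumerated some of the places a Pod can pull a Secret from, but not all of them. The following is an added example written for this newsletter, not the Kubernetes admission plugin's own code. It walks every secret reference in a Pod spec (volumes, projected volumes, imagePullSecrets, env valueFrom, envFrom, and init, regular and ephemeral containers) and compares the set against the ServiceAccount's allow list when the kubernetes.io/enforce-mountable-secrets annotation is set. The Pod and ServiceAccount documents are constructed samples, and the function names are my own.

```python
"""Check a Pod's Secret references against its ServiceAccount's
mountable-secrets allow list. Added example, not Kubernetes source code.
The sample ServiceAccount and Pod below are constructed for this demo."""
from typing import Iterator

# Annotation that switches the mountable-secrets policy on for an SA.
ENFORCE_ANNOTATION = "kubernetes.io/enforce-mountable-secrets"


def _container_secret_refs(container: dict) -> Iterator[str]:
    """Yield Secret names a single container pulls into its environment."""
    # env[].valueFrom.secretKeyRef
    for env in container.get("env", []):
        ref = env.get("valueFrom", {}).get("secretKeyRef")
        if ref:
            yield ref["name"]
    # envFrom[].secretRef: the path CVE-2024-3177 left unchecked
    for src in container.get("envFrom", []):
        ref = src.get("secretRef")
        if ref:
            yield ref["name"]


def referenced_secrets(pod: dict) -> set[str]:
    """Every Secret the Pod spec references, by whatever route."""
    spec = pod["spec"]
    names: set[str] = set()
    for vol in spec.get("volumes", []):
        if "secret" in vol:
            names.add(vol["secret"]["secretName"])
        for src in vol.get("projected", {}).get("sources", []):
            if "secret" in src:
                names.add(src["secret"]["name"])
    for ref in spec.get("imagePullSecrets", []):
        names.add(ref["name"])
    # ephemeralContainers is the path CVE-2023-2728 left unchecked
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(kind, []):
            names.update(_container_secret_refs(container))
    return names


def disallowed_secrets(pod: dict, service_account: dict) -> set[str]:
    """Secrets the Pod uses that the SA's allow list does not cover.
    Empty when the policy is not switched on for this SA."""
    annotations = service_account.get("metadata", {}).get("annotations", {})
    if annotations.get(ENFORCE_ANNOTATION) != "true":
        return set()
    allowed = {s["name"] for s in service_account.get("secrets", [])}
    return referenced_secrets(pod) - allowed


def admit(pod: dict, service_account: dict) -> tuple[bool, str]:
    """Admission decision: (allowed, human-readable reason)."""
    bad = disallowed_secrets(pod, service_account)
    if bad:
        sa = service_account["metadata"]["name"]
        return False, f"pod references secrets not allowed by SA {sa}: {sorted(bad)}"
    return True, "ok"


# Constructed sample: SA "web" may only use the secret "app-token".
SAMPLE_SA = {
    "apiVersion": "v1", "kind": "ServiceAccount",
    "metadata": {"name": "web", "namespace": "prod",
                 "annotations": {ENFORCE_ANNOTATION: "true"}},
    "secrets": [{"name": "app-token"}],
}

# Constructed sample: the main container stays within policy, but a
# debug ephemeral container pulls "db-creds" via envFrom.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-1", "namespace": "prod"},
    "spec": {
        "serviceAccountName": "web",
        "volumes": [{"name": "tok", "secret": {"secretName": "app-token"}}],
        "containers": [{
            "name": "web", "image": "web:1",
            "env": [{"name": "API_TOKEN", "valueFrom": {
                "secretKeyRef": {"name": "app-token", "key": "token"}}}],
        }],
        "ephemeralContainers": [{
            "name": "debug", "image": "busybox",
            "envFrom": [{"secretRef": {"name": "db-creds"}}],
        }],
    },
}

if __name__ == "__main__":
    print(admit(SAMPLE_POD, SAMPLE_SA))
```

The point of the example is the enumeration in referenced_secrets: a policy check is only as good as its coverage of the reference paths, and a new Pod field (ephemeral containers) or an overlooked one (envFrom) silently widens what a service account can reach until the check is extended to it.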

Sponsored by Wallarm API Security Solution

Final Words

And that's a wrap for today's edition of Secret CISO. We've covered a lot of ground, from the recognition of McGuireWoods Partner Janet Peyton for her work in data security, to the data breaches faced by AT&T, Toshiba, and Disney, and the ongoing efforts to integrate security from code to cloud.

Remember, in this rapidly evolving digital landscape, staying informed is your first line of defense. Share this newsletter with your colleagues and friends to help them stay ahead of the curve too. Stay safe, stay secure, and see you tomorrow for more insights from the world of cybersecurity.
