Secret CISO 9/7: Cleveland Water Plant, MOVEit, USAA Data Breaches; Proactive Security Investments Surge, White House's Internet Routing Guide

Good morning, Secret CISO readers! Today's newsletter is packed with critical updates from the cybersecurity world. First up, a security lapse at the Cleveland Water plant, where a guard was caught on camera sleeping while a breach was under way. Physical access controls are only as strong as the people watching them, which is why proactive security measures are a recurring theme in this edition.

In the healthcare sector, a further 947K patient records have been tied to the MOVEit breach, a reminder that a mass-exploitation event keeps producing disclosures long after the initial patch. USAA, meanwhile, has notified more than 32K members of a breach of its own. On a more positive note, security leaders are responding to the White House's internet routing guide, which aims to improve the security of the Border Gateway Protocol (BGP), chiefly through wider adoption of Resource Public Key Infrastructure (RPKI).

We also have tech icon Steve Wozniak headlining OneCon 2024, the user conference of AI-powered security vendor SentinelOne. In other news, the Pennsylvania Attorney General's Office is taking proactive steps to educate the public about data breaches and identity theft, a timely initiative given the growing number of companies reporting data compromises. Finally, we wrap up with a slew of data breach updates, including a breach at car rental company Avis and a lawsuit against Advance Auto Parts over data breach allegations. Stay tuned for more updates and remember, knowledge is the first line of defense. Stay safe, stay informed.

Data Breaches

  1. Cleveland Water Plant Security Breach: A security guard was caught sleeping during a security breach at the Cleveland Water Plant. The incident, captured on camera, has raised concerns about the security measures in place. Source: Fox8
  2. MOVEit Data Breach: An additional 947K patient records have been found to be leaked in the MOVEit data breach. The healthcare entities and patients are still dealing with the aftermath of this breach. Source: HealthExec
  3. USAA Data Breach: Over 32K members have been impacted by a data breach at USAA. The breach occurred in April and affected customers have been notified by mail. Source: MRT
  4. Medicare Beneficiaries Data Breach: Almost a million Medicare beneficiaries could be affected by a data breach announced by the Centers for Medicare & Medicaid Services. The extent of the breach is still being investigated. Source: McKnightsSeniorLiving
  5. Avis Data Breach: Car rental company Avis has disclosed a data breach that impacted one of its business applications, compromising customers' personal information. The extent of the breach is still being investigated. Source: Security Affairs

Security Research

  1. New And Dangerous Android Attack—12 Words Are Targeted By Hackers: Security researchers have discovered an Android malware campaign that hunts for 12-word cryptocurrency wallet recovery (seed) phrases by scanning text in images stored on the device. Anyone who has photographed or screenshotted a seed phrase stands to lose the wallet it unlocks. Source: Forbes
  2. Cybersecurity Report: Advanced Persistent Threat Campaign Carried Out By Tropic Trooper: Tropic Trooper, a long-running APT group, has conducted an advanced persistent threat campaign against a governmental entity in the Middle East. The breadth of tooling and techniques the group brought to bear is particularly noteworthy. Source: Crowdfund Insider
  3. GeoServer Vulnerability Targeted by Hackers to Deliver Backdoors and Botnet Malware: Attackers are exploiting a GeoServer vulnerability (CVE-2024-36401, a remote code execution flaw) to deliver backdoors and botnet malware, with infections concentrated in South America, Europe and Asia. Internet-exposed GeoServer instances should be upgraded to a fixed release. Source: The Hacker News
  4. Feds Warn Health Sector to Patch Apache Tomcat Flaws: Federal health authorities have warned the health sector to patch Apache Tomcat flaws, pointing to the speed at which newly disclosed and zero-day vulnerabilities are being weaponized against organizations. Source: BankInfoSecurity
  5. GitHub Actions Vulnerable to Typosquatting, Exposing Developers to Hidden Malicious Code: GitHub Actions are vulnerable to typosquatting, exposing developers to hidden malicious code. Because any GitHub account can publish an action, an attacker can register a look-alike owner or repository name and wait for a mistyped uses: reference to pull their code into a workflow. Pinning actions to a commit SHA and keeping an allowlist of vetted owners limits the exposure. Source: The Hacker News
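The typosquatting item above boils down to two checks a CI owner can automate: is the action's owner one we have vetted, and is the ref a commit SHA rather than a tag the owner can move? The following Go program is an added example, not code from the Hacker News article or from GitHub. It scans the uses: lines of a workflow file against an allowlist; the workflow text, the allowlist and the 40-hex SHA are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// usesRe matches a `uses: owner/repo[/path]@ref` step in a workflow file and
// captures owner, repo and ref. Local actions (./path) and docker:// images
// carry no '@' in that position and are left for a separate check.
var usesRe = regexp.MustCompile(`^\s*-?\s*uses:\s*["']?([A-Za-z0-9_.-]+)/([A-Za-z0-9_./-]+)@([^"'\s#]+)`)

// shaRe is a full 40-hex commit SHA: the only ref an action owner cannot
// silently re-point, unlike a tag such as v4 or a branch such as main.
var shaRe = regexp.MustCompile(`^[0-9a-f]{40}$`)

// Finding is one flagged action reference.
type Finding struct {
	Line   int    // 1-based line in the workflow file
	Ref    string // owner/repo@ref as written
	Reason string
}

// AuditWorkflow flags every `uses:` reference whose owner is not on the
// organisation's vetted allowlist (where a look-alike name such as "actons"
// would land) or whose ref is not pinned to a commit SHA.
func AuditWorkflow(workflow string, trustedOwners map[string]bool) []Finding {
	var findings []Finding
	for i, line := range strings.Split(workflow, "\n") {
		m := usesRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		owner, repo, ref := m[1], m[2], m[3]
		full := owner + "/" + repo + "@" + ref
		if !trustedOwners[owner] {
			findings = append(findings, Finding{i + 1, full, "owner not on allowlist (possible typosquat)"})
		}
		if !shaRe.MatchString(ref) {
			findings = append(findings, Finding{i + 1, full, "ref is a mutable tag or branch, not a commit SHA"})
		}
	}
	return findings
}

// sampleWorkflow is a constructed workflow for illustration; the SHA is a
// placeholder, not a real actions/checkout commit.
const sampleWorkflow = `name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@1111111111111111111111111111111111111111
      - uses: actions/setup-go@v5
      - uses: actons/checkout@v4
      - uses: ./.github/actions/local-thing
      - run: go test ./...
`

func main() {
	trusted := map[string]bool{"actions": true} // assumed allowlist
	for _, f := range AuditWorkflow(sampleWorkflow, trusted) {
		fmt.Printf("line %d: %s: %s\n", f.Line, f.Ref, f.Reason)
	}
}
```

On the sample, the pinned actions/checkout step passes, actions/setup-go@v5 is flagged once for the mutable tag, and actons/checkout@v4 is flagged twice: an owner nobody vetted and a tag that owner controls. A SHA pin alone does not catch the typosquat, which is why the allowlist check comes first.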

Top CVEs

  1. CVE-2024-7652: An error in the ECMA-262 specification relating to Async Generators could lead to a type confusion, memory corruption and an exploitable crash. Affects Firefox < 128, Firefox ESR < 115.13 and Thunderbird < 115.13. Source: CVE-2024-7652
  2. CVE-2024-34156: In Go's encoding/gob package, calling Decoder.Decode on a message containing deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. Source: CVE-2024-34156
  3. CVE-2024-45039: gnark, a fast zk-SNARK library, has a soundness issue in versions prior to 0.11.0. When multiple commitments are used inside a circuit, the prover can choose all but the last commitment, potentially breaking the soundness of the whole circuit. Source: CVE-2024-45039
  4. CVE-2023-52915: A Linux kernel vulnerability in the media dvb-usb-v2 af9035 driver has been resolved: malicious data could reach af9035_i2c_master_xfer and cause a NULL pointer dereference. Source: CVE-2023-52915
  5. CVE-2024-34155: In Go's go/parser package, calling any of the Parse functions on Go source code containing deeply nested literals can cause a panic due to stack exhaustion. Source: CVE-2024-34155
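The two Go entries (CVE-2024-34155 and CVE-2024-34156) share a failure mode worth understanding before you reach for a recover(): a goroutine that exhausts its stack dies with a fatal runtime error, not a recoverable panic, so the only defence short of upgrading is to bound untrusted input before the recursive parser sees it. The Go program below is an added example and is not code from the Go project or from either advisory. It shows the go/parser case: a linear, non-recursive depth count guards parser.ParseExpr, and a constructed generator produces the deeply nested composite literal shape the advisory describes. The maxNesting limit is an assumption for illustration, not a figure from the Go fix; for gob the equivalent control is a size cap on untrusted messages plus the patched release.

```go
package main

import (
	"errors"
	"fmt"
	"go/parser"
	"strings"
)

// maxNesting is this example's policy limit on bracket nesting, chosen far
// below the depth at which the parser's recursion becomes a problem. It is an
// assumption for illustration, not a number taken from the Go fix.
const maxNesting = 1000

var ErrTooDeep = errors.New("input exceeds maximum nesting depth")

// NestingDepth returns the deepest (), [] or {} nesting in src using a single
// linear pass and no recursion. It ignores strings and comments on purpose:
// over-counting can only cause a rejection, never let deeper input through.
func NestingDepth(src string) int {
	depth, maxDepth := 0, 0
	for _, c := range src {
		switch c {
		case '(', '[', '{':
			depth++
			if depth > maxDepth {
				maxDepth = depth
			}
		case ')', ']', '}':
			if depth > 0 {
				depth--
			}
		}
	}
	return maxDepth
}

// SafeParseExpr bounds the input before go/parser ever sees it, which is
// the only place a guard can live: a stack overflow in Go is a fatal runtime
// error, not a panic that recover() could catch.
func SafeParseExpr(src string) error {
	if d := NestingDepth(src); d > maxNesting {
		return fmt.Errorf("%w: depth %d > %d", ErrTooDeep, d, maxNesting)
	}
	_, err := parser.ParseExpr(src)
	return err
}

// NestedLiteral builds a composite literal n levels deep, e.g. n=2 yields
// "[][]int{{}}", the shape of input behind CVE-2024-34155. Constructed input,
// as a fuzzer or attacker would generate it.
func NestedLiteral(n int) string {
	return strings.Repeat("[]", n) + "int" + strings.Repeat("{", n) + strings.Repeat("}", n)
}

func main() {
	for _, n := range []int{3, maxNesting + 1} {
		err := SafeParseExpr(NestedLiteral(n))
		fmt.Printf("depth %d: err=%v\n", n, err)
	}
}
```

The depth counter is deliberately dumb: it does not tokenize, so a bracket inside a string literal counts too. That bias is safe because it only ever rejects more, and it keeps the guard itself free of the recursion it is protecting against.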

API Security

  1. Synthetic Monitoring Agent Exposes Sensitive Information: Grafana's Synthetic Monitoring agent exposed the authentication token it uses to talk to the Synthetic Monitoring API through a debugging endpoint, so anyone able to reach that endpoint on the local network could read the token and use it to retrieve the Synthetic Monitoring checks created by that user. Version v0.12.0 fixes the exposure; because a token may already have been read, users should also rotate their agent tokens. Source: Vulners
  2. Gnark Commitments Break Zero-Knowledge Property: The Groth16 prover, when used with commitments in gnark, breaks the perfect zero-knowledge property, causing the Groth16 scheme to fail as a zk-SNARK. This issue is present whenever commitments are used that include private witnesses. Source: Vulners
  3. CVE-2024-45040: Gnark, a fast zk-SNARK library, has a vulnerability that breaks the zero-knowledge property in Groth16 proofs with commitments. This vulnerability affects the zero-knowledge property of the proofs and has been fixed in version 0.11.0. Source: Vulners
  4. CVE-2024-45039: Gnark has a soundness issue in versions prior to 0.11.0. In case of multiple commitments used inside the circuit, the prover can choose all but the last commitment. This could impact the soundness of the whole circuit. The issue has been patched in version 0.11.0. Source: Vulners

Sponsored by Wallarm API Security Solution

Final Words

And that's a wrap for today's edition of Secret CISO. We've covered a lot of ground, from the security lapse at the Cleveland Water plant to the latest data breaches affecting healthcare entities and USAA members. We've also looked at the case for proactive security measures and at the White House's push to harden internet routing.

Remember, staying informed is the first step in maintaining a robust security posture. Share this newsletter with your colleagues and friends to help them stay up-to-date with the latest in cybersecurity news. Stay safe, stay secure, and see you in the next edition of Secret CISO.