Secret CISO 10/13: OpenAI Malware, Fidelity and Game Freak Breaches, Research on Gmail Security and Phishing Attacks

Welcome to today's issue of Secret CISO, where we delve into the latest cybersecurity incidents and developments.

First on our list is the data breach at Fidelity, affecting over 77,000 customers. This incident underscores the growing concerns around data security in the financial sector. In the gaming world, Game Freak, the developer behind Pokémon, has also suffered a significant data breach, revealing details about upcoming releases.

Meanwhile, employees of the Hawaii Judiciary are being urged to monitor their credit after a data breach exposed personal information of 2,600 current and former staff. In the academic sector, the University of Manchester is enhancing its cybersecurity measures with the Tanium XEM platform following a significant data breach.

OpenAI has confirmed that threat actors are using ChatGPT to write malware, highlighting the potential misuse of AI technologies.

In response to the rising threats, the EU is putting forward a controversial CSAM-scanning legal proposal, dubbed 'Chat control', to enhance data security. In Canada, a cybersecurity breach at the Calgary Public Library has raised concerns among customers. Australia is also taking action with three new draft laws published as part of its Cyber Security Strategy.

In the hospitality industry, Marriott has agreed to pay a $52 million settlement for a data breach, emphasizing the financial implications of cybersecurity incidents. Lastly, we'll look at the latest research and expert insights in the field of cybersecurity.

From the use of ChatGPT and LLM tools by Chinese and Iranian hackers to create malware and phishing attacks, to the new malware campaign targeting the finance and insurance sectors using GitHub links, we'll cover it all. Stay tuned for these stories and more in today's issue of Secret CISO.

Data Breaches

  1. Data Breach at Fidelity: Over 77,000 customers' personal information was exposed in a data breach at Fidelity Investments. The breach has raised concerns about the security of financial data and the potential for identity theft. Source: India Herald
  2. Game Freak Leak: Game Freak, the developer behind the popular Pokémon franchise, suffered a major data breach. The leak revealed details about Pokémon Gen 10 and Switch 2, highlighting the potential risks of intellectual property theft in the gaming industry. Source: esports.gg
  3. Hawaii Judiciary Data Breach: A data breach at the Hawaii Judiciary exposed personal information of 2,600 current and former staff. Employees have been urged to monitor their credit, underscoring the personal impact of such breaches. Source: YouTube
  4. University of Manchester Data Breach: The University of Manchester suffered a significant data breach, affecting 40,000 endpoints. In response, the university has implemented the Tanium XEM platform to enhance its cybersecurity. Source: SDxCentral
  5. Calgary Public Library Cybersecurity Breach: The Calgary Public Library was forced to close all of its branches due to a cybersecurity issue. While details are still scarce, the incident highlights the disruptive potential of cyber threats. Source: Calgary Herald

Security Research

  1. New Gmail Security Alert For 2.5 Billion Users As AI Hack Confirmed: Google has partnered with the Global Anti-Scam Alliance and the DNS Research Federation to launch a new initiative aimed at enhancing security. This comes in the wake of an AI hack that has put Gmail users on high alert. Source: Forbes
  2. IT security expert weighs in on Calgary Public Library cybersecurity breach: A cybersecurity breach at the Calgary Public Library has raised concerns, with an IT security expert suggesting that such breaches are typically the result of a phishing email. The details of the breach are still under investigation. Source: MSN
  3. Hackers Advertise Stolen Verizon Push-to-Talk 'Call Logs': Cybercriminals have advertised stolen Verizon Push-to-Talk call logs, a move that security researchers believe is linked to the Scattered Spider cybercrime activity due to its distributed nature. Source: 404 Media
  4. Chinese and Iranian hackers use ChatGPT and LLM tools to create malware and phishing attacks: Security researchers have discovered that hackers from China and Iran are using ChatGPT and LLM tools to create malware and phishing attacks. The researchers are working with internal safety and security teams to address this issue. Source: Tom's Hardware
  5. Bug, $50k how Zendesk left a backdoor in Fortune 500 companies: A security researcher has discovered a bug that left a backdoor in Fortune 500 companies, potentially exposing them to significant security risks. The impact of this bug is yet to be fully understood. Source: Hacker News

Top CVEs

  1. CVE-2024-9592: The Easy PayPal Gift Certificate plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.3. Unauthenticated attackers can update the plugin's settings and inject malicious JavaScript via a forged request if they can trick a site administrator into performing an action. Source: CVE-2024-9592
  2. CVE-2024-9778: The ImagePress – Image Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. Unauthenticated attackers can update plugin settings, including redirection URLs, via a forged request if they can trick a site administrator into performing an action. Source: CVE-2024-9778
  3. CVE-2024-9776: The ImagePress – Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.2. Authenticated attackers, with administrator-level permissions, can inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been enabled. Source: CVE-2024-9776
  4. CVE-2024-9595: The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the table cell content in all versions up to, and including, 2.4.2. Authenticated attackers, with Author-level access, can inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Source: CVE-2024-9595
  5. CVE-2024-9696: The Rescue Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'rescue_tab' shortcode in all versions up to, and including, 2.8. Authenticated attackers, with contributor-level access, can inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Source: CVE-2024-9696

Final Words

And that's a wrap for today's edition of Secret CISO. We've covered a lot of ground, from the data breach at Fidelity affecting over 77,000 customers, to the shocking revelation of threat actors using ChatGPT to write malware. We've also touched on the importance of cybersecurity measures, as seen in the University of Manchester's efforts to enhance their cybersecurity with Tanium.

Remember, in this digital age, staying informed is your first line of defense.

Share this newsletter with your friends and colleagues to keep them in the loop too.

Let's work together to create a safer digital space for everyone. Stay safe, stay informed, and see you in the next edition of Secret CISO.
