Secret CISO 11/21: Penn, Washington Post, WhatsApp Flaw, Tsundere Botnet - A Global Cybersecurity Wake-Up Call
Welcome to today's edition of Secret CISO, where we unravel the latest in cybersecurity incidents and vulnerabilities, weaving them into a narrative that underscores the ever-evolving landscape of digital threats.
In a world where data breaches are becoming alarmingly frequent, institutions like Penn are taking decisive action by mandating information security training for all employees, a move prompted by a recent breach. Meanwhile, The Washington Post finds itself under scrutiny as Lynch Carpenter investigates claims related to another data breach, highlighting the legal ramifications of such incidents.
Across the globe, Coupang faces the fallout of exposing 4,500 customers' personal information, while Daytona Beach grapples with both financial mismanagement and a data breach involving city credit cards. In South Africa, Lancet Laboratories' multiple breaches have resulted in a hefty fine, raising questions about data protection in the healthcare sector.
On the technological front, a critical vulnerability in WhatsApp's contact discovery mechanism threatens the privacy of 3.5 billion users, while a new Android malware intercepts messages from popular apps, posing a significant threat to user security. Fortinet FortiWeb's command injection flaw is under active exploitation, and Palo Alto Networks faces a surge in malicious activity linked to a mysterious traffic flood.
In the realm of vulnerabilities, GitHub Copilot and Visual Studio Code face improper access control issues, BASIS BBj's directory traversal flaw exposes sensitive files, and WordPress plugins are vulnerable to Stored Cross-Site Scripting, each posing unique risks to developers and users alike.
As we delve into these stories, the message is clear: vigilance, timely updates, and robust security measures are paramount in safeguarding our digital world.
Data Breaches
- Penn institutes mandatory information security training for all employees following data breach: In response to a recent data breach, Penn has mandated that all faculty, staff, student workers, and postdoctoral students complete information security training. This move aims to bolster the university's cybersecurity posture and prevent future incidents. Source: The Daily Pennsylvanian.
- The Washington Post Data Breach Claims Investigated by Lynch Carpenter: Lynch Carpenter, LLP is investigating claims against The Washington Post concerning a data breach. The investigation seeks to determine the breach's impact and potential legal actions for affected individuals. Source: National Law Review.
- Coupang Data Breach Exposes 4,500 Customers' Information: Coupang has reported a data breach that exposed the personal information of 4,500 customers, including names, emails, addresses, and order records. The company is taking steps to address the breach and enhance its security measures. Source: The Chosun Ilbo.
- Daytona Beach commissioners debate alleged misspending and data breach concerns: Daytona Beach city commissioners are addressing concerns over alleged misspending and a recent data breach involving city credit cards. The discussions aim to improve transparency and security within city operations. Source: WFTV.
- Large medical lab in South Africa suffers multiple data breaches: Lancet Laboratories in South Africa has experienced multiple data breaches, resulting in a fine of R100,000 for failing to adequately respond to the incidents. The breaches have raised concerns about data protection practices in the healthcare sector. Source: DataBreaches.Net.
Security Research
- WhatsApp Security Flaw Exposes 3.5 Billion People's Phone Numbers: Security researchers from the University of Vienna and SBA Research have uncovered a critical weakness in WhatsApp's contact discovery mechanism, the feature that lets a client submit phone numbers and learn which of them belong to registered accounts. Queried at scale, it allowed the researchers to enumerate roughly 3.5 billion registered numbers worldwide, a significant privacy exposure. The finding shows how a lookup that is harmless one number at a time becomes a mass-enumeration oracle when it is not effectively rate-limited, a risk for any widely used communication platform. Source: Yahoo Finance.
- New Android Malware Can Capture Private Messages: Security researchers have identified a new Android banking trojan that intercepts messages from popular apps such as WhatsApp and Telegram. Because it reads message content on the device, it can capture sensitive information and potentially enable financial fraud, which makes keeping mobile devices patched and scrutinizing the permissions apps request all the more important. Source: The Record.
- Researchers Warn Command Injection Flaw in Fortinet FortiWeb is Under Exploitation: Trend Micro researchers report that a command injection vulnerability in Fortinet FortiWeb, Fortinet's web application firewall, is being actively exploited. The flaw lets attackers execute arbitrary commands on affected appliances, which typically sit at the network edge in front of web applications, so a compromise hands the attacker the very device meant to filter their traffic. Organizations running FortiWeb should apply the vendor's fix promptly and check the appliance for signs of prior compromise. Source: Cybersecurity Dive.
- Palo Alto Kit Sees Massive Surge in Malicious Activity Amid Mystery Traffic Flood: Security researchers have observed a sharp rise in malicious traffic aimed at Palo Alto Networks devices, coinciding with an as-yet-unexplained traffic flood. Overlaps with earlier, related campaigns point to a coordinated effort rather than random scanning. Edge security devices are high-value targets precisely because they face the internet, so continuous monitoring of scanning and login activity against them, and a rehearsed response plan, matter. Source: The Register.
- Cute but Deadly: Kaspersky Reveals the Tsundere Botnet: Kaspersky's Global Research and Analysis Team has documented the Tsundere botnet, which targets Windows users; its name borrows the Japanese slang for a hot-and-cold personality. The botnet employs evasion techniques that make it hard to detect and take down, and its discovery underscores the value of threat intelligence and proactive hunting against emerging threats. Source: Kaspersky.
Top CVEs
- CVE-2025-64660: Improper access control in GitHub Copilot and Visual Studio Code allows an authorized attacker to bypass a security feature over a network. Because these tools run with the developer's own privileges and have access to source code and credentials, a security-feature bypass in them puts the development environment, and by extension the software supply chain, at risk; affected users should move to the patched releases.
- CVE-2025-34320: BASIS BBj versions prior to 25.00 expose a Jetty-served web endpoint that does not properly validate or canonicalize path segments in incoming requests. An unauthenticated attacker can supply directory-traversal sequences to read arbitrary files on the host, which can disclose configuration and credential material and potentially lead to administrative access. Upgrading to 25.00 or later removes the flaw; until then the endpoint should not be reachable from untrusted networks.
- CVE-2025-5092: Multiple WordPress plugins and themes that bundle the lightGallery library version 2.8.3 are vulnerable to Stored Cross-Site Scripting. Because of insufficient input sanitization, an authenticated attacker with Contributor-level access can inject arbitrary web scripts that execute in the browser of every user who views the injected page, including administrators. Site owners should update affected plugins and themes, and treat any third-party JavaScript library shipped inside a plugin as part of their own attack surface.
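CVE-2025-34320 is, at bottom, a failure to canonicalize path segments before deciding whether a request stays inside the document root. The Python example below is added here to illustrate that class of bug and its fix; it is not BASIS's code, the specific bypass used against BBj is not given in the advisory summarized above, and the web root, the request paths and the deliberately weak resolver are all constructed for the demonstration.

```python
import os
from urllib.parse import unquote

# Constructed document root for the example; the real BBj layout is not
# described in the advisory and is not reproduced here.
WEB_ROOT = "/srv/app/static"


def naive_resolve(web_root: str, request_path: str) -> str:
    """Deliberately weak resolver (hypothetical, for contrast only).

    It rejects a literal '..' but does so on the raw request string and only
    percent-decodes afterwards, so an encoded dot-segment slips through and
    os.path.normpath walks straight out of the root.
    """
    if ".." in request_path:
        raise ValueError("traversal rejected")
    decoded = unquote(request_path)  # decoding after the check reintroduces '..'
    return os.path.normpath(os.path.join(web_root, decoded.lstrip("/")))


def safe_resolve(web_root: str, request_path: str) -> str:
    """Decode once, canonicalize, then check containment by path components.

    Decoding exactly once mirrors what the server itself does; a double-encoded
    '%252e' stays a literal file name and cannot turn into a dot-segment here.
    """
    decoded = unquote(request_path)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # commonpath compares whole components, so '/srv/app/static2/x' is not
    # accepted for root '/srv/app/static' the way a str.startswith check would.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes web root")
    return candidate


# Constructed requests: one legitimate file, then traversal variants.
REQUESTS = [
    "css/site.css",
    "../../../etc/passwd",
    "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd",
    "../static2/index.html",
]


def compare(request_path: str) -> dict:
    """Run both resolvers on one request and report the resolved path or the rejection."""
    out = {}
    for name, fn in (("naive", naive_resolve), ("safe", safe_resolve)):
        try:
            out[name] = fn(WEB_ROOT, request_path)
        except ValueError as exc:
            out[name] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    for req in REQUESTS:
        print(f"{req!r:42} {compare(req)}")
```

Running it shows the naive resolver catching the plain `../` form but returning `/etc/passwd` for the percent-encoded ones, while the canonicalizing version rejects every traversal and also the sibling-directory case that a string-prefix check would have let through. The order of operations is the whole point: decode first, resolve to a canonical absolute path, then compare components against the root.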
Final Words
As we wrap up today's edition of Secret CISO, it's clear that the digital landscape is as dynamic as ever, with new challenges and lessons emerging daily. From universities like Penn taking proactive steps to secure their networks, to global giants like WhatsApp facing vulnerabilities that affect billions, the need for robust cybersecurity measures has never been more pressing.
We've also seen how legal investigations, like those involving The Washington Post, and data breaches in companies such as Coupang, highlight the importance of transparency and accountability in handling sensitive information. Meanwhile, the ongoing debates in Daytona Beach and the fines imposed on Lancet Laboratories remind us that no sector is immune from the scrutiny of data protection practices.
On the technical front, the discovery of vulnerabilities in widely used platforms like Fortinet FortiWeb and GitHub Copilot underscores the critical need for timely updates and vigilant security practices. The emergence of new threats, such as the Tsundere botnet and Android malware, further emphasizes the importance of staying informed and prepared.
As we continue to navigate these complex issues, remember that sharing knowledge is one of the most powerful tools we have. If you found today's insights valuable, please consider sharing this newsletter with your friends and colleagues. Together, we can foster a more secure digital environment for everyone.
Thank you for being a part of our community. Stay safe, stay informed, and see you in the next edition of Secret CISO!