Secret CISO 12/18: NPG, NS Pharma, Pornhub Breaches; WhatsApp, Cisco, Chrome Vulnerabilities; Apple's CVE-2025-43529 Exploit Unveiled
Welcome to today's edition of Secret CISO, where we unravel the latest in cybersecurity breaches and vulnerabilities. In a world where data is the new gold, today's stories highlight the fragility of our digital fortresses and the relentless pursuit of those who seek to exploit them.
We begin with a deep dive into the alarming data breaches affecting major organizations. From the News-Press & Gazette Company's ongoing investigation to the exposure of 92,845 patients' records at NS Pharma, the narrative of compromised data continues. The adult content platform Pornhub is not spared either, with a staggering 200 million user records stolen, raising questions about the security of such platforms.
Healthcare facilities in remote regions are not immune, as seen in the cyberattack on Nunavik Health Centre, while 700Credit's breach update reminds us of the vulnerabilities in the credit check sector. Meanwhile, a WhatsApp vulnerability allows for invisible user tracking, and Cisco email security appliances face a zero-day threat, underscoring the need for vigilance in communication tools.
In the realm of software, Chrome's critical update addresses remote code execution vulnerabilities, while BitsLab's MoveBit introduces 'Belobog' to fortify Move language applications. However, the discovery of the "Lies-in-the-Loop" attack on AI safety dialogs signals a new frontier in cybersecurity challenges.
Finally, we explore the technical intricacies of recent CVEs, from Apple's use-after-free issue to memory corruption in ELF images, and vulnerabilities in NGINX Ingress Controller and Step CA ACME. The nbconvert tool in Jupyter also presents a risk, highlighting the ongoing battle to secure our digital ecosystems.
Stay informed, stay secure, and join us as we navigate the ever-evolving landscape of cybersecurity threats and defenses.
Data Breaches
- News-Press & Gazette Company Data Breach Investigation: Strauss Borrelli PLLC is investigating a data breach involving News-Press & Gazette Company (NPG). The breach has raised concerns about the security of sensitive information handled by the company. Source: Strauss Borrelli PLLC.
- NS Pharma Data Breach Affects 92,845 Patients: A data breach at NS Support, LLC has exposed the personal information of 92,845 patients, including names and medical notes. This incident highlights the vulnerabilities in healthcare data management. Source: Claim Depot.
- Hackers Steal 200 Million Personal Records of Pornhub Users: A significant data breach has compromised the personal records of 200 million Pornhub users. The breach has raised alarms about the security measures of adult content platforms. Source: The Times.
- Cyberattack of Nunavik Health Centre Results in Data Breach: A cyberattack on a Kuujjuaq health centre has potentially exposed clinical records, raising concerns about the security of healthcare facilities in remote regions. Source: Montreal Gazette.
- Credit Check Giant Gives Update on Data Breach: 700Credit, a major player in the automotive industry, has provided an update on a data breach that occurred in late October. The breach has affected numerous partners and highlights the risks in the credit check sector. Source: WKBN.com.
Security Research
- WhatsApp Vulnerability Enables Invisible User Tracking via Phone Numbers: Security researcher Tal Be'ery has discovered a vulnerability in WhatsApp that allows for invisible tracking of users through their phone numbers. The technique leverages WhatsApp's delivery receipts to monitor online activity, which can be used to infer user behavior and can potentially drain device batteries. Source: WebProNews.
- Cisco Email Security Appliances Rooted and Backdoored via Still Unpatched Zero-Day: Cisco Talos researchers have identified a zero-day vulnerability in Cisco email security appliances that has been exploited to root and backdoor systems. The attack involves specific IP addresses and tool hashes, though the full details remain undisclosed. Source: Help Net Security.
- Chrome Security Update Patches Critical Remote Code Execution Vulnerabilities: Security researcher Shaheen Fazim reported critical vulnerabilities in Chrome that could allow remote code execution. Google has issued a security update to address these issues, highlighting the importance of keeping browsers up to date. Source: Cyber Press.
- BitsLab's MoveBit Releases Research: Belobog, a Move Fuzzing Framework Oriented Toward Real-World Attacks: BitsLab's MoveBit has introduced 'Belobog,' a fuzzing framework designed to test the security of Move language applications against real-world attacks. This research aims to enhance the robustness of applications by identifying vulnerabilities before they can be exploited. Source: PRNewswire.
- New “Lies-in-the-Loop” Attack Undermines AI Safety Dialogs: Researchers have uncovered a new attack method called "Lies-in-the-Loop," which manipulates AI safety dialogs by exploiting human approval prompts to execute malicious code. This discovery raises concerns about the integrity of AI systems and the need for improved security measures. Source: Infosecurity Magazine.
Top CVEs
- CVE-2025-43529: A use-after-free issue in Apple's operating systems, including watchOS, Safari, iOS, iPadOS, macOS, visionOS, and tvOS, was addressed with improved memory management. This vulnerability could lead to arbitrary code execution when processing maliciously crafted web content. Apple has acknowledged reports of this issue being exploited in sophisticated attacks targeting specific individuals. Source: Vulners.
- CVE-2025-47372: A memory corruption vulnerability occurs when a corrupted ELF image with an oversized file size is read into a buffer without authentication. This flaw could potentially allow attackers to execute arbitrary code. Source: Vulners.
- CVE-2025-14727: A vulnerability in NGINX Ingress Controller's nginx.org/rewrite-target annotation validation could lead to security issues. This vulnerability affects software versions that have reached End of Technical Support (EoTS) and are not evaluated. Source: Vulners.
- CVE-2025-44005: An attacker can bypass authorization checks in Step CA ACME or SCEP provisioners, allowing them to create certificates without completing certain protocol authorization checks. This vulnerability poses a significant risk to the integrity of certificate issuance processes. Source: Vulners.
- CVE-2025-53000: The nbconvert tool in Jupyter, up to version 7.16.6 on Windows, has a vulnerability that allows unauthorized code execution when converting a notebook with SVG output to a PDF. This is due to the potential execution of a malicious inkscape.bat file. No known patches exist as of the time of publication. Source: Vulners.
Final Words
As we wrap up today's edition of Secret CISO, it's clear that the digital landscape is as dynamic as ever, with new challenges emerging at every turn. From the data breaches affecting major companies like News-Press & Gazette and NS Pharma, to vulnerabilities in platforms as diverse as WhatsApp and Cisco's email security appliances, the need for vigilance and proactive measures is more pressing than ever.
We've also seen how critical updates, like those from Google Chrome, play a vital role in safeguarding our digital environments. Meanwhile, innovative research such as Belobog from BitsLab's MoveBit and the discovery of the "Lies-in-the-Loop" attack remind us of the ongoing battle to secure AI and application frameworks against evolving threats.
In the realm of vulnerabilities, the recent CVEs highlight the importance of staying informed and prepared. Whether it's Apple's operating systems or tools like Jupyter's nbconvert, understanding these risks is crucial for maintaining robust security postures.
We hope you found today's insights valuable and encourage you to share this newsletter with friends and colleagues who might benefit from staying informed about the latest in cybersecurity. Together, we can build a more secure digital future.
Until next time, stay safe and vigilant!