Welcome to today's edition of Secret CISO, your daily dose of cybersecurity updates. Today, we're diving into a series of data breaches that have recently hit the headlines. UnitedHealth Group suffered a data breach due to a lack of multifactor authentication, resulting in ransomware being released after a password was stolen. Meanwhile, Dropbox Sign experienced a security incident involving user data, prompting a password reset for affected users.

Qantas and Panda Restaurants also fell victim to data breaches, with unauthorized individuals gaining access to confidential information. In a surprising twist, the ClubsNSW and OutABox data breach turned out not to be a hack, with NSW Police making an arrest in connection with the incident. Verizon's 2024 Data Breach Investigations Report highlights the rapid exploitation of zero-day vulnerabilities and the effectiveness of ransomware attacks.

In another case, a man was arrested after a data breach exposed club visitor data, potentially necessitating the replacement of hundreds of thousands of driver's licenses. Virginia Union University experienced a data security incident involving Social Security numbers, offering complimentary identity monitoring and protection services to those affected. In other news, UnitedHealthcare's CEO revealed that a third of US citizens were likely affected by a recent hack, while a data breach involving over 1 million NSW clubs customer records led to an arrest in Sydney.

On the research front, a comparison between Android and iOS app security revealed a clear loser, while insights on essential controls for SMBs were shared by a Verizon security expert. Stay tuned for more updates and remember, knowledge is the first line of defense. Stay safe!

Data Breaches

1. UnitedHealth Data Breach: UnitedHealth Group experienced a data breach after hackers infiltrated their computer system using stolen passwords and released ransomware. The breach was reportedly due to a lack of multifactor authentication. Source: Yahoo
2. Dropbox Security Incident: Dropbox recently faced a security incident involving unauthorized access to user data. The company's security team has reset user passwords and logged users out of all connected devices as a precautionary measure. Source: Dropbox Sign
3. Qantas Data Breach: Qantas Airways suffered a data breach, potentially exposing confidential information of its customers. The airline is currently investigating the extent of the breach. Source: Herald Sun
4. Panda Restaurants Data Breach: Panda Restaurant Group, the parent company of Panda Express and Hibachi-San, was hit by a data breach. The extent of the breach and the number of affected customers are currently unknown. Source: SC Media
5. ClubsNSW and OutABox Data Breach: ClubsNSW and OutABox experienced a data breach, potentially exposing the personal details of over one million people. The breach is currently under investigation by the Cybercrime Squad. Source: Cyber Daily

Security Research

1. Security for SMBs: Insights for Essential Controls: Verizon security expert shares insights on how small and medium-sized businesses (SMBs) can defend against rising security threats. Source: SiliconANGLE
2. Banks Moving into the Cloud Prompt Forecasts of Security Risk: Security researcher at Russian antivirus software company Kaspersky discusses the potential security risks as banks transition to cloud-based systems. Source: Financial Times
3. LastPass Separates From Parent After Security Incidents: Following several security incidents, password manager LastPass has separated from its parent company. Security researchers had previously indicated that these hacks could have been used to steal over $35 million. Source: Silicon UK
4. Researcher Compares Android and iOS for App Security: A security researcher compared the app security of Android and iOS, finding a clear loser in terms of security. Source: TechRadar
5. Protect AI CISO Invited to Explain How to Build Security into ML Pipelines at RSA Conference: Diana Kelley, CISO at Protect AI, has been invited to the RSA Conference to present a hands-on track session on building security into machine learning pipelines. Source: Yahoo Finance

Top CVEs

1. CVE-2024-4058 - Heap Corruption in Google Chrome: A type confusion vulnerability in ANGLE in Google Chrome versions prior to 124.0.6367.78 could potentially allow a remote attacker to exploit heap corruption via a crafted HTML page. Users are advised to update to the latest version. Source: CVE-2024-4058
2. CVE-2024-4368 - Use After Free in Google Chrome: A use-after-free vulnerability in Dawn in Google Chrome versions prior to 124.0.6367.118 could potentially allow a remote attacker to exploit heap corruption via a crafted HTML page. Users are advised to update to the latest version. Source: CVE-2024-4368
3. CVE-2024-3591 - PHP Object Injection in Geo Controller WordPress Plugin: A PHP object injection vulnerability has been identified in the Geo Controller WordPress Plugin. The vulnerability could allow an attacker to execute arbitrary PHP code within the context of the application. Users are advised to update to the latest version. Source: CVE-2024-3591
4. CVE-2024-26331 - Authentication Bypass in ReCrystallize Server: An authentication bypass vulnerability has been identified in ReCrystallize Server. The vulnerability could allow an attacker to gain unauthorized access to the system. Users are advised to update to the latest version. Source: CVE-2024-26331
5. CVE-2023-38002 - Session Hijacking in IBM Storage Scale: IBM Storage Scale versions 5.1.0.0 through 5.1.9.2 could allow an authenticated user to steal or manipulate an active session to gain access to the system. Users are advised to update to the latest version. Source: CVE-2023-38002

API Security

1. Apache ActiveMQ 6.x API Security Issue (CVE-2024-32114): The default configuration in Apache ActiveMQ 6.x does not secure the API web context, potentially allowing anyone to interact with the broker or produce/consume messages without any required authentication. Users are advised to update the default configuration file to add authentication or upgrade to Apache ActiveMQ 6.1.2 where the default configuration has been updated with authentication. Source: vulners.com
2. SSRF in Oxwall 1.8.7 (CVE-2021-36594): Oxwall 1.8.7 is vulnerable to Server Side Request Forgery (SSRF), allowing an attacker to execute arbitrary commands via Phar deserialization or internal API server. Source: vulners.com
3. Incorrect Authorization in Pydio Cells (CVE-2023-32749): Pydio Cells has an incorrect authorization vulnerability. A proof-of-concept exploit shows that a new user account with all available roles can be created when provided with valid credentials. Users are advised to ensure that the script is used in compliance with all applicable laws. Source: vulners.com
4. Insecure Defaults in XMLUnit for Java: XMLUnit for Java has insecure defaults when processing XSLT stylesheets. Depending on the XSLT processor used, this could allow arbitrary code to be executed when XMLUnit is used to transform data with a stylesheet whose source cannot be trusted. Users are advised to upgrade to XMLUnit for Java 2.10.0 where the default has been changed. Source: vulners.com

Sponsored by Wallarm API Security Solution

Final Words

That's it for today's edition of the Secret CISO newsletter. We've covered a wide range of security incidents, from the UnitedHealth data breach caused by lack of multifactor authentication to the recent security incident involving Dropbox Sign. Remember, staying informed is the first step in protecting your data and systems.

If you found this information useful, please consider sharing this newsletter with your friends and colleagues. They might find it helpful too. Stay safe, stay secure, and see you in the next edition of Secret CISO.