Good morning! In today's edition of Secret CISO, we're diving into a series of data breaches that have been making headlines. First up, North Dakota accounting firm Brady Martz & Associates PC is facing a proposed class action lawsuit over allegations of breaching its duty to protect personal data. Meanwhile, the Federal Housing Administration is tightening data breach reporting requirements for lenders, requiring incidents to be reported within 12 hours of detection. In the healthcare sector, pharmaceutical company AbbVie has filed a notice of a data breach impacting tens of thousands, and CentroMed has suffered its second healthcare data breach due to unauthorized access to its IT network.

Across the pond, the Police Service of Northern Ireland is facing a hefty £750,000 fine over a data breach that exposed the personal information of all serving officers and staff. In the corporate world, a data breach at Interactive Brokers touched 600 client accounts, and the Federal Trade Commission has finalized an order against Blackbaud Inc. in response to a data breach. We'll also be discussing the fallout from ransomware attacks, with 94% of organizations experiencing downtime and 40% facing work stoppage. Stay tuned for more updates on these stories and other cybersecurity news. Stay safe and secure!

Data Breaches

1. North Dakota Accountants Data Breach Lawsuit: Brady Martz & Associates PC, a North Dakota accounting firm, is facing a proposed class action lawsuit for allegedly failing to protect personal data. Source: Bloomberg Law News
2. FHA Tightens Data Breach Reporting Requirements: The Federal Housing Administration has announced that all lenders must report system breaches within 12 hours of detection. Source: National Mortgage News
3. AbbVie Data Breach: Pharmaceutical company AbbVie, Inc. has filed a notice of data breach with the Attorney General of Texas after discovering that confidential information was compromised. Source: JD Supra
4. PSNI Data Breach: The Police Service of Northern Ireland (PSNI) is facing a £750,000 fine over a data breach that exposed the personal information of all serving officers and staff. Source: Scottish Legal News
5. Interactive Brokers Data Breach: Brokerage firm Interactive Brokers has suffered a data breach that affected 600 client accounts. Source: Citywire

Security Research

1. Ransomware Attacks Exploit VMware ESXi Vulnerabilities: Security researcher Tyler McGraw has highlighted an alarming pattern of ransomware attacks exploiting VMware ESXi vulnerabilities. Successful execution of the malware provides the threat actor with elevated privileges. Source: The Hacker News
2. Spyware Found Checking Out Personal Info on Hotel Chain's Computers: Security researcher Eric Daigle discovered spyware on hotel chain computers that was accessing customers' personal information, including partial numbers from payment cards. Source: Inc.com
3. Active Chinese Cyberespionage Campaign Rifling Email Servers: Security researchers warn of an active Chinese global cyberespionage campaign targeting at least nine different governments. The campaign is rifling through email servers, potentially accessing sensitive information. Source: GovInfoSecurity
4. A Leak of Biometric Police Data Is a Sign of Things to Come: Last month, security researcher Jeremiah Fowler spotted sensitive files on an exposed web server linked to ThoughtGreen Technologies. The files contained biometric data from police, indicating a potential future trend in data leaks. Source: WIRED
5. The End of an Era: Microsoft Phases Out VBScript for JavaScript and PowerShell: Security researcher Kevin Beaumont described Microsoft's new 'Recall' feature as a "keylogger baked into Windows". The lack of safety guardrails could potentially allow unauthorized access. Source: The Hacker News

Top CVEs

1. CVE-2024-29849 - Veeam Backup Enterprise Manager Authentication Bypass: Unauthenticated users can log in as any user to the enterprise manager web, potentially gaining unauthorized access to sensitive data. Patch is yet to be released. Source: CVE-2024-29849
2. CVE-2024-35223 - Dapr gRPC Proxy Vulnerability: Dapr sends the app token of the invoker app instead of the invoked app, leading to a potential leak of the application token. This vulnerability impacts users who use Dapr as a gRPC proxy for remote service invocation. Patched in the latest version. Source: CVE-2024-35223
3. CVE-2024-32969 - vantage6 Collaboration Vulnerability: Collaboration administrators can add extra organizations to their collaboration, potentially extending their influence and creating new users for which they know the passwords. This vulnerability was patched in the latest version. Source: CVE-2024-32969
4. CVE-2024-4835 - GitLab XSS Vulnerability: A XSS condition exists within GitLab, allowing an attacker to craft a malicious page to exfiltrate sensitive user data. Patched in versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. Source: CVE-2024-4835
5. CVE-2024-3917 - Pet Manager WordPress Plugin XSS Vulnerability: The Pet Manager WordPress plugin does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users. Patch is yet to be released. Source: CVE-2024-3917

API Security

1. Tauri API Access Control iFrames Bypass Origin Checks: Tauri applications have been found to allow remote origin iFrames to access the Tauri IPC endpoints without explicit permission. This bypasses the origin check and allows iFrames to access the IPC endpoints exposed to the parent window. Patches have been released to address this issue. Source: Vulners
2. Jupyter-scheduler's Endpoint Missing Authentication: Jupyter_scheduler is missing an authentication check in Jupyter Server on an API endpoint which lists the names of the Conda environments on the server. This allows an unauthenticated user to obtain the list of Conda environment names on the server. Patches have been released to address this issue. Source: Vulners
3. Prodys' Quantum Audio Codec Improper Access Control (CVE-2024-5168): An improper access control vulnerability has been discovered in Prodys' Quantum Audio codec affecting versions 2.3.4t and below. This vulnerability could allow an unauthenticated user to bypass authentication entirely and execute arbitrary API requests. Source: Vulners
4. GitLab CE/EE Denial of Service (DoS) Condition (CVE-2024-1947): A DoS condition was discovered in GitLab CE/EE affecting all versions from 13.2.4 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. An attacker could create a DoS condition by sending crafted API requests. Source: Vulners
5. Dapr API Token Exposure: A vulnerability has been found in Dapr that causes a leak of the application token of the invoker app to the invoked app when using Dapr as a gRPC proxy for remote service invocation. This issue arises because Dapr sends the app token of the invoker app instead of the app token of the invoked app. This issue has been fixed in Dapr version 1.13.3. Source: Vulners

Sponsored by Wallarm API Security Solution

Final Words

And that's a wrap for today's edition of Secret CISO. As we can see, data breaches continue to be a major concern across various sectors, from accounting firms in North Dakota to healthcare providers like CentroMed. It's a stark reminder of the importance of robust cybersecurity measures in protecting sensitive data. Remember, the fallout from a data breach isn't just about immediate financial loss. The downtime, work stoppage, and reputational damage can have long-term effects on your organization. So, stay vigilant, stay informed, and most importantly, stay secure.

If you found today's newsletter helpful, please consider sharing it with your colleagues and friends. Let's work together to create a safer digital world. Until next time, stay safe out there.