Secret CISO 6/21: Jollibee and LA Unified School District Data Breaches, Dell and Dropbox Under Fire, US Bans Kaspersky, Research on Optus and CertiK

Secret CISO 6/21: Jollibee and LA Unified School District Data Breaches, Dell and Dropbox Under Fire, US Bans Kaspersky, Research on Optus and CertiK

Welcome to today's issue of Secret CISO, your daily dose of cybersecurity news. Today, we're diving into a series of data breaches that have left millions of customers' data exposed. From Jollibee Foods Corporation to Dell and Total Fitness, no industry is safe from the threat of cyberattacks. In the education sector, the Los Angeles Unified School District confirms that vendor data was stolen in a Snowflake cyberattack. Meanwhile, Dropbox is facing a surge of data breach class actions in California. On the regulatory front, the US government has banned the sale of Kaspersky products due to security risks from Russia.

In the world of cybersecurity research, we're looking at a path traversal vulnerability in RAD Data's SecFlow-2 hardware and the fallout from a contentious bug bounty incident involving Kraken and CertiK. Stay tuned for more updates and remember, knowledge is the first line of defense. Stay safe out there!

Data Breaches

  1. Jollibee Customer Data Breach: A cybersecurity group has raised concerns over a large-scale data breach that has potentially exposed the information of millions of Jollibee customers. The company has yet to comment on these circulating reports. Source: Bilyonaryo
  2. Snowflake Cyberattack on LAUSD: The Los Angeles Unified School District has confirmed that data from one of its vendors was stolen in a cyberattack on Snowflake. However, there is currently no evidence that the district's own systems were breached. Source: StateScoop
  3. Dell Data Breach: Dell recently suffered a significant data breach, with a threat actor exploiting API vulnerabilities to steal 49 million customer records. The full extent of the breach is still being investigated. Source: Security Boulevard
  4. Total Fitness Data Leak: UK-based health club chain Total Fitness has suffered a data leak, exposing KYC and card data, including half a million images of men, women, and children. The cause of the leak is still unknown. Source: Hackread
  5. Optus Data Breach: Australian telco Optus has suffered a data breach, exposing the personal information of over nine million customers. The breach has been attributed to a coding error in a forgotten API. Source: The Register

Security Research

  1. SolarWinds Serv-U Vulnerability Under Active Attack - Patch Immediately: Security researcher Hussein Daher of Web Immunify discovered a flaw in SolarWinds Serv-U. The vulnerability is under active attack and users are urged to patch immediately. Source: The Hacker News
  2. Kraken Recovers $3 Million in Missing Funds After Bug Bounty Exploit: Kraken recovered $3 million in missing funds following a bug bounty exploit. The security researcher allegedly extorted the exchange, refusing to return the funds without a reward. Source: Yahoo Finance
  3. NBI arrests 3 over alleged hacking of gov't websites: The National Bureau of Investigation (NBI) arrested three individuals over alleged hacking of government websites. One of the arrested individuals is a security researcher in a company. Source: GMA News Online
  4. What Can Be Done to Improve Cloud Security: Maia Hamin, an associate director with the Atlantic Council's Cyber Statecraft Initiative, discusses ways to improve cloud security under the Digital Forensic Research Lab. Source: Lawfare Daily
  5. New Rust-based malware targets Microsoft Windows, abuses Powershell, and steals sensitive info: A new Rust-based malware is targeting Microsoft Windows, abusing Powershell, and stealing sensitive information. The malware is flexible and receives a target list from the server. Source: TechRadar

Top CVEs

  1. CVE-2024-38082 - Microsoft Edge (Chromium-based) Spoofing: This vulnerability allows attackers to spoof the content displayed in the Edge browser, potentially leading to phishing attacks or misinformation. Microsoft has yet to release a patch. Source: CVE-2024-38082
  2. CVE-2024-37532 - IBM WebSphere Application Server Identity Spoofing: This vulnerability allows authenticated users to spoof their identity due to improper signature validation. IBM has released a patch to address this issue. Source: CVE-2024-37532
  3. CVE-2024-29013 - SonicOS SSL-VPN Heap-based Buffer Overflow: This vulnerability allows authenticated remote attackers to cause a Denial of Service (DoS) via a memcpy function. SonicWall has yet to release a patch. Source: CVE-2024-29013
  4. CVE-2023-25646 - ZTE H388X Unauthorized Access: This vulnerability allows attackers with common user permissions to obtain elevated permissions on the affected device by performing specific operations. ZTE has yet to release a patch. Source: CVE-2023-25646
  5. CVE-2024-5447 - PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress Plugin Stored Cross-Site Scripting: This vulnerability allows high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. The plugin's developers have yet to release a patch. Source: CVE-2024-5447

API Security

  1. Exploit for CVE-2024-30270 - Mailcow XSS and RCE: A script has been designed to exploit vulnerabilities in a Mailcow instance using Cross-Site Scripting (XSS) and Remote Code Execution (RCE). The script injects an XSS payload into a Mailcow web interface and uses it to execute unauthorized actions, achieving RCE by overwriting a server template and executing commands. Source: CVE-2024-30270
  2. Exploit for CVE-2024-28397 - js2py Remote Code Execution: A vulnerability in the js2py Python package allows attackers to obtain references to Python objects in the js2py environment, enabling them to execute arbitrary commands on the host. The vulnerability affects js2py versions up to 0.74 running under Python 3. Source: CVE-2024-28397
  3. CVE-2024-3961 - ConvertKit – Email Newsletter, Email Marketing, Subscribers and Landing Pages: The ConvertKit plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the tag_subscriber function. This allows unauthenticated attackers to subscribe users to tags, potentially causing financial damages to site owners if their API quota is exceeded. Source: CVE-2024-3961

Sponsored by Wallarm API Security Solution

Final Words

And that's a wrap for today's edition of Secret CISO. We hope you found this information valuable in keeping your organization's data secure. Remember, cybersecurity is not a one-time event but a continuous process. Stay vigilant, stay informed, and most importantly, stay secure. If you found this newsletter helpful, please consider sharing it with your colleagues and friends.

Let's work together to create a safer digital world. Until next time, keep those firewalls up and those passwords strong. Stay safe out there.

Read more

'Secret CISO 7/12: AT&T's Massive Data Breach Impacts Nearly All Customers, Ticketmaster's Data Breach Affects Credit Card Info, Research on Optimizing Data Security in Medical Field, 10 Billion Passwords Stolen in Cyber Attack'

'Secret CISO 7/12: AT&T's Massive Data Breach Impacts Nearly All Customers, Ticketmaster's Data Breach Affects Credit Card Info, Research on Optimizing Data Security in Medical Field, 10 Billion Passwords Stolen in Cyber Attack'

Welcome to today's issue of Secret CISO. We're diving into the deep end of data breaches, with AT&T making headlines as their massive data breach impacts nearly all customers. This breach has exposed customer call and text records, leaving millions of users vulnerable. But

By Secret CISO