Secret CISO 8/3: APT41 Targets Taiwan, Illinois Voter Data Exposed, Ticketmaster Breach Affects Millions, AT&T and Google Face Data Leaks


Welcome to today's issue of Secret CISO. We've got a lot to unpack today, so let's dive right in. First up, we're looking at a major data breach in Illinois where sensitive voter data was exposed by a contractor's unsecured databases. This highlights the importance of securing databases and the potential risks of third-party contractors. Next, we're covering the Ticketmaster breach that may have affected millions of customers. Encrypted credit card information and dates of birth were among the data affected. In other news, a home-delivery pharmacy service has agreed to pay $1 million to settle a class action brought by plaintiffs following a data breach in 2021.

AT&T is also in the spotlight as two women have filed data breach lawsuits against the telecom company, asking for a consolidation of cases. Google Merchant Center has also experienced a data breach due to a Google Ads glitch, and Neiman Marcus is facing a customer suit over a data breach that exposed the personal information of about 31 million customers. In international news, Optus and Medibank are facing legal cases brought by Australian regulators following data breaches in 2022, and the UK's Department of Education is investigating a data leak involving a spreadsheet sent in error to 174 people.

We'll also be discussing the rising costs of data breaches, as highlighted by a recent IBM report, and the potential for compensation for Xfinity-Comcast customers affected by a recent data breach.

On the research front, we're looking at the latest cybersecurity and emerging technology priorities in the federal government, the use of over 3000 GitHub accounts for malware distribution, and China's APT41 targeting a Taiwanese research institute for cyber espionage.

Finally, we'll be covering the latest vulnerabilities and security issues, including a potential security overhaul in the FedRAMP cloud procurement program, a data breach within Google Merchant Center, and a data breach at Neiman Marcus. Stay tuned for these stories and more in today's Secret CISO newsletter.

Data Breaches

  1. Illinois Voter Data Exposed by Contractor's Unsecured Databases: Sensitive data including Social Security numbers, death certificates, and voter applications were exposed on the internet due to unsecured databases. This incident highlights the importance of secure data storage. Source: WIRED
  2. Millions of Customers Affected by Ticketmaster Breach: Encrypted credit card information and date of birth details were among the personal data affected in a breach at Ticketmaster. The extent of the breach and its impact on customers are currently under investigation. Source: The Beatrice Daily Sun
  3. Pharmacy Data-Breach Claims Settled for $1M: A home-delivery pharmacy service that suffered a data breach in 2021 has agreed to pay $1 million to settle a class action brought by plaintiffs. The breach underlines the financial implications of data security incidents. Source: Law360
  4. AT&T Data Breach May Lead to Separate MDL for Wireless Phone Records Leak: Two women who filed AT&T phone record data breach lawsuits against the telecom company have requested a panel of federal judges to consolidate the cases. The outcome could set a precedent for future data breach lawsuits. Source: AboutLawsuits
  5. Google Ads Glitch Likely Triggered Data Breach Within Google Merchant Center: A data leakage within the Google Merchant Center was likely caused by a glitch in Google Ads. The incident was easy to miss, highlighting the need for vigilant monitoring of data security systems. Source: AdExchanger

Security Research

  1. The Software Extinction Event That Wasn't: Security researchers at JFrog prevented a potential software extinction event, highlighting the importance of dedicated work and investment in cybersecurity. Source: DevOps.com
  2. FedRAMP Gets Security, Automation Overhaul in OMB Memo: The cloud procurement program has been updated to focus on new cybersecurity and emerging technology priorities in the federal government. Source: GovCIO Media & Research
  3. Threat Actor Stargazer Goblin Uses Over 3000 GitHub Accounts for Malware Distribution: Security researchers discovered a network of over 3000 GitHub accounts involved in an extensive malware distribution campaign. Source: CPO Magazine
  4. China's APT41 Targets Taiwan Research Institute for Cyber Espionage: APT41, a Chinese threat actor, has targeted a Taiwanese research institute for cyber espionage, highlighting the ongoing cybersecurity threats in the region. Source: Dark Reading
  5. Incorporating “One Health” into the health-security agenda: The integration of human, animal, and environmental health can enhance responses to outbreaks like the Nipah virus and improve overall health security. Source: Observer Research Foundation

Top CVEs

  1. CVE-2024-40721: The TCBServiSign Windows Version from CHANGING Information Technology has a vulnerability in its API that doesn't validate server-side input properly. This allows unauthenticated remote attackers to cause the TCBServiSign to load a DLL from a spoofed website. Source: vulners.com
  2. CVE-2024-22169: WD Discovery versions prior to 5.0.589 contain a misconfiguration in the Node.js environment settings that could allow code execution by utilizing the 'ELECTRON_RUN_AS_NODE' environment variable. Any malicious application operating with standard user permissions can exploit this vulnerability, enabling code execution within the WD Discovery application's context. Source: vulners.com
  3. CVE-2024-40722: Similar to CVE-2024-40721, the TCBServiSign Windows Version from CHANGING Information Technology has another vulnerability in its API that doesn't validate the length of server-side input properly. This can cause a stack-based buffer overflow in the TCBServiSign when a user visits a spoofed website. Source: vulners.com
  4. CVE-2024-7291: The JetFormBuilder plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.3.4.1. This is due to improper restriction on user meta fields, allowing authenticated attackers with administrator-level permissions to register as super-admins on the sites configured as such. Source: vulners.com
  5. CVE-2024-6477: The UsersWP WordPress plugin before 1.2.12 uses predictable filenames when an admin generates an export, which could allow unauthenticated attackers to download them and retrieve sensitive information such as IP, username, and email. Source: vulners.com

API Security

  1. Reposilite Artifacts Vulnerability: Reposilite v3.5.10 is affected by stored cross-site scripting (XSS) when displaying an artifact's content in the browser. The artifact's content is served from the same origin as the Admin UI, which can lead to security issues if the artifact contains HTML with embedded JavaScript. This is particularly dangerous when Reposilite is configured to mirror third-party repositories. Source: Vulners
  2. REXML DoS Vulnerability: The REXML gem before 3.3.2 has a DoS vulnerability when it parses XML that has many entity expansions with the SAX2 or pull parser API. You are affected if you need to parse untrusted XML with the SAX2 or pull parser API. The REXML gem 3.3.3 or later includes the patch that fixes the vulnerability. Source: Vulners
  3. CVE-2024-40721: The specific API in TCBServiSign Windows Version from CHANGING Information Technology does not properly validate server-side input. When a user visits a spoofed website, unauthenticated remote attackers can cause the TCBServiSign to load a DLL from an arbitrary location. Source: Vulners
  4. CVE-2024-40722: The specific API in TCBServiSign Windows Version from CHANGING Information Technology does not properly validate the length of server-side input. This can lead to a stack-based buffer overflow in the TCBServiSign, temporarily disrupting its operation. Source: Vulners
  5. CVE-2024-40723: The specific API in HWATAIServiSign Windows Version from CHANGING Information Technology does not properly validate the length of server-side inputs. This can cause a stack-based buffer overflow in the HWATAIServiSign, temporarily disrupting its operation. Source: Vulners


Sponsored by Wallarm API Security Solution

Final Words

As we wrap up today's edition of Secret CISO, we're reminded of the importance of vigilance in our digital world. From unsecured databases exposing sensitive voter data in Illinois to the massive data breach affecting millions of Ticketmaster customers, it's clear that cybersecurity threats are pervasive and persistent. But remember, knowledge is power. By staying informed about these incidents, we can better protect ourselves and our organizations from similar threats.

So, let's continue to learn, share, and support each other in this ever-evolving cybersecurity landscape. If you found today's newsletter helpful, please consider sharing it with your friends and colleagues. Together, we can make the digital world a safer place. Stay secure and see you tomorrow!
