Secret CISO 8/7: Tea App & Sanderling Breaches Unveil Privacy Risks; Axis CCTV & Amazon ECS Flaws Expose Security Gaps; Zoom & Teams Ghost Calls Highlight Evolving Cyber Threats

Welcome to today's edition of Secret CISO, where we unravel a web of data breaches, vulnerabilities, and the evolving landscape of cybersecurity threats. In a world where privacy is paramount, today's stories highlight the critical importance of safeguarding personal information and the relentless activity of cybercriminals.
We begin with a cautionary tale from the world of dating apps. A rival to the Tea app, built for men and trending on Apple's App Store, is leaking users' personal data and driver's licenses, while Tea itself faces a wave of lawsuits after its own breach exposed private messages, photos, and government IDs. Both cases are a stark reminder of the vulnerabilities lurking in everyday apps.
Meanwhile, Sanderling Healthcare finds itself under scrutiny as a data breach investigation unfolds, potentially compromising sensitive patient records. The healthcare sector's ongoing battle with data security continues to be a pressing concern.
In a bid to make amends, AT&T offers a settlement to customers affected by two significant data breaches, with compensation reaching up to $5,000. This move underscores the financial and reputational costs of data breaches for major corporations.
On the government front, the FBI and state investigators are delving into a data breach at Box Elder County, highlighting the persistent threat to public sector data security.
In the realm of cybersecurity research, critical vulnerabilities have been uncovered in Axis CCTV software and Amazon ECS, posing significant risks to organizations relying on these technologies. These discoveries emphasize the need for continuous vigilance and robust security measures.
As we navigate the digital landscape, AI-driven threats are becoming increasingly apparent. Researchers at Black Hat USA showed how Gemini AI bots could hijack smart home devices, while a new tactic abuses Zoom and Microsoft Teams as command-and-control channels.
Finally, we explore vulnerabilities in widely used software and devices, from a missing HTTPS check in the lego ACME client library to Tigo Energy's insecure session ID generation. Each flaw serves as a reminder of the importance of timely updates and patch management.
Stay informed and stay secure with Secret CISO, where we bring you the latest insights and analyses to help you navigate the complex world of cybersecurity.
Data Breaches
- A rival Tea app for men is leaking its users' personal data and driver's licenses: The newly launched app, trending on Apple's App Store, has a significant security flaw that exposes users' private information, including personal data and driver's licenses. This breach has raised concerns about user privacy and data protection. Source: TechCrunch.
- PRIVACY ALERT: Sanderling Healthcare Under Investigation for Data Breach of Records: Schubert Jonckheer & Kolbe LLP is investigating a data breach that impacts sensitive personal information of patients at Sanderling Healthcare. The breach has prompted a thorough investigation to assess the extent of the data exposure. Source: Morningstar.
- Act Fast: AT&T Offers Settlement for Data Breach—up to $5K: AT&T is offering compensation to millions of customers affected by two massive data breaches. Customers are encouraged to check their eligibility for a settlement payout, which could be as much as $5,000. Source: Woman's World.
- FBI, state investigators probe data breach at Box Elder County government: The FBI and a state cyber-crimes task force are investigating a data breach at Box Elder County government offices. The breach appears to have compromised sensitive information, prompting a comprehensive investigation. Source: KUTV.
- Numerous Lawsuits After Tea App Data Breach Exposes Users' Private Messages, Photos: Following a data breach, San Francisco-based Tea Dating Advice Inc. took affected systems offline. The breach exposed users' private messages, photos, and government IDs, leading to multiple lawsuits. Source: CPO Magazine.
Security Research
- Security Researchers Uncover Critical Flaws in Axis CCTV Software: Claroty researchers have identified four vulnerabilities in the proprietary protocol used by Axis Communications' surveillance equipment. These flaws could potentially allow unauthorized access and control over the CCTV systems, posing significant security risks to organizations relying on these devices for surveillance. Source: Infosecurity Magazine.
- Researchers Uncover ECScape Flaw in Amazon ECS Enabling Cross-Task Credential Theft: Sweet Security researcher Naor Haziz has discovered a vulnerability in Amazon ECS, dubbed ECScape, which allows attackers to steal credentials across tasks. This flaw could be exploited to gain unauthorized access to sensitive data and services, highlighting the need for enhanced security measures in cloud environments. Source: The Hacker News.
- MCP Protocol Bug Let Attackers Execute Code in Cursor: A newly identified bug in Cursor's integration of the Model Context Protocol (MCP) allows attackers to execute arbitrary code on systems running the editor. The vulnerability underscores the importance of rigorous security testing and patch management to prevent exploitation. Source: GovInfoSecurity.
- Gemini Bot Attacks Aren't Coming. They're Already Here: At Black Hat USA, security researchers demonstrated how Gemini AI bots could hijack smart home devices. This real-life demonstration highlights the growing threat of AI-driven cyberattacks and the need for robust security measures to protect IoT devices. Source: Dark Reading.
- New Ghost Calls Tactic Abuses Zoom and Microsoft Teams for C2 Operations: Praetorian security researcher Adam Crosser presented a new tactic at Black Hat USA in which attackers use "ghost calls" to turn Zoom and Microsoft Teams into command-and-control (C2) channels. This technique emphasizes the evolving nature of cyber threats and the necessity for continuous vigilance in securing communication platforms. Source: Bleeping Computer.
API Security
- lego (Let’s Encrypt Client and ACME Library) HTTPS Enforcement Issue: The github.com/go-acme/lego/v4/acme/api package fails to enforce HTTPS when communicating with Certificate Authorities (CAs), so a network attacker positioned between client and CA could read or tamper with request and response details. This vulnerability affects versions 4.25.1 and below and has been fixed in later versions. Source: Vulners.
- Tigo Energy CCA Device Insecure Session ID Generation: Tigo Energy's CCA device is vulnerable due to predictable session ID generation based on timestamps. This flaw allows attackers to recreate valid session IDs, potentially leading to unauthorized access to sensitive device functions. Source: Vulners.
- Vedo Suite 2024.17 Incorrect Access Control: A vulnerability in Vedo Suite allows remote attackers to obtain a high privilege JWT token without authentication by sending an empty HTTP POST request to the /autologin/ API. This flaw can lead to unauthorized access to the system. Source: Vulners.
- Gatling Enterprise Missing Authorization: In Gatling Enterprise versions below 1.25.0, a low-privileged user can perform REST API calls on read-only endpoints due to missing authorization checks, potentially allowing unauthorized data access. Source: Vulners.
- Hugging Face Transformers ReDoS Vulnerability: A Regular Expression Denial of Service (ReDoS) vulnerability in the Hugging Face Transformers library can cause excessive CPU consumption through crafted input strings. This affects versions up to 4.51.3 and has been fixed in version 4.53.0. Source: Vulners.
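On the lego item above: the check that was missing is the kind of thing worth having in any ACME client, and not only for the first URL you type in. RFC 8555 requires ACME traffic to go over HTTPS, and every later request (nonce, account, order) goes to URLs the CA hands back in its directory document, so those must be validated too. The example below is added here to illustrate that check; it is written in Python, is not lego's code, and uses a constructed directory document with a placeholder hostname (acme.example).

```python
import json
from urllib.parse import urlparse

# Constructed sample ACME directory document in the shape defined by RFC 8555
# section 7.1.1. The hostname is a placeholder, not a real CA.
GOOD_DIRECTORY = json.dumps({
    "newNonce":   "https://acme.example/acme/new-nonce",
    "newAccount": "https://acme.example/acme/new-acct",
    "newOrder":   "https://acme.example/acme/new-order",
    "revokeCert": "https://acme.example/acme/revoke-cert",
    "keyChange":  "https://acme.example/acme/key-change",
    "meta": {"termsOfService": "https://acme.example/tos"},
})

# Same document with one endpoint downgraded to plain HTTP, which is what an
# on-path attacker could inject if the client does not insist on TLS for the
# URLs the CA hands back.
BAD_DIRECTORY = GOOD_DIRECTORY.replace(
    "https://acme.example/acme/new-acct", "http://acme.example/acme/new-acct")

REQUIRED_ENDPOINTS = ("newNonce", "newAccount", "newOrder", "revokeCert", "keyChange")


class InsecureAcmeUrl(ValueError):
    """Raised when any URL the client would talk to is not https://."""


def require_https(url: str, what: str) -> str:
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise InsecureAcmeUrl(f"{what} must be an https:// URL, got {url!r}")
    return url


def load_directory(directory_url: str, body: str) -> dict:
    """Validate the directory URL and every endpoint the CA returns before any
    of them is used. Later requests (nonce, account, order) all go to these
    server-supplied URLs, so checking only the first URL is not enough."""
    require_https(directory_url, "directory URL")
    directory = json.loads(body)
    for name in REQUIRED_ENDPOINTS:
        if name not in directory:
            raise ValueError(f"directory is missing required endpoint {name!r}")
        require_https(directory[name], name)
    return directory


if __name__ == "__main__":
    d = load_directory("https://acme.example/directory", GOOD_DIRECTORY)
    print("accepted endpoints:", sorted(n for n in d if n != "meta"))
    for url, body in (("http://acme.example/directory", GOOD_DIRECTORY),
                      ("https://acme.example/directory", BAD_DIRECTORY)):
        try:
            load_directory(url, body)
        except InsecureAcmeUrl as err:
            print("rejected:", err)
```

The point of validating inside the directory is that a downgraded newAccount or newOrder URL would otherwise carry the account key signature and order details in the clear, even though the directory itself was fetched over TLS.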
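On the Tigo Energy item: a session ID derived from a timestamp is weak because an attacker who knows roughly when a victim logged in only has to enumerate a few hundred candidates. The Python example below is added here to show why; it is not Tigo's code, and the hash-of-timestamp scheme and the sample timestamp are assumptions standing in for any generator whose only entropy is the clock. The hardened form draws the ID from the OS CSPRNG instead.

```python
import hashlib
import secrets
from typing import List, Optional

# Illustrative weak generator (an assumption for this example, not Tigo's real
# algorithm): the ID is derived only from the login timestamp, so its entire
# entropy is "when did the user log in".
def weak_session_id(login_ts: int) -> str:
    return hashlib.sha256(f"session:{login_ts}".encode()).hexdigest()


def candidate_session_ids(approx_ts: int, window_s: int) -> List[str]:
    """Attacker view: every ID the device could have issued within
    approx_ts +/- window_s. A 10-minute window is only 1,201 candidates,
    cheap to try against the device's API."""
    return [weak_session_id(ts) for ts in range(approx_ts - window_s, approx_ts + window_s + 1)]


def recover_login_time(observed_id: str, approx_ts: int, window_s: int = 600) -> Optional[int]:
    """If an ID is observed (for example in a log), confirm the scheme by finding
    the timestamp that reproduces it. Returns None when no candidate matches."""
    for ts in range(approx_ts - window_s, approx_ts + window_s + 1):
        if weak_session_id(ts) == observed_id:
            return ts
    return None


def strong_session_id(nbytes: int = 32) -> str:
    """Hardened form: 256 bits from the OS CSPRNG. Brute force would need on the
    order of 2**256 guesses, and the value reveals nothing about login time."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    victim_login = 1_754_524_800          # constructed example timestamp
    victim_id = weak_session_id(victim_login)
    attacker_guess = victim_login + 137   # attacker only knows roughly when the login happened
    print("recovered login time:", recover_login_time(victim_id, attacker_guess))
    print("victim ID in candidate set:", victim_id in candidate_session_ids(attacker_guess, 600))
    print("strong ID:", strong_session_id())
    print("strong ID recoverable:", recover_login_time(strong_session_id(), attacker_guess))
```

Note that hashing the timestamp does not help: the attacker runs the same hash over the same small candidate set. Only unpredictable input fixes the problem.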
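On the Transformers ReDoS item: a regular expression denial of service comes from a pattern that can match the same text in exponentially many ways, so a crafted input that almost matches forces the engine to try them all. The Python example below is added here to show the bug class and the two standard fixes (rewrite the pattern so there is one way to match, and cap input length before the regex runs). The pattern used is a constructed textbook case, not the expression from the Transformers advisory, which the item above does not reproduce.

```python
import re
import time

# Constructed pattern with a nested quantifier. It illustrates the bug class,
# not the actual expression from the Transformers advisory.
VULNERABLE = re.compile(r"^(a+)+$")
# Same language (a non-empty run of 'a') with the nesting removed, so the
# engine has exactly one way to consume the input and never backtracks.
SAFE = re.compile(r"^a+$")

MAX_INPUT_LEN = 10_000  # assumed limit; size the cap for the real field


def redos_input(n: int) -> str:
    """A run of n 'a's followed by a character that cannot match forces the
    vulnerable pattern to try every way of splitting the run: ~2**n attempts."""
    return "a" * n + "!"


def timed_match(pattern: "re.Pattern[str]", text: str):
    """Return (matched, seconds) so the growth in cost can be observed."""
    t0 = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - t0


def safe_match(text: str) -> bool:
    """Hardened entry point: bound the input first, then use the linear pattern.
    The length cap protects even a pattern you cannot rewrite."""
    if len(text) > MAX_INPUT_LEN:
        raise ValueError(f"input longer than {MAX_INPUT_LEN} characters rejected")
    return SAFE.match(text) is not None


if __name__ == "__main__":
    # Each extra 'a' roughly doubles the vulnerable pattern's running time,
    # while the rewritten pattern stays flat.
    for n in (12, 16, 18, 20):
        text = redos_input(n)
        _, slow = timed_match(VULNERABLE, text)
        _, fast = timed_match(SAFE, text)
        print(f"n={n:2d}  vulnerable={slow:8.4f}s  safe={fast:8.6f}s")
```

Both patterns accept and reject exactly the same strings; the difference is only in how much work a rejection costs, which is what a ReDoS payload exploits.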
Sponsored by Wallarm API Security Solution
Final Words
As we wrap up today's edition of Secret CISO, it's clear that the digital landscape is as dynamic as ever, with new challenges and vulnerabilities emerging at every turn. From the alarming data breaches affecting popular apps and healthcare institutions to the critical flaws discovered in surveillance and cloud systems, the need for vigilance and proactive security measures has never been more pressing.
Whether it's the exposure of personal data on a trending app or the sophisticated tactics employed by cybercriminals to exploit communication platforms, these stories serve as a stark reminder of the importance of safeguarding our digital lives. The vulnerabilities in widely-used software and devices highlight the ongoing battle between security experts and malicious actors, underscoring the necessity for continuous innovation and adaptation in cybersecurity strategies.
We hope today's insights have equipped you with valuable knowledge to navigate these challenges. If you found this newsletter informative, please consider sharing it with your friends and colleagues. Together, we can foster a community that is well-informed and better prepared to tackle the ever-evolving threats in the cybersecurity realm.
Stay safe, stay informed, and see you in the next edition of Secret CISO!