Secret CISO 9/13: Panama Breach, KioSoft Delay, HybridPetya Threat, McAfee's AI Risks - A Global Cybersecurity Wake-Up Call

Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity challenges and breakthroughs. In this issue, we delve into a series of alarming incidents and vulnerabilities that underscore the ever-evolving landscape of digital threats.
We begin with a startling admission from Panama's Ministry of Economy and Finance, revealing a potential breach that threatens sensitive financial data. This incident sets the stage for a broader narrative of delayed responses and inadequate security measures, as seen in KioSoft's year-long delay in patching a critical NFC card vulnerability and Powerschool's student data leak due to basic security lapses.
Meanwhile, 23andMe's $3.25 million settlement with Canadian users highlights the costly repercussions of data breaches, while Sansone Group's legal woes following a massive data theft remind us of the legal battles that often follow such incidents.
On the technical front, the discovery of HybridPetya ransomware capable of bypassing UEFI Secure Boot raises the specter of more sophisticated attacks, while novel Living-off-the-Land techniques challenge security teams to distinguish between legitimate and malicious activities. The 'Inboxfuscation' technique further complicates detection efforts by hiding malicious inbox rules in Microsoft Exchange.
In the realm of vulnerabilities, OpenSynergy BlueSDK's Bluetooth stack flaws and GitLab's proxy environment issues highlight the critical need for robust input validation and secure configurations. The Palo Alto Networks User-ID Credential Agent's exposure vulnerability serves as a stark reminder of the risks posed by misconfigurations.
Finally, we explore the exploits targeting Liferay Portal's login bypass and Laravel applications' exposed .env files, emphasizing the importance of securing authentication mechanisms and sensitive configurations. The vulnerabilities in MiczFlor RPi-Jukebox-RFID and Flowise's password reset endpoint further illustrate the urgent need for timely patching and vigilant security practices.
Stay informed and vigilant as we navigate these complex challenges together. Your proactive measures today can safeguard against tomorrow's threats.
Data Breaches
- Data Security Incident Admitted by Panama Ministry of Economy and Finance: Officials at Panama's Ministry of Economy and Finance have disclosed a potential compromise of one of its computers in a cyberattack. The breach has raised concerns about the security of sensitive financial data managed by the ministry. Source: SC Media.
- Payment System Vendor Took Year+ to Patch Infinite Card Top-Up Hack: KioSoft, a payment system vendor, was notified about a serious NFC card vulnerability that allowed infinite card top-ups. The company took over a year to patch the flaw, highlighting significant delays in addressing critical security issues. Source: SecurityWeek.
- 23AndMe Inks $3.25M Data Breach Deal With Canadian Users: DNA testing firm 23andMe agreed to a $3.25 million settlement with Canadian customers affected by a 2023 data breach. The breach compromised sensitive genetic and personal information, leading to legal action and a subsequent settlement. Source: Law360.
- Powerschool Student Data Leak Caused by Lack of Basic Security: A data breach at Powerschool exposed students' personal information, including names, addresses, and Social Security numbers. Experts attribute the leak to inadequate security measures, emphasizing the need for robust data protection in educational institutions. Source: Houston Chronicle.
- Data Breach at Sansone Group Sparks Proposed Class-Action Lawsuit: A St. Louis real estate firm, Sansone Group, faces a lawsuit over a data breach affecting over 1,563 customers. Hackers claim to have stolen millions of files, prompting legal action from affected individuals. Source: BizJournals.
Security Research
- HybridPetya Ransomware Dodges UEFI Secure Boot: ESET Research has discovered a new variant of ransomware named HybridPetya, which is UEFI-compatible and capable of bypassing Secure Boot. Although currently not active in the wild, it may represent a proof of concept by a security researcher. This development raises concerns about the potential for more sophisticated ransomware attacks in the future. Source: Fox2Now, The Register.
- Attackers Adopting Novel LOTL Techniques to Evade Detection: Security teams are facing challenges in distinguishing between malicious and legitimate activities as attackers increasingly adopt Living-off-the-Land (LOTL) techniques. These methods allow attackers to use legitimate tools and processes to carry out their operations, making detection more difficult. This trend highlights the need for enhanced detection capabilities and strategies. Source: Infosecurity Magazine.
- CISA Lays Out Roadmap for CVE Program's 'Quality Era': The Cybersecurity and Infrastructure Security Agency (CISA) has announced a roadmap for the CVE Program's next phase, focusing on improving the quality of vulnerability data. This initiative aims to enhance public-private partnerships and streamline vulnerability management processes, ensuring more effective responses to security threats. Source: Security Boulevard.
- From Cyberbullying to AI-Generated Content – McAfee's Research Reveals the Shocking Risks: McAfee's latest research highlights the risks associated with cyberbullying and AI-generated content, emphasizing the importance of maintaining security while fostering trust and communication within families. The findings underscore the need for awareness and proactive measures to protect against these digital threats. Source: McAfee.
- Malicious Exchange Inbox Rules Hidden with 'Inboxfuscation' Technique: A new technique dubbed 'Inboxfuscation' is being used to hide malicious inbox rules in Microsoft Exchange, complicating detection efforts. This method involves using Unicode categories to obscure malicious rules, posing a significant challenge for email security. The discovery calls for improved detection capabilities to counteract such sophisticated evasion tactics. Source: SC Media.
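As an added defensive illustration of the Inboxfuscation item above (not code from the newsletter or from the original research), the script below audits exported inbox rules for names and conditions that lean on unusual Unicode: format characters such as zero-width spaces and bidi overrides, and non-Latin letters mixed into a Latin word. The rule records and the list of "suspicious" general categories are this example's own constructed assumptions.

```python
import unicodedata

# Unicode general categories a person would not type into a rule name or condition:
# format chars (zero-width space/joiner, bidi overrides), controls, private-use,
# unassigned, and line/paragraph separators. Constructed list; tune to your tenant.
SUSPICIOUS_CATEGORIES = {"Cf", "Cc", "Co", "Cn", "Zl", "Zp"}


def _script(ch):
    # First word of the Unicode character name is its script for letters ("LATIN", "CYRILLIC", ...).
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def suspicious_chars(text):
    """Return [(codepoint, category, reason)] for characters that are hidden/format
    characters, or non-Latin letters inside a word that also has Latin letters
    (a homoglyph such as Cyrillic 'a'). Accented Latin text (e.g. 'für') is not flagged."""
    findings = []
    for ch in text:
        cat = unicodedata.category(ch)
        if cat in SUSPICIOUS_CATEGORIES:
            findings.append((f"U+{ord(ch):04X}", cat, "hidden/format character"))
    for word in text.split():
        letters = [c for c in word if unicodedata.category(c).startswith("L")]
        if len({_script(c) for c in letters}) > 1:  # e.g. {"LATIN", "CYRILLIC"} in one word
            for c in letters:
                if _script(c) != "LATIN":
                    findings.append((f"U+{ord(c):04X}", unicodedata.category(c), "mixed-script letter"))
    return findings


def audit_rules(rules):
    """rules: list of {'name': str, 'subject_contains': [str, ...]} (a simplified export).
    Returns {rule name: [(field, findings), ...]} for rules that deserve a human look."""
    report = {}
    for rule in rules:
        fields = [("name", rule["name"])] + [("subject_contains", s) for s in rule.get("subject_contains", [])]
        for field, value in fields:
            found = suspicious_chars(value)
            if found:
                report.setdefault(rule["name"], []).append((field, found))
    return report


# Constructed sample rules, not real Exchange data.
SAMPLE_RULES = [
    {"name": "Move receipts", "subject_contains": ["receipt", "Rechnung für"]},  # benign, incl. umlaut
    {"name": "Move\u200b receipts", "subject_contains": ["invoice"]},            # zero-width space (Cf)
    {"name": "Archive", "subject_contains": ["p\u0430ssword reset"]},            # Cyrillic 'а' homoglyph
    {"name": "\u202eDelete alerts", "subject_contains": ["security"]},           # right-to-left override (Cf)
]

if __name__ == "__main__":
    for name, issues in audit_rules(SAMPLE_RULES).items():
        print(repr(name), issues)
```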
Top CVEs
- CVE-2024-45431: OpenSynergy BlueSDK through version 6.x suffers from improper input validation within its Bluetooth stack. The flaw arises from inadequate validation of remote L2CAP channel IDs, allowing attackers to create an L2CAP channel with a null identifier, potentially leading to unauthorized access or data manipulation. Source: Vulners.
- CVE-2024-45434: This vulnerability in OpenSynergy BlueSDK through version 6.x involves a use-after-free condition in the Bluetooth stack. The issue stems from failing to validate the existence of an object before operations, enabling attackers to execute remote code under the user account running the Bluetooth process. Source: Vulners.
- CVE-2024-45432: OpenSynergy BlueSDK through version 6.x has a flaw due to mishandling a function call within its Bluetooth stack. The vulnerability arises from using an incorrect variable as a function argument, which can be exploited to cause unexpected behavior or access sensitive information. Source: Vulners.
- CVE-2025-6454: A vulnerability in GitLab CE/EE affects versions from 16.11 before 18.1.6, 18.2 before 18.2.6, and 18.3 before 18.3.2. It allows authenticated users to make unintended internal requests through proxy environments by injecting crafted requests, potentially leading to unauthorized access or data leakage. Source: Vulners.
- CVE-2025-4235: An information exposure vulnerability in the Palo Alto Networks User-ID Credential Agent (Windows-based) can expose the service account password under specific non-default configurations. This allows an unprivileged Domain User to escalate privileges, potentially leading to network compromise or unauthorized domain manipulation. Source: Vulners.
API Security
- Exploit for CVE-2025-3639: A Proof of Concept (PoC) for CVE-2025-3639 demonstrates a login bypass vulnerability in Liferay Portal and Liferay DXP. By altering a POST request to a GET request, an attacker can bypass multi-factor authentication (MFA) and gain unauthorized access to user accounts. This exploit highlights the importance of securing authentication mechanisms to prevent unauthorized access. Source: Vulners.
- Exploit for CVE-2025-31125: This toolkit targets Laravel applications with exposed .env files and vulnerable APP_KEYs, using Shodan queries to identify Vite dev servers. The toolkit includes scripts for domain/IP conversion and reverse lookups, aiding pentesters and bug bounty researchers in identifying and exploiting these vulnerabilities. Source: Vulners.
- CVE-2025-10328: A vulnerability in MiczFlor RPi-Jukebox-RFID allows remote attackers to perform OS command injection via the /htdocs/api/playlist/playsinglefile.php file. This exploit has been publicly disclosed, posing a significant risk to affected systems. Source: Vulners.
- CVE-2025-10327: Another vulnerability in MiczFlor RPi-Jukebox-RFID involves OS command injection through the /htdocs/api/playlist/shuffle.php file. This remote attack vector has been publicly disclosed, increasing the urgency for patching affected systems. Source: Vulners.
- Flowise Cloud and Local Deployments Vulnerability: The forgot-password endpoint in Flowise exposes sensitive information, including a valid password reset token, without authentication. This flaw allows attackers to reset passwords and take over accounts, affecting both cloud and self-hosted deployments. Source: Vulners.
Sponsored by Wallarm API Security Solution
Final Words
As we wrap up today's edition of Secret CISO, it's clear that the cybersecurity landscape continues to evolve with both challenges and opportunities. From the Panama Ministry of Economy and Finance's data security incident to the alarming delay in patching vulnerabilities by payment system vendors, these stories remind us of the critical importance of timely and effective security measures.
The settlement by 23andMe and the Powerschool data leak underscore the real-world impact of breaches on individuals and organizations alike. Meanwhile, the discovery of sophisticated threats like HybridPetya ransomware and novel LOTL techniques highlights the need for constant vigilance and innovation in our defense strategies.
As we navigate these complex issues, the role of collaboration and information sharing becomes ever more vital. By staying informed and proactive, we can better protect our digital environments and foster a safer cyber world.
If you found today's insights valuable, please consider sharing this newsletter with your friends and colleagues. Together, we can build a stronger, more informed community ready to tackle the challenges of tomorrow.
Stay secure, and see you in the next edition of Secret CISO!