Secret CISO 9/14: Great Firewall Leak, Pakistan Breach, AI Pentesting, Spectre Cloud Threat - China's censorship exposed, Pakistan's data crisis, AI-driven attacks, and cloud vulnerabilities collide.

Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity breaches and innovations shaping our digital world. In a dramatic turn of events, hackers have unleashed a torrent of data from the Great Firewall of China, marking one of the most significant leaks in the realm of internet censorship. This breach not only exposes the inner workings of China's digital barricade but also sets the stage for a global conversation on privacy and control.

Meanwhile, across the globe, Pakistan grapples with a massive data breach affecting thousands, including high-ranking officials, while West Virginia's financial sector reels from a breach impacting over 187,000 individuals. These incidents underscore the vulnerabilities that persist in our interconnected systems.

In the UK, a staggering 1,055% rise in SIM swap fraud highlights the urgent need to rethink SMS-based security measures. This surge in fraud is mirrored by a sophisticated scam that siphoned $3 million USDC from unsuspecting crypto users, reminding us of the ever-evolving tactics of cybercriminals.

On the technological frontier, the introduction of 'Villager,' an AI-driven pentesting tool, promises to revolutionize security testing by merging the power of AI with traditional tools like Kali Linux. Simultaneously, Apple's new Memory Integrity Enforcement feature aims to fortify the iPhone 17 against hacking attempts, setting a new standard in mobile security.

Amidst these developments, researchers uncover a new Spectre-based CPU vulnerability, posing a significant threat to cloud environments, while vulnerabilities in popular platforms like One Identity OneLogin and Selleo Mentingo highlight the ongoing challenges in securing digital infrastructures.

Join us as we delve deeper into these stories, exploring the implications and strategies to navigate this complex landscape of cybersecurity threats and innovations.

Data Breaches

  1. 600 GB of Alleged Great Firewall of China Data Published in Largest Leak Yet: Hackers have reportedly leaked 600 GB of data associated with the Great Firewall of China, revealing documents, code, and operational details. This breach is considered one of the largest leaks related to China's internet censorship infrastructure. Source: Hackread.
  2. Pakistan Investigates Major Data Breach Exposing Officials' Personal Information: Pakistani authorities are investigating a significant data breach that has exposed the personal information of thousands of citizens, including federal ministers. The breach reportedly affects data across 1,300 websites. Source: Mobile ID World.
  3. 187,038 People Impacted As Hackers Target West Virginia Financial Firm: A data breach at Fairmont Federal Credit Union has compromised the personal information of 187,038 individuals. The breach involved unauthorized access to sensitive data, prompting the firm to notify affected parties. Source: Daily Hodl.
  4. Sim Card Scam Can Lead to 'Tidal Wave of Fraud': Nottinghamshire Police have warned about a data breach involving SIM card scams that could lead to widespread fraud. The breach includes login credentials and personal data necessary for impersonating victims. Source: Nottinghamshire Police.
  5. Plex Breach: 3 Quick Fixes to Lock Your Account Today: Plex has disclosed a data breach involving emails, usernames, and hashed passwords, though payment information was not affected. Users are advised to take immediate action to secure their accounts. Source: Red94.

Security Research

  1. UK SIM Swap Fraud Surges 1,055% in 2024, Causing Major Security Concerns: The UK has seen a dramatic increase in SIM swap fraud, rising by 1,055% in 2024. This surge highlights the vulnerabilities in using SMS for two-factor authentication, as fraudsters exploit these weaknesses to gain unauthorized access to accounts. Source: Mobile ID World.
  2. $3M USDC Stolen in Fake Request Finance Scam Explosion: A sophisticated scam targeting users on X (formerly Twitter) resulted in the theft of $3 million USDC. The attack involved a malicious contract that deceived users into approving transactions, showcasing the need for heightened vigilance in crypto transactions. Source: Live Bitcoin News.
  3. AI Pentesting Tool 'Villager' Merges Kali Linux with DeepSeek AI for Automated Security Attacks: The STAR team has developed 'Villager,' an AI-native penetration testing tool that combines Kali Linux with DeepSeek AI. This tool automates security attacks, potentially revolutionizing how penetration tests are conducted by leveraging AI capabilities. Source: GBHackers.
  4. New Spectre-based CPU vulnerability allows guests to steal sensitive data from the cloud: Researchers at ETH Zurich have discovered a new Spectre-BTI vulnerability that could allow attackers to steal sensitive data from cloud environments. This vulnerability underscores the ongoing challenges in securing CPU architectures against speculative execution attacks. Source: TechRadar.
  5. Apple's new Memory Integrity Enforcement makes iPhone 17 harder to hack: Apple's latest security feature, Memory Integrity Enforcement, aims to make the iPhone 17 more resistant to hacking attempts. This enhancement addresses memory corruption vulnerabilities, raising the bar for attackers trying to exploit iOS devices. Source: Moneycontrol.

API Security

  1. CVE-2025-59363: A vulnerability in One Identity OneLogin before version 2025.3.0 allows the OIDC client secret to be returned via the GET Apps API v2, which should only occur when an app is first created. This exposure could potentially lead to unauthorized access if exploited. Source.
  2. CVE-2025-10388: Selleo Mentingo version 2025.08.27 has a cross-site scripting vulnerability in the /api/course/enroll-course component. This flaw allows remote attackers to manipulate the 'Description' argument, potentially leading to unauthorized script execution. The exploit is publicly available, and the vendor has not responded to the disclosure. Source.
  3. Hackingtool-v5.1: This tool provides a comprehensive suite for hackers, including features like reverse engineering, RAT tools, and payload injectors. It allows users to install Kali Linux on Windows 10 without VirtualBox and includes updates for various hacking tools. The tool is designed for both beginners and advanced users, offering a wide range of functionalities for different hacking needs. Source.
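Item 1 above describes a read endpoint handing back a secret that should only ever appear in the create response. The following is an added illustration (hypothetical code, not One Identity's API) of the pattern that avoids that class of defect: the client secret is returned once at creation, only its hash is stored, and a small scanner flags any secret-named field that shows up in a read response, which a contract test can run against GET endpoints.

```python
import secrets
from dataclasses import dataclass
from hashlib import sha256

# Field names a read endpoint must never carry with a value (hypothetical list).
SECRET_FIELDS = {"client_secret", "secret", "private_key"}


@dataclass
class OidcApp:
    app_id: str
    name: str
    secret_hash: str  # only a hash is stored, so no read path can recover the plaintext


class AppRegistry:
    """Stand-in for an OIDC app store with create and read operations."""

    def __init__(self) -> None:
        self._apps: dict[str, OidcApp] = {}

    def create_app(self, name: str) -> dict:
        """POST /apps: mint the secret and return it in this response only."""
        app_id = secrets.token_hex(8)
        client_secret = secrets.token_urlsafe(32)
        self._apps[app_id] = OidcApp(app_id, name, sha256(client_secret.encode()).hexdigest())
        return {"id": app_id, "name": name, "client_secret": client_secret}

    def get_app(self, app_id: str) -> dict:
        """GET /apps/{id}: the read view is built from non-secret fields only."""
        app = self._apps[app_id]
        return {"id": app.app_id, "name": app.name}


def leaked_secret_fields(payload) -> list[str]:
    """Walk a JSON-like response and list every secret-named key that carries a value.

    Run against GET responses in a contract test; a non-empty result is the
    defect described for CVE-2025-59363 (secret readable after creation).
    """
    found: list[str] = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            if key in SECRET_FIELDS and value not in (None, ""):
                found.append(key)
            found.extend(leaked_secret_fields(value))
    elif isinstance(payload, list):
        for item in payload:
            found.extend(leaked_secret_fields(item))
    return found
```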

Sponsored by Wallarm API Security Solution

Final Words

As we wrap up today's edition of Secret CISO, it's clear that the digital landscape is as dynamic as ever, with new challenges and innovations emerging daily. From the massive leak of the Great Firewall of China data to the alarming rise in SIM swap fraud in the UK, these stories remind us of the importance of staying informed and vigilant.

Whether it's the sophisticated scams targeting crypto users or the cutting-edge AI tools like 'Villager' reshaping penetration testing, the cybersecurity world is constantly evolving. The discovery of new vulnerabilities, such as the Spectre-based CPU flaw, and advancements like Apple's Memory Integrity Enforcement, highlight the ongoing battle between security and exploitation.

We hope today's insights have equipped you with valuable knowledge to navigate these challenges. If you found this newsletter helpful, please consider sharing it with your friends and colleagues. Together, we can build a more secure digital future.

Stay safe, stay informed, and see you in the next edition of Secret CISO!