Secret CISO 9/24: Boyd & Stellantis Breaches Expose Data, SolarWinds & Supermicro Flaws Threaten Security, Iran Targets EU Aerospace, AI App Risks Supply Chains

Welcome to today's edition of Secret CISO, where we unravel the tangled web of cybersecurity breaches and vulnerabilities that continue to challenge our digital defenses. In this issue, we delve into a series of alarming incidents that underscore the persistent threats facing organizations and individuals alike.
Boyd Gaming finds itself in the spotlight as a data breach exposes employee information, revealing critical gaps in corporate data protection. Meanwhile, car giant Stellantis grapples with a breach linked to the notorious ShinyHunters, highlighting the vulnerabilities of third-party platforms.
The digital landscape proves unforgiving as an app targeting Charlie Kirk critics leaks user data, and Brightstar Lottery's breach affects hundreds in Connecticut, raising questions about the security of lottery systems. Across the globe, South Korea investigates a massive credit card data breach impacting millions, a stark reminder of the importance of robust security measures.
In the realm of software vulnerabilities, SolarWinds issues yet another patch for its Web Help Desk, while Supermicro faces scrutiny over BMC bugs that threaten system integrity. The threat landscape expands with Iranian actors targeting European aerospace engineers and an AI-powered app exposing user data, amplifying the risk of supply chain attacks.
Finally, Rapid7 uncovers a critical flaw in OnePlus smartphones, allowing unauthorized access to SMS data, a vulnerability lurking since 2021. As we navigate these challenges, today's stories serve as a crucial reminder of the ever-evolving cybersecurity landscape and the need for vigilance and proactive defense strategies.
Data Breaches
- Boyd Gaming hit by data breach, employee info stolen in SEC disclosure: Boyd Gaming disclosed a cybersecurity breach in an SEC filing, revealing that hackers stole employee data from internal IT systems. The breach highlights vulnerabilities in corporate data protection strategies. Source: KTNV
- Car giant Stellantis confirms data breach after third-party hit by cyberattack: Stellantis confirmed a data breach via a third-party platform supporting North American customer services. The attack is linked to ShinyHunters, indicating a broader cybersecurity threat. Source: TechRadar
- App targeting Charlie Kirk critics leaks user data in huge privacy breach: A security flaw in an app targeting Charlie Kirk critics exposed user data, including emails and phone numbers. Founder Jason Sheppard, who promoted the app as an accountability tool, faces scrutiny over the breach. Source: Economic Times
- Brightstar data breach impacts over 500 Connecticut residents: A security breach at Brightstar Lottery affected over 500 Connecticut residents, prompting the CT Department of Consumer Protection to issue warnings. This incident underscores the importance of securing lottery systems. Source: NBC Connecticut
- South Korea probes credit card company data breach affecting 3 million customers: A data breach at a South Korean credit card company affected 3 million customers. Despite a security fix being released, one server remained vulnerable, leading to significant data exposure. Source: The Record
Security Research
- SolarWinds releases third Web Help Desk patch to address known flaw: SolarWinds has issued a third patch for a critical Java deserialization vulnerability in its Web Help Desk software. Despite previous attempts, the flaw continues to be actively exploited, prompting concerns from security experts about the effectiveness of the patches. Source: Cybersecurity Connect
- Two New Supermicro BMC Bugs Allow Malicious Firmware to Evade Root of Trust Security: Researchers have uncovered two vulnerabilities in Supermicro's Baseboard Management Controller (BMC) that could allow attackers to bypass security measures and install malicious firmware. These flaws pose significant risks to the integrity of systems relying on Supermicro hardware. Source: The Hacker News
- Iran Targets Job-Seeking European Aerospace Engineers: A new campaign by Iranian threat actors is targeting European aerospace engineers through fake job offers. The attackers aim to gather sensitive information and potentially compromise the security of aerospace projects. Source: BankInfoSecurity
- AI-Powered App Exposes User Data, Creates Risk of Supply Chain Attacks: A security flaw in an AI-powered application has been discovered, which exposes user data and increases the risk of supply chain attacks. This vulnerability highlights the growing concerns around AI applications and their potential security implications. Source: Trend Micro
- Rapid7: OnePlus phones vulnerable to SMS theft since 2021: Security researchers have identified a critical vulnerability in OnePlus smartphones that allows applications to read SMS and MMS data without user consent. This flaw has been present since 2021, raising concerns about user privacy and data security. Source: The Register
Final Words
As we wrap up today's edition of Secret CISO, it's clear that the digital landscape is as dynamic as ever, with new challenges emerging at every turn. From Boyd Gaming's data breach revealing vulnerabilities in corporate defenses to Stellantis's encounter with ShinyHunters, the importance of robust cybersecurity strategies cannot be overstated. These incidents remind us that no organization is immune, and vigilance is key.
Meanwhile, the exposure of user data in apps and the persistent vulnerabilities in systems like SolarWinds and Supermicro highlight the ongoing battle between security experts and cyber adversaries. The need for continuous updates and patches is a stark reminder of the evolving nature of threats.
As we navigate these complex issues, sharing knowledge and insights becomes crucial. If you found today's newsletter informative, consider sharing it with your friends and colleagues. Together, we can foster a community that is better prepared to tackle the cybersecurity challenges of tomorrow.
Stay safe, stay informed, and see you in the next edition of Secret CISO!