Secret CISO 9/30: WestJet, Lotte Card Breaches Unveil AI's Dark Side; SpamGPT & EvilAI Exploit Trust; CodeQL & Digital Security Innovations Lead Defense

Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity incidents and innovations shaping our digital landscape. As we close September, the spotlight is on a series of data breaches that have rocked industries from airlines to healthcare, each revealing vulnerabilities and prompting urgent security overhauls.

WestJet, Albany Gastroenterology Consultants, Lotte Card, Viva Health, and Belkorp Ag are grappling with breaches that exposed sensitive data, affecting millions. These incidents underscore the relentless pursuit of cybercriminals and the critical need for robust defenses.

Meanwhile, the emergence of SpamGPT and EvilAI highlights the dark side of AI, as these tools are weaponized for phishing and infiltration, exploiting the trust in technology. The vulnerabilities in consumer devices like Tile trackers further emphasize the urgency for encryption and privacy safeguards.

On the innovation front, the latest research on CodeQL and discussions at the Innovation Morning event shed light on the future of digital security, advocating for interdisciplinary approaches and machine learning to combat emerging threats.

Finally, we delve into specific vulnerabilities, from Vasion Print's authentication flaws to FreshRSS's admin creation loophole, each a reminder of the constant vigilance required to secure our digital environments.

Stay informed, stay secure, and join us as we navigate the ever-evolving world of cybersecurity.

Data Breaches

  1. WestJet Data Breach: WestJet has notified some of its U.S.-based passengers about a cybersecurity breach that may have exposed travel documents and personal information. The airline assures that no sensitive data was compromised and has implemented additional security measures. Source: Global News
  2. Albany Gastroenterology Consultants Data Breach: Albany Gastroenterology Consultants reported a data security breach that exposed sensitive information of over 55,000 patients. The healthcare provider is taking steps to enhance its security protocols to prevent future incidents. Source: Teiss
  3. Lotte Card Data Breach: Lotte Card experienced a security breach where threat actors infiltrated its internal network and stole confidential data affecting nearly 3 million individuals. The company has launched an investigation and is working to strengthen its security measures. Source: Teiss
  4. Viva Health Data Breach: Viva Health, part of the University of Alabama at Birmingham Health System, is investigating a data breach involving the personal data of 4,945 individuals. The insurer is working to determine the scope of the breach and enhance its security practices. Source: Becker's Payer Issues
  5. Belkorp Ag Data Breach: Belkorp Ag has announced a data breach and is taking steps to protect the information it maintains. The company is evaluating and enhancing its cybersecurity safeguards to prevent future breaches. Source: Yahoo Finance

Security Research

  1. SpamGPT turns AI into phishing playbook: Security researchers have identified a new tool called SpamGPT, which mimics professional email marketing services for malicious purposes. This tool is being used to create sophisticated phishing campaigns, leveraging AI to enhance the effectiveness of these attacks. The discovery highlights the ongoing challenge of AI being used for nefarious activities in the cybersecurity landscape. Source: Information Age | ACS
  2. Tile's lack of encryption could make tracker owners vulnerable to stalking: Researchers have uncovered significant security vulnerabilities in Tile tracking devices. These flaws could potentially allow stalkers to track individuals without their consent, raising serious privacy concerns. The findings underscore the importance of robust encryption in consumer devices to protect user privacy. Source: The Verge
  3. EvilAI Malware Masquerades as AI Tools to Infiltrate Global Organizations: A new malware strain, dubbed EvilAI, is disguising itself as legitimate AI tools to penetrate organizations worldwide. Security researchers have warned that this malware exploits the growing trust in AI technologies to bypass security measures. The incident serves as a reminder of the need for vigilance and robust security protocols when integrating AI solutions. Source: The Hacker News
  4. CodeQL zero to hero part 5: Debugging queries: This research focuses on enhancing security research through the use of CodeQL, a powerful tool for analyzing codebases. The latest installment in the series delves into debugging queries, offering insights into improving the accuracy and efficiency of security analyses. This work is crucial for advancing the capabilities of security researchers in identifying and mitigating vulnerabilities. Source: The GitHub Blog
  5. Innovation Morning: The Future of Digital Security: This research event explores the intersection of software, AI, and cybersecurity, highlighting the latest advancements and challenges in the field. It emphasizes the role of machine learning in enhancing software security and the importance of interdisciplinary approaches to tackle emerging threats. The discussions aim to shape the future of digital security by fostering collaboration and innovation. Source: Carleton University

Top CVEs

  1. Vasion Print Vulnerability: Vasion Print's Virtual Appliance Host and Application expose PHP scripts without authentication, allowing remote attackers to reconfigure networked printers and modify device settings. This vulnerability, identified as V-2024-029, highlights the critical need for authentication measures in networked device management. Source: Vulners.
  2. FreshRSS Admin Creation Flaw: In FreshRSS versions 1.16.0 through 1.26.3, an unprivileged attacker can exploit a hidden field to create a new admin user when registration is enabled. This vulnerability underscores the importance of securing user management functionalities. The issue is resolved in later versions. Source: Vulners.
  3. FairSketch RISE XSS Vulnerability: A cross-site scripting (XSS) vulnerability in FairSketch RISE Ultimate Project Manager & CRM 3.9.4 allows administrators to store JavaScript payloads via the file explorer in the admin dashboard. This highlights the risks of XSS attacks in web applications, emphasizing the need for input validation. Source: Vulners.
  4. DataSpider Servista XML External Entity Issue: DataSpider Servista 4.4 and earlier versions have an XML external entity reference issue, which can lead to arbitrary file reads or denial-of-service conditions. This vulnerability demonstrates the dangers of improper XML handling in server applications. Source: Vulners.

Final Words

As we wrap up today's edition of Secret CISO, it's clear that the cybersecurity landscape is as dynamic as ever. From the WestJet data breach to the innovative yet concerning SpamGPT, each story underscores the critical importance of vigilance and proactive measures in safeguarding our digital world.

Whether it's the evolving threats like EvilAI malware or vulnerabilities in everyday devices like Tile trackers, staying informed is our first line of defense. The insights from events like Innovation Morning remind us of the power of collaboration and innovation in shaping a secure digital future.

We hope you found today's newsletter both informative and engaging. If you did, please consider sharing it with your friends and colleagues. Together, we can build a community that is not only aware but also prepared to tackle the challenges of cybersecurity head-on.

Thank you for being a part of our journey. Until next time, stay safe and stay secure!


By Secret CISO