Welcome to the first pilot newsletter for the Secret CISO project!
We are a group of CISOs who have decided to create an independent and anonymous publication for the CISO community. Like the gifts from Secret Santa, our newsletter will be a surprise delivery each week, full of valuable information and insights for our fellow CISOs.
We aim to create a weekly newsletter that CISOs will enjoy reading and find useful. We will focus on important news, events, threats, and releases and avoid filling them with ads and promotions from vendors.
Inside the newsletter, you'll find a variety of sections, including:
- Threats: a weekly pulse of the most critical new vulnerabilities
- Incidents: a weekly report on data breaches and cybersecurity incidents
- Podcasts: the most popular CISO-related episodes of the week
We're always looking for ways to improve, and we welcome your feedback and contributions. If you have any news, links, or other valuable information for other CISOs, please don't hesitate to email us.
Thank you for joining us on this journey, and we hope you enjoy the newsletter!
The most dangerous vulnerabilities and security issues discovered last week
In this week's Threats section of the Secret CISO newsletter, we're highlighting a few recent vulnerabilities that have been discovered in popular products such as Cisco, AMD, and Okta.
First, multiple vulnerabilities have been discovered in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, and RV082 routers. These vulnerabilities could allow a remote attacker to bypass authentication or execute arbitrary commands on the underlying operating system of an affected device. They carry a Common Vulnerability Scoring System (CVSS) base score of 9.0 and are tracked under the Common Vulnerabilities and Exposures (CVE) identifiers CVE-2023-20025 and CVE-2023-20026.
Second, multiple vulnerabilities have been discovered in AMD server products. They include a failure to validate the communication buffer and communication service in the BIOS, which may allow an attacker to tamper with the buffer and potentially achieve arbitrary code execution in System Management Mode (SMM), and insufficient bounds checking in ASP (AMD Secure Processor) firmware while handling BIOS mailbox commands, which may lead to a potential loss of integrity and availability. The vulnerabilities are tracked under the Common Vulnerabilities and Exposures (CVE) identifiers CVE-2021-26316, CVE-2021-26398, CVE-2021-26402, and CVE-2021-39298.
Finally, there has been some noise about a JWT secret-poisoning vulnerability in Okta's Auth0 jsonwebtoken library. However, it has been reported that this vulnerability is almost impossible to exploit in real life, and as a result Palo Alto Networks updated its post. It is interesting to see how Unit 42 tried to promote a non-exploitable bug as critical. Details can be found here: https://www.rezilion.com/blog/cve-2022-23529-should-you-be-concerned-about-the-jsonwebtoken-vulnerability/
The biggest data breaches and cybersecurity incidents of the week. Telegram, Cellebrite, and CircleCI
In this week's Data Breach and Incidents section of the Secret CISO newsletter, we're highlighting a few recent breaches that have caught our attention.
First, researchers have reported that a threat actor is claiming to provide access to internal servers at Telegram for $20,000 on a dark web marketplace. The seller claims that the access is permanent and is provided by insiders who are staff members of the company. SafetyDetectives reported that the market is not reachable via the surface web and that it offers counterfeit electronics, money, drugs, illegal software, stolen databases, cracking tools, counterfeit weapons, and carding data dumps. https://securityaffairs.com/140691/deep-web/telegram-access-dark-web.html
Second, 1.7 TB of data was stolen from Cellebrite, a digital intelligence company that provides tools for law enforcement, and the data was leaked online. The Israeli mobile forensics firm is one of the leading companies in the world in the field of digital forensics and works with law enforcement and intelligence agencies worldwide. One of its most popular products is the UFED (Universal Forensic Extraction Device), which is used by law enforcement and intelligence agencies to unlock and access data on mobile devices. Hacktivists argued that the tools have been used in the past against journalists, activists, and dissidents around the world. https://securityaffairs.com/140838/data-breach/cellebrite-software-leaked-online.html
Finally, CircleCI, a software company whose products are popular with developers and software engineers, confirmed that some customers' data was stolen in a data breach last month. In a detailed blog post, the company said it identified the intruder's initial point of access as an employee's laptop that was compromised with malware, allowing the theft of the session tokens that kept the employee logged in to certain applications, even though that access was protected with two-factor authentication. The company took the blame for the compromise, calling it a "systems failure," and added that its antivirus software failed to detect the token-stealing malware on the employee's laptop. https://circleci.com/blog/jan-4-2023-incident-report/
As always, please use the provided links for additional details and stay vigilant in protecting your own systems and data.
The best audio content Secret CISO found this week
In this week's podcast section of the Secret CISO newsletter, we're highlighting a few episodes that provide valuable insights for CISOs.
First, we recommend "Be the One Who Gets the Call - The Keys to Landing New Opportunities" from "The New CISO" podcast. In this episode, guest Mark Weatherford, CISO and Head of Regulated Industries at AlertEnterprise, shares his experience and advice on how to become the go-to person for new opportunities. Listen to part one of this episode to learn more about Mark's Navy experience, the importance of delegating in leadership, and how to become the one who always gets the call. https://podcasts.apple.com/us/podcast/the-new-ciso/id1460075361
Next, we recommend "Stir in a Little Merger and Acquisition, and Voilà, You're a Target" from the "CISO Series Podcast". In this episode, Nicole Ford, global VP and CISO at Rockwell Automation, joins hosts David Spark and Andy Ellis to discuss the unique challenges and opportunities that mergers and acquisitions bring from a cybersecurity perspective. They also discuss some good practices that can be put in place to help mitigate the risks. https://podcasts.apple.com/us/podcast/ciso-series-podcast/id1391337832
Finally, we recommend "When Cybersecurity Regulations Go Sideways" from the "Boomplay" podcast. In this episode, the hosts discuss the pros and cons of cybersecurity regulations, and how they can sometimes go sideways. They also share some examples of when regulations have been helpful, as well as where they have caused more harm than good. https://www.boomplay.com/episode/3102034
We hope you've found the first pilot episode of the Secret CISO newsletter informative and helpful. We're committed to providing the latest news, events, threats, and releases for the CISO community, and we appreciate your support.
If you enjoyed this newsletter, please share it with your CISO friends and colleagues. Your feedback is important to us, and we want to know if this newsletter meets your needs and expectations.
We plan to run a second newsletter episode next week, but we need your help. If we can reach 50 new subscribers this week, we'll be able to continue providing valuable content for the CISO community. So please help us spread the word, and let's make this newsletter successful.
Thank you for your support, and we look forward to serving you in the future. It was your first gift from the Secret CISO. Stay in touch!