Weekly Summary

SPOTLIGHT, VULNERABILITY CHAT & PRIVACY HEADLINES
Kick

It's kicking off in the underground cyber crime community.

29 July 2024
BREACHAWARE HQ

A total of 25 breaches were found and analysed resulting in 29,695,958 leaked accounts containing a total of 25 different data types. The breaches found publicly and freely available included Trello, 7k7k, Sword Fantasy, Zaimer and Xiaomi. Sign in to view the full BreachAware Breach Index which includes, where available, reference articles relating to each breach.

SPOTLIGHT

The underground cybercrime community is experiencing significant turmoil. Prominent threat actors have accused the owners of the notorious BreachForums of potentially being compromised, and the accusation has caused widespread concern within the community. Despite doxing being banned on the forum, a banned threat actor has declared war on BreachForums, doxing several members and inciting serious infighting. Another hacker has even placed a 1 Bitcoin bounty on a former staff member, with the funds reportedly held in escrow on a respected Russian-speaking cybercrime forum. The conflict appears to be primarily between two well-known threat actors on one side and the forum's admin and community on the other. The allegation of compromise stems from claims that a member of the ShinyHunters gang, doxed by the DOJ but not imprisoned, is running the forum.

CrowdStrike is facing further challenges after a major mishap. A file leaked on an underground forum contains a list of threat actors compiled by CrowdStrike, with information on usernames, motivations, and origins. The leak, which spans nearly 250 lines of text, was not a data breach: the information was obtained by abusing CrowdStrike's endpoints to extract Indicators of Compromise (IOCs). The data was intended for CrowdStrike's customers and internal use, not for public release.

ESET researchers have discovered a Telegram 0day vulnerability affecting Android users. This flaw allows the sending of malicious files disguised as videos. Due to Telegram's auto-video download feature, users may inadvertently download and interact with these malicious files. A popular Russian-speaking channel released the 0day file for free and advised its followers to "be careful where you lurk." Android users are urged to disable the auto-download feature to avoid potential risks.

VULNERABILITY CHAT

Cisco has identified a critical security flaw in its networking devices, prompting an urgent response to address the risk. According to Cisco's security advisory, the vulnerability stems from an improper implementation of the password-change process. By exploiting this flaw, attackers can send crafted HTTP requests to an affected device and gain unauthorised access to the web UI or API with the privileges of the compromised user. No workarounds are available, which makes immediate patching a necessity.

Researchers at Binarly have discovered a long-standing security issue, dubbed PKfail, affecting numerous production PC models. The issue exposes private keys for various motherboard firmware builds, leaving systems vulnerable to low-level malware that evades OS-level anti-malware protections. The persistent nature of this flaw poses significant risks to affected devices.

Tenable cybersecurity researchers have disclosed a privilege escalation vulnerability in Google Cloud Platform's Cloud Functions service. Named ConfusedFunction, this flaw allows attackers to escalate their privileges to the Default Cloud Build Service Account, granting unauthorised access to various services such as Cloud Build, storage, artefact registry, and container registry. This exposure underscores the importance of rigorous access controls and regular security assessments.

Security researchers have highlighted significant vulnerabilities and malicious activities within GitHub. Issues include improperly configured action workflows, the persistence of deleted data from repositories, and the misuse of GitHub accounts for distributing malware. These risks emphasise the need for stringent security practices and vigilance in managing repository configurations.

A previously patched Microsoft Defender SmartScreen vulnerability continues to be exploited in global info-stealing attacks. Despite the patch in February, recent campaigns involving Meduza and ACR stealers have targeted the US, Spain, and Thailand. Fortinet's recent flagging of these activities highlights the ongoing threat and the necessity for robust endpoint protection measures.

ServiceNow has patched vulnerabilities in its software in May and July, securing all instances hosted by the company. However, attackers are now targeting organisations with self-hosted, unpatched instances, including government entities, data centres, energy providers, and software development firms. Ensuring timely updates and patches is crucial to mitigating these risks.

The Internet Systems Consortium (ISC) has released critical security advisories for multiple vulnerabilities in the Berkeley Internet Name Domain (BIND) 9 software, a key component of the DNS infrastructure. The most severe vulnerability allows a malicious client to flood the server with DNS messages over TCP, potentially destabilising the server during the attack. Immediate attention to these advisories is essential to maintain DNS stability and security.

Two Common Vulnerabilities and Exposures (CVE) entries were added to the Cybersecurity & Infrastructure Security Agency's (CISA) 'Known Exploited Vulnerabilities Catalog' last week, including one affecting Twilio (Authy). See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

NIST's National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), published 457 vulnerabilities last week, bringing the 2024 total to 23,030. For more information visit https://nvd.nist.gov/vuln/search/

INFORMATION PRIVACY HEADLINES

The Paris Summer Olympics features an extensive deployment of algorithmic video surveillance, an AI-driven event-security technology. This system uses machine learning to analyse video footage in real time to detect and predict threats and anomalies. Privacy advocates raise significant concerns, citing potential civil liberties infringements, inherent biases, false positives, and biometric data collection. These issues may persist if the technology is used at other major events, such as the 2026 FIFA World Cup, the 2028 Summer Olympics in Los Angeles, and the 2034 Winter Olympics in Salt Lake City.

Social media platform X is under scrutiny from European privacy regulators for using users' posts to train its AI chatbot, Grok, without notifying them or obtaining consent. This practice potentially infringes on data protection rules and has drawn considerable criticism for its lack of transparency and possible violation of privacy rights.

The UK's Information Commissioner's Office (ICO) expressed disappointment over Google's decision to retain third-party cookies in Chrome, despite previous plans to eliminate them. Google's Privacy Sandbox initiative, designed to balance advertising performance with user privacy, has raised concerns due to potential vulnerabilities that could compromise user privacy and identify individuals who opted out of tracking. The ICO emphasises the need for robust privacy measures within these tools.

Chelmer Valley High School in the UK received a reprimand from the ICO for unlawfully implementing facial recognition technology (FRT). The school failed to conduct a Data Protection Impact Assessment (DPIA) before using FRT and did not obtain proper consent from students. This oversight violated laws protecting children's biometric information and underscored the importance of thorough risk assessments in educational settings.

India's Ministry of Electronics and Information Technology (MeitY) has raised concerns about the data privacy risks posed by major tech companies, including Google, Alibaba, Airbnb, Amazon, Uber, and Facebook. These concerns were highlighted in an internal presentation on the Digital Personal Data Protection Act, emphasising the need for stringent data protection measures to safeguard user information from potential misuse by large technology firms.

The Malaysian Dewan Rakyat passed the Personal Data Protection (Amendment) Bill 2024, marking significant changes to the Personal Data Protection Act 2010. The amendments aim to align Malaysia's data protection framework more closely with international standards, reflecting a growing global emphasis on robust data privacy regulations.


DATA CATEGORIES DISCOVERED

Technical Data, Contact Data, Locational Data, Socio-Demographic Data, Financial Data, Documentary Data, Social Relationships Data, Usage Data, Communications Data.
