Weekly Summary

SPOTLIGHT, VULNERABILITY CHAT & PRIVACY HEADLINES
4,834,779 leaked accounts discovered by the BreachAware® Research Team last week.

29 April 2024

A total of 13 breaches were found and analysed, resulting in 4,834,779 leaked accounts containing a total of 21 different data types. The breaches found publicly and freely available included Stealer Log 0452, Redaq, Stealer Log 0453, Kharkov and Stealer Log 0451. Sign in to view the full BreachAware Breach Index which includes, where available, reference articles relating to each breach.

SPOTLIGHT

A Spanish company specialising in online marketing and solar products faced a significant data breach, highlighting the importance of robust cybersecurity measures for medium-sized businesses. Similarly, a breach affecting the Indian audio device seller and lifestyle website highlights the significant impact of data breaches on consumer privacy. Millions of customer records were exposed, including personal details like full names and physical addresses.

The suspension of the dark-web and clear-net forum's domain reflects the challenges faced by platforms hosting controversial content. While the admin's statement acknowledges the domain suspension as a routine occurrence, it underscores the growing pressure from authorities on such platforms. Despite efforts to migrate to alternative domains and enhance anti-DDoS protection, the forum's issues highlight the ongoing battle between privacy advocates and law enforcement agencies.

VULNERABILITY CHAT

The report from Microsoft Threat Intelligence sheds light on the activities of the Russian-based threat actor Forest Blizzard (STRONTIUM), highlighting their use of a custom tool named GooseEgg to exploit vulnerabilities in the Windows Print Spooler service. This tool has been utilised since at least June 2020, possibly even earlier, to elevate privileges and steal credentials in compromised networks.

The decline in the number of Microsoft vulnerabilities in 2023, as noted in BeyondTrust's annual report, may suggest progress in addressing security flaws. However, the prevalence of elevation of privilege and identity attacks highlights persistent areas of concern.

The report of hackers subverting Cisco Systems' digital security devices to gain unauthorised access to government networks is concerning. The exploitation of previously undetected vulnerabilities in the Adaptive Security Appliance range of devices by a sophisticated state-sponsored threat actor underscores the need for robust cybersecurity defences, particularly in critical infrastructure and government systems.

Google has released further details on the Android TV vulnerability discovered earlier this year, which could potentially expose sensitive Google account details. The details include the rollout of updates to fix the bug and the implementation of measures to prevent exploitation.

4 Common Vulnerabilities and Exposures (CVEs) were added to the Cybersecurity and Infrastructure Security Agency's (CISA) 'Known Exploited Vulnerabilities Catalog' last week, including CrushFTP. See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

NIST's National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), published 601 vulnerabilities last week, making the 2024 total 12,228. For more information visit https://nvd.nist.gov/vuln/search/

INFORMATION PRIVACY HEADLINES

A mass data protection lawsuit against Grindr in London has been announced. The alleged sharing of private information, including sensitive details such as HIV status, without consent raises serious ethical and legal questions. If proven true, such actions could have far-reaching consequences for affected individuals and highlight the need for robust data protection measures and regulatory oversight in the dating app industry.

On a legislative front, Nebraska's adoption of the Nebraska Data Privacy Act represents a significant step forward in addressing data privacy concerns at the state level. The enactment of comprehensive data privacy legislation demonstrates a commitment to safeguarding the personal information of Nebraska residents and aligning with broader efforts to enhance data protection nationwide. By granting exclusive enforcement authority to the Nebraska Office of the Attorney General, the state aims to ensure effective oversight and enforcement of data privacy laws, thereby enhancing accountability and transparency in the handling of personal data.

DATA CATEGORIES DISCOVERED

Technical Data, Contact Data, Locational Data, Usage Data, Documentary Data, Socio-Demographic Data, Social Relationships Data.