Welcome to your daily dose of ONSEC Cyber Daily. Today, we're diving into a plethora of critical security alerts and vulnerabilities that are making waves in the cyber world. First up, we have a critical security alert issued by PTA against a significant flaw in a WordPress plugin. This alert highlights the importance of proactive measures in safeguarding against potential cyberattacks. Next, we're looking at England's vulnerability to extreme weather and how it ties into cyber warnings over zero-day vulnerabilities. Government bodies are being urged to take cyber insurance seriously. We also have a high severity warning for Android users from the government, underscoring the importance of staying vigilant against multiple vulnerabilities. In other news, iPhone users are being warned about widespread cybersecurity issues, with immediate action advised. Online shoppers are also vulnerable to phishing scams, with cyber criminals gearing up for Black Friday. We also have a report on how the drinking water for 193 million Americans is vulnerable to cyberattacks, emphasizing the need for resilience against increasingly sophisticated cyber threats. In the tech world, Apple has issued an urgent warning for Mac and iPhone users to update their devices due to a critical security alert. We also have reports on vulnerabilities in Grafana, mySCADA myPRO, and ProjectSend being exploited in the wild. On the patching front, Microsoft and QNAP have released patches for some critical gaps and security updates respectively. Lastly, we have a roundup of the latest cybersecurity podcast episodes, offering insights into healthcare cybersecurity, strengthening cybersecurity in financial services, and more. Stay tuned for more updates and remember, staying informed is the first step towards cybersecurity.

Exploits Alert

1. PTA Issues Critical Security Alert Against Big Flaw in WordPress Plugin: The Pakistan Telecommunication Authority (PTA) has issued a critical security alert regarding a significant flaw in a WordPress plugin. Proactive measures are emphasized as crucial in safeguarding against potential cyberattacks. Source: ProPakistani
2. NCSC Cyber Warning Over Zero-Day Vulnerabilities: The National Cyber Security Centre (NCSC) has issued a cyber warning concerning zero-day vulnerabilities. The warning highlights the importance of cyber insurance in mitigating risks. Source: CIR Magazine
3. Vigilance Vulnerability Alerts - Grafana: Write Access via Alert Rule Write API Endpoint: A vulnerability alert has been issued for Grafana, where an attacker can bypass access restrictions via Alert Rule Write API Endpoint, potentially altering data. Source: Global Security Mag
4. Government Warns iPhone Users of Widespread Cyber Security Issues: CERT-In has issued a warning for iPhone users concerning several vulnerabilities identified in Apple devices and their services. Immediate action is advised. Source: India TV News
5. Urgent Apple Warning—Update Your Mac And iPhone Now: Apple has issued a critical security alert on November 19, urging users to update their Mac and iPhone devices to protect against the latest cyberattack. Source: Forbes

Vulnerabilities & Patches

1. NachoVPN Attack Delivers Malicious Updates via Rogue VPN Server Exploits: Attackers are exploiting rogue VPN servers to deliver malicious updates to unpatched Palo Alto and SonicWall SSL-VPN clients. Users are advised to ensure their VPN clients are up-to-date to prevent such attacks. Source: technadu.com
2. ProjectSend Authentication Vulnerability Exploited in the Wild: Hackers are actively exploiting a critical authentication vulnerability in ProjectSend, a popular open-source file-sharing web application. Users are urged to update their software to the latest version to mitigate this risk. Source: gbhackers.com
3. Microsoft Patches Critical Gaps Out of Turn: Microsoft has released four security bulletins addressing critical vulnerabilities. Users are advised to apply these patches immediately to secure their systems. Source: heise.de
4. QNAP Fixes Host of Security Updates Following Major Issues: QNAP has addressed 17 vulnerabilities with a variety of patches. Affected products include Notes Station 3, QuRouter, and others. Users are urged to apply these patches as soon as possible. Source: msn.com
5. Critical Gitlab Vulnerability Let Attackers Escalate Privileges: GitLab has released critical security updates for its Community Edition (CE) and Enterprise Edition (EE) to address a vulnerability that could allow attackers to escalate privileges. Users are advised to update their GitLab instances immediately. Source: gbhackers.com

Podcasts

1. What's Next for Healthcare Cybersecurity After a Tumultuous 2024?: This podcast episode discusses the future of cybersecurity in the healthcare sector after a challenging 2024. It explores the potential threats and strategies for improving security. Source: Healthcare IT Today
2. Strengthening Cybersecurity in Financial Services – Insights from Reuben Koh: Reuben Koh, Director of Security Technology & Strategy at Akamai Technologies, shares his insights on strengthening cybersecurity in the financial services sector. Source: Analytics Insight
3. INsight podcast: learnings from our cyber seminar: This podcast episode shares key learnings from a cybersecurity seminar, providing insights into the latest trends and strategies in the industry. Source: Insurance News
4. Ahead of the Threat Podcast: Episode Three - Chris Cwalina: Chris Cwalina, Global Head of Cybersecurity and Privacy, discusses cybersecurity readiness in this episode of the "Ahead of the Threat" podcast. Source: Norton Rose Fulbright
5. Taking aim at cybercrime - CyberWire: This episode produced by Liz Stokes discusses strategies for combating cybercrime, providing valuable insights for cybersecurity professionals. Source: CyberWire

Final Words

And that's a wrap for today's edition of ONSEC Cyber Daily. We've covered a lot of ground, from critical security alerts in WordPress plugins to vulnerabilities in Android and Apple devices, and even the potential cyber threats to our drinking water. Remember, in the world of cybersecurity, knowledge is power. Stay informed, stay vigilant, and most importantly, stay safe. If you found this information valuable, we encourage you to share this newsletter with your friends and colleagues. Let's work together to create a safer digital world. Until tomorrow, keep your data secure and your systems patched. Stay cyber smart!