This Week's Security News of Note - Issue #159


podcast - #セキュリティのアレ - A laid-back security podcast.


Internal data from China's I-Soon leaked by an unknown party

(2/21) A first analysis of the i-Soon data leak | Malwarebytes

(2/21) Unmasking I-Soon | The Leak That Revealed China's Cyber Operations - SentinelOne

(2/22) Lessons from the iSOON Leaks

(2/22) New Leak Shows Business Side of China’s APT Menace – Krebs on Security

(2/23) Data From Chinese Security Services Company i-Soon Linked to Previous Chinese APT Campaigns

Large-scale outage on AT&T's mobile network

(2/22) AT&T Network Update

(2/22) Massive AT&T outage impacts US mobile subscribers


Law enforcement agencies from the US, UK, and other countries jointly take down LockBit ransomware infrastructure; Japanese police also contributed, including by developing a decryption tool

(2/20) International investigation disrupts the world’s most harmful cyber crime group - National Crime Agency

(2/20) Office of Public Affairs | U.S. and U.K. Disrupt LockBit Ransomware Variant | United States Department of Justice

(2/20) United States Sanctions Affiliates of Russia-Based LockBit Ransomware Group | U.S. Department of the Treasury

(2/20) Law enforcement disrupt world’s biggest ransomware operation | Europol

(2/20) Unpicking LockBit — 22 Cases of Affiliate Tradecraft | Secureworks

(2/20) OpCronos: The Demise of One of the Most Prominent RaaS Gangs, LOCKBIT

(2/21) On Europol's press release regarding the arrest of ransomware suspects and the takedown of related criminal infrastructure | National Police Agency website

(2/21) On the development of a decryption tool for data encrypted by ransomware | National Police Agency website

(2/22) LockBit Attempts to Stay Afloat with a New Version

JPCERT/CC reports on attack activity by the Lazarus group abusing PyPI

(2/21) Malware distribution activity by the Lazarus attack group abusing PyPI - JPCERT/CC Eyes | JPCERT Coordination Center official blog


Vulnerabilities in ConnectWise ScreenConnect; exploitation already confirmed

(2/19) ConnectWise ScreenConnect 23.9.8 security fix

(2/21) ConnectWise ScreenConnect: Authentication Bypass Deep Dive – Horizon3.ai

(2/23) SlashAndGrab: ScreenConnect Post-Exploitation in the Wild (CVE-2024-1709 & CVE-2024-1708)

(2/23) ConnectWise ScreenConnect attacks deliver malware – Sophos News

CISA adds 1 vulnerability to the Known Exploited Vulnerabilities (KEV) catalog

(2/22) CISA Adds One Known Exploited ConnectWise Vulnerability, CVE-2024-1709, to Catalog | CISA

  • CVE-2024-1709 ConnectWise ScreenConnect Authentication Bypass Vulnerability


Signal adds support for usernames

(2/20) Signal >> Blog >> Keep your phone number private with Signal usernames

(Promotion) I will be speaking at a seminar next month!

TECH+ Forum - Security 2024 Mar. Proactive measures learned from "recommendations" and case studies | Mynavi News

This Week's Security News of Note - Issue #158





(2/14) Notice and apology regarding the leak of employee and other information due to unauthorized access using the accounts of two contractors | LY Corporation (LINEヤフー株式会社)


(2/14) Notice regarding measures to prevent recurrence of the personal information leak caused by unauthorized access | LY Corporation (LINEヤフー株式会社)

(Updated 2/14) Notice and apology regarding the information leak caused by unauthorized access (updated 2024/2/14) | LY Corporation (LINEヤフー株式会社)


(Reference) A summary of the unauthorized access to LY Corporation (LINEヤフー) - piyolog


(2/15) Administrative action under the Act on the Protection of Personal Information against NTT DOCOMO, INC. and NTT Nexia Inc. (February 15, 2024) | Personal Information Protection Commission

(2/15) Regarding guidance from the Personal Information Protection Commission to our company | Notices | NTT Nexia

(2/15) Press release: Regarding guidance from the Personal Information Protection Commission to our company | Notices | NTT DOCOMO

Possible information leak from Toyota Mobility Service's "Booking Car"

(2/16) Apology and notice regarding the possible leak of customer email addresses and other information - Toyota Mobility Service Co., Ltd.

It has been determined that the email addresses and customer identification numbers (numbers assigned to each individual customer for administrative purposes) of approximately 25,000 employees and staff of companies and local governments that currently use, or have previously used, "Booking Car," the cloud service for company vehicles provided by Toyota Mobility Service Co., Ltd., may have been leaked. We sincerely apologize for the great inconvenience and concern caused to the companies and local governments using "Booking Car" and to the customers registered with it.


Decryption tool for Rhysida ransomware released

(2/13) Decrypted: Rhysida Ransomware - Avast Threat Labs

In October 2023, we published a blog post containing technical analysis of the Rhysida ransomware. What we intentionally omitted in the blog post was that we had been aware of a cryptographic vulnerability in this ransomware for several months and, since August 2023, we had covertly provided victims with our decryption tool. Thanks to our collaboration with law enforcement units, we were able to quietly assist numerous organizations by decrypting their files for free, enabling them to regain functionality. Given the weakness in Rhysida ransomware was publicly disclosed recently, we are now publicly releasing our decryptor for download to all victims of the Rhysida ransomware.

(2/12) Rhysida Ransomware Cracked, Free Decryption Tool Released

(2/9) [2402.06440] A Method for Decrypting Data Infected with Rhysida Ransomware

Microsoft and OpenAI jointly report on the use of AI services by state-backed threat groups

(2/14) Staying ahead of threat actors in the age of AI | Microsoft Security Blog

Over the last year, the speed, scale, and sophistication of attacks have increased alongside the rapid development and adoption of AI. Defenders are only beginning to recognize and apply the power of generative AI to shift the cybersecurity balance in their favor and keep ahead of adversaries. At the same time, it is also important for us to understand how AI can be potentially misused in the hands of threat actors. In collaboration with OpenAI, today we are publishing research on emerging threats in the age of AI, focusing on identified activity associated with known threat actors, including prompt-injections, attempted misuse of large language models (LLM), and fraud. Our analysis of the current use of LLM technology by threat actors revealed behaviors consistent with attackers using AI as another productivity tool on the offensive landscape. You can read OpenAI’s blog on the research here. Microsoft and OpenAI have not yet observed particularly novel or unique AI-enabled attack or abuse techniques resulting from threat actors’ usage of AI. However, Microsoft and our partners continue to study this landscape closely.

(2/14) Disrupting malicious uses of AI by state-affiliated threat actors

We build AI tools that improve lives and help solve complex challenges, but we know that malicious actors will sometimes try to abuse our tools to harm others, including in furtherance of cyber operations. Among those malicious actors, state-affiliated groups—which may have access to advanced technology, large financial resources, and skilled personnel—can pose unique risks to the digital ecosystem and human welfare.

In partnership with Microsoft Threat Intelligence, we have disrupted five state-affiliated actors that sought to use AI services in support of malicious cyber activities. We also outline our approach to detect and disrupt such actors in order to promote information sharing and transparency regarding their activities.

CISA and MS-ISAC jointly issue an advisory on an attack targeting a state government organization

(2/15) Threat Actor Leverages Compromised Account of Former Employee to Access State Government Organization | CISA

The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) conducted an incident response assessment of a state government organization’s network environment after documents containing host and user information, including metadata, were posted on a dark web brokerage site. Analysis confirmed that an unidentified threat actor compromised network administrator credentials through the account of a former employee—a technique commonly leveraged by threat actors—to successfully authenticate to an internal virtual private network (VPN) access point, further navigate the victim’s on-premises environment, and execute various lightweight directory access protocol (LDAP) queries against a domain controller.[1] Analysis also focused on the victim’s Azure environment, which hosts sensitive systems and data, as well as the compromised on-premises environment. Analysis determined there were no indications the threat actor further compromised the organization by moving laterally from the on-premises environment to the Azure environment.


(2/15) Office of Public Affairs | Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU) | United States Department of Justice

A January 2024 court-authorized operation has neutralized a network of hundreds of small office/home office (SOHO) routers that GRU Military Unit 26165, also known as APT 28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit, used to conceal and otherwise enable a variety of crimes. These crimes included vast spearphishing and similar credential harvesting campaigns against targets of intelligence interest to the Russian government, such as U.S. and foreign governments and military, security, and corporate organizations. In recent months, allegations of Unit 26165 activity of this type have been the subject of a private sector cybersecurity advisory and a Ukrainian government warning.


CISA adds 1+2+2 vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog

(2/12) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

  • CVE-2023-43770 Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability

(2/13) CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA

(2/15) CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA

Microsoft releases its February 2024 monthly security updates, including fixes for multiple vulnerabilities already confirmed to be exploited.

(2/13) February 2024 Security Updates (Monthly) | MSRC Blog | Microsoft Security Response Center

Among the vulnerabilities fixed in this month's security updates, we have confirmed that the following vulnerabilities were exploited, or had their details publicly disclosed, before the updates were released. Customers should apply the updates as soon as possible. For details of each vulnerability, refer to the respective CVE page.

(2/13) Zero Day Initiative — The February 2024 Security Update Review

(2/13) CVE-2024-21412: Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day

(2/14) The Risks of the #MonikerLink Bug in Microsoft Outlook and the Big Picture - Check Point Research

Multiple vulnerabilities in QNAP products

(2/13) Multiple Vulnerabilities in QTS, QuTS hero and QuTScloud - Security Advisory | QNAP

(2/13) CVE-2023-47218: QNAP QTS and QuTS Hero Unauthenticated Command Injection (FIXED) | Rapid7 Blog

(2/13) New Vulnerability in QNAP QTS Firmware: CVE-2023-50358


JNSA publishes the "Incident Damage Cost Survey Report, 2nd Edition"

(2/9) NPO Japan Network Security Association: Reports and published materials

NICT publishes the "NICTER Observation Report 2023"

(2/13) Publication of the NICTER Observation Report 2023 | 2024 | NICT - National Institute of Information and Communications Technology

DuckDuckGo browser adds support for end-to-end sync and backup

(2/14) DuckDuckGo Browser Update: Private Sync & Backup

An nginx core developer forks nginx and launches freenginx.org

(2/14) announcing freenginx.org

(2/16) NGINX core developer, at odds with F5 management, forks NGINX and launches "FreeNginx"; says F5 management ignored policy and the developers' position - Publickey

JPCERT/CC publishes its Internet Threat Monitoring Report for October to December 2023

(2/15) Internet Threat Monitoring Report (October to December 2023)

NICT publishes NICTER observation statistics for Q4 2023

(2/15) NICTER Observation Statistics - October to December 2023 - NICTER Blog

This Week's Security News of Note - Issue #157





(2/5) China launches cyberattack on Ministry of Foreign Affairs systems, causing a large-scale leak including diplomatic cables; systems of major government agencies inspected : Yomiuri Shimbun


(Reference) A summary of the cyberattack on the Ministry of Foreign Affairs system that handles diplomatic cables - piyolog

Intermittent large-scale DDoS attacks against TwitCasting

(2/6) Notice regarding service outage due to DDoS attacks - TwitCasting



(2/9) Real estate sales company employee arrested for allegedly obtaining information illegally from a business card management service | NHK Tokyo Metropolitan Area News

(2/9) Company employee arrested on suspicion of unauthorized access to a business card management service; information allegedly misused for investment solicitation | Mainichi Shimbun

(2/9) Posed as a "Sansan" employee to obtain business card information; real estate company deputy manager arrested on suspicion - Tokyo Metropolitan Police Department | Jiji Press News

(2/9) Regarding today's news reports | Sansan, Inc.

(Reference) A summary of the case in which business card information obtained through unauthorized access was misused for investment solicitation - piyolog

US Department of Justice takes down the Warzone RAT malware sales sites and indicts two suspects

(2/9) Office of Public Affairs | International Cybercrime Malware Service Dismantled by Federal Authorities: Key Malware Sales and Support Actors in Malta and Nigeria Charged in Federal Indictments | United States Department of Justice

The Justice Department announced today that, as part of an international law enforcement effort, federal authorities in Boston seized internet domains that were used to sell computer malware used by cybercriminals to secretly access and steal data from victims’ computers. Federal authorities in Atlanta and Boston also unsealed indictments charging individuals in Malta and Nigeria, respectively, for their alleged involvement in selling the malware and supporting cybercriminals seeking to use the malware for malicious purposes.


Google TAG reports on the activities of commercial spyware vendors

(2/6) New Google TAG report: How Commercial Surveillance Vendors work

To shine a light on the spyware industry, today, Google’s Threat Analysis Group (TAG) is releasing Buying Spying, an in-depth report with our insights into Commercial Surveillance Vendors (CSVs). TAG actively tracks around 40 CSVs of varying levels of sophistication and public exposure. The report outlines our understanding of who is involved in developing, selling, and deploying spyware, how CSVs operate, the types of products they develop and sell, and our analysis of recent activity.

CISA, NSA, FBI, and others jointly issue an advisory on attack activity by the Chinese threat group Volt Typhoon

(2/7) PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure | CISA

(2/7) Identifying and Mitigating Living Off the Land Techniques | CISA

(2/7) The Importance of Patching: An Analysis of the Exploitation of N-Day Vulnerabilities | Fortinet Blog

Citizen Lab reports on a Chinese influence operation campaign

(2/7) PAPERWALL: Chinese Websites Posing as Local News Outlets Target Global Audiences with Pro-Beijing Content - The Citizen Lab

A network of at least 123 websites operated from within the People’s Republic of China while posing as local news outlets in 30 countries across Europe, Asia, and Latin America, disseminates pro-Beijing disinformation and ad hominem attacks within much larger volumes of commercial press releases. We name this campaign PAPERWALL.


Authentication bypass vulnerability CVE-2024-23917 in JetBrains TeamCity

(2/6) Critical Security Issue Affecting TeamCity On-Premises (CVE-2024-23917) – Update to 2023.11.3 Now | The TeamCity Blog

The vulnerability may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server.

(2/6) JetBrains warns of new TeamCity auth bypass vulnerability

CISA adds 1+1 vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog

(2/6) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

(2/9) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

  • CVE-2024-21762 Fortinet FortiOS Out-of-Bound Write Vulnerability

Multiple vulnerabilities in FortiOS

(2/8) FortiOS - Out-of-bound Write in sslvpnd | PSIRT | FortiGuard

Note: This is potentially being exploited in the wild.

(2/8) FortiOS - Format String Bug in fgfmd | PSIRT | FortiGuard

(2/9) Alert regarding the out-of-bounds write vulnerability (CVE-2024-21762) in Fortinet FortiOS

(Reference) A summary of the FortiOS vulnerability CVE-2024-21762 - piyolog

New vulnerability CVE-2024-22024 in Ivanti Connect Secure and Ivanti Policy Secure

(2/8) CVE-2024-22024 (XXE) for Ivanti Connect Secure and Ivanti Policy Secure

As part of the ongoing investigation, we discovered a new vulnerability as part of our internal review and testing of our code, which was also responsibly disclosed by watchTowr. This vulnerability only affects a limited number of supported versions – Ivanti Connect Secure (version 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1, and 22.5R2.2), Ivanti Policy Secure version 22.5R1.1 and ZTA version 22.6R1.3.

(2/8) Ivanti Connect Secure CVE-2024-22024 - Are We Now Part Of Ivanti?



(2/6) Request to financial institutions to strengthen countermeasures against unauthorized transfers to crypto-asset exchange service providers | National Police Agency website


(2/7) Strengthening countermeasures against unauthorized transfers to crypto-asset exchange service providers that allow fund transfers to third parties: Financial Services Agency


Mozilla launches the paid Mozilla Monitor Plus service

(2/7) Introducing Mozilla Monitor Plus, a new tool to automatically remove your personal information from data broker sites

Today, Mozilla Monitor (previously called Firefox Monitor), a free service that notifies you when your email has been part of a breach, announced its new paid subscription service offering: automatic data removal and continuous monitoring of your exposed personal information.

(Reference) Data Removal Service - Onerep

(Comment) Mozilla provides the Monitor Plus service in partnership with Onerep

This Week's Security News of Note - Issue #156




Brazilian law enforcement takes down Grandoreiro malware infrastructure and arrests suspects

(1/30) Federal Police combats criminal organization that committed electronic banking fraud against victims abroad - Polícia Federal

(1/30) ESET takes part in global operation to disrupt the Grandoreiro banking trojan

ESET has collaborated with the Federal Police of Brazil in an attempt to disrupt the Grandoreiro botnet. ESET contributed to the project by providing technical analysis, statistical information, and known command and control (C&C) server domain names and IP addresses. Due to a design flaw in Grandoreiro’s network protocol, ESET researchers were also able to get a glimpse into the victimology.

(1/30) Police disrupt Grandoreiro banking malware operation, make arrests

Ransomware infection in an X-ray image interpretation system owned by the Saitama Health Promotion Corporation

(1/31) Regarding unauthorized access to the X-ray image interpretation system

(2/1) Possible data leak... Saitama organization that conducts health checkups for 400,000 people a year hit by cyberattack, recovery date undetermined; X-ray image interpretation system and images encrypted, ransom demanded; ransomware identified as "LockBit"; what comes next | Saitama Shimbun


(1/31) Notice and apology regarding a personal information leak due to unauthorized login / Staffing and recruitment for the childcare and logistics industries / SES by Sunrise Works Co., Ltd.

It has come to light that on "Baitoru," the job information site operated by dip Corporation (hereinafter "dip"), on which our company posts job listings, an unauthorized login was made to our applicant information management screen (hereinafter "the management screen"), and that an email (hereinafter "the email") containing part of the application information of 20 of the people who applied to our company via "Baitoru" between January and November 2023 (hereinafter "applicants"), together with the ID and password used for the unauthorized login, was sent to an external party using the management screen's email sending function. As a result, the application information of 1,296 applicants stored on the management screen may have been viewed by the third party who performed the unauthorized login and by anyone who accessed it using the ID and password contained in the email.

The personal information that was sent and the personal information that may have been viewed are as described below and do not include credit card information. In addition, at this time, we have not confirmed that the ID and password used for the unauthorized login were leaked from within our company.

(1/31) Apology and notice regarding unauthorized login to the management screen of a job-posting company | dip Corporation


(1/31) Regarding the fund outflow incident at our Asia-Oceania group company


(1/31) Miura Co., Ltd.: Apology and report

It has been determined that our website was defaced by a third-party cyberattack between approximately 17:00 on Friday, January 26, 2024, and 11:21 on Sunday, January 28. We deeply apologize for the great inconvenience and concern caused to our customers. We are currently investigating the cause and impact, and have taken the website offline.

Personal accounts of Ripple Labs co-founder Chris Larsen compromised; XRP worth approximately 15.6 billion yen stolen

(1/31) Ripple chairman Chris Larsen hacked for reported 213M XRP worth approximately $112.5M

Cloudflare discloses that its internal systems were accessed without authorization last November

(2/1) Thanksgiving 2023 security incident

On Thanksgiving Day, November 23, 2023, Cloudflare detected a threat actor on our self-hosted Atlassian server. Our security team immediately began an investigation, cut off the threat actor’s access, and on Sunday, November 26, we brought in CrowdStrike’s Forensic team to perform their own independent analysis.

Operation Synergia, involving law enforcement agencies from more than 50 countries, identifies and takes down approximately 1,300 malicious IP addresses and URLs used for phishing and malware infections

(2/1) INTERPOL-led operation targets growing cyber threats

SINGAPORE – Some 1,300 suspicious IP addresses or URLs have been identified as part of a global INTERPOL operation targeting phishing, malware and ransomware attacks.

Operation Synergia, which ran from September to November 2023, was launched in response to the clear growth, escalation and professionalisation of transnational cybercrime and the need for coordinated action against new cyber threats.

The operation involved 60 law enforcement agencies from more than 50 INTERPOL member countries, with officers conducting house searches and seizing servers as well as electronic devices. To date, 70% of the command-and-control (C2) servers identified have been taken down, with the remainder currently under investigation.

AnyDesk announces unauthorized access to its internal systems

(2/2) AnyDesk Incident Response 2-2-2024


Coveware publishes its Q4 2023 ransomware report

(1/26) New Ransomware Reporting Requirements Kick in as Victims Increasingly Avoid Paying

JC3 issues an alert on the KeepSpy and XLoader/MoqHao malware

(1/30) Your smartphone could be spreading phishing sites! | Topics | Threat Information | Japan Cybercrime Control Center (JC3)

US Department of Justice conducts an operation to remove the KV botnet, used by the Chinese threat group Volt Typhoon, from infected devices

(1/31) Office of Public Affairs | U.S. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure | United States Department of Justice

The vast majority of routers that comprised the KV Botnet were Cisco and NetGear routers that were vulnerable because they had reached “end of life” status; that is, they were no longer supported through their manufacturer’s security patches or other software updates. The court-authorized operation deleted the KV Botnet malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet.

(1/31) China's Hackers Have Entire Nation in Their Crosshairs, FBI Director Warns — FBI

(1/31) CISA and FBI Release Secure by Design Alert Urging Manufacturers to Eliminate Defects in SOHO Routers | CISA


(2/1) See the status of scam SMS in real time?! "Scam SMS Monitor" | Tobila Systems (securities code: 4441)



Multiple vulnerabilities in Jenkins; PoC also released

(1/24) Jenkins Security Advisory 2024-01-24

(1/24) Excessive Expansion: Uncovering Critical Security Vulnerabilities in Jenkins | Sonar

(1/28) Exploits released for critical Jenkins RCE flaw, patch now

(1/30) CVE-2024-23897: Jenkins - Censys

As of January 30, 2024, Censys has observed 83,509 Jenkins servers on the internet, 79,952 (~96%) of which are potentially vulnerable.

(Reference) A summary of the Jenkins vulnerability CVE-2024-23897 - piyolog

Vulnerabilities in multiple Hitron Systems DVRs; exploitation already confirmed

(1/30) Actively Exploited Vulnerability in Hitron DVRs: Fixed, Patches Available | Akamai

As part of the InfectedSlurs discovery, the Akamai SIRT uncovered vulnerabilities in multiple Hitron DVR device models that are actively exploited in the wild. Hitron devices are manufactured in South Korea by Hitron Systems.

The vulnerability allows an authenticated attacker to achieve OS command injection with a payload delivered via a POST request to the management interface. In its current configuration, it is utilizing device default credentials in the captured payloads.

(1/31) JVNVU#93639653: Improper input validation vulnerability in multiple Hitron Systems digital video recorders

New vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure; exploitation already confirmed.

(1/31) Security Update for Ivanti Connect Secure and Ivanti Policy Secure Gateways

As part of our ongoing strengthening of the security of our products we have discovered new vulnerabilities in Ivanti Connect Secure (formerly Pulse Secure) and Ivanti Policy Secure gateways. We are reporting these vulnerabilities as CVE-2023-46805 and CVE-2024-21887. These vulnerabilities impact all supported versions of the products. Mitigations are available now.

(1/31) CVE-2024-21888 Privilege Escalation for Ivanti Connect Secure and Ivanti Policy Secure

We have no evidence of any customers being impacted by CVE-2024-21888 at this time. We are only aware of a small number of customers who have been impacted by CVE-2024-21893 at this time. The table below provides details on the vulnerabilities:

(1/31) Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation | Mandiant

In this follow-up blog post, we detail additional tactics, techniques, and procedures (TTPs) employed by UNC5221 and other threat groups during post-exploitation activity across our incident response engagements. We also detail new malware families and variants to previously identified malware families being used by UNC5221. We acknowledge the possibility that one or more related groups may be associated with the activity described in this blog post. It is likely that additional groups beyond UNC5221 have adopted one or more of these tools.

(1/31) Updated: New Software Updates and Mitigations to Defend Against Exploitation of Ivanti Connect Secure and Policy Secure Gateways | CISA

(1/31) Supplemental Direction V1: ED 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities | CISA

(2/2) CVE-2024-21893 | AttackerKB

CISA adds 1+1 vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog

(1/31) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

(1/31) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

  • CVE-2024-21893 Ivanti Connect Secure, Policy Secure, and Neurons Server-Side Request Forgery (SSRF) Vulnerability

Container escape vulnerabilities in Docker and runc

(1/31) Leaky Vessels: Docker and runc Container Breakout Vulnerabilities - January 2024 | Snyk

Snyk security researcher Rory McNamara, with the Snyk Security Labs team, identified four vulnerabilities — dubbed "Leaky Vessels" — in core container infrastructure components that allow container escapes. An attacker could use these container escapes to gain unauthorized access to the underlying host operating system from within the container.

(1/31) Docker Security Advisory: Multiple Vulnerabilities in runc, BuildKit, and Moby | Docker

We at Docker prioritize the security and integrity of our software and the trust of our users. Security researchers at Snyk Labs recently identified and reported four security vulnerabilities in the container ecosystem. One of the vulnerabilities, CVE-2024-21626, concerns the runc container runtime, and the other three affect BuildKit (CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653). We want to assure our community that our team, in collaboration with the reporters and open source maintainers, has been diligently working on coordinating and implementing necessary remediations.

(1/31) several container breakouts due to internally leaked fds · Advisory · opencontainers/runc · GitHub


This Week's Security News of Note - Issue #155




Personal Information Protection Commission issues administrative guidance regarding the unauthorized removal of information from NTT Business Solutions discovered last year

(1/24) Administrative action under the Act on the Protection of Personal Information against NTT Marketing Act ProCX Co., Ltd. and NTT Business Solutions Corporation (January 24, 2024) | Personal Information Protection Commission

(1/24) Regarding the recommendation and guidance from the Personal Information Protection Commission to our company | News Release | NTT Business Solutions

(1/24) Regarding the recommendation and guidance from the Personal Information Protection Commission to our company - Notices | NTT Marketing Act ProCX

HPE discloses that Microsoft 365 email accounts were compromised in an attack by the Russian threat group Midnight Blizzard

(1/24) hpe-20240119

On December 12, 2023, Hewlett Packard Enterprise Company (the “Company,” “HPE,” or “we”) was notified that a suspected nation-state actor, believed to be the threat actor Midnight Blizzard, the state-sponsored actor also known as Cozy Bear, had gained unauthorized access to HPE’s cloud-based email environment. The Company, with assistance from external cybersecurity experts, immediately activated our response process to investigate, contain, and remediate the incident, eradicating the activity. Based on our investigation, we now believe that the threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions.

While our investigation of this incident and its scope remains ongoing, the Company now understands this incident is likely related to earlier activity by this threat actor, of which we were notified in June 2023, involving unauthorized access to and exfiltration of a limited number of SharePoint files as early as May 2023. Following the notice in June, we immediately investigated with the assistance of external cybersecurity experts and took containment and remediation measures intended to eradicate the activity. Upon undertaking such actions, we determined that such activity did not materially impact the Company.

We have notified and are cooperating with law enforcement and are also assessing our regulatory notification obligations, and we will make notifications as appropriate based on our investigation findings. As of the date of this filing, the incident has not had a material impact on the Company’s operations, and the Company has not determined the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.

(1/24) HPE: Russian hackers breached its security team’s email accounts


(1/25) Notice of fund outflow due to wire transfer fraud

3-D Matrix, Ltd. (Head office: Chiyoda-ku, Tokyo; President and CEO: 岡田淳) hereby announces that it has been determined that, between late December 2023 and early January 2024, the company suffered a fund outflow due to wire transfer fraud: it complied with false payment instructions in multiple emails impersonating a business partner and mistakenly paid the amounts due into a bank account different from that business partner's real bank account.

Trickbot malware developer sentenced to 5 years and 4 months in prison

(1/25) Office of Public Affairs | Russian National Sentenced for Involvement in Development and Deployment of Trickbot Malware | United States Department of Justice

(1/25) Russian TrickBot malware dev sentenced to 64 months in prison


ITOCHU Cyber & Intelligence reports on its analysis of the LODEINFO malware

(1/24) The endless battle between analysts and attackers over analysis evasion: From the analysis of LODEINFO v0.6.6 - v0.7.3 - ITOCHU Cyber & Intelligence Inc.

ESET reports on attack activity by the Chinese threat group Blackwood using the NSPX30 malware

(1/24) NSPX30: A sophisticated AitM-enabled implant evolving since 2005

ESET researchers provide an analysis of an attack carried out by a previously undisclosed China-aligned threat actor we have named Blackwood, and that we believe has been operating since at least 2018. The attackers deliver a sophisticated implant, which we named NSPX30, through adversary-in-the-middle (AitM) attacks hijacking update requests from legitimate software.

Microsoft provides a follow-up report on the attack by the Russian threat group Midnight Blizzard

(1/25) Midnight Blizzard: Guidance for responders on nation-state attack | Microsoft Security Blog



(1/22) [Alert] Multiple vulnerabilities in Buffalo VR-S1000 (CVE-2023-51363); take action promptly | LAC WATCH

(2023/12/25) Multiple vulnerabilities in VR-S1000 and how to address them | Buffalo

Authentication bypass vulnerability (CVE-2024-0204) in GoAnywhere MFT; PoC also released

(1/22) FI-2024-001 - Authentication Bypass in GoAnywhere MFT | Fortra's Security and Trust Center

(1/23) CVE-2024-0204: Fortra GoAnywhere MFT Authentication Bypass Deep-Dive – Horizon3.ai

(1/24) GoAnywhere MFT vulnerabilities are Going Nowhere for Now - Censys

Apple releases macOS Monterey 12.7.3, macOS Ventura 13.6.4, macOS Sonoma 14.3, iOS 15.8.1 / iPadOS 15.8.1, iOS 16.7.5 / iPadOS 16.7.5, iOS 17.3 / iPadOS 17.3, tvOS 17.3, watchOS 10.3, and Safari 17.3, including a fix for a vulnerability already confirmed to be exploited.

(1/22) Apple security releases - Apple Support

CISA adds 1+1+1 vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog

(1/22) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

(1/23) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

(1/24) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

  • CVE-2023-22527 Atlassian Confluence Data Center and Server Template Injection Vulnerability


X (formerly Twitter) adds support for passkey login for iOS users in the US

(1/23) How to use passkey

Apple announces major changes to iOS, Safari, and the App Store in the EU to comply with the EU's Digital Markets Act (DMA)

(1/25) Apple announces changes to iOS, Safari, and the App Store in the European Union - Apple

Apple today announced changes to iOS, Safari, and the App Store impacting developers’ apps in the European Union (EU) to comply with the Digital Markets Act (DMA). The changes include more than 600 new APIs, expanded app analytics, functionality for alternative browser engines, and options for processing app payments and distributing iOS apps. Across every change, Apple is introducing new safeguards that reduce — but don’t eliminate — new risks the DMA poses to EU users. With these steps, Apple will continue to deliver the best, most secure experience possible for EU users.

This Week's Security News of Note - Issue #154





(1/17) Regarding unauthorized logins and fraudulent orders on the online shopping site


(1/19) Regarding the operating status of the online application system for Kanagawa Prefecture public high school entrance selection - Kanagawa Prefecture website

(1/18) "An unforeseen problem that should never have happened" in Kanagawa high school entrance exams: Online applications malfunction when Gmail is used; what were the causes and countermeasures? : Tokyo Shimbun TOKYO Web

(1/19) "High school application system emails not reaching Gmail" problem resolved after 10 days, but a new problem surfaces: "caught by carriers' spam filters" - ITmedia NEWS

Microsoft reports that the email accounts of multiple employees were compromised in an attack by the Russian threat group Midnight Blizzard

(1/19) Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard | MSRC Blog | Microsoft Security Response Center

Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. We are in the process of notifying employees whose email was accessed.


Microsoft reports on attack activity by the Iranian threat group Mint Sandstorm (PHOSPHORUS)

(1/17) New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and research orgs | Microsoft Security Blog

Since November 2023, Microsoft has observed a distinct subset of Mint Sandstorm (PHOSPHORUS) targeting high-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the United Kingdom, and the United States. In this campaign, Mint Sandstorm used bespoke phishing lures in an attempt to socially engineer targets into downloading malicious files. In a handful of cases, Microsoft observed new post-intrusion tradecraft including the use of a new, custom backdoor called MediaPl.

Google TAG reports on attack activity by the Russian threat group COLDRIVER

(1/18) Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware

Over the years, TAG has analyzed a range of persistent threats including COLDRIVER (also known as UNC4057, Star Blizzard and Callisto), a Russian threat group focused on credential phishing activities against high profile individuals in NGOs, former intelligence and military officers, and NATO governments. For years, TAG has been countering and reporting on this group’s efforts to conduct espionage aligned with the interests of the Russian government. To add to the community’s understanding of COLDRIVER activity, we’re shining light on their extended capabilities which now includes the use of malware.


Remote code execution vulnerability in Atlassian Confluence Data Center and Confluence Server (CVE-2023-22527)

(1/16) CVE-2023-22527 - RCE (Remote Code Execution) Vulnerability In Confluence Data Center and Confluence Server | Atlassian Support | Atlassian Documentation

Multiple vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway; exploitation has already been confirmed

(1/16) NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-6548 and CVE-2023-6549

Exploits of these CVEs on unmitigated appliances have been observed. Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.

Google fixes a zero-day vulnerability in Chrome

(1/16) Chrome Releases: Stable Channel Update for Desktop

Google is aware of reports that an exploit for CVE-2024-0519 exists in the wild.

CISA adds 1+3+1 vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog

(1/16) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

  • CVE-2018-15133 Laravel Deserialization of Untrusted Data Vulnerability

(1/17) CISA Adds Three Known Exploited Vulnerabilities to Catalog | CISA

(1/18) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

  • CVE-2023-35082 Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core Authentication Bypass Vulnerability

In response to the expanding exploitation of vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure, CISA issues Emergency Directive ED 24-01 on vulnerability mitigation

(1/19) ED 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities | CISA

(1/15) Ivanti Connect Secure VPN Exploitation Goes Global | Volexity

(1/16) CVE-2023-46805 | AttackerKB

(1/18) Ivanti Connect Secure VPN Exploitation: New Observations | Volexity

Additionally, Volexity has continued its investigation into activity conducted by UTA0178 and made a few notable discoveries. The first relates to the GIFTEDVISITOR webshell that Volexity scanned for, which led to the initial discovery of over 1,700 compromised Ivanti Connect Secure VPN devices. On January 16, 2024, Volexity conducted a new scan for this backdoor and found an additional 368 compromised Ivanti Connect Secure VPN appliances, bringing the total count of systems infected by GIFTEDVISITOR to over 2,100.

(1/18) Ivanti Connect Secure Exploited to Install Cryptominers | GreyNoise Blog

(Reference) A summary of the Ivanti Connect Secure and Ivanti Policy Secure vulnerabilities CVE-2023-46805 and CVE-2024-21887 - piyolog

Mandiant reports on attack activity by a Chinese threat actor group exploiting the VMware vCenter Server vulnerability CVE-2023-34048

(1/19) Chinese Espionage Group UNC3886 Found Exploiting CVE-2023-34048 Since Late 2021 | Mandiant

While publicly reported and patched in October 2023, Mandiant and VMware Product Security have found UNC3886, a highly advanced China-nexus espionage group, has been exploiting CVE-2023-34048 as far back as late 2021.

(Updated 1/17) VMSA-2023-0023.1

VMware has confirmed that exploitation of CVE-2023-34048 has occurred in the wild.


This Week's Noteworthy Security News - Issue #153



The X account of the US Securities and Exchange Commission (SEC) was hijacked. A fake post claiming "the SEC has approved a spot Bitcoin ETF" caused market turmoil. The following day, the SEC formally announced the approval

(1/9) US SEC’s X account hacked to announce fake Bitcoin ETF approval

(1/10) Bitcoin price swings wildly on false "SEC approves ETF" information - Nihon Keizai Shimbun

(1/10) US Securities and Exchange Commission's X account hacked; fake post throws markets into confusion | NHK | America

(1/10) SEC.gov | Statement on the Approval of Spot Bitcoin Exchange-Traded Products


(1/12) Regarding the impact of flight cancellations caused by the system failure on January 12 | Important Notices | Jetstar

(1/12) Jetstar restores operations after system failure shortly after 7:30 p.m.; 17 flights cancelled | NHK | Aviation

(1/12) 17 Jetstar Japan flights cancelled; cause was a defect in a system used by pilots | Nikkei xTECH


Cisco Talos, in cooperation with Avast, releases a decryptor for the Babuk Tortilla ransomware

(1/9) New decryptor for Babuk Tortilla ransomware variant released

  • Cisco Talos obtained executable code capable of decrypting files affected by the Babuk Tortilla ransomware variant, allowing Talos to extract and share the private decryption key used by the threat actor.
  • Cisco Talos shared the key with our peers at Avast for inclusion in the Avast Babuk decryptor released in 2021. The decryptor includes all known private keys, allowing many users to recover their files once encrypted by different Babuk ransomware variants.
  • Dutch Police, acting on threat intelligence supplied by Talos, identified, apprehended and the Dutch Prosecution Office prosecuted the threat actor behind Babuk Tortilla operations, demonstrating the power of cooperation between law enforcement agencies and commercial security organizations such as Talos and Avast.

(1/9) Avast Updates Babuk Ransomware Decryptor in Cooperation with Cisco Talos and Dutch Police - Avast Threat Labs

Babuk, an advanced ransomware strain, was publicly discovered in 2021. Since then, Avast has blocked more than 5,600 targeted attacks, mostly in Brazil, Czech Republic, India, the United States, and Germany.

Today, in cooperation with Cisco Talos and Dutch Police, Avast is releasing an updated version of the Avast Babuk decryption tool, capable of restoring files encrypted by the Babuk variant called Tortilla. To download the tool, click here.

Akamai reports on DDoS attack trends in 2023

(1/9) A Retrospective on DDoS Trends in 2023 and Actionable Strategies for 2024 | Akamai

Cloudflare publishes its DDoS attack report for Q4 2023

(1/9) DDoS threat report for 2023 Q4

Mandiant reports on an attack campaign targeting the Solana cryptocurrency; it is related to the hijacking of Mandiant's own X account.

(1/10) Hundreds of Thousands of Dollars Worth of Solana Cryptocurrency Assets Stolen in Recent CLINKSINK Drainer Campaigns | Mandiant

QiAnXin's Xlab reports on the activity of the Mirai variant Rimasuta

(1/10) Rimasuta New Variant Switches to ChaCha20 Encryption Algorithm

Akamai reports on the activity of the Mirai variant NoaBot

(1/10) You Had Me at Hi — Mirai-Based NoaBot Makes an Appearance | Akamai


CISA adds 6+1+2 vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog

(1/8) CISA Adds Six Known Exploited Vulnerabilities to Catalog | CISA

(1/10) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

(1/10) CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA

  • CVE-2024-21887 Ivanti Connect Secure and Policy Secure Command Injection Vulnerability
  • CVE-2023-46805 Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability

Microsoft releases its January 2024 monthly security updates

(1/9) January 2024 Security Updates (Monthly Release) | MSRC Blog | Microsoft Security Response Center

(1/9) Zero Day Initiative — The January 2024 Security Update Review

Zero-day vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure; exploitation has already been confirmed.

(1/10) CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways

(1/10) KB CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways

(1/10) Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN | Volexity

Volexity has uncovered active in-the-wild exploitation of two vulnerabilities allowing unauthenticated remote code execution in Ivanti Connect Secure VPN devices. An official security advisory and knowledge base article have been released by Ivanti that includes mitigation that should be applied immediately. However, a mitigation does not remedy a past or ongoing compromise. Systems should simultaneously be thoroughly analyzed per details in this post to look for signs of a breach.

(1/11) Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation | Mandiant

On January 10, 2024, Ivanti disclosed two vulnerabilities, CVE-2023-46805 and CVE-2024-21887, impacting Ivanti Connect Secure VPN (“CS”, formerly Pulse Secure) and Ivanti Policy Secure (“PS”) appliances. Successful exploitation could result in authentication bypass and command injection, leading to further downstream compromise of a victim network. Mandiant has identified zero-day exploitation of these vulnerabilities in the wild beginning as early as December 2023 by a suspected espionage threat actor, currently being tracked as UNC5221.

GitLab fixes multiple vulnerabilities

(1/11) GitLab Critical Security Release: 16.7.2, 16.6.4, 16.5.6 | GitLab

(1/12) GitLab warns of critical zero-click account hijacking vulnerability