Security News of Interest This Week - Issue #98

Notes for recording the podcast.

podcast - #セキュリティのアレ - a laid-back security podcast.


Incidents and accidents

Epic Games agrees to pay $520M in penalties to the US Federal Trade Commission (FTC) over violations of the Children's Online Privacy Protection Act (COPPA) in Fortnite

(12/19) Fortnite Video Game Maker Epic Games to Pay More Than Half a Billion Dollars over FTC Allegations of Privacy Violations and Unwanted Charges | Federal Trade Commission

The Federal Trade Commission has secured agreements requiring Epic Games, Inc., creator of the popular video game Fortnite, to pay a total of $520 million in relief over allegations the company violated the Children’s Online Privacy Protection Act (COPPA) and deployed design tricks, known as dark patterns, to dupe millions of players into making unintentional purchases.


AdGuard reports on the cause of the AdGuard DNS outage that occurred on 11/30

(12/19) On the partial AdGuard DNS outage of November 30, 2022


Anker officially explains the issue in which its Eufy security cameras uploaded thumbnail images to the cloud without users' consent

(12/20) To our eufy Security Customers and Partners - News - Eufy Security Collective

(12/20) Anker’s Eufy breaks its silence on security cam security - The Verge


A statement by Mastodon's Eugen Rochko on Twitter suspending the Mastodon account (the suspension has since been lifted). Mastodon's monthly active users reportedly surged from 300K in October to 2.5M in November.

(12/20) Twitter suspends Mastodon account, prevents sharing links: Our statement - Official Mastodon Blog

While there is no shortage of social media platforms new and old, this is a radically different approach to social media that offers something traditional social media cannot. This may be one of the reasons why Mastodon has recently exploded in popularity, jumping from approx. 300K monthly active users to 2.5M between the months of October and November, with more and more journalists, political figures, writers, actors and organizations moving over. Understanding that freedom of the press is absolutely essential for a functional democracy, we are excited to see Mastodon grow and become a household name in newsrooms across the world, and we are committed to continuing to improve our software to face up to new challenges that come with rapid growth and increasing demand.


The Guardian's IT systems disrupted by a ransomware infection

(12/21) Guardian hit by serious IT incident believed to be ransomware attack | The Guardian | The Guardian

The Guardian has been hit by a serious IT incident, which is believed to be a ransomware attack.

The incident began late on Tuesday night and has affected parts of the company’s technology infrastructure, with staff told to work from home.

There has also been some disruption to behind-the-scenes services.

Online publishing is largely unaffected, with stories continuing to be written and published to the Guardian website and app.

The company said it was confident it could still produce Thursday’s print newspaper.


Unauthorized access to the GitHub code repositories used by Okta; source code leaked

(12/21) Okta Code Repositories | Okta Security

In early December 2022, GitHub alerted Okta about possible suspicious access to Okta code repositories. Upon investigation, we have concluded that such access was used to copy Okta code repositories.

Our investigation concluded that there was no unauthorized access to the Okta service, and no unauthorized access to customer data. Okta does not rely on the confidentiality of its source code for the security of its services. The Okta service remains fully operational and secure.

(12/21) Okta's source code stolen after GitHub repositories hacked


Follow-up on the LastPass unauthorized access incident. The scope of impact has expanded, and encrypted user password data is now among the leaked data.

(12/22) Notice of Recent Security Incident - The LastPass Blog

To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.

The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client. For more information about our Zero Knowledge architecture and encryption algorithms, please see here.

There is no evidence that any unencrypted credit card data was accessed. LastPass does not store complete credit card numbers and credit card information is not archived in this cloud storage environment.

(Comment) Although it depends on the strength of the master password, the risk of the stored passwords themselves being compromised is low. However, note that the leaked data includes a great deal of unencrypted information.


ByteDance employees found to have misused the location data of journalists covering TikTok in an attempt to identify the ByteDance employees who were their sources

(12/22) EXCLUSIVE: TikTok Spied On Forbes Journalists

An internal investigation by ByteDance, the parent company of video-sharing platform TikTok, found that employees tracked multiple journalists covering the company, improperly gaining access to their IP addresses and user data in an attempt to identify whether they had been in the same locales as ByteDance employees.

According to materials reviewed by Forbes, ByteDance tracked multiple Forbes journalists as part of this covert surveillance campaign, which was designed to unearth the source of leaks inside the company following a drumbeat of stories exposing the company’s ongoing links to China. As a result of the investigation into the surveillance tactics, ByteDance fired Chris Lepitak, its chief internal auditor who led the team responsible for them. The China-based executive Song Ye, who Lepitak reported to and who reports directly to ByteDance CEO Rubo Liang, resigned.

(12/23) Employees of TikTok's operating company accessed data of journalists covering the company without authorization | NHK | IT & Internet


Attacks and threats

GreyNoise publishes its report on attack observations for 2022

(12/12) 2022: A Look Back On A Year Of Mass Exploitation


Analysis by Carnegie Endowment for International Peace researchers of the impact of cyberattacks on military operations in Russia's invasion of Ukraine

(12/16) Russia’s Wartime Cyber Operations in Ukraine: Military Impacts, Influences, and Implications - Carnegie Endowment for International Peace

Russia’s cyber operations in Ukraine have apparently not had much military impact. This was probably for a multitude of reasons: Russia’s offensive limitations, as well as the defensive efforts of Ukraine and its partners; the particular context of this war, as well as structural features of cyberspace and warfare generally.


CrowdStrike reports OWASSRF, a new attack method against Microsoft Exchange that was exploited in Play ransomware attacks. The vulnerability used in the attacks (CVE-2022-41080) was already fixed by the patches released in November.

(12/20) OWASSRF: CrowdStrike Identifies New Method for Bypassing ProxyNotShell Mitigations

CrowdStrike recently discovered a new exploit method (called OWASSRF) consisting of CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE) through Outlook Web Access (OWA). The new exploit method bypasses URL rewrite mitigations for the Autodiscover endpoint provided by Microsoft in response to ProxyNotShell.

The discovery was part of recent CrowdStrike Services investigations into several Play ransomware intrusions where the common entry vector was confirmed to be Microsoft Exchange.

After initial access via this new exploit method, the threat actor leveraged legitimate Plink and AnyDesk executables to maintain access, and performed anti-forensics techniques on the Microsoft Exchange server in an attempt to hide their activity.

(12/21) CVE-2022-41080, CVE-2022-41082: Rapid7 Observed Exploitation of OWASSRF in Exchange for RCE | Rapid7 Blog

Beginning December 20, 2022, Rapid7 has responded to an increase in the number of Microsoft Exchange server compromises. Further investigation aligned these attacks to what CrowdStrike is reporting as “OWASSRF”, a chaining of CVE-2022-41080 and CVE-2022-41082 to bypass URL rewrite mitigations that Microsoft provided for ProxyNotShell allowing for remote code execution (RCE) via privilege escalation via Outlook Web Access (OWA).

(12/22) Threat Brief: OWASSRF Vulnerability Exploitation

The OWASSRF exploit method involves two different vulnerabilities tracked by CVE-2022-41080 and CVE-2022-41082 that allow remote code execution (RCE) via Outlook Web Access (OWA). The CVE-2022-41082 vulnerability was previously used by the ProxyNotShell exploit. However, the OWASSRF exploit method bypasses mitigations previously provided by Microsoft for ProxyNotShell. OWASSRF requires authentication to the Exchange Server prior to exploitation, thus we are seeing isolated rather than mass exploitation attempts.

Unit 42 observed that active exploitation of the OWASSRF vulnerability was occurring in late November and early December 2022.


Vulnerabilities

Microsoft reports a vulnerability it discovered that bypasses macOS Gatekeeper. It has already been fixed in macOS Ventura 13, macOS Monterey 12.6.2, and macOS Big Sur 11.7.2.

(12/19) Gatekeeper’s Achilles heel: Unearthing a macOS vulnerability - Microsoft Security Blog


Other

The Public Security Intelligence Agency publishes the Reiwa 5 (2023) edition of "Review and Prospects of Internal and External Situations"

(12/19) Publication of the Reiwa 5 "Review and Prospects of Internal and External Situations" | Public Security Intelligence Agency


(Promotion) Articles introducing the night session of the "Information Security Workshop in Echigo-Yuzawa 2022" held in October. Please take a look!

(12/19) On-location edition of "セキュリティのアレ" - Information Security Workshop in Echigo-Yuzawa 2022 night session participation report part.1 | SB Technology (SBT)

(12/19) Current challenges and countermeasures as seen in vulnerability response - Information Security Workshop in Echigo-Yuzawa 2022 night session participation report part.2 | SB Technology (SBT)

(12/19) Changes observed from watching ransomware and the countermeasures needed now - Information Security Workshop in Echigo-Yuzawa 2022 night session participation report part.3 | SB Technology (SBT)