Security News of the Week That Caught Our Attention - Issue #102

These are notes for recording the podcast.

podcast - #セキュリティのアレ - a laid-back security podcast.


Incidents and accidents

Unauthorized logins to NortonLifeLock accounts via a credential stuffing attack

(1/13) NortonLifeLock warns that hackers breached Password Manager accounts

(Reference) A summary of the credential stuffing attack on Norton accounts (Nortonアカウントへのリスト型攻撃についてまとめてみた) - piyolog


Unauthorized access to Mailchimp leaked user account information

(1/13) Information About a Recent Security Incident | Mailchimp

On January 11, the Mailchimp Security team identified an unauthorized actor accessing one of our tools used by Mailchimp customer-facing teams for customer support and account administration. The unauthorized actor conducted a social engineering attack on Mailchimp employees and contractors, and obtained access to select Mailchimp accounts using employee credentials compromised in that attack.

Based on our investigation to date, this targeted incident has been limited to 133 Mailchimp accounts. There is no evidence that this compromise affected Intuit systems or customer data beyond these Mailchimp accounts.


The US Department of Justice arrested the founder of the cryptocurrency exchange Bitzlato on suspicion of involvement in money laundering and related offenses.

(1/18) Founder and Majority Owner of Bitzlato, a Cryptocurrency Exchange, Charged with Unlicensed Money Transmitting | USAO-EDNY | Department of Justice

According to court documents, Legkodymov is a senior executive and the majority shareholder of Bitzlato Ltd. (Bitzlato), a Hong Kong-registered cryptocurrency exchange that operates globally. Bitzlato has marketed itself as requiring minimal identification from its users, specifying that “neither selfies nor passports [are] required.” On occasions when Bitzlato did direct users to submit identifying information, it repeatedly allowed them to provide information belonging to “straw man” registrants.

As a result of these deficient know-your-customer (KYC) procedures, Bitzlato allegedly became a haven for criminal proceeds and funds intended for use in criminal activity. Bitzlato’s largest counterparty in cryptocurrency transactions was Hydra Market, an anonymous, illicit online marketplace for narcotics, stolen financial information, fraudulent identification documents, and money laundering services that was the largest and longest running darknet market in the world. Hydra Market users exchanged more than $700 million in cryptocurrency with Bitzlato, either directly or through intermediaries, until Hydra Market was shuttered by U.S. and German law enforcement in April 2022. Bitzlato also received more than $15 million in ransomware proceeds.


Unauthorized logins to PayPal accounts via a credential stuffing attack

(1/19) PayPal accounts breached in large-scale credential stuffing attack


Customer information leaked from T-Mobile through API abuse, affecting about 37 million people

(1/19) T‑Mobile Informing Impacted Customers about Unauthorized Activity ‑ T‑Mobile Newsroom

No passwords, payment card information, social security numbers, government ID numbers or other financial account information were compromised. Some basic customer information (nearly all of which is the type widely available in marketing databases or directories) was obtained, including name, billing address, email, phone number, date of birth, account number, and information such as the number of lines on the account and service plan features.

(1/19) FORM 8-K

Our systems and policies prevented the most sensitive types of customer information from being accessed, and as a result, based on our investigation to date, customer accounts and finances were not put at risk directly by this event. The API abused by the bad actor does not provide access to any customer payment card information (PCI), social security numbers/tax IDs, driver’s license or other government ID numbers, passwords/PINs or other financial account information, so none of this information was exposed. Rather, the impacted API is only able to provide a limited set of customer account data, including name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features. The preliminary result from our investigation indicates that the bad actor(s) obtained data from this API for approximately 37 million current postpaid and prepaid customer accounts, though many of these accounts did not include the full data set.


Attacks and threats

KELA released a report on 2022 ransomware attacks, network access sales, and related activity

(1/12) 2022 Annual Report on Ransomware, Extortion, and Network Access Sales


Avast released a decryptor for the BianLian ransomware

(1/16) Decrypted: BianLian Ransomware - Avast Threat Labs


Chainalysis reported its analysis of 2022 ransomware payments and related trends

(1/19) Ransomware Revenue Down As More Victims Refuse to Pay - Chainalysis


Coveware published its ransomware report for Q4 2022

(1/20) Improved Security and Backups Result in Record Low Number of Ransomware Payments

Over the last 4 years, the propensity for victims of ransomware to pay a ransom has fallen dramatically, from 85% of victims in Q1 of 2019, to 37% of victims in Q4 of 2022. On an annual basis, 41% of victims paid in 2022 vs. 76% in 2019. Despite the best efforts of the cyber criminals rowing in the opposite direction, shaving 48 whole percentage points of this key indicator has been the result of several factors.


Vulnerabilities

Remote code execution vulnerability in multiple Cisco routers. The affected models are end-of-life, so no patch will be provided.

(1/11) Cisco Small Business RV016, RV042, RV042G, and RV082 Routers Vulnerabilities

(1/17) CVE-2023-20025 - RCE in End-of-Life Cisco Routers - Censys


CISA added one vulnerability to the Known Exploited Vulnerabilities (KEV) catalog

(1/17) CISA Adds One Known Exploited Vulnerability to Catalog | CISA


For the ManageEngine vulnerability (CVE-2022-47966), whose advisory was published on 1/10, a PoC was released and exploitation was subsequently observed

(1/19) CVE-2022-47966 SAML ShowStopper

(1/19) ManageEngine CVE-2022-47966 Technical Deep Dive – Horizon3.ai

(1/19) CVE-2022-47966: Rapid7 Observed Exploitation of Critical ManageEngine Vulnerability | Rapid7 Blog


Other

Coinbase announced its withdrawal from the Japanese market

(1/18) Halting Operations in Japan - Blog

Due to changes in market conditions, we have made the difficult decision to conduct a full review of our current operations in Japan and to halt transactions with existing customers. However, we promise our valued customers that we will make this transition as smooth as possible.


Twitter revised its developer terms and banned third-party apps

(1/19) Twitter’s new developer terms ban third-party clients | Engadget

(1/20) Twitter quietly revised its "Developer Agreement" and officially banned third-party apps - ITmedia NEWS