This Week's Notable Security News - Issue #103

These are notes for recording the podcast.

podcast - #セキュリティのアレ - a laid-back security podcast.



Incidents and accidents

The FBI announces that it has confirmed the June 2022 attack on the Horizon Bridge was carried out by the North Korean threat group Lazarus Group

(1/23) FBI Confirms Lazarus Group Cyber Actors Responsible for Harmony's Horizon Bridge Currency Theft — FBI

The FBI continues to combat malicious cyber activity, including the threat posed by the Democratic People's Republic of Korea (DPRK) to the U.S. and our private sector partners. Through our investigation, we were able to confirm that the Lazarus Group (also known as APT38), cyber actors associated with the DPRK, are responsible for the theft of $100 million of virtual currency from Harmony’s Horizon bridge reported on June 24, 2022.


Follow-up from GoTo on the unauthorized access it reported in November. Encrypted customer backup data was exfiltrated from a third-party cloud storage service, and for a portion of those backups the encryption key was also obtained.

(1/23) Our Response to a Recent Security Incident- GoTo

Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere. We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups. The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information. In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted.

(Comment) GoTo is the parent company of LastPass, and because the two shared the same third-party cloud storage, the impact appears to have extended to the parent company as well.


A former employee is arrested on suspicion of violating the Unauthorized Computer Access Law and of obstruction of business by damaging computers, for accessing a former employer's systems without authorization after leaving the company

(1/24) Regarding media reports about our former employee | Information | 共立電気計器株式会社 (Kyoritsu Electrical Instruments Works)

As has been reported by some media since yesterday, our former employee was arrested on suspicion of obstructing our business by accessing our internal network and other systems without authorization in June of last year, after leaving the company, and deleting data stored on a server.

As far as we are aware at this time, no leak of stored data, including personal information of customers and business partners, has been confirmed. Recovery of the deleted data has now been completed.

(Reference) A summary of the internal data deletion incident by a former employee who handled system administration - piyolog


CISA and others issue an advisory on the malicious use of remote monitoring and management software

(1/25) Protecting Against Malicious Use of Remote Monitoring and Management Software | CISA

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) (hereafter referred to as the “authoring organizations”) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders about malicious use of legitimate remote monitoring and management (RMM) software. In October 2022, CISA identified a widespread cyber campaign involving the malicious use of legitimate RMM software. Specifically, cyber criminal actors sent phishing emails that led to the download of legitimate RMM software—ScreenConnect (now ConnectWise Control) and AnyDesk—which the actors used in a refund scam to steal money from victim bank accounts.


Outage affecting multiple services, including Microsoft 365 and Azure

(1/25) Azure status history | Microsoft Azure

What went wrong and why?

We determined that a change made to the Microsoft Wide Area Network (WAN) impacted connectivity between clients on the internet to Azure, connectivity across regions, as well as cross-premises connectivity via ExpressRoute. As part of a planned change to update the IP address on a WAN router, a command given to the router caused it to send messages to all other routers in the WAN, which resulted in all of them recomputing their adjacency and forwarding tables. During this re-computation process, the routers were unable to correctly forward packets traversing them. The command that caused the issue has different behaviors on different network devices, and the command had not been vetted using our full qualification process on the router on which it was executed.


The US Department of Justice, in cooperation with European law enforcement agencies, seizes the infrastructure of the Hive ransomware operation. A reward of up to $10M is also offered for information on the attacker group.

(1/26) U.S. Department of Justice Disrupts Hive Ransomware Variant | OPA | Department of Justice

(1/26) Cybercriminals stung as HIVE infrastructure shut down | Europol

(Reference) A summary of the law enforcement infiltration of the Hive ransomware network and the infrastructure takedown - piyolog


Attacks and threats

Google reports on the 2022 information operations activity of the threat group DRAGONBRIDGE

(1/26) Over 50,000 instances of DRAGONBRIDGE activity disrupted in 2022

In 2022, Google disrupted over 50,000 instances of DRAGONBRIDGE activity across YouTube, Blogger, and AdSense, reflecting our continued focus on this actor and success in scaling our detection efforts across Google products. We have terminated over 100,000 DRAGONBRIDGE accounts in the IO network’s lifetime. Despite their scale and profuse content production, DRAGONBRIDGE achieved practically no organic engagement from real viewers — in 2022, the majority of DRAGONBRIDGE channels had 0 subscribers when Google disrupted them, and over 80% of DRAGONBRIDGE videos had fewer than 100 views. Engagement for DRAGONBRIDGE’s blogs on Blogger was also low, with nearly 95% receiving 10 or fewer views for blogs terminated in December.


Vulnerabilities

Apple releases macOS Ventura 13.2, macOS Monterey 12.6.3, macOS Big Sur 11.7.3, iOS 16.3 / iPadOS 16.3, iOS 15.7.3 / iPadOS 15.7.3, iOS 12.5.7, watchOS 9.3, and Safari 16.3.

(1/23) Apple security updates - Apple Support


CISA adds two vulnerabilities (one on 1/23 and one on 1/26) to the Known Exploited Vulnerabilities (KEV) catalog

(1/23) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

(1/26) CISA Has Added One Known Exploited Vulnerability to Catalog | CISA


Other

Meta expands the end-to-end encryption (E2EE) features in Messenger, and is gradually widening the set of test users for whom E2EE is enabled by default

(1/23) Expanding Features for End-to-End Encryption on Messenger | Meta


Apple ID now supports FIDO security keys

(1/23) About Security Keys for Apple ID - Apple Support (QA)

What's required for Security Keys for Apple ID

  • At least two FIDO® Certified* security keys that work with the Apple devices that you use on a regular basis.
  • iOS 16.3, iPadOS 16.3, or macOS Ventura 13.2, or later on all of the devices where you're signed in with your Apple ID.
  • Two-factor authentication set up for your Apple ID.
  • A modern web browser. If you can't use your security key to sign in on the web, update your browser to the latest version or try another browser.
  • To sign in to Apple Watch, Apple TV, or HomePod after you set up security keys, you need an iPhone or iPad with a software version that supports security keys.


JSAC2023 is held

(1/25,26) JSAC2023