Security News of Interest This Week - Issue #105

These are notes for recording the podcast.

podcast - #セキュリティのアレ - A laid-back security podcast.



Incidents and accidents

Tor Project announces that the Tor network has been under various denial-of-service attacks for several months

(2/7) Tor is slow right now. Here is what is happening. | The Tor Project

For at least 7 months, several different types of ongoing denial of service (DoS) attacks have affected the Tor network. At some points, the attacks impacted the network severely enough that users could not load pages or access onion services.


Microsoft Outlook outage

(2/7) Microsoft Outlook outage prevents users from sending, receiving emails


Microsoft Teams outage


US and UK designate seven Russian nationals involved in Trickbot operations as sanctions targets

(2/9) United States and United Kingdom Sanction Members of Russia-Based Trickbot Cybercrime Gang | U.S. Department of the Treasury

Today, the United States, in coordination with the United Kingdom, is designating seven individuals who are part of the Russia-based cybercrime gang Trickbot. This action represents the very first sanctions of their kind for the U.K., and results from a collaborative partnership between the U.S. Department of the Treasury’s Office of Foreign Assets Control and the U.K.’s Foreign, Commonwealth, and Development Office; National Crime Agency; and His Majesty’s Treasury to disrupt Russian cybercrime and ransomware.

(2/9) UK cracks down on ransomware actors - GOV.UK

Seven Russian cyber criminals have today (Thursday 9 February) been sanctioned by the UK and US in the first wave of new coordinated action against international cyber crime. These individuals have been associated with the development or deployment of a range of ransomware strains which have targeted the UK and US.


Information leak at Reddit following unauthorized access

(2/9) We had a security incident. Here’s what we know.

On late (PST) February 5, 2023, we became aware of a sophisticated phishing campaign that targeted Reddit employees. As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens.

After successfully obtaining a single employee’s credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems. We show no indications of breach of our primary production systems (the parts of our stack that run Reddit and store the majority of our data).

Exposure included limited contact information for (currently hundreds of) company contacts and employees (current and former), as well as limited advertiser information. Based on several days of initial investigation by security, engineering, and data science (and friends!), we have no evidence to suggest that any of your non-public data has been accessed, or that Reddit’s information has been published or distributed online.


Attacks and threats

NTT Security Japan warns about an attack campaign distributing malware via Google Ads

(2/8) On the intensification of attacks by SteelClover distributing malware via Google Ads

Since early January 2023, incidents in which malware is downloaded via Google Ads have surged at multiple Japanese companies. Many attack campaigns have been observed, including ones distributing IcedID and Aurora Stealer, but a particularly large share is attributable to the attack group we call SteelClover.


US CISA publishes recovery guidance for the ransomware campaign targeting VMware ESXi

(2/8) ESXiArgs Ransomware Virtual Machine Recovery Guidance | CISA

(2/8) New ESXiArgs ransomware version prevents VMware ESXi recovery

(2/8) GreyNoise | Exploit Vector Analysis of Emerging ‘ESXiArgs’ Ransomware (a.k.a. Wow do I hate ESXi Threat Intel [right now])

The Security Community seems to be focusing on a single vulnerability. GreyNoise believes that CVE-2021-21974 makes sense as an initial access vector, but are not aware of any 1st party sources confirming that to be the case. We encourage defenders to remain vigilant and not accept every vendor at their word (including us).

(2/8) ESXWhy: A Look at ESXiArgs Ransomware - Censys

We’ve observed a new variant of ESXiArgs emerge over the last 24 hours. Key updates to this version include:

  • A new ransom note with no BTC addresses, making it more difficult for researchers to track payments
  • Encryption of additional data, rendering existing decryption tools ineffective

In the last few days, we’ve seen just over 3,800 unique hosts compromised, and 1,800 which are online currently. Over the last 24 hours, just over 900 hosts have upgraded to the latest ransomware variant.

As we reported yesterday, OpenSLP does not appear to be the method of attack, given that multiple compromised hosts did not have SLP running.


CISA warns about North Korean ransomware attack activity

(2/9) #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities | CISA


IPA publishes the J-CSIP (Cyber Information Sharing Initiative) operational status for October to December 2022

(2/9) Cyber Information Sharing Initiative (J-CSIP) Operational Status [October to December 2022]


Vulnerabilities

PoC published for the GoAnywhere MFT zero-day vulnerability (CVE-2023-0669); exploitation in the wild has also been confirmed

(2/6) GoAnywhere MFT - A Forgotten Bug | Frycos Security Diary

(2/6) Exploit released for actively exploited GoAnywhere MFT zero-day

(2/8) Investigating Intrusions From Intriguing Exploits

(2/10) Clop ransomware claims it breached 130 orgs using GoAnywhere zero-day


Multiple vulnerabilities in OpenSSL

(2/7) OpenSSL Security Advisory


CISA adds three vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog

(2/10) CISA Adds Three Known Exploited Vulnerabilities to Catalog | CISA

(Comment) One of them is the GoAnywhere MFT vulnerability (CVE-2023-0669)


Other

NIST selects Ascon as its lightweight cryptography standard

(2/7) NIST Selects ‘Lightweight Cryptography’ Algorithms to Protect Small Devices | NIST