Security News of Interest This Week - Issue #110

These are my notes for the podcast recording.

podcast - #セキュリティのアレ - a laid-back security podcast.

Incidents and Accidents

Law enforcement agencies in the US, Germany and other countries cooperate to take down the cryptocurrency mixing service ChipMixer

(3/15) Justice Department Investigation Leads to Takedown of Darknet Cryptocurrency Mixer that Processed Over $3 Billion of Unlawful Transactions | OPA | Department of Justice

The Justice Department announced today a coordinated international takedown of ChipMixer, a darknet cryptocurrency “mixing” service responsible for laundering more than $3 billion worth of cryptocurrency, between 2017 and the present, in furtherance of, among other activities, ransomware, darknet market, fraud, cryptocurrency heists and other hacking schemes. The operation involved U.S. federal law enforcement’s court-authorized seizure of two domains that directed users to the ChipMixer service and one Github account, as well as the German Federal Criminal Police’s (the Bundeskriminalamt) seizure of the ChipMixer back-end servers and more than $46 million in cryptocurrency.

(3/15) One of the darkweb’s largest cryptocurrency laundromats washed out | Europol

German and US authorities, supported by Europol, have targeted ChipMixer, a cryptocurrency mixer well-known in the cybercriminal underworld. The investigation was also supported by Belgium, Poland and Switzerland. On 15 March, national authorities took down the infrastructure of the platform for its alleged involvement in money laundering activities and seized four servers, about 1909.4 Bitcoins in 55 transactions (approx. EUR 44.2 million) and 7 TB of data.


Attacks and Threats

ESET reports on the activities of the attacker group Tick

(3/14) The slow Tick‑ing time bomb: Tick APT group compromise of a DLP software developer in East Asia | WeLiveSecurity

ESET researchers discovered a campaign that we attribute with high confidence to the APT group Tick. The incident took place in the network of an East Asian company that develops data-loss prevention (DLP) software.

The attackers compromised the DLP company’s internal update servers to deliver malware inside the software developer’s network, and trojanized installers of legitimate tools used by the company, which eventually resulted in the execution of malware on the computers of the company’s customers.


The National Police Agency (警察庁) publishes "The Threat Situation in Cyberspace in 2022 (Reiwa 4)"

(3/16) The Threat Situation in Cyberspace | National Police Agency website


The National Police Agency (警察庁) publishes "Status of Unauthorized Access Incidents and of Research and Development on Access Control Technologies"

(3/16) Status of Unauthorized Access Incidents and of Research and Development on Access Control Technologies | National Police Agency website


CISA issues an advisory on LockBit 3.0 ransomware

(3/16) #StopRansomware: LockBit 3.0 | CISA


Kaspersky releases a decryption tool for ransomware based on the leaked Conti source

(3/16) Kaspersky releases tool for decrypting Conti-based ransomware | Kaspersky

In late February 2023, Kaspersky experts uncovered a new portion of leaked data published on forums. After analyzing the data, which contained 258 private keys, source code and some pre-compiled decryptors, Kaspersky released a new version of the public decryptor to help victims of this modification of Conti ransomware.


Team Cymru reports on the activity of the MoqHao malware

(3/17) MoqHao Part 3: Recent Global Targeting Trends

This blog post is part of an ongoing series of analysis on MoqHao (also referred to as Wroba and XLoader), a malware family commonly associated with Roaming Mantis. MoqHao is generally used to target Android users, often via an initial attack vector of phishing SMS messages (smishing).

The threat group behind Roaming Mantis is characterized as Chinese-speaking and financially motivated; the first public acknowledgement goes back to around 2018. The group has historically targeted countries in the Far East – Japan, South Korea and Taiwan – but it is expanding its campaign.


Vulnerabilities

Microsoft releases its March 2023 Patch Tuesday updates, including fixes for two vulnerabilities already confirmed to be exploited in the wild.

(3/14) March 2023 Security Updates (Monthly) | MSRC Blog | Microsoft Security Response Center

  • Among the vulnerabilities fixed in this month's security updates, CVE-2023-24880, a Windows SmartScreen security feature bypass vulnerability, had its details publicly disclosed and had been exploited before the security update was released. Customers should apply the update as soon as possible. For details, see CVE-2023-24880.

  • Among the vulnerabilities fixed in this month's security updates, CVE-2023-23397, a Microsoft Outlook elevation of privilege vulnerability, has been confirmed to be already exploited. Note that, as of the release of the security update, no public disclosure of the details of this vulnerability has been confirmed. Customers should apply the update as soon as possible. For details, see CVE-2023-23397 and Microsoft Mitigates Outlook Elevation of Privilege Vulnerability.

(3/14) Microsoft Mitigates Outlook Elevation of Privilege Vulnerability | MSRC Blog | Microsoft Security Response Center

Microsoft Threat Intelligence discovered limited, targeted abuse of a vulnerability in Microsoft Outlook for Windows that allows for new technology LAN manager (NTLM) credential theft. Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows. We strongly recommend all customers update Microsoft Outlook for Windows to remain secure.

(3/14) Magniber ransomware actors used a variant of Microsoft SmartScreen bypass

Google’s Threat Analysis Group (TAG) recently discovered usage of an unpatched security bypass in Microsoft’s SmartScreen security feature, which financially motivated actors are using to deliver the Magniber ransomware without any security warnings. The attackers are delivering MSI files signed with an invalid but specially crafted Authenticode signature. The malformed signature causes SmartScreen to return an error that results in bypassing the security warning dialog displayed to users when an untrusted file contains a Mark-of-the-Web (MotW), which indicates a potentially malicious file has been downloaded from the internet.

TAG reported its findings to Microsoft on February 15, 2023. The security bypass was patched today as CVE-2023-24880 in Microsoft’s Patch Tuesday release.

(3/14) Zero Day Initiative — The March 2023 Security Update Review


CISA adds 3+1 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog

(3/14) CISA Adds Three Known Exploited Vulnerabilities to Catalog | CISA

(3/15) CISA Adds One Known Exploited Vulnerability to Catalog | CISA


Multiple vulnerabilities in Samsung Exynos chips

(3/16) Project Zero: Multiple Internet to Baseband Remote Code Execution Vulnerabilities in Exynos Modems

In late 2022 and early 2023, Project Zero reported eighteen 0-day vulnerabilities in Exynos Modems produced by Samsung Semiconductor. The four most severe of these eighteen vulnerabilities (CVE-2023-24033 and three other vulnerabilities that have yet to be assigned CVE-IDs) allowed for Internet-to-baseband remote code execution. Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim's phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.


Other

CISA announces the Ransomware Vulnerability Warning Pilot (RVWP)

(3/13) CISA Announces Ransomware Vulnerability Warning Pilot | CISA


The Japan Consumer Credit Association (日本クレジット協会) publishes the "Credit Card Security Guidelines [Version 4.0]"

(3/15) The "Credit Card Security Guidelines [Version 4.0]" have been compiled


IPA publishes the "Security Guidelines for Building and Operating E-Commerce Sites"

(3/16) Security Guidelines for Building and Operating E-Commerce Sites: IPA, Information-technology Promotion Agency, Japan