Security News of the Week That Caught My Eye - Issue #111

Notes for the podcast recording.

podcast - #セキュリティのアレ - a laid-back security podcast.



Incidents and accidents

GitHub rotates the RSA SSH host key it accidentally exposed

(3/24) We updated our RSA SSH host key | The GitHub Blog

At approximately 05:00 UTC on March 24, out of an abundance of caution, we replaced our RSA SSH host key used to secure Git operations for GitHub.com. We did this to protect our users from any chance of an adversary impersonating GitHub or eavesdropping on their Git operations over SSH. This key does not grant access to GitHub’s infrastructure or customer data. This change only impacts Git operations over SSH using RSA. Web traffic to GitHub.com and HTTPS Git operations are not affected.

Only GitHub.com’s RSA SSH key was replaced. No change is required for ECDSA or Ed25519 users. Our keys are documented here.
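Because only the RSA key changed, the clean-up on a client is to drop the old github.com RSA entry from known_hosts (plain and hashed forms alike), keep the ECDSA/Ed25519 entries, and only trust the replacement key after checking its fingerprint against the value GitHub publishes out of band. The Python below is an added example, not GitHub's tooling; the key blobs, hosts and fingerprint are constructed stand-ins, and it does not handle `@cert-authority`/`@revoked` markers or wildcard host patterns.

```python
import base64
import hashlib
import hmac

# --- constructed sample data (NOT real GitHub keys) -------------------------
def _fake_blob(key_type: str, payload: bytes) -> str:
    """Build an SSH wire-format public key blob: string(type) || string(payload)."""
    def s(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b
    return base64.b64encode(s(key_type.encode()) + s(payload)).decode()

OLD_RSA_BLOB = _fake_blob("ssh-rsa", b"\x00" * 64)      # stands in for the retired key
ED25519_BLOB = _fake_blob("ssh-ed25519", b"\x11" * 32)  # untouched by the rotation
NEW_RSA_BLOB = _fake_blob("ssh-rsa", b"\x22" * 64)      # stands in for the replacement key

def hash_hostname(host: str, salt: bytes) -> str:
    """OpenSSH hashed known_hosts host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

SAMPLE_KNOWN_HOSTS = [
    "github.com ssh-rsa " + OLD_RSA_BLOB,
    "github.com ssh-ed25519 " + ED25519_BLOB,
    hash_hostname("github.com", b"\x01" * 20) + " ssh-rsa " + OLD_RSA_BLOB,  # HashKnownHosts yes
    "example.org ssh-rsa " + OLD_RSA_BLOB,  # other host, same key type: must survive
]

# --- logic -------------------------------------------------------------------
def entry_matches_host(hostfield: str, host: str) -> bool:
    """Match a known_hosts host field against host, for plain comma-separated
    aliases and for hashed (|1|salt|mac) entries. Wildcards not handled (assumption)."""
    if hostfield.startswith("|1|"):
        _, _, salt_b64, mac_b64 = hostfield.split("|", 3)
        salt = base64.b64decode(salt_b64)
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, base64.b64decode(mac_b64))
    return host in hostfield.split(",")

def fingerprint(blob_b64: str) -> str:
    """Same value `ssh-keygen -lf` prints: SHA256 over the raw blob, base64, no padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def rotate_host_key(lines, host, key_type, new_blob_b64, expected_fp):
    """Remove every `host key_type` entry (plain or hashed), leave other key types and
    other hosts alone, and append the new key only if its fingerprint matches the
    published one. Returns (new_lines, number_removed)."""
    if fingerprint(new_blob_b64) != expected_fp:
        raise ValueError("new %s key for %s does not match the expected fingerprint" % (key_type, host))
    kept, removed = [], 0
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and parts[1] == key_type and entry_matches_host(parts[0], host):
            removed += 1
            continue
        kept.append(line)
    kept.append("%s %s %s" % (host, key_type, new_blob_b64))
    return kept, removed

if __name__ == "__main__":
    new_lines, n = rotate_host_key(SAMPLE_KNOWN_HOSTS, "github.com", "ssh-rsa",
                                   NEW_RSA_BLOB, fingerprint(NEW_RSA_BLOB))
    print("removed %d old RSA entries" % n)
    print("\n".join(new_lines))
```

The filter is on host and key type together because `ssh-keygen -R github.com` removes every key type for the host, which would needlessly throw away the Ed25519 and ECDSA entries that GitHub says need no change. In real use the expected fingerprint comes from GitHub's documentation page, not from the key you are about to install.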


US Department of Justice takes down BreachForums and arrests the administrator who founded the site

(3/24) Justice Department Announces Arrest of the Founder of One of the World’s Largest Hacker Forums and Disruption of Forum’s Operation | OPA | Department of Justice

The founder of BreachForums made his initial appearance today in the Eastern District of Virginia on a criminal charge related to his alleged creation and administration of a major hacking forum and marketplace for cybercriminals that claimed to have more than 340,000 members as of last week. In parallel with his arrest on March 15, the FBI and Department of Health and Human Services Office of Inspector General (HHS-OIG) have conducted a disruption operation that caused BreachForums to go offline.

(3/24) The FBI's BreachForums bust is causing 'chaos in the cybercrime underground' | CyberScoop

(3/24) Ten thousand leagues in search of Pompompurin


UK NCA runs a sting operation using fake DDoS-for-hire services

(3/24) NCA infiltrates cyber crime market with disguised DDoS sites - National Crime Agency

The National Crime Agency has today revealed that it has infiltrated the online criminal marketplace by setting up a number of sites purporting to offer DDoS-for-hire services.

Today’s announcement comes after the Agency chose to identify one of the sites currently being run by officers as part of a sustained programme of activity to disrupt and undermine DDoS as a criminal service.

The NCA replaced the site’s domain with a splash page warning users that their data has been collected and they will be contacted by law enforcement.


Attacks and threats

JPCERT/CC releases EmoCheck v2.4.0

(3/20) Alert regarding the renewed spread of Emotet malware infections

EmoCheck v2.4.0 was released on March 20, 2023. Part of the detection logic has been improved to handle the changes in Emotet's behaviour introduced by its March 2023 update.


Mandiant reports on the zero-day exploitation it observed in 2022

(3/20) Move, Patch, Get Out the Way: 2022 Zero-Day Exploitation Continues at an Elevated Pace | Mandiant

  • Mandiant tracked 55 zero-day vulnerabilities that we judge were exploited in 2022. Although this count is lower than the record-breaking 81 zero-days exploited in 2021, it still represents almost triple the number from 2020.
  • Chinese state-sponsored cyber espionage groups exploited more zero-days than other cyber espionage actors in 2022, which is consistent with previous years.
  • We identified four zero-day vulnerabilities exploited by financially motivated threat actors. 75% of these instances appear to be linked to ransomware operations.
  • Products from Microsoft, Google, and Apple made up the majority of zero-day vulnerabilities in 2022, consistent with previous years. The most exploited product types were operating systems (OS) (19), followed by browsers (11), security, IT, and network management products (10), and mobile OS (6).


Attacker group Clop exploits a GoAnywhere MFT vulnerability to hit a large number of organizations

(3/22) New victims come forward after mass-ransomware attack | TechCrunch


Vulnerabilities

Multiple vulnerabilities in Netgear Orbi routers

(3/21) Vulnerability Spotlight: Netgear Orbi router vulnerable to arbitrary command execution

Cisco Talos worked with Netgear to ensure that TALOS-2022-1596, TALOS-2022-1597 and TALOS-2022-1598 are resolved and an update is available for affected customers. However, the company is still developing a patch for TALOS-2022-1595, though we are disclosing this vulnerability according to our 90-day timeline outlined in Cisco’s vulnerability disclosure policy.


PoC published for CVE-2023-27532, the Veeam Backup & Replication vulnerability fixed this month

(3/23) Veeam Backup and Replication CVE-2023-27532 Deep Dive – Horizon3.ai

Veeam has recently released an advisory for CVE-2023-27532 for Veeam Backup and Replication which allows an unauthenticated user with access to the Veeam backup service (TCP 9401 by default) to request cleartext credentials. Others, including Huntress, Y4er, and CODE WHITE, have provided insight into this vulnerability. In this post, we hope to offer additional insights and release our POC (found here) which is built on .NET Core and capable of running on Linux.

(3/7) KB4424: CVE-2023-27532


Microsoft publishes a guide for investigating attacks that exploit CVE-2023-23397, which it patched last week

(3/24) Guidance for investigating attacks using CVE-2023-23397 - Microsoft Security Blog

This guide provides steps organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397. A successful exploit of this vulnerability can result in unauthorized access to an organization’s environment by triggering a Net-NTLMv2 hash leak. Understanding the vulnerability and how it has been leveraged by threat actors can help guide the overall investigative process.

(3/14) Exploiting CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability - MDSec

(3/17) Everything We Know About CVE-2023-23397

(3/17) CVE-2023-23397: Exploitations in the Wild – What You Need to Know | Deep Instinct

(3/21) Patch CVE-2023-23397 Immediately: What You Need To Know and Do


Other

Nippon CSIRT Association publishes the "Cyber Attack Exercise Implementation Manual"

(3/23) Cyber Attack Exercise Implementation Manual | CSIRT - Nippon CSIRT Association


METI publishes the "Cybersecurity Management Guidelines Ver 3.0"

(3/23) Cybersecurity Management Guidelines and support tools (METI / Ministry of Economy, Trade and Industry)


CISA announces the Pre-Ransomware Notification Initiative

(3/23) Getting Ahead of the Ransomware Epidemic: CISA’s Pre-Ransomware Notifications Help Organizations Stop Attacks Before Damage Occurs | CISA


CISA releases the Untitled Goose Tool

(3/23) Untitled Goose Tool Aids Hunt and Incident Response in Azure, Azure Active Directory, and Microsoft 365 Environments | CISA

Today, CISA released the Untitled Goose Tool to help network defenders detect potentially malicious activity in Microsoft Azure, Azure Active Directory (AAD), and Microsoft 365 (M365) environments. The Untitled Goose Tool offers novel authentication and data gathering methods for network defenders to use as they interrogate and analyze their Microsoft cloud services.