今週の気になるセキュリティニュース - Issue #115

Revue アレかね

ポッドキャスト収録用のメモですよ。

podcast - #セキュリティのアレ - ゆるーいセキュリティのポッドキャストですよ。


事件、事故

LINEギフトおよび関連する ECサービスで不適切なデータの取り扱いがあったと LINE が報告

(4/17) LINEギフトおよび提供を終了した弊社ECサービスにおけるデータの取り扱いに関するお知らせとお詫び | LINE Corporation | セキュリティ&プライバシー

このたび、LINEギフトおよび過去に弊社が提供をしていたLINEのECサービス(LINE FLASH SALE・アカウントコマース等)にて、不適切なデータの取り扱いがあったことを確認いたしました。

本件の概要について、下記のとおりご報告いたしますとともに、ユーザーおよび関係者の皆さまに多大なるご迷惑とご心配をおかけしましたことを、深くお詫び申し上げます。

なお、該当データには住所・電話番号・メールアドレスや、銀行口座・クレジットカード番号などは含まれておりません。また、2023年4月17日時点で情報の不正利用などの二次被害の発生は確認されておりません。


3CX への侵入事件について続報。3CX 自身も別のサプライチェーン攻撃の被害者だったことが Mandiant の調査で明らかに。

(4/20) Mandiant Security Update – Initial Intrusion Vector | 3CX

Mandiant identified the source of our internal network compromise began in 2022 when an employee installed the Trading Technologies X_TRADER software on the employee’s personal computer. Although the X_TRADER installation software was downloaded from the Trading Technologies website, it contained VEILEDSIGNAL malware, which enabled the threat actor (identified as UNC4736) to initially compromise and maintain persistence on the employee’s personal computer.

The X_TRADER installer (X_TRADER_r7.17.90p608.exe) was digitally signed by a valid code signing certificate with the subject of “Trading Technologies International, Inc”. It was hosted on hxxps://download.tradingtechnologies[.]com. While the X_TRADER software was reportedly retired in 2020 by Trading Technologies, the software was still available for download on the Trading Technologies website in 2022. The code signing certificate used to digitally sign the malicious software was set to expire in October 2022.

(4/20) 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible | Mandiant

Mandiant Consulting’s investigation of the 3CX supply chain compromise has uncovered the initial intrusion vector: a malware-laced software package distributed via an earlier software supply chain compromise that began with a tampered installer for X_TRADER, a software package provided by Trading Technologies (Figure 1). Mandiant determined that a complex loading process led to the deployment of VEILEDSIGNAL, a multi-stage modular backdoor, and its modules.

(4/20) MAR-10435108-1.v1 ICONICSTEALER | CISA

This submission included one unique file. This file has been identified as a variant of the malware known as ICONICSTEALER. This variant of malware was utilized in the supply chain attack on the commercial software 3CXDesktopApp. The primary purpose of this malware is to steal sensitive data from a victim user's web browser, and make it available for exfiltration by a separate malicious component.

(4/20) Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack | WeLiveSecurity

ESET researchers have discovered a new Lazarus Operation DreamJob campaign targeting Linux users. Operation DreamJob is the name for a series of campaigns where the group uses social engineering techniques to compromise its targets, with fake job offers as the lure. In this case, we were able to reconstruct the full chain, from the ZIP file that delivers a fake HSBC job offer as a decoy, up until the final payload: the SimplexTea Linux backdoor distributed through an OpenDrive cloud storage account. To our knowledge, this is the first public mention of this major North Korea-aligned threat actor using Linux malware as part of this operation.

Additionally, this discovery helped us confirm with a high level of confidence that the recent 3CX supply-chain attack was in fact conducted by Lazarus – a link that was suspected from the very beginning and demonstrated by several security researchers since. In this blogpost, we corroborate these findings and provide additional evidence about the connection between Lazarus and the 3CX supply-chain attack.

(4/21) X_Trader Supply Chain Attack Affects Critical Infrastructure Organizations in U.S. and Europe | Symantec Enterprise Blogs

The X_Trader software supply chain attack affected more organizations than 3CX. Initial investigation by Symantec’s Threat Hunter Team has, to date, found that among the victims are two critical infrastructure organizations in the energy sector, one in the U.S. and the other in Europe. In addition to this, two other organizations involved in financial trading were also breached.


Mullvad VPNスウェーデン警察の家宅捜索を受けたことを報告

(4/20) Mullvad VPN was subject to a search warrant. Customer data not compromised - Blog | Mullvad VPN

Mullvad have been operating our VPN service for over 14 years. This is the first time our offices have been visited with a search warrant.


ブラジルで日本アニメの海賊版サイトが一斉摘発

(4/20) ブラジル「アニメ作戦」一斉摘発で36の日本アニメ海賊版サイトが閉鎖 | 一般社団法人コンテンツ海外流通促進機構(CODA)

 2023年2月から3月にかけて、「goyabu.com」、「animeyabu.com」などブラジルにおける日本アニメの複数の悪質な海賊版サイトがCODA会員の告発によって閉鎖されました。これら海賊版サイトは、権利者から正規の許諾を受けることなく、日本アニメに現地語であるポルトガル語の字幕を付けてインターネット上に公開していました。

 ブラジル政府は、2019年より官民協力による海賊版サイト対策「404作戦」(※1) を継続的に実施し大きな成果を挙げていますが、今回、この作戦の一環として日本アニメに特化した「アニメ作戦(Operation Animes)」(※2) と命名された一斉摘発が初めて決行されました。

 CODAはこれまで、ブラジルの「Anitube」、中国の「B9GOOD」など、海外で運営されている日本人向け海賊版サイトに対する会員の刑事告訴やCODAの刑事告発を行ってきました。しかし今回対象となったサイトは日本人向けではなくブラジルの現地視聴者向けのサイトであり、このような「海外向け」に特化した海賊版サイトに対してCODA会員が刑事告発(※3)を行い、摘発されたのは今回が初めてです。


攻撃、脅威

Google Cybersecurity Action Team が Threat Horizons Report を公開

(4/13) April 2023 Threat Horizons Report


Microsoft が攻撃者グループの命名規則を変更

(4/18) Microsoft shifts to a new threat actor naming taxonomy - Microsoft Security Blog

Today, Microsoft is excited to announce that we are shifting to a new threat actor naming taxonomy aligned to the theme of weather. The complexity, scale, and volume of threats is increasing, driving the need to reimagine not only how Microsoft talks about threats but also how we enable customers to understand those threats quickly and with clarity. With the new taxonomy, we intend to bring better context to customers and security researchers that are already confronted with an overwhelming amount of threat intelligence data. It will offer a more organized, memorable, and easy way to reference adversary groups so that organizations can better prioritize threats and protect themselves. Simply put, security professionals will instantly have an idea of the type of threat actor they are up against, just by reading the name.


Microsoft がイランの攻撃者グループ Mint Sandstorm (旧 PHOSPHORUS) の攻撃活動について報告

(4/18) Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets - Microsoft Security Blog

Over the past several months, Microsoft has observed a mature subgroup of Mint Sandstorm, an Iranian nation-state actor previously tracked as PHOSPHORUS, refining its tactics, techniques, and procedures (TTPs). Specifically, this subset has rapidly weaponized N-day vulnerabilities in common enterprise applications and conducted highly-targeted phishing campaigns to quickly and successfully access environments of interest. This Mint Sandstorm subgroup has also continued to develop and use custom tooling in selected targets, notably organizations in the energy and transportation sectors. Given this subgroup’s capabilities, the profile of past targets, and the potential for cascading effects, Microsoft is publishing details on known tradecraft alongside corresponding detections and mitigations to help organizations protect against this and similar threats.


(4/18) M-Trends 2023: Cybersecurity Insights From the Frontlines | Mandiant


Citizen Lab がイスラエルNSO グループによる 2022年の攻撃活動について報告

(4/18) Triple Threat: NSO Group’s Pegasus Spyware Returns in 2022 with a Trio of iOS 15 and iOS 16 Zero-Click Exploit Chains - The Citizen Lab


NCSC、NSACISA、FBI が共同で攻撃者グループ APT28 による攻撃活動に関する注意喚起

(4/18) APT28 exploits known vulnerability to carry out reconnaissance and deploy malware on Cisco routers - NCSC.GOV.UK

The UK National Cyber Security Centre (NCSC), the US National Security Agency (NSA), US Cybersecurity and Infrastructure Security Agency (CISA) and US Federal Bureau of Investigation (FBI) are releasing this joint advisory to provide details of tactics, techniques and procedures (TTPs) associated with APT28’s exploitation of Cisco routers in 2021.

We assess that APT28 is almost certainly the Russian General Staff Main Intelligence Directorate (GRU) 85th special Service Centre (GTsSS) Military Intelligence Unit 26165. APT28 (also known as Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang and Sofacy) is a highly skilled threat actor.

(4/18) APT28 Exploits Known Vulnerability To Carry Out Reconnaissance and Deploy Malware on Cisco Routers | CISA

NCSC, NSA, CISA, and FBI have released a joint advisory to provide details of tactics, techniques, and procedures (TTPs) associated with APT28's exploitation of Cisco routers in 2021. By exploiting the vulnerability CVE-2017-6742, APT28 used infrastructure to masquerade Simple Network Management protocol (SNMP) access into Cisco routers worldwide, including routers in Europe, U.S. government institutions, and approximately 250 Ukrainian victims.

(4/18) State-sponsored campaigns target global network infrastructure


Sophos が古いドライバを悪用して EDR の停止を試みる攻撃活動について報告

(4/19) ‘AuKill’ EDR killer malware abuses Process Explorer driver – Sophos News

Over the past several months, Sophos X-Ops has investigated multiple incidents where attackers attempted to disable EDR clients with a new defense evasion tool we’ve dubbed AuKill. The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system.


NTTセキュリティが FlowCloud マルウェアを利用する攻撃事例について報告

(4/19) USBメモリを起点としたFlowCloudを用いた攻撃について, Syogo Hayashi, Rintaro Koike


NTTセキュリティが FortiMail を侵入経路とする攻撃事例について報告

(4/21) FortiMailを侵入経路としたインシデントについての事例紹介, Yuki Suzuki

2022年3~4月にかけて対応したインシデントにおいて、インターネットに公開されているFortimailが侵入口であると強く考えられる不正アクセスを確認しました。特筆すべきは、PoCが公開されていない、認証無しでSQLインジェクションが可能な脆弱性(CVE-2021-24007)が利用された可能性がある点です。ただし、状況証拠から推測したものであり、明確な証跡があるわけではありません。


脆弱性

CISA が Known Exploited Vulnerabilities (KEV) カタログに 2+1+3 個の脆弱性を追加

(4/17) CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA

(4/19) CISA Adds One Known Vulnerability to Catalog | CISA

(4/21) CISA Adds Three Known Exploited Vulnerabilities to Catalog | CISA


PaperCut が修正済みの脆弱性の悪用を確認したと報告

(4/19) URGENT | PaperCut MF/NG vulnerability bulletin (March 2023) | PaperCut

We have received two vulnerability reports from a 3rd party cyber security company (Trend Micro), for high/critical severity security issues in PaperCut MF/NG. We have evidence to suggest that unpatched servers are being exploited in the wild.

(4/21) Critical Vulnerabilities in PaperCut Print Management Software

Our team is tracking in-the-wild exploitation of zero-day vulnerabilities against PaperCut MF/NG which allow for unauthenticated remote code execution due to an authentication bypass.


その他

CRYPTREC が暗号技術ガイドライン 2件と耐量子計算機暗号の研究動向調査報告書を公開

(4/17) CRYPTREC | 「CRYPTREC 暗号技術ガイドライン(耐量子計算機暗号)」及び「CRYPTREC 暗号技術ガイドライン(高機能暗号)」の公開

(4/17) CRYPTREC | 耐量子計算機暗号の研究動向調査報告書の公開


WhatsApp、Signal など複数のメッセージングサービスが共同で、英国政府に対して Online Safety Bill 法案の再考を求めるオープンレターを公開

(4/17) An open letter - WhatsApp Blog

As end-to-end-encrypted communication services, we urge the UK Government to address the risks that the Online Safety Bill poses to everyone's privacy and safety. It is not too late to ensure that the Bill aligns with the Government's stated intention to protect end-to-end encryption and respect the human right to privacy.


CISA が SBOM を共有するライフサイクルに関するレポートを公開

(4/17) Software Bill of Materials (SBOM) Sharing Lifecycle Report | CISA

The purpose of this report is to enumerate and describe the different parties and phases of the SBOM sharing lifecycle and to assist readers in choosing suitable SBOM sharing solutions based on the amount of time, resources, subject-matter expertise, effort, and access to tooling that is available to the reader to implement a phase of the SBOM sharing lifecycle. This report also highlights SBOM sharing survey results obtained from interviews with stakeholders to understand the current SBOM sharing landscape.