This Week's Security News Worth Watching - Issue #122

These are my notes for recording the podcast.

podcast - #セキュリティのアレ - a laid-back security podcast.



Incidents and accidents

Connectivity outages at the websites of Mie Prefecture, Kagoshima Prefecture and others caused by DNS random subdomain attacks (water torture attacks)

(6/6) Mie Prefecture | Prefectural DX: On the outage affecting the websites of Mie Prefecture and 10 municipalities in the prefecture

1 Facts

 Starting at around 6:00 p.m. today (June 6), the websites of Mie Prefecture and 10 municipalities in the prefecture (Tsu City, Yokkaichi City, Ise City, Matsusaka City, Kuwana City, Nabari City, Kameyama City, Kumano City, Iga City and Kiho Town) became unreachable for residents, and sending and receiving of Internet email was delayed. Service was restored at around 6:36 p.m.

2 Cause

 The outage was caused by an external cyberattack on the security cloud service used by Mie Prefecture (the Mie Prefecture Local Government Information Security Cloud). The service provider has reported that this cyberattack was intended to take the service down by sending a large volume of connection requests to the DNS server, that there was no impact beyond the DNS server going down, and that no information was leaked.

(6/8) Kagoshima Prefecture / On the communication outage of the prefectural website (Thursday, June 8)

From around 8:00 a.m. on Thursday, June 8, 2023, the Kagoshima Prefecture website was difficult to reach. The outage was largely resolved by around 8:15 p.m. the same day, and the site has been usable without problems since then.
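The two outages above are attributed to a random subdomain ("water torture") flood: the attacker sends queries for large numbers of non-existent, random-looking names under a target zone so that the authoritative server (or the resolver in front of it) is overwhelmed. As an added example that is not part of the original post or of either prefecture's report, the Python below shows the detection side: it reads resolver query log lines, buckets them per zone and time window, and flags windows with many distinct leftmost labels, a high NXDOMAIN ratio and high per-label entropy. The log format, zone names, client addresses and thresholds are all constructed for the example and are assumptions, not values from the page.

```python
"""Detect DNS random-subdomain ("water torture") floods in resolver query logs.

Constructed log format, one query per line (hypothetical, not a real product's format):
    <epoch-seconds> <client-ip> <qname> <rcode>
"""
import math
import random
from collections import defaultdict


def zone_of(qname: str, labels: int = 2) -> str:
    """Return the zone under attack: the last `labels` labels of the query name."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of one label.
    Random strings score high; ordinary hostnames such as "www" score low."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str):
    """Yield (timestamp, client, qname, rcode) tuples, skipping malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        ts, client, qname, rcode = fields
        try:
            yield int(ts), client, qname.lower(), rcode.upper()
        except ValueError:
            continue


def detect_water_torture(text, window=60, min_unique=20, min_nx_ratio=0.8, min_entropy=2.5):
    """Flag zones that, within a `window`-second bucket, see many distinct leftmost
    labels, mostly answered NXDOMAIN, whose labels look random (high mean entropy).
    Returns {zone: summary} for flagged zones; an empty dict means nothing was flagged."""
    buckets = defaultdict(lambda: {"total": 0, "nx": 0, "labels": set(), "clients": set()})
    for ts, client, qname, rcode in parse_log(text):
        b = buckets[(zone_of(qname), ts // window)]
        b["total"] += 1
        b["nx"] += int(rcode == "NXDOMAIN")
        b["labels"].add(qname.split(".")[0])
        b["clients"].add(client)

    alerts = {}
    for (zone, bucket), b in buckets.items():
        nx_ratio = b["nx"] / b["total"]
        mean_entropy = sum(label_entropy(l) for l in b["labels"]) / len(b["labels"])
        if len(b["labels"]) >= min_unique and nx_ratio >= min_nx_ratio and mean_entropy >= min_entropy:
            alerts[zone] = {
                "window_start": bucket * window,
                "queries": b["total"],
                "unique_labels": len(b["labels"]),
                "nxdomain_ratio": round(nx_ratio, 2),
                "sources": len(b["clients"]),
            }
    return alerts


def build_sample_log(seed: int = 1) -> str:
    """Constructed sample: 40 random-label NXDOMAIN queries against example.jp from a
    handful of (spoofed) source addresses, plus ordinary traffic that must not be flagged."""
    rng = random.Random(seed)
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    base = 1686042000  # constructed epoch; all attack lines fall in one 60 s bucket
    lines = []
    for i in range(40):
        label = "".join(rng.choice(alphabet) for _ in range(12))
        lines.append(f"{base + i} 198.51.100.{rng.randint(1, 8)} {label}.example.jp NXDOMAIN")
    for i, host in enumerate(["www", "mail", "www", "ns1", "www", "mail"]):
        lines.append(f"{base + i} 192.0.2.{i + 1} {host}.pref.example.jp NOERROR")
    for i, host in enumerate(["www", "www", "api"]):
        lines.append(f"{base + i} 192.0.2.20 {host}.other.example NOERROR")
    return "\n".join(lines)


if __name__ == "__main__":
    for zone, summary in detect_water_torture(build_sample_log()).items():
        print(zone, summary)
```

The three conditions are deliberately combined: a high NXDOMAIN ratio alone also fires on typo traffic or a misconfigured client, and a large number of distinct labels alone also fires on legitimate wildcard or CDN zones; only the combination with random-looking labels points at a water torture flood. The `sources` count is reported because in this attack the client addresses are often spoofed or belong to open resolvers, so blocking by source address is rarely an effective mitigation and rate-limiting per zone is the more useful response.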


Attacks and threats

Recorded Future reports on activity by a North Korean threat actor group targeting Asia, including Japan, and the US

(6/6) North Korea-Aligned TAG-71 Spoofs Financial Institutions in Asia and US | Recorded Future

Insikt Group has discovered malicious cyber threat activity spoofing several financial institutions and venture capital firms in Japan, Vietnam, and the United States. The group responsible, referred to as Threat Activity Group 71 (TAG-71), has significant overlaps with the North Korean state-sponsored APT38. Between September 2022 and March 2023, Insikt Group discovered 74 domains and 6 malicious files associated with TAG-71's activities.

TAG-71 has previously been observed spoofing domains belonging to financial firms and cloud services in Japan, Taiwan, and the United States. In March 2022, Insikt Group identified 18 malicious servers tied to TAG-71, which were also linked to the publicly reported CryptoCore campaign. These servers were used for malware delivery, phishing, and command and control operations, often impersonating popular cloud services and cryptocurrency exchanges.


Verizon publishes the "2023 Data Breach Investigations Report"

(6/7) 2023 Data Breach Investigations Report | Verizon


CISA and the FBI jointly issue an alert on the attack activity of the CL0P ransomware group

(6/7) CISA and FBI Release #StopRansomware: CL0P Ransomware Gang Exploits MOVEit Vulnerability | CISA

The CL0P Ransomware Gang, also known as TA505, reportedly began exploiting a previously unknown SQL injection vulnerability in Progress Software's managed file transfer (MFT) solution known as MOVEit Transfer. Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases.

(6/8) MOVEit Transfer Vulnerability (CVE-2023-34362) | Kroll

On June 5, 2023, the Clop ransomware group publicly claimed responsibility for exploitation of a zero-day vulnerability in the MOVEit Transfer secure file transfer web application (CVE-2023-34362). Kroll previously provided guidance on steps to mitigate risks associated with this critical vulnerability, which allows attackers to gain unauthenticated access to MOVEit Transfer servers.

Subsequent Kroll analysis of this exploitation has confirmed that threat actors are using this vulnerability to upload a web shell and exfiltrate data. However, Kroll forensic review has also identified activity indicating that the Clop threat actors were likely experimenting with ways to exploit this particular vulnerability as far back as 2021.


Microsoft issues an alert on an AiTM phishing and business email compromise (BEC) campaign

(6/8) Detecting and mitigating a multi-stage AiTM phishing and BEC campaign | Microsoft Security Blog

Microsoft Defender Experts uncovered a multi-stage adversary-in-the-middle (AiTM) phishing and business email compromise (BEC) attack against banking and financial services organizations. The attack originated from a compromised trusted vendor and transitioned into a series of AiTM attacks and follow-on BEC activity spanning multiple organizations. This attack shows the complexity of AiTM and BEC threats, which abuse trusted relationships between vendors, suppliers, and other partner organizations with the intent of financial fraud.


Vulnerabilities

Google Chrome zero-day vulnerability fixed

(6/5) Chrome Releases: Stable Channel Update for Desktop


CISA adds 2+1 vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog

(6/5) CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA

  • CVE-2023-33009 Zyxel Multiple Firewalls Buffer Overflow Vulnerability
  • CVE-2023-33010 Zyxel Multiple Firewalls Buffer Overflow Vulnerability

(6/7) CISA Adds One Known Exploited Vulnerability to Catalog | CISA


Follow-up on the Barracuda Email Security Gateway (ESG) appliance vulnerability: Barracuda notifies customers to replace affected appliances immediately

(6/6) Barracuda Email Security Gateway Appliance (ESG) Vulnerability

ACTION NOTICE: Impacted ESG appliances must be immediately replaced regardless of patch version level. If you have not replaced your appliance after receiving notice in your UI, contact support now (support@barracuda.com).

Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG.

(6/8) CVE-2023-2868: Total Compromise of Physical Barracuda ESG Appliances | Rapid7 Blog


Another vulnerability in MOVEit Transfer, distinct from CVE-2023-34362

(6/9) MOVEit Transfer and MOVEit Cloud Vulnerability

June 9, 2023: In addition to the ongoing investigation into vulnerability (CVE-2023-34362), we have partnered with third-party cybersecurity experts to conduct further detailed code reviews as an added layer of protection for our customers. As part of these code reviews, cybersecurity firm Huntress has helped us to uncover additional vulnerabilities that could potentially be used by a bad actor to stage an exploit. These newly discovered vulnerabilities are distinct from the previously reported vulnerability shared on May 31, 2023.

(6/9) MOVEit Transfer Critical Vulnerability – CVE Pending Reserve Status (June 9, 2023) - Progress Community

SQL Injection (CVE pending MITRE): In Progress MOVEit Transfer versions released before 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), 2023.0.2 (15.0.2), multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content. All versions of MOVEit Transfer are affected by this vulnerability. Patches for this vulnerability are available for supported versions and are listed in the Recommended Remediation section.


Other

1Password adds passkey support in the beta version of its browser extension

(6/6) Save and Sign In with Passkeys Using 1Password In the Browser | 1Password

Last year, we joined the FIDO Alliance and committed to building safer, simpler, and faster login solutions for everyone. Today, we’re taking a major step forward and announcing that passkey support has started to arrive in 1Password. Using the public beta versions of 1Password in the browser, you can now save and sign in to online accounts with passkeys.


CISA, the FBI and partners jointly publish guidance on the secure use of remote access software

(6/6) CISA and Partners Release Joint Guide to Securing Remote Access Software | CISA


FIRST publishes the CVSS v4.0 Public Preview

(6/8) Common Vulnerability Scoring System