This Week's Noteworthy Security News - Issue #123

These are notes for recording the podcast.

podcast - #セキュリティのアレ - A laid-back security podcast.

Incidents and accidents

A string of ransomware infections at companies in Japan. Outages in the cloud services and other offerings each company provides affected many customers.

(6/6) Notice of a ransomware infection caused by a third party | 株式会社エムケイシステム

(6/8) クラウドAZタワー: Notice and apology regarding a malware attack by a third party | News | パーパス株式会社

(6/13) About the outage currently occurring | 株式会社プロット


The US Department of Justice arrests and charges a Russian national involved in attacks using LockBit

(6/15) Russian National Arrested and Charged with Conspiring to Commit LockBit Ransomware Attacks Against U.S. and Foreign Businesses | OPA | Department of Justice

According to a criminal complaint obtained in the District of New Jersey, from at least as early as August 2020 to March 2023, Astamirov allegedly participated in a conspiracy with other members of the LockBit ransomware campaign to commit wire fraud and to intentionally damage protected computers and make ransom demands through the use and deployment of ransomware. Specifically, Astamirov directly executed at least five attacks against victim computer systems in the United States and abroad.


Attacks and threats

Mandiant reports on the activity of a Chinese threat group exploiting a VMware ESXi vulnerability

(6/13) VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors | Mandiant


CISA, FBI, MS-ISAC and others jointly publish an advisory on LockBit ransomware

(6/14) Understanding Ransomware Threat Actors: LockBit | CISA


Microsoft reports on the activity of the Russian threat group Cadet Blizzard

(6/14) Ongoing Russian cyberattacks targeting Ukraine - Microsoft On the Issues

Microsoft threat intelligence teams have been tracking a wave of cyberattacks from an actor we call Cadet Blizzard that is associated with the Russian GRU. These attacks, which began in February 2023, targeted government agencies and IT service providers in Ukraine. We can also now attribute to Cadet Blizzard the destructive WhisperGate wiper attacks against Ukraine detected by Microsoft in January 2022 prior to Russia’s invasion.

(6/14) Ongoing Russian cyberattacks targeting Ukraine - Microsoft On the Issues

Today, Microsoft Threat Intelligence is sharing updated details about techniques of a threat actor formerly tracked as DEV-0586—a distinct Russian state-sponsored threat actor that has now been elevated to the name Cadet Blizzard. As a result of our investigation into their intrusion activity over the past year, we have gained high confidence in our analysis and knowledge of the actor’s tooling, victimology, and motivation, meeting the criteria to convert this group to a named threat actor.


Mandiant reports on the activity of a Chinese threat group exploiting a Barracuda ESG vulnerability

(6/15) Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China | Mandiant

On May 23, 2023, Barracuda announced that a zero-day vulnerability (CVE-2023-2868) in the Barracuda Email Security Gateway (ESG) had been exploited in-the-wild as early as October 2022 and that they engaged Mandiant to assist in the investigation. Through the investigation, Mandiant identified a suspected China-nexus actor, currently tracked as UNC4841, targeting a subset of Barracuda ESG appliances to utilize as a vector for espionage, spanning a multitude of regions and sectors. Mandiant assesses with high confidence that UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People’s Republic of China.

(6/15 updated) Barracuda Email Security Gateway Appliance (ESG) Vulnerability


Vulnerabilities

A remote code execution vulnerability in VMware Aria Operations for Networks (CVE-2023-20887). A PoC has been published and exploitation has been confirmed.

(6/7) VMSA-2023-0012.1

(6/13) Pre-authenticated RCE in VMware vRealize Network Insight

In this post we'll go over the exploitation process of VMware Aria Operations for Networks (formerly vRealize Network Insight), specifically CVE-2023-20887. This is a chain of two issues which results in Remote Code Execution (RCE). Despite independently discovering and reporting the Pre-Authentication Remote Code Execution (CVE-2023-20887) vulnerability to the Zero Day Initiative (ZDI), along with several other vulnerabilities, I was outpaced by an anonymous researcher who reported it first. This post will examine the exploitation process of CVE-2023-20887 in VMware Aria Operations for Networks (formerly known as vRealize Network Insight). This vulnerability comprises a chain of two issues leading to Remote Code Execution (RCE) that can be exploited by unauthenticated attackers.

(6/15) Observed In The Wild: New Tag For CVE-2023-20887 — VMWare Aria Operations for Networks

At the time of writing we have observed attempted mass-scanning activity utilizing the Proof-Of-Concept code mentioned above in an attempt to launch a reverse shell which connects back to an attacker controlled server in order to receive further commands.


A remote code execution vulnerability in the SSL-VPN of FortiOS and FortiProxy (CVE-2023-27997)

(6/12) FortiOS & FortiProxy - Heap buffer overflow in sslvpn pre-authentication | PSIRT Advisories | FortiGuard

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS and FortiProxy SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.

(6/12) Analysis of CVE-2023-27997 and Clarifications on Volt Typhoon Campaign | Fortinet Blog

Our investigation found that one issue (FG-IR-23-097) may have been exploited in a limited number of cases and we are working closely with customers to monitor the situation.

(6/13) Lexfo's security blog - XORtigate: Pre-authentication Remote Code Execution on Fortigate VPN (CVE-2023-27997)

During a redteam assessment for one of our clients, we had the opportunity to look into Fortigate SSL VPN, one of the most used VPN solutions worldwide. We discovered a heap overflow bug on the internet-facing interface of the VPN. This vulnerability, which is reachable without authentication, can be leveraged to get remote code execution on Fortigate instances. CVE-2023-27997 was assigned, with a CVSS of 9.2 (but really, it's a 10). We believe the bug has been present for a long, long time (more than on the 7.x and 6.x branches). Please refer to FG-IR-23-097 for details about affected versions.


CISA adds one vulnerability to the Known Exploited Vulnerabilities (KEV) catalog

(6/13) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

  • CVE-2023-27997 Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability


Microsoft releases its June 2023 monthly security updates. None of the fixed vulnerabilities has been confirmed as already exploited.

(6/13) June 2023 Security Updates (monthly) | MSRC Blog | Microsoft Security Response Center

Among the vulnerabilities fixed in this month's security updates, the following have a high CVSS base score of 9.8 and can be exploited without authentication or user interaction. For the products affected by these vulnerabilities and the conditions under which exploitation is possible, refer to the "Frequently Asked Questions" section on each CVE's page. There was no public disclosure of vulnerability information or exploitation before the security updates were released, but given the nature of these vulnerabilities, we recommend that enterprise organizations perform a risk assessment and apply the security updates promptly.

  • CVE-2023-29357 Microsoft SharePoint Server Elevation of Privilege Vulnerability
  • CVE-2023-29363 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
  • CVE-2023-32015 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
  • CVE-2023-32014 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

(6/13) Zero Day Initiative — The June 2023 Security Update Review


MOVEit Transfer has another vulnerability (CVE-2023-35708), distinct from CVE-2023-34362 and CVE-2023-35036. A PoC for CVE-2023-34362 has also been published.

(6/16 updated) MOVEit Transfer and MOVEit Cloud Vulnerability

June 16, 2023: Yesterday we reported the public posting of a new SQLi vulnerability that required us to take down HTTPs traffic for MOVEit Cloud and to ask MOVEit Transfer customers to take down their HTTP and HTTPs traffic to safeguard their environments. We have now tested and deployed a patch to MOVEit Cloud, returning it to full service across all cloud clusters. We have also shared this patch and the necessary deployment steps with all MOVEit Transfer customers.

(6/15) MOVEit Transfer Critical Vulnerability – CVE-2023-35708 (June 15, 2023) - Progress Community

Progress has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment. If you are a MOVEit Transfer customer, it is extremely important that you take immediate action as noted below in order to help protect your MOVEit Transfer environment. In Progress MOVEit Transfer versions released before 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), 2023.0.3 (15.0.3), a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an un-authenticated attacker to gain unauthorized access to the MOVEit Transfer database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.

(6/12) CVE-2023-34362 | AttackerKB

This analysis will focus on a full exploit chain for CVE-2023-34362. Notably, the vendor, Progress Software, has continued to update their advisories for both vulnerabilities. We recommend that MOVEit Transfer customers use those advisories (CVE-2023-34362 and CVE-2023-35036) as their source of truth on affected and fixed versions.

(6/15) US government hit in global cyberattack | CNN Politics


Other

CISA issues Binding Operational Directive 23-02 to federal civilian agencies

(6/13) CISA Directs Federal Agencies to Secure Internet-Exposed Management Interfaces | CISA

The Cybersecurity and Infrastructure Security Agency (CISA) today issued Binding Operational Directive (BOD) 23-02, Mitigating the Risk from Internet-Exposed Management Interfaces, which requires federal civilian agencies to remove specific networked management interfaces from the public-facing internet or implement Zero Trust Architecture capabilities that enforce access control to the interface within 14 days of discovery.

(6/13) Binding Operational Directive 23-02 | CISA


NTT Security publishes "Cyber Security Report 2023.05"

(6/14) Cyber Security Report 2023.05