This Week's Noteworthy Security News - Issue #125

Notes for the podcast recording.

podcast - #セキュリティのアレ - a laid-back security podcast.



Incidents and accidents

Europol announces that, following its 2020 takedown of EncroChat, more than 6,500 people have since been arrested and close to EUR 900 million in criminal assets seized

(6/27) Dismantling encrypted criminal EncroChat communications leads to over 6 500 arrests and close to EUR 900 million seized | Europol

The dismantling of the encrypted communications tool EncroChat, widely used by organised crime groups (OCGs), has so far led to 6 558 arrests worldwide. 197 of those arrested were High Value Targets. This result is detailed in the first review of EncroChat, which was presented today by the French and Dutch judicial and law enforcement authorities in Lille.

The successful takedown of EncroChat followed the efforts of a joint investigation team (JIT) set up by both countries in 2020, supported by Eurojust and Europol. Since then, close to EUR 900 million in criminal funds have been seized or frozen.


Certificate issued in error by the My Number Card-based certificate issuance service in Munakata City, Fukuoka Prefecture. The "Fujitsu MICJET コンビニ交付" system that caused it has been halted again

(6/29) On the renewed suspension of the "Fujitsu MICJET コンビニ交付" system : Fujitsu

We once again deeply apologize for the serious inconvenience and concern caused to the municipalities and to users of the service by the repeated erroneous issuance of certificates originating in the "Fujitsu MICJET コンビニ交付" system (hereinafter "the service") provided by Fujitsu Japan Ltd. (hereinafter "Fujitsu Japan").

Regarding the service, we carried out a re-inspection that involved halting the system and announced its completion on June 17; however, on June 28 a new erroneous certificate issuance occurred at a municipality using the service. Details are as follows.


Network outage at Russian satellite communications company Dozor-Teleport

(6/29) Hackers claim to take down Russian satellite communications provider

A group of previously unknown hackers has claimed responsibility for a cyberattack on the Russian satellite communications provider Dozor-Teleport, which is used by energy companies and the country's defense and security services.

(6/29) Hackers attack Russian satellite telecom provider, claim affiliation with Wagner Group | CyberScoop

Unidentified hackers claimed to have targeted Dozor, a satellite telecommunications provider that services power lines, oil fields, Russian military units and the Federal Security Service (FSB), among others, according to a message posted to Telegram late Wednesday night.

(6/30) Satellite system used by Russian military is hacked - The Washington Post


Ministry of Internal Affairs and Communications issues administrative guidance to Fujitsu Cloud Technologies

(6/30) Ministry of Internal Affairs and Communications | Press release | Measures (guidance) concerning the protection of the secrecy of communications and the assurance of cybersecurity, directed at Fujitsu Cloud Technologies Ltd.

(6/30) Regarding the guidance issued to us by the Ministry of Internal Affairs and Communications : Fujitsu


Attacks and threats

Multiple vendors report on JOKERSPY attack activity

(6/16) Fragments of Cross-Platform Backdoor Hint at Larger Mac OS Attack

(6/21) Emerging Threat! Exposing JOKERSPY | Elastic

  • This is an initial notification of an active intrusion with additional details to follow
  • REF9134 leverages custom and open source tools for reconnaissance and command and control
  • Targets of this activity include a cryptocurrency exchange in Japan

(6/28) JokerSpy | Unknown Adversary Targeting Organizations with Multi-Stage macOS Malware - SentinelOne


Avast releases a decryptor for the Akira ransomware

(6/29) Decrypted: Akira Ransomware - Avast Threat Labs

Researchers for Avast have developed a decryptor for the Akira ransomware and released it for public download. The Akira ransomware appeared in March 2023 and since then, the gang claims successful attacks on various organizations in the education, finance and real estate industries, amongst others.


Sekoia reports its analysis of the DDoSia project

(6/29) Following NoName057(16) DDoSia Project’s Targets - Sekoia.io Blog

DDoSia is a Distributed Denial of Service (DDoS) attack toolkit, developed and used by the pro Russia hacktivist nationalist group NoName057(16) against countries critical of the Russian invasion of Ukraine.

The DDoSia project was launched on Telegram in early 2022. The NoName057(16) group's main Telegram channel reached more than 45,000 subscribers as of June 2023, while the DDoSia project channels reached over 10,000 users. Administrators posted instructions for potential volunteers who want to participate in projects, and they added the possibility to pay in cryptocurrency for users who declare a valid TON wallet based on their contribution to the DDoS attacks.


CISA issues an alert on DDoS attacks targeting multiple sectors

(6/30) DoS and DDoS Attacks against Multiple Sectors | CISA

CISA is aware of open-source reporting of targeted denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks against multiple organizations in multiple sectors. These attacks can cost an organization time and money and may impose reputational costs while resources and services are inaccessible.

(6/30) CISA issues DDoS warning after attacks hit multiple US orgs


Vulnerabilities

Authentication bypass vulnerability in Arcserve UDP (CVE-2023-26258). The discoverers have also published a PoC.

(6/27) Arcserve UDP Security Fix update - CVE-2023-26258

(6/28) CVE-2023-26258 - Remote Code Execution in ArcServe UDP Backup - MDSec

During a recent adversary simulation, the MDSec ActiveBreach red team were performing a ransomware scenario, with a key objective set on compromising the organisation’s backup infrastructure.

As part of this simulation, Juan Manuel Fernandez and Sean Doherty carried out a detailed analysis of the software used to perform backups (ArcServe UDP). Within minutes of analysing the code, a critical authentication bypass was discovered that allowed access to the administration interface.

In this article we will proceed to explain the root cause of this vulnerability that affects versions 7.0 to 9.0, as well as other interesting tradecraft that may be of interest to both defenders and offensive professionals.


MITRE announces the 2023 Common Weakness Enumeration (CWE) Top 25

(6/29) CWE - 2023 CWE Top 25 Most Dangerous Software Weaknesses

(6/29) 2023 CWE Top 25 Most Dangerous Software Weaknesses | CISA


CISA adds 8 vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog

(6/29) CISA Adds Eight Known Exploited Vulnerabilities to Catalog | CISA


Other

Censys reports the results of its survey of management interfaces on US federal agency devices in scope of BOD 23-02

(6/26) Identifying CISA BOD 23-02 Internet-Exposed Networked Management Interfaces with Censys - Censys

On June 13, CISA released BOD 23-02 with the objective of mitigating the risks associated with remotely accessible management interfaces that might allow configuration or control of federal agency networks from the public internet. These internet-exposed devices have long been the low-hanging fruit for threat actors to gain unauthorized access to important assets, and it’s encouraging that the federal government is taking this step to proactively improve their overall security posture and those of their adjacent systems.

Censys researchers conducted analysis of the attack surfaces of more than 50 Federal Civilian Executive Branch (FCEB) organizations and sub-organizations. Throughout our investigation, we discovered a total of over 13,000 distinct hosts spread across more than 100 autonomous systems associated with these entities. Examining the services running on these hosts, Censys found hundreds of publicly exposed devices within the scope outlined in the directive.


CISA and NSA jointly publish guidance for protecting CI/CD environments

(6/28) CISA and NSA Release Joint Guidance on Defending Continuous Integration/Continuous Delivery (CI/CD) Environments | CISA

Today, CISA, together with the National Security Agency (NSA), released a Cybersecurity Information Sheet (CSI) to provide recommendations and best practices for organizations to strengthen the security of their CI/CD pipelines against the threat of malicious cyber actors (MCAs).


Proton releases the Proton Pass password manager

(6/28) Introducing Proton Pass – Protecting your passwords and online identity | Proton

We’re happy to announce the global launch of Proton Pass, available now as a browser extension on most major browsers (Chrome, Firefox, Edge, Brave, and more) and iPhone/iPad and Android. As the name suggests, Proton Pass is a password manager, one of the most highly demanded services from the Proton community in our annual surveys since we first launched Proton Mail, our encrypted email service, in 2014.


Financial Services Agency publishes the "Analysis Report on System Failures at Financial Institutions"

(6/30) On the publication of the "Analysis Report on System Failures at Financial Institutions" : Financial Services Agency

Based on the supervisory guidelines and related rules, the Financial Services Agency receives reports of system failures and similar incidents from financial institutions and, where necessary, conducts confirmations and hearings on the status of recovery from the failure, its causes and the measures taken to prevent recurrence.

Each year, based on the system failure reports received from financial institutions, the Financial Services Agency compiles the results of its analysis of the trends, causes and countermeasures of system failures into a report and publishes it as a reference for financial institutions' system risk management.

We have now compiled the trends of the system failures for which reports were received in fiscal 2022 (April 2022 to March 2023), together with the events, causes and countermeasures of representative cases among the system failures for which reports were received between July 2018 and March 2023, and are publishing them as a PDF report.