今週の気になるセキュリティニュース - Issue #125


podcast - #セキュリティのアレ - ゆるーいセキュリティのポッドキャストですよ。


Europol が 2020年に摘発した EncroChat について、その後 6500人以上を逮捕し、900M ユーロ近い犯罪者の資産を差押えたことを公表

(6/27) Dismantling encrypted criminal EncroChat communications leads to over 6 500 arrests and close to EUR 900 million seized | Europol

The dismantling of the encrypted communications tool EncroChat, widely used by organised crime groups (OCGs), has so far led to 6 558 arrests worldwide. 197 of those arrested were High Value Targets. This result is detailed in the first review of EncroChat, which was presented today by the French and Dutch judicial and law enforcement authorities in Lille.

The successful takedown of EncroChat followed the efforts of a joint investigation team (JIT) set up by both countries in 2020, supported by Eurojust and Europol. Since then, close to EUR 900 million in criminal funds have been seized or frozen.

福岡県宗像市マイナンバーカードを利用した証明書交付サービスで証明書の誤発行が発生。原因となった「Fujitsu MICJET コンビニ交付」システムが再停止

(6/29) 「Fujitsu MICJET コンビニ交付」システムの再停止について : 富士通

富士通Japan株式会社(以下、富士通Japan)の提供するシステム「Fujitsu MICJET コンビニ交付」(以下、当該サービス)に起因する度重なる証明書誤発行により、自治体様ならびにサービスご利用の皆様に多大なるご迷惑ご心配をおかけいたしましたことをあらためて深くお詫び申し上げます。


ロシアの衛星通信会社 Dozor-Teleport でネットワーク障害

(6/29) Hackers claim to take down Russian satellite communications provider

A group of previously unknown hackers has claimed responsibility for a cyberattack on the Russian satellite communications provider Dozor-Teleport, which is used by energy companies and the country's defense and security services.

(6/29) Hackers attack Russian satellite telecom provider, claim affiliation with Wagner Group | CyberScoop

Unidentified hackers claimed to have targeted Dozor, a satellite telecommunications provider that services power lines, oil fields, Russian military units and the Federal Security Service (FSB), among others, according to a message posted to Telegram late Wednesday night.

(6/30) Satellite system used by Russian military is hacked - The Washington Post


(6/30) 総務省|報道資料|富士通クラウドテクノロジーズ株式会社に対する通信の秘密の保護及びサイバーセキュリティの確保に係る措置(指導)

(6/30) 当社に対する総務省様からの指導について : 富士通


JOKERSPY の攻撃活動について複数のベンダーが報告

(6/16) Fragments of Cross-Platform Backdoor Hint at Larger Mac OS Attack

(6/21) Emerging Threat! Exposing JOKERSPY | Elastic

  • This is an initial notification of an active intrusion with additional details to follow
  • REF9134 leverages custom and open source tools for reconnaissance and command and control
  • Targets of this activity include a cryptocurrency exchange in Japan

(6/28) JokerSpy | Unknown Adversary Targeting Organizations with Multi-Stage macOS Malware - SentinelOne

Avast が Akira ランサムウェアの復号ツールを公開

(6/29) Decrypted: Akira Ransomware - Avast Threat Labs

Researchers for Avast have developed a decryptor for the Akira ransomware and released it for public download. The Akira ransomware appeared in March 2023 and since then, the gang claims successful attacks on various organizations in the education, finance and real estate industries, amongst others.

Sekoia が DDoSia プロジェクトの分析結果を報告

(6/29) Following NoName057(16) DDoSia Project’s Targets - Sekoia.io Blog

DDoSia is a Distributed Denial of Service (DDoS) attack toolkit, developed and used by the pro Russia hacktivist nationalist group NoName057(16) against countries critical of the Russian invasion of Ukraine.

The DDoSia project was launched on Telegram in early 2022. The NoName057(16) main group main Telegram channel reached more than 45,000 subscribers as of June 2023, while the DDoSia project channels reached over 10,000 users. Administrators posted instructions for potential volunteers who want to participate in projects, and they added the possibility to pay in cryptocurrency for users who declare a valid TON wallet based on their contribution to the DDoS attacks.

CISA が複数のセクターを狙う DDoS 攻撃に関する注意喚起

(6/30) DoS and DDoS Attacks against Multiple Sectors | CISA

CISA is aware of open-source reporting of targeted denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks against multiple organizations in multiple sectors. These attacks can cost an organization time and money and may impose reputational costs while resources and services are inaccessible.

(6/30) CISA issues DDoS warning after attacks hit multiple US orgs


Arcserve UDP に認証バイパスの脆弱性 (CVE-2023-26258)。発見者による PoC も公開。

(6/27) Arcserve UDP Security Fix update - CVE-2023-26258

(6/28) CVE-2023-26258 - Remote Code Execution in ArcServe UDP Backup - MDSec

During a recent adversary simulation, the MDSec ActiveBreach red team were performing a ransomware scenario, with a key objective set on compromising the organisation’s backup infrastructure.

As part of this simulation, Juan Manuel Fernandez and Sean Doherty carried out a detailed analysis of the software used to perform backups (ArcServe UDP). Within minutes of analysing the code, a critical authentication bypass was discovered that allowed access to the administration interface.

In this article we will proceed to explain the root cause of this vulnerability that affects versions 7.0 to 9.0, as well as other interesting tradecraft that may be of interest to both defenders and offensive professionals.

MITRE が 2023年の Common Weakness Enumeration (CWE) Top 25 を発表

(6/29) CWE - 2023 CWE Top 25 Most Dangerous Software Weaknesses

(6/29) 2023 CWE Top 25 Most Dangerous Software Weaknesses | CISA

CISA が Known Exploited Vulnerabilities (KEV) カタログに 8 個の脆弱性を追加

(6/29) CISA Adds Eight Known Exploited Vulnerabilities to Catalog | CISA


Censys が BOD 23-02 の対象となる米連邦政府機関の機器の管理インタフェースの調査結果を報告

(6/26) Identifying CISA BOD 23-02 Internet-Exposed Networked Management Interfaces with Censys - Censys

On June 13, CISA released BOD 23-02 with the objective of mitigating the risks associated with remotely accessible management interfaces that might allow configuration or control of federal agency networks from the public internet. These internet-exposed devices have long been the low-hanging fruit for threat actors to gain unauthorized access to important assets, and it’s encouraging that the federal government is taking this step to proactively improve their overall security posture and those of their adjacent systems.

Censys researchers conducted analysis of the attack surfaces of more than 50 Federal Civilian Executive Branch (FCEB) organizations and sub-organizations. Throughout our investigation, we discovered a total of over 13,000 distinct hosts spread across more than 100 autonomous systems associated with these entities. Examining the services running on these hosts, Censys found hundreds of publicly exposed devices within the scope outlined in the directive.

CISANSA が共同で、CI/CD 環境を保護するためのガイダンスを公開

(6/28) CISA and NSA Release Joint Guidance on Defending Continuous Integration/Continuous Delivery (CI/CD) Environments | CISA

Today, CISA, together with the National Security Agency (NSA), released a Cybersecurity Information Sheet (CSI) to provide recommendations and best practices for organizations to strengthen the security of their CI/CD pipelines against the threat of malicious cyber actors (MCAs).

Proton がパスワードマネージャ Proton Pass をリリース

(6/28) Introducing Proton Pass – Protecting your passwords and online identity | Proton

We’re happy to announce the global launch of Proton Pass, available now as a browser extension on most major browsers (Chrome, Firefox, Edge, Brave, and more) and iPhone/iPad and Android. As the name suggests, Proton Pass is a password manager, one of the most highly demanded services from the Proton community in our annual surveys since we first launched Proton Mail, our encrypted email service, in 2014.


(6/30) 「金融機関のシステム障害に関する分析レポート」の公表について:金融庁