This Week's Security News of Interest - Issue #127

Notes for the podcast recording.

podcast - #セキュリティのアレ - a laid-back security podcast.



Incidents and accidents

Large-scale unauthorized fund transfers at Multichain

(7/7) More than $125 million taken from crypto platform Multichain

(7/10) Multichain Exploit: Possible hack or rug pull

On July 6, 2023, cross-chain bridge protocol Multichain experienced unusually large, unauthorized withdrawals in what appears to be a hack or rug pull by insiders, leaving many ecosystem participants perplexed. Multichain’s recent exploit, which resulted in losses of more than $125 million, is one of the biggest crypto hacks on record.

Cross-chain bridge protocols have proven lucrative targets for hackers, largely due to their experimental designs and the fact that they generally have large, centralized repositories of assets bridged by users to other blockchains. However, Multichain has recently experienced some notable issues unrelated to its protocol design, which have prompted public suspicions that this recent exploit may have been carried out by insiders. Below, we’ll share what we know so far about the Multichain exploit.


Personal Information Protection Commission issues administrative guidance to Toyota Motor Corporation

(7/12) Administrative response under the Act on the Protection of Personal Information to the personal data leak incident at Toyota Motor Corporation (July 12, 2023) | Personal Information Protection Commission

(7/12) Apology and notice regarding the possible leak of customer information (report on recurrence prevention measures) | Corporate | Global Newsroom | Toyota Motor Corporation Official Corporate Website


Fujitsu announces inspection results and a remediation plan for the "Fujitsu MICJET コンビニ交付" (convenience store certificate issuance) system

(7/14) On the remediation plan for the "Fujitsu MICJET コンビニ交付" system : Fujitsu

As a result of inspections (1) and (2) above, we found that in 44 of all 123 municipalities the fix for this issue had not been applied, so we have asked them to keep the service suspended and will apply the fix starting in mid-July. We also found other cases where required fixes had not been applied; these were not fixes for faults that could lead to personal information leaks such as the erroneous issuance of another person's certificate, but we will apply them as quickly as possible, for example together with the fix for this issue, after coordinating with each municipality according to its wishes. For municipalities in neither category, we have confirmed that all required fixes have been applied and that their systems are up to date.


Attacks and threats

ESET Threat Report H1 2023 published

(7/11) ESET Threat Report H1 2023 | WeLiveSecurity


Microsoft reports on attack activity by the China-based threat actor group Storm-0558

(7/11) Mitigation for China-Based Threat Actor Activity - Microsoft On the Issues

Today, we are publishing details of activity by a China-based actor Microsoft is tracking as Storm-0558 that gained access to email accounts affecting approximately 25 organizations including government agencies as well as related consumer accounts of individuals likely associated with these organizations. We have been working with the impacted customers and notifying them prior to going public with further details. At this stage – and in coordination with customers – we are sharing the details of the incident and threat actor to benefit the industry.

(7/11) Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email | MSRC Blog | Microsoft Security Response Center

Microsoft has mitigated an attack by a China-based threat actor Microsoft tracks as Storm-0558 which targeted customer emails. Storm-0558 primarily targets government agencies in Western Europe and focuses on espionage, data theft, and credential access. Based on customer reported information on June 16, 2023, Microsoft began an investigation into anomalous mail activity. Over the next few weeks, our investigation revealed that beginning on May 15, 2023, Storm-0558 gained access to email accounts affecting approximately 25 organizations in the public cloud including government agencies as well as related consumer accounts of individuals likely associated with these organizations. They did this by using forged authentication tokens to access user email using an acquired Microsoft account (MSA) consumer signing key. Microsoft has completed mitigation of this attack for all customers.

Our telemetry indicates that we have successfully blocked Storm-0558 from accessing customer email using forged authentication tokens. No customer action is required. As with any observed nation-state actor activity, Microsoft has contacted all targeted or compromised organizations directly via their tenant admins and provided them with important information to help them investigate and respond. We continue to work closely with these organizations. If you have not been contacted, our investigations indicate that you have not been impacted.

Microsoft is partnering with DHS CISA and others to protect affected customers and address the issue. We continue to investigate and monitor the Storm-0558 activity.

(7/14) Analysis of Storm-0558 techniques for unauthorized email access | Microsoft Security Blog

On July 11, 2023, Microsoft published two blogs detailing a malicious campaign by a threat actor tracked as Storm-0558 that targeted customer email that we’ve detected and mitigated: Microsoft Security Response Center and Microsoft on the Issues. As we continue our investigation into this incident and deploy defense in depth measures to harden all systems involved, we’re providing this deeper analysis of the observed actor techniques for obtaining unauthorized access to email data, tools, and unique infrastructure characteristics.

(7/12) CISA and FBI Release Cybersecurity Advisory on Enhanced Monitoring to Detect APT Activity Targeting Outlook Online | CISA

(7/12) Chinese hackers breach U.S. government email through Microsoft cloud - The Washington Post

Chinese cyberspies, exploiting a fundamental gap in Microsoft’s cloud, hacked email accounts at the Commerce and State departments, including that of Commerce Secretary Gina Raimondo — whose agency has imposed stiff export controls on Chinese technologies that Beijing has denounced as a malicious attempt to suppress its companies.


JPCERT/CC reports on attack activity by DangerousPassword

(7/12) Attacks by DangerousPassword targeting developers' Windows, macOS, and Linux environments - JPCERT/CC Eyes | JPCERT Coordination Center official blog

At the end of May, JPCERT/CC confirmed attacks targeting developers at cryptocurrency exchange operators that appear to be related to the targeted attack group DangerousPassword [1][2] (also known as CryptoMimic or SnatchCrypto), which has been conducting attacks continuously since June 2019. These attacks target Windows, macOS, and Linux environments that have Python or Node.js installed.


Chainalysis reports on cryptocurrency-related crime in the first half of 2023

(7/12) 2023 Crypto Crime Mid-year Update: Crime Down 65% Overall


Vulnerabilities

Apple ships Rapid Security Responses for macOS and iOS / iPadOS

(7/10) Apple security releases - Apple Support

(7/11) If you applied Rapid Security Response iOS 16.5.1 (a), iPadOS 16.5.1 (a), or macOS Ventura 13.4.1 (a) - Apple Support


Microsoft releases the July 2023 Patch Tuesday updates, which include multiple vulnerabilities already confirmed to be exploited.

(7/11) July 2023 Security Updates (monthly) | MSRC Blog | Microsoft Security Response Center

Among the vulnerabilities fixed in this month's security updates, we have confirmed that the following were exploited, or had their details publicly disclosed, before the updates were released. Customers should apply the updates as soon as possible. For details of each vulnerability, refer to its CVE page.

  • CVE-2023-32046 Windows MSHTML Platform Elevation of Privilege Vulnerability
  • CVE-2023-32049 Windows SmartScreen Security Feature Bypass Vulnerability
  • CVE-2023-35311 Microsoft Outlook Security Feature Bypass Vulnerability
  • CVE-2023-36874 Windows Error Reporting Service Elevation of Privilege Vulnerability
  • ADV230001 Guidance on Microsoft Signed Drivers Being Used Maliciously

Of the vulnerabilities published this month, no update is currently available for CVE-2023-36884, "Office and Windows HTML Remote Code Execution Vulnerability". We will release an update as soon as it is ready and update the CVE-2023-36884 page in the Security Update Guide.

(7/11) Storm-0978 attacks reveal financial and espionage motives | Microsoft Security Blog

Microsoft has identified a phishing campaign conducted by the threat actor tracked as Storm-0978 targeting defense and government entities in Europe and North America. The campaign involved the abuse of CVE-2023-36884, which included a remote code execution vulnerability exploited before disclosure to Microsoft via Word documents, using lures related to the Ukrainian World Congress.

(7/10) RomCom Threat Actor Suspected of Targeting Ukraine's NATO Membership Talks at the NATO Summit

On July 4, the BlackBerry Threat Research and Intelligence team found two malicious documents submitted from an IP address in Hungary, sent as lures to an organization supporting Ukraine abroad, and a document targeting upcoming NATO Summit guests who may also be providing support to Ukraine.

Our analysis based on the tactics, techniques, and procedures (TTPs), code similarity, and threat actor network infrastructure leads us to conclude that the threat actor known as RomCom is likely behind this operation.

Based on our internal telemetry, network data analysis, and the full set of cyber weapons we collected, we believe the threat actor behind this campaign ran their first drills on June 22, and also a few days before the command-and-control (C2) mentioned in this report was registered and went live.

(7/11) Zero Day Initiative — The July 2023 Security Update Review

(7/11) Microsoft Revokes Malicious Drivers in Patch Tuesday Culling – Sophos News

(7/11) Hunting for A New Stealthy Universal Rootkit Loader

(7/11) Old certificate, new signature: Open-source tools forge signature timestamps on Windows drivers

(7/11) Microsoft: Unpatched Office zero-day exploited in NATO summit attacks


CISA adds 5+2 vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog

(7/11) CISA Adds Five Known Vulnerabilities to Catalog | CISA

(7/13) CISA Adds Two Known Vulnerabilities to Catalog | CISA


Multiple vulnerabilities in SonicWall GMS/Analytics

(7/12) Urgent Security Notice: SonicWall GMS/Analytics Impacted by suite of vulnerabilities | SonicWall

GMS/Analytics is remediating a suite of 15 security vulnerabilities, disclosed in a Coordinated Vulnerability Disclosure (CVD) report in conjunction with NCCGroup. This suite of vulnerabilities, which was responsibly disclosed, includes four (4) vulnerabilities with a CVSSv3 rating of CRITICAL, that allow an attacker to bypass authentication and could potentially result in exposure of sensitive information to an unauthorized actor.

SonicWall PSIRT is not aware of active exploitation in the wild. No reports of a PoC have been made public, and malicious use of this vulnerability has not been reported to SonicWall.


Zimbra Collaboration Suite fixes an XSS vulnerability; exploitation has already been confirmed.

(7/13) Security Update for Zimbra Collaboration Suite Version 8.8.15 - Zimbra : Blog

An XSS vulnerability in Zimbra Collaboration Suite Version 8.8.15 that could potentially impact the confidentiality and integrity of your data has surfaced. We take this matter very seriously and have already taken immediate action to address the issue.

Important: This vulnerability has been actively exploited, making it imperative to take immediate action. We strongly recommend following the provided mitigation steps without delay.

(7/13) Zimbra urges admins to manually fix zero-day exploited in attacks


Other

GitHub adds support for passkeys

(7/12) Introducing passwordless authentication on GitHub.com | The GitHub Blog

That’s why GitHub is committed to helping all developers employ strong account security while staying true to our promise of not compromising their user experience. We began this commitment with our 2FA initiative across GitHub. Today, we are furthering this work by ensuring seamless and secure access on GitHub.com with the public beta of passkey authentication.

(7/13) Trying out GitHub's passkey / Passkey support


NTT Security publishes "Cybersecurity Report 2023.06"

(7/14) Cybersecurity Report 2023.06