This week's notable security news - Issue #128

These are notes for recording the podcast.

podcast - #セキュリティのアレ - a laid-back security podcast.



Incidents and accidents

JumpCloud suffered unauthorized access by a North Korean attacker group, affecting some customers

(7/12) [Security Update] Incident Details - JumpCloud

First, we can confirm that CrowdStrike is our incident response partner. We can also report that we identified and CrowdStrike confirmed the nation-state actor involved was North Korea. Importantly, fewer than 5 JumpCloud customers were impacted and fewer than 10 devices total were impacted, out of more than 200,000 organizations who rely on the JumpCloud platform for a variety of identity, access, security, and management functions. All impacted customers have been notified directly.

(7/20) JumpCloud Intrusion | Attacker Infrastructure Links Compromise to North Korean APT Activity - SentinelOne

In recent news, the cloud-based IT management service JumpCloud publicly shared details gathered from the investigation into an intrusion on their network. Alongside the updated details, the organization shared a list of associated indicators of compromise (IOCs), noting attribution to an unnamed “sophisticated nation-state sponsored threat actor”.

Reviewing the newly released indicators of compromise, we associate the cluster of threat activity to a North Korean state sponsored APT. The IOCs are linked to a wide variety of activity we attribute to DPRK, overall centric to the supply chain targeting approach seen in previous campaigns.

(7/20) JumpCloud breach traced back to North Korean state hackers

US-based enterprise software company JumpCloud was breached by North Korean Lazarus Group hackers, according to security researchers at SentinelOne, CrowdStrike, and Mandiant.


In the March incident in which personal information of NTT Docomo customers using services such as "Plala" and "Hikari TV" was leaked, a former temporary employee of a subcontractor had taken business information outside the company without authorization

(7/21) Notice from Docomo: [Apology] Notice and apology regarding the leak of customer information for users of "Plala" and "Hikari TV" | Notices | NTT Docomo

On Friday, March 31, 2023, NTT Docomo, Inc. (hereafter Docomo) announced that it had confirmed through network monitoring that customer information may have been leaked from a PC used for business at a company to which it outsources work related to "Plala" and "Hikari TV"※1. Subsequent internal investigation has revealed that a former temporary employee of the subcontractor, NTT Nexia Corporation (株式会社NTTネクシア; head office: Sapporo, Hokkaido; President and CEO: 高美浩一; hereafter NTT Nexia), took business information including customer information outside the company without authorization.


A VirusTotal team employee accidentally uploaded a file containing customer information to VirusTotal, exposing it

(7/21) Apology and Update on Recent Accidental Data Exposure ~ VirusTotal Blog

On June 29, an employee accidentally uploaded a CSV file to the VirusTotal platform. This CSV file contained limited information of our Premium account customers, specifically the names of companies, the associated VirusTotal group names, and the email addresses of group administrators. We removed the file, which was only accessible to partners and corporate clients, from our platform within one hour of its posting.


Attacks and threats

Cloudflare published its DDoS threat report for Q2 2023

(7/18) DDoS threat report for 2023 Q2


GitHub warns of a social engineering attack campaign, attributed to a North Korean attacker group.

(7/18) Security alert: social engineering campaign targets technology industry employees - The GitHub Blog

GitHub has identified a low-volume social engineering campaign that targets the personal accounts of employees of technology firms, using a combination of repository invitations and malicious npm package dependencies. Many of these targeted accounts are connected to the blockchain, cryptocurrency, or online gambling sectors. A few targets were also associated with the cybersecurity sector. No GitHub or npm systems were compromised in this campaign. We’re publishing this blog post as a warning for our customers to prevent exploitation by this threat actor.

(7/20) GitHub warns of Lazarus hackers targeting devs with malicious projects

GitHub is warning of a social engineering campaign targeting the accounts of developers in the blockchain, cryptocurrency, online gambling, and cybersecurity sectors to infect their devices with malware.

The campaign was linked to the North Korean state-sponsored Lazarus hacking group, also known as Jade Sleet (Microsoft Threat Intelligence) and TraderTraitor (CISA). The US government released a report in 2022 detailing the threat actors' tactics.

The hacking group has a long history of targeting cryptocurrency companies and cybersecurity researchers for cyberespionage and to steal cryptocurrency.
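GitHub's alert says the lure combined repository invitations with malicious npm package dependencies, but does not spell out the mechanism by which a dependency runs code on a developer's machine. The script below is an added example (not GitHub's or npm's own tooling) of the check a reviewer can run on an invited repository before typing `npm install`: it flags lifecycle scripts that npm executes automatically at install time and dependency specs that bypass the public registry (git URLs, tarballs, local paths). The package names and the sample manifest are constructed for illustration.

```python
"""Audit an npm package.json for ways a dependency can run code at install time.

Added example, not from GitHub's advisory. Flags (1) lifecycle scripts npm runs
automatically during `npm install` and (2) dependencies resolved outside the
public registry. The sample manifest and package names below are constructed.
"""
import json
from typing import Dict, List

# Scripts npm runs without being asked during `npm install` of this package.
# (preinstall/install/postinstall also run inside every installed dependency.)
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Tokens in any script that suggest fetching and executing remote content.
FETCH_TOKENS = ("curl ", "wget ", "node -e", "bash -c", "powershell", "Invoke-Expression")


def is_registry_spec(spec: str) -> bool:
    """True if the spec resolves through the npm registry.

    Registry specs are semver ranges, dist-tags, or `npm:` aliases. Anything
    with a scheme (git+https:, file:, https:), a path separator (owner/repo
    shorthand, local paths) or a tarball suffix is fetched from elsewhere.
    """
    if spec.startswith("npm:"):
        return True
    return ":" not in spec and "/" not in spec and not spec.endswith((".tgz", ".tar.gz"))


def audit_manifest(manifest: Dict) -> List[str]:
    """Return a list of human-readable findings for one package.json object."""
    findings: List[str] = []
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.append(f"install-time script '{hook}': {scripts[hook]}")
    for name, body in scripts.items():
        if any(tok in body for tok in FETCH_TOKENS):
            findings.append(f"script '{name}' fetches or evals remote content: {body}")
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in (manifest.get(section) or {}).items():
            if not is_registry_spec(spec):
                findings.append(f"non-registry dependency in {section}: {name} -> {spec}")
    return findings


# Constructed sample: one postinstall hook and one git-sourced dependency.
SAMPLE_MANIFEST = json.loads("""
{
  "name": "media-player-demo",
  "version": "1.0.0",
  "scripts": {
    "build": "tsc -p .",
    "postinstall": "node ./scripts/setup.js"
  },
  "dependencies": {
    "express": "^4.18.2",
    "ui-helpers": "git+https://example.invalid/ui-helpers.git#main",
    "legacy-lib": "npm:legacy-lib-fork@1.2.3"
  },
  "devDependencies": {
    "typescript": "~5.1.0"
  }
}
""")


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```

Run it against a cloned repository with `json.load(open("package.json"))` in place of the sample. The check is intentionally conservative: a `postinstall` hook is normal for some native packages, so a hit means "read this before installing", and `npm install --ignore-scripts` is the safe way to fetch the tree while you do. Note that this only inspects the top-level manifest; a malicious transitive dependency is only visible once the lockfile is resolved.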


Microsoft announced that it will make the logging features of Microsoft Purview Audit (Premium) available to Microsoft Purview Audit (Standard) customers as well. More than 30 log types are included, and the default log retention period is extended from 90 days to 180 days. Scheduled to roll out from September 2023.

(7/19) How Microsoft is expanding cloud logging to give customers deeper security visibility | Microsoft Security Blog

Today we are expanding Microsoft’s cloud logging accessibility and flexibility even further. Over the coming months, we will include access to wider cloud security logs for our worldwide customers at no additional cost. As these changes take effect, customers can use Microsoft Purview Audit to centrally visualize more types of cloud log data generated across their enterprise.

(7/19) CISA and Microsoft Partnership Expands Access to Logging Capabilities Broadly | CISA


Coveware published its Q2 2023 ransomware report

(7/21) Ransom Monetization Rates Fall to Record Low Despite Jump In Average Ransom Payments

In the second quarter of 2023, the percentage of ransomware attacks that resulted in the victim paying, fell to a record low of 34%. The trend represents the compounding effects that we have noted previously of companies continuing to invest in security, continuity assets, and incident response training. Despite these encouraging statistics, ransomware threat actors and the entire cyber extortion economy, continue to evolve their attack and extortion tactics.


Vulnerabilities

Multiple vulnerabilities in Adobe ColdFusion. Exploitation has already been confirmed. The initial fix was also incomplete and has been re-patched

(7/11) Security updates available for Adobe ColdFusion | APSB23-40

Adobe is aware that CVE-2023-29298 has been exploited in the wild in limited attacks targeting Adobe ColdFusion.

(7/14) Security updates available for Adobe ColdFusion | APSB23-41

Adobe is aware that a proof of concept blog was posted for CVE-2023-38203.

(7/19) Security updates available for Adobe ColdFusion | APSB23-47

Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion.

(7/11) CVE-2023-29298: Adobe ColdFusion Access Control Bypass | Rapid7 Blog

(7/17) Active Exploitation of Multiple Adobe ColdFusion Vulnerabilities | Rapid7 Blog

(7/19) CVE-2023-38205: Adobe ColdFusion Access Control Bypass [FIXED] | Rapid7 Blog

(7/15) Adobe ColdFusion Pre-Auth RCE(s)


CISA added 1+1+2 vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog

(7/17) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

(7/19) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

(7/20) CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA


Multiple vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway. Exploitation has already been confirmed.

(7/18) Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467

Exploits of CVE-2023-3519 on unmitigated appliances have been observed. Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.

(7/20) Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells | CISA

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory to warn network defenders about exploitation of CVE-2023-3519, an unauthenticated remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway. In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization’s non-production environment NetScaler ADC appliance. The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement.

(7/21) Analysis of CVE-2023-3519 in Citrix ADC and NetScaler Gateway – Assetnote

(7/21) Citrix ADC Gateway RCE: CVE-2023-3519 Exploitable… | Bishop Fox

Bishop Fox developed an exploit for CVE-2023-3519, a stack overflow in Citrix ADC Gateway that allows remote code execution. There are 61,000 affected appliances exposed on the internet, and roughly 53% of them are currently unpatched. You should patch yours now.

(7/21) Exploitation of Citrix Zero-Day by Possible Espionage Actors (CVE-2023-3519) | Mandiant

On July 18, Citrix released security bulletin CTX561482, which described vulnerabilities in Citrix Netscaler Application Delivery Controller (ADC) and Citrix Netscaler Gateway. One of the vulnerabilities, CVE-2023-3519, could allow an unauthenticated remote attacker to perform arbitrary code execution. This vulnerability was assigned a CVSS of 9.8. Citrix has stated that they have observed exploitation of this vulnerability in the wild. Mandiant is actively involved in investigations involving recently compromised ADC appliances that were fully patched at the time of exploitation. Predominately used in the information technology industry, ADCs are a vital component of enterprise and cloud data centers in ensuring the continuous improvement and the availability, security, and performance of applications. ADCs provide functions that optimize the delivery of enterprise applications across the network.

Mandiant strongly recommends that organizations follow Citrix's advice to patch vulnerable appliances as soon as possible. Mandiant classifies CVE-2023-3519 as a high-risk vulnerability because it allows for remote code execution without any known offsets. While this vulnerability has been exploited in the wild, the exploit code is not yet publicly available. Mandiant recommends that organizations prioritize patching this vulnerability.
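CISA's advisory above describes the post-exploitation artifact as a webshell dropped on the appliance, and Mandiant notes that patching alone does not tell you whether an appliance was already compromised. The script below is an added example (not CISA's, Citrix's or Mandiant's tooling) of the two filesystem hunts a responder typically combines: files modified after the last legitimate software install, and server-side script files whose content matches crude webshell indicators. The web root paths, the cutoff date and the indicator strings are assumptions for illustration; on a real appliance substitute its actual web directories and last patch time. The sample directory tree is constructed in a temp dir and is not real IOC data.

```python
"""Hunt for dropped webshells under a web root.

Added example, not from the CISA advisory. Two independent signals are
combined because each alone is weak: attackers can timestomp mtimes, and
content patterns miss obfuscated shells. Paths, cutoff and patterns are
assumptions; the sample tree built by demo() is constructed test data.
"""
import os
import re
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Iterator, List, Tuple

# Crude content indicators: server-side primitives that execute attacker input.
WEBSHELL_PATTERNS = re.compile(
    rb"(eval\s*\(|system\s*\(|shell_exec\s*\(|passthru\s*\(|popen\s*\("
    rb"|base64_decode\s*\(|Runtime\.getRuntime\(\)\.exec)"
)
# Extensions the web server would execute rather than serve as static content.
WEB_EXTENSIONS = {".php", ".jsp", ".jspx", ".pl", ".cgi", ".py", ".sh"}
MAX_SCAN_BYTES = 65536  # most shells are small; cap reads to keep the sweep fast


def iter_files(root: Path) -> Iterator[Path]:
    """Yield every regular-file path under root (symlinks are not followed)."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            yield Path(dirpath) / name


def hunt(root: Path, newer_than: datetime) -> List[Tuple[str, str]]:
    """Return sorted (path, reason) pairs; a file can appear once per reason."""
    findings: List[Tuple[str, str]] = []
    cutoff = newer_than.timestamp()
    for path in iter_files(root):
        try:
            st = path.lstat()
        except OSError:
            continue
        # Signal 1: written after the last known-good install/patch.
        if st.st_mtime > cutoff:
            findings.append((str(path), f"modified after {newer_than.isoformat()}"))
        # Signal 2: executable script whose head contains an exec primitive.
        if path.suffix.lower() in WEB_EXTENSIONS:
            try:
                with path.open("rb") as fh:
                    head = fh.read(MAX_SCAN_BYTES)
            except OSError:
                continue
            m = WEBSHELL_PATTERNS.search(head)
            if m:
                hit = m.group(0).decode(errors="replace")
                findings.append((str(path), f"content matches {hit!r}"))
    return sorted(findings)


def demo() -> List[Tuple[str, str]]:
    """Build a constructed sample web root in a temp dir, hunt it, clean up."""
    base = Path(tempfile.mkdtemp(prefix="webroot-"))
    try:
        last_install = datetime(2023, 7, 1, tzinfo=timezone.utc)  # assumed patch date
        # Legitimate page: benign content, mtime backdated before the install.
        old = base / "index.php"
        old.write_text("<?php echo 'hello'; ?>\n")
        old_ts = datetime(2023, 6, 1, tzinfo=timezone.utc).timestamp()
        os.utime(old, (old_ts, old_ts))
        # Dropped shell: fresh mtime and an eval(base64_decode(...)) body.
        (base / "logon").mkdir()
        shell = base / "logon" / "cmd.php"
        shell.write_text("<?php eval(base64_decode($_POST['x'])); ?>\n")
        return hunt(base, last_install)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Run `hunt(Path("/path/to/webroot"), last_patch_time)` for each web directory the appliance serves from, and treat any file that trips both signals as top priority for triage. A file that trips only the mtime signal is usually a legitimate update; one that trips only the content signal is usually a vendor script, but both deserve a look before the appliance is declared clean.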


Vulnerability in the online storage software Proself. Exploitation has already been confirmed.

(7/20) Notice: [Urgent] Attacks exploiting a zero-day vulnerability in Proself / Online storage package Proself / North Grid Corporation (株式会社ノースグリッド)

A zero-day remote code execution vulnerability has been discovered in our product Proself. This vulnerability is present in all currently released versions.

We have confirmed that this vulnerability is already being exploited, and in exploited environments the settings below have been found to have been rewritten. We therefore ask that you urgently check your settings, and if you do not recognize the configured contents, disable the virus scan setting or change the setting and then contact us.


Other

TikTok now supports login with passkeys

(7/17) TikTok Passkeys for Login: The more secure way to log into your TikTok account | TikTok Newsroom


IPA published the "Guide to Formulating Requirements for Systems Handling Critical Information"

(7/18) Guide to Formulating Requirements for Systems Handling Critical Information (重要情報を扱うシステムの要求策定ガイド) | Digital Transformation of Society and Industry | IPA Information-technology Promotion Agency, Japan