This Week's Security News of Interest - Issue #129

These are notes for recording the podcast.

podcast - #セキュリティのアレ - A laid-back security podcast.



Incidents and Accidents

Hawaiʻi Community College disclosed that, following the ransomware incident that occurred in June, it paid a ransom to prevent publication of the leaked personal information

(7/26) Hawaiʻi CC cyber attack resolved | University of Hawaiʻi System News

The ransomware attack on the Hawaiʻi Community College network, first reported on June 13, has been resolved.

After determining that the compromised data most likely contained personal information of approximately 28,000 individuals, the University of Hawaiʻi made the difficult decision to negotiate with the threat actors in order to protect the individuals whose sensitive information might have been compromised. A significant consideration in this decision-making process was that the criminal entity responsible for the attack has a documented history of publicly posting the stolen personal information of individuals when agreement with the impacted entity was not reached. Working with an external team of cybersecurity experts, UH reached an agreement with the threat actors to destroy all of the information it illegally obtained.

(7/27) Hawaiʻi Community College pays ransom after attackers steal personal info of 28,000 people


China's Wuhan Earthquake Monitoring Center disclosed that it was hit by a cyberattack

(7/26) Exclusive: Wuhan Earthquake Monitoring Center suffers cyberattack from the US; investigation underway - Global Times

(7/26) China accuses U.S. of hacking earthquake monitoring equipment


Attacks and Threats

IBM released its "Cost of a Data Breach Report 2023"

(7/24) IBM Report: Half of Breached Organizations Unwilling to Increase Security Spend Despite Soaring Breach Costs

IBM (NYSE: IBM) Security today released its annual Cost of a Data Breach Report, showing the global average cost of a data breach reached $4.45 million in 2023 – an all-time high for the report and a 15% increase over the last 3 years. Detection and escalation costs jumped 42% over this same time frame, representing the highest portion of breach costs, and indicating a shift towards more complex breach investigations.


Attack activity observed targeting the Citrix ShareFile vulnerability (CVE-2023-24489)

(7/26) Introducing CVE-2023-24489: A Critical Citrix ShareFile RCE Vulnerability

As of the publishing timestamp of this post, GreyNoise has observed IPs attempting to exploit this vulnerability. Two had never been seen by GreyNoise before this activity.

(7/4) Encrypted Doesn't Mean Authenticated: ShareFile RCE (CVE-2023-24489) – Assetnote

(6/13) ShareFile StorageZones Controller Security Update for CVE-2023-24489


Macnica published "Targeted Attacks: Realities and Countermeasure Approaches, 7th Edition"

(7/27) Targeted Attacks: Realities and Countermeasure Approaches, 7th Edition: Trends in Cyber Espionage Targeting Japan, FY2022 (標的型攻撃の実態と対策アプローチ 第7版) - Security Business - Macnica


Google reported on the zero-day exploitation it observed in 2022

(7/27) Google Online Security Blog: The Ups and Downs of 0-days: A Year in Review of 0-days Exploited In-the-Wild in 2022

41 in-the-wild 0-days were detected and disclosed in 2022, the second-most ever recorded since we began tracking in mid-2014, but down from the 69 detected in 2021.


Regarding attack activity targeting the Barracuda ESG vulnerability (CVE-2023-2868), CISA issued an alert on the malware used in the attacks

(7/28) CISA Releases Malware Analysis Reports on Barracuda Backdoors | CISA

CISA has published three malware analysis reports on malware variants associated with exploitation of CVE-2023-2868. CVE-2023-2868 is a remote command injection vulnerability affecting Barracuda Email Security Gateway (ESG) Appliance, versions 5.1.3.001-9.2.0.006. It was exploited as a zero day as early as October 2022 to gain access to ESG appliances. According to industry reporting, the actors exploited the vulnerability to gain initial access to victim systems and then implanted backdoors to establish and maintain persistence. CISA analyzed backdoor malware variants obtained from an organization that had been compromised by threat actors exploiting the vulnerability.


Vulnerabilities

Apple released macOS Ventura 13.5, macOS Monterey 12.6.8, macOS Big Sur 11.7.9, iOS 16.6 / iPadOS 16.6, watchOS 9.6, tvOS 16.6, and Safari 16.6. The releases include fixes for vulnerabilities already confirmed to be exploited in the wild (one of which had already been delivered via Rapid Security Response)

(7/24) Apple security releases - Apple Support


Vulnerability in AMD CPUs based on the Zen 2 architecture (Zenbleed)

(7/24) Zenbleed

(7/25) How Cloudflare is staying ahead of the AMD vulnerability known as “Zenbleed”


Zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) (CVE-2023-35078, CVE-2023-35081). The Norwegian government reported that 12 ministries were hit by attacks exploiting the vulnerability

(7/24) CVE-2023-35078 - Remote Unauthenticated API Access Vulnerability

A vulnerability has been discovered in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. This vulnerability impacts all supported versions – Version 11.4 releases 11.10, 11.9 and 11.8. Older versions/releases are also at risk.

If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users’ personally identifiable information and make limited changes to the server. We have received information from a credible source indicating exploitation has occurred. We continue to work with our customers and partners to investigate this situation.

We are only aware of a very limited number of customers that have been impacted. We are actively working with our customers and partners to investigate this situation.

(7/24) CVE-2023-35078 - New Ivanti EPMM Vulnerability

A vulnerability has been discovered in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. We will be reporting this as CVE-2023-35078. This vulnerability impacts all supported versions – Version 11.4 releases 11.10, 11.9 and 11.8. Older versions/releases are also at risk.

(7/28) CVE-2023-35081 - Remote Arbitrary File Write

CVE-2023-35081 enables an authenticated administrator to perform arbitrary file writes to the EPMM server. This vulnerability can be used in conjunction with CVE-2023-35078, bypassing administrator authentication and ACLs restrictions (if applicable). Successful exploitation can be used to write malicious files to the appliance, ultimately allowing a malicious actor to execute OS commands on the appliance as the tomcat user. As of now we are only aware of the same limited number of customers impacted by CVE-2023-35078 as being impacted by CVE-2023-35081.

(7/28) CVE-2023-35081 - New Ivanti EPMM Vulnerability

During our thorough investigation of Ivanti Endpoint Manager Mobile (EPMM) vulnerability CVE-2023-35078 announced 23 July 2023, we have discovered additional vulnerabilities. We are reporting these vulnerabilities as CVE-2023-35081. As was the case with CVE-2023-35078, CVE-2023-35081 impacts all supported versions – Version 11.4 releases 11.10, 11.9 and 11.8. Older versions/releases are also at risk.

(7/24) Ministries hit by cyberattack (Departementer utsatt for dataangrep) – DSS – Sammen for fellesskapet

(7/24) Zero-day vulnerability in Ivanti Endpoint Manager (MobileIron Core) (Nulldagssårbarhet i Ivanti Endpoint Manager) - Nasjonal sikkerhetsmyndighet (NSM)

(7/25) Norway says Ivanti zero-day was used to hack govt IT systems

(7/26) MobileIrony backdoor allows complete takeover of mobile security product and endpoints. | by Kevin Beaumont | Jul, 2023 | DoublePulsar


Vulnerabilities in multiple ASUS routers. NICT points out that the fix provided by ASUS is insufficient

(7/25) Strengthening DDNS Security for RT-AX1800U, RT-AX3000, RT-AX3000 v2, RT-AX86U, TUF-AX3000 and TUF-AX5400


CISA added 1+1+1 vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog

(7/25) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

  • CVE-2023-35078 Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability

(7/26) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

(7/27) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

  • CVE-2023-37580 Zimbra Collaboration (ZCS) Cross-Site Scripting (XSS) Vulnerability


ACSC, CISA, and NSA jointly issued an advisory on insecure direct object reference (IDOR) vulnerabilities in web applications

(7/27) Preventing Web Application Access Control Abuse | CISA

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), U.S. Cybersecurity and Infrastructure Security Agency (CISA), and U.S. National Security Agency (NSA) are releasing this joint Cybersecurity Advisory to warn vendors, designers, and developers of web applications and organizations using web applications about insecure direct object reference (IDOR) vulnerabilities. IDOR vulnerabilities are access control vulnerabilities enabling malicious actors to modify or delete data or access sensitive data by issuing requests to a website or a web application programming interface (API) specifying the user identifier of other, valid users. These requests succeed where there is a failure to perform adequate authentication and authorization checks.
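The advisory's definition above (an authenticated caller supplies another user's identifier and the server answers because it checks authentication but not authorization) is easier to see in code. The following is an added example written for these notes, not code from the advisory or from any product it names: an IDOR-vulnerable read handler next to a hardened one, plus a scoped write path, over a constructed in-memory store. All users, invoice IDs, amounts and function names are made up for illustration.

```python
"""IDOR (insecure direct object reference): vulnerable vs. hardened handlers.

Added example for these notes; not code from the ACSC/CISA/NSA advisory.
The store, users and invoice records are constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional
import secrets


@dataclass
class Invoice:
    invoice_id: str
    owner: str      # username of the principal that owns this record
    amount: int


class InvoiceStore:
    """In-memory stand-in for a database table keyed by invoice_id."""

    def __init__(self) -> None:
        self.rows: Dict[str, Invoice] = {}

    def add(self, owner: str, amount: int, invoice_id: Optional[str] = None) -> Invoice:
        # Defense in depth: an unguessable ID (128 random bits) stops an
        # attacker from walking 1001, 1002, ... but it is NOT a substitute
        # for the ownership check in get_invoice_safe below.
        iid = invoice_id or secrets.token_urlsafe(16)
        inv = Invoice(iid, owner, amount)
        self.rows[iid] = inv
        return inv

    def find_any(self, invoice_id: str) -> Optional[Invoice]:
        return self.rows.get(invoice_id)

    def find_owned_by(self, invoice_id: str, owner: str) -> Optional[Invoice]:
        inv = self.rows.get(invoice_id)
        return inv if inv is not None and inv.owner == owner else None


def get_invoice_vulnerable(store: InvoiceStore, session_user: str, invoice_id: str) -> Optional[Invoice]:
    """IDOR: authentication is checked, authorization is not.
    Any logged-in user who edits invoice_id in the request reads any invoice."""
    if not session_user:
        raise PermissionError("login required")
    return store.find_any(invoice_id)


def get_invoice_safe(store: InvoiceStore, session_user: str, invoice_id: str) -> Optional[Invoice]:
    """Hardened: the lookup is scoped to the authenticated principal.
    A foreign-owned ID and an unknown ID both yield None, so the response
    does not reveal which IDs exist."""
    if not session_user:
        raise PermissionError("login required")
    return store.find_owned_by(invoice_id, session_user)


def set_amount_safe(store: InvoiceStore, session_user: str, invoice_id: str, amount: int) -> bool:
    """Write paths need the same scoping; the advisory's 'modify or delete'
    case is the same bug on an update handler."""
    inv = get_invoice_safe(store, session_user, invoice_id)
    if inv is None:
        return False
    inv.amount = amount
    return True


Handler = Callable[[InvoiceStore, str, str], Optional[Invoice]]


def enumerate_readable(store: InvoiceStore, session_user: str,
                       candidates: Iterable[str], handler: Handler) -> Dict[str, str]:
    """What an attacker holding one valid session learns by iterating
    candidate IDs through a handler: {invoice_id: owner} for every hit."""
    found: Dict[str, str] = {}
    for iid in candidates:
        inv = handler(store, session_user, iid)
        if inv is not None:
            found[iid] = inv.owner
    return found


def demo():
    """Sequential IDs (constructed) make the enumeration trivial."""
    store = InvoiceStore()
    store.add("alice", 120, invoice_id="1001")
    store.add("bob", 4500, invoice_id="1002")
    ids = [str(n) for n in range(1000, 1010)]
    leaked = enumerate_readable(store, "alice", ids, get_invoice_vulnerable)
    scoped = enumerate_readable(store, "alice", ids, get_invoice_safe)
    return leaked, scoped


if __name__ == "__main__":
    print(demo())
```

Run as a script: the vulnerable handler lets alice's session read bob's invoice 1002, while the scoped handler returns only alice's own record. The fix is the `owner == session_user` condition inside the lookup, applied to every read, update and delete path; random identifiers only raise the cost of guessing.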


Other

CISA reported the analysis results of the risk and vulnerability assessments it conducted on US critical infrastructure in fiscal year 2022

(7/26) CISA Analysis: Fiscal Year 2022 Risk and Vulnerability Assessments

CISA has released an analysis and infographic detailing the findings from the 121 Risk and Vulnerability Assessments (RVAs) conducted across multiple critical infrastructure sectors in fiscal year 2022 (FY22).

The analysis details a sample attack path including tactics and steps a cyber threat actor could follow to compromise an organization with weaknesses representative of those CISA observed in FY22 RVAs. The infographic highlights the most successful techniques for each tactic that RVAs documented. Both the analysis and infographic map threat actor behavior to the MITRE ATT&CK® framework.


The US Securities and Exchange Commission (SEC) adopted new rules requiring public companies that suffer a material cybersecurity incident to disclose it within four business days

(7/26) SEC.gov | SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies

The new rules will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material. The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing.


METI (Ministry of Economy, Trade and Industry) formulated the "Guide to Introducing SBOM (Software Bill of Materials) for Software Management"

(7/28) "Guide to Introducing SBOM (Software Bill of Materials) for Software Management" (ソフトウェア管理に向けたSBOMの導入に関する手引) formulated (METI / Ministry of Economy, Trade and Industry)