This Week's Noteworthy Security News - Issue #130

These are notes for recording the podcast.

podcast - #セキュリティのアレ - a laid-back security podcast.



Incidents and Accidents

Possible leak of email data at the National center of Incident readiness and Strategy for Cybersecurity (NISC) and the Japan Meteorological Agency

(8/4) On the possible leak of email data from the NISC's email-related system

The timeline of this incident at NISC and the measures taken are as follows.

・June 13: Traces of unauthorized communication involving the email-related system were discovered.

・June 14-15: Operation of the system was promptly halted to check its status. The device suspected of causing the unauthorized communication was replaced, other equipment was confirmed to be free of anomalies, internal monitoring was strengthened, and the system was then restarted.

・June 21: An investigation by the maintenance and operations contractor found evidence indicating that the unauthorized communication was caused by a vulnerability in the device in question (the incident was reported to the Personal Information Protection Commission).

Following this, an investigation by external specialist organizations found that, as of now, some of the email data containing personal information that NISC sent and received over the Internet between early October of Reiwa 4 (2022) and mid-June of Reiwa 5 (2023) may have leaked externally.

(8/4) On the occurrence of unauthorized communication against email-related devices of the Japan Meteorological Agency and the Meteorological Research Institute

It was found that email-related devices used by the Japan Meteorological Agency and the Meteorological Research Institute, respectively, were subject to unauthorized communication targeting a system vulnerability that the manufacturer had not previously been able to confirm. This is believed to have been caused by a vulnerability in email-related devices that has also been confirmed overseas. The Japan Meteorological Agency and the Meteorological Research Institute have taken measures such as replacing all of the affected devices with devices with strengthened security, but some of the data from emails sent to the Japan Meteorological Agency (meteorological offices nationwide, including the Meteorological Research Institute) between early June of Reiwa 4 (2022) and late May of Reiwa 5 (2023) may have leaked externally.

(Comment) The affected device and vulnerability have not been disclosed, but it is probably the Barracuda ESG zero-day vulnerability (CVE-2023-2868) reported in June.


Attacks and Threats

CISA and Norway's NCSC-NO jointly warn of attack activity exploiting Ivanti EPMM vulnerabilities

(8/1) CISA and International Partner NCSC-NO Release Joint Cybersecurity Advisory on Threat Actors Exploiting Ivanti EPMM Vulnerabilities | CISA

The Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) have released a joint Cybersecurity Advisory (CSA), Threat Actors Exploiting Ivanti EPMM Vulnerabilities, in response to the active exploitation of CVE-2023-35078 and CVE-2023-35081 affecting Ivanti Endpoint Manager Mobile (EPMM) (formerly known as MobileIron Core). Threat actors can chain these vulnerabilities to gain initial, privileged access to EPMM systems and execute uploaded files, such as webshells.


Microsoft reports on attack activity by the Russian threat group Midnight Blizzard (NOBELIUM)

(8/2) Midnight Blizzard conducts targeted social engineering over Microsoft Teams | Microsoft Security Blog

Microsoft Threat Intelligence has identified highly targeted social engineering attacks using credential theft phishing lures sent as Microsoft Teams chats by the threat actor that Microsoft tracks as Midnight Blizzard (previously tracked as NOBELIUM). This latest attack, combined with past activity, further demonstrates Midnight Blizzard’s ongoing execution of their objectives using both new and common techniques. In this latest activity, the threat actor uses previously compromised Microsoft 365 tenants owned by small businesses to create new domains that appear as technical support entities. Using these domains from compromised tenants, Midnight Blizzard leverages Teams messages to send lures that attempt to steal credentials from a targeted organization by engaging a user and eliciting approval of multifactor authentication (MFA) prompts. As with any social engineering lures, we encourage organizations to reinforce security best practices to all users and reinforce that any authentication requests not initiated by the user should be treated as malicious.


Recorded Future reports on attack activity by the Russian threat group BlueCharlie

(8/2) BlueCharlie, Previously Tracked as TAG-53, Continues to Deploy New Infrastructure in 2023 | Recorded Future

Insikt Group has been tracking the threat activity group BlueCharlie, associated with the Russia-nexus group Callisto/Calisto, COLDRIVER, and Star Blizzard/SEABORGIUM. BlueCharlie, a Russia-linked threat group active since 2017, focuses on information gathering for espionage and hack-and-leak operations. BlueCharlie has evolved its tactics, techniques, and procedures (TTPs) and built new infrastructure, indicating sophistication in adapting to public disclosures and improving operations security. While specific victims are unknown, past targets include government, defense, education, political sectors, NGOs, journalists, and think tanks.


Google Cloud publishes the Threat Horizons Report

(8/3) August 2023 Threat Horizons Report

(8/3) August 2023 Threat Horizons Report Provides Cloud-Focused Cybersecurity Insights and Recommendations | Mandiant


Vulnerabilities

Unauthenticated remote code execution vulnerability in PaperCut NG/MF (CVE-2023-39143)

(7/25) PaperCut NG/MF Security Bulletin (July 2023) | PaperCut

The security research team at Horizon3.ai carried out complex security research to identify two path traversal vulnerabilities which could be potentially leveraged to read and write arbitrary files. Direct server IP access is required. The Horizon3.ai team has worked with PaperCut to mitigate and validate our fixes.

(8/4) CVE-2023-39143: PaperCut Path Traversal/File Upload RCE Vulnerability – Horizon3.ai

CVE-2023-39143 enables unauthenticated attackers to potentially read, delete, and upload arbitrary files to the PaperCut MF/NG application server, resulting in remote code execution in certain configurations.


Exploit code for Citrix ADC/Gateway vulnerability CVE-2023-3519 released, and attack activity observed

(7/31) CVE-2023-3519 | AttackerKB

(7/31) Add CVE-2023-3519 Citrix RCE by zeroSteiner · Pull Request #18240 · rapid7/metasploit-framework · GitHub

(8/2) Over 640 Citrix servers backdoored with web shells in ongoing attacks

(8/3) Will the real Citrix CVE-2023-3519 please stand up?

(8/4) Analysis and Exploitation of CVE-2023-3519 | Bishop Fox


CISA adds one vulnerability to the Known Exploited Vulnerabilities (KEV) catalog

(7/31) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

  • CVE-2023-35081 Ivanti Endpoint Manager Mobile (EPMM) Path Traversal Vulnerability


Researchers report "Collide+Power", a side-channel attack affecting many CPUs

(8/2) Collide+Power

Collide+Power is a novel method to exploit the fundamental way we build and share components in CPUs. We do not target specific programs but instead the underlying CPU hardware itself. This advance in software-based power side channels echoes the discovery of Meltdown and Spectre — where similarly, the underlying hardware provided unforeseen attack possibilities, leaking actual data values.


New vulnerability in Ivanti EPMM (CVE-2023-35082)

(8/2) CVE-2023-35082 – Remote Unauthenticated API Access Vulnerability in MobileIron Core 11.2 and older

A vulnerability has been discovered in MobileIron Core which affects version 11.2 and prior. The vulnerability was incidentally resolved in MobileIron Core 11.3 as part of work on a product bug. It had not previously been identified as a vulnerability.

(8/2) CVE-2023-35082 - MobileIron Core Unauthenticated API Access Vulnerability | Rapid7 Blog

While investigating CVE-2023-35078, a critical API access vulnerability in Ivanti Endpoint Manager Mobile and MobileIron Core that was exploited in the wild, Rapid7 discovered a new vulnerability that allows unauthenticated attackers to access the API in older unsupported versions of MobileIron Core (11.2 and below). Rapid7 reported this vulnerability to Ivanti on July 26, 2023 and we are now disclosing it in accordance with our vulnerability disclosure policy. The new vulnerability has been assigned CVE-2023-35082.


CISA, NSA, FBI and others jointly publish a list of the most exploited vulnerabilities of 2022

(8/3) 2022 Top Routinely Exploited Vulnerabilities | CISA

This advisory provides details on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2022 and the associated Common Weakness Enumeration(s) (CWE). In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems.

(8/3) CISA, NSA, FBI and International Partners Issue Advisory on the Top Routinely Exploited Vulnerabilities in 2022

(8/4) Unmasking the top exploited vulnerabilities of 2022

The Cybersecurity and Infrastructure Security Agency (CISA) just released a report highlighting the most commonly exploited vulnerabilities of 2022. With our role as a reverse proxy to a large portion of the Internet, Cloudflare is in a unique position to observe how the Common Vulnerabilities and Exposures (CVEs) mentioned by CISA are being exploited on the Internet.

We wanted to share a bit of what we’ve learned.

Based on our analysis, two CVEs mentioned in the CISA report are responsible for the vast majority of attack traffic seen in the wild: Log4J and Atlassian Confluence Code Injection. Although CISA/CSA discuss a larger number of vulnerabilities in the same report, our data clearly suggests a major difference in exploit volume between the top two and the rest of the list.


Vulnerability in Microsoft Power Platform

(8/4) Microsoft mitigates Power Platform Custom Code information disclosure vulnerability | MSRC Blog | Microsoft Security Response Center

On 30 March 2023, Tenable informed Microsoft under Coordinated Vulnerability Disclosure (CVD) of a security issue concerning Power Platform Custom Connectors using Custom Code. This feature allows customers to write code for custom connectors. This issue has been fully addressed for all customers and no customer remediation action is required.

(7/31) Unauthorized Access to Cross-Tenant Applications in Microsoft Power Platform - Research Advisory | Tenable®


Other

US government announces the "National Cyber Workforce and Education Strategy"

(7/31) FACT SHEET: Biden-Harris Administration Announces National Cyber Workforce and Education Strategy, Unleashing America’s Cyber Talent | The White House


CISA announces its "Cybersecurity Strategic Plan" for 2024 through 2026

(8/4) CISA Cybersecurity Strategic Plan | CISA

The FY2024-2026 Cybersecurity Strategic Plan guides CISA’s efforts in pursuit of a new vision for cybersecurity: a vision grounded in collaboration, in innovation, and in accountability.