今週の気になるセキュリティニュース - Issue #132

Revue アレかね

ポッドキャスト収録用のメモですよ。

podcast - #セキュリティのアレ - ゆるーいセキュリティのポッドキャストですよ。


事件、事故

防弾ホスティングサービス LolekHosted の管理者が逮捕され、サイトは差し押さえ

(8/11) 5 arrested in Poland for running bulletproof hosting service for cybercrime gangs | Europol

This week, the Polish Central Cybercrime Bureau (Centralne Biuro Zwalczania Cyberprzestępczości) under the supervision of the Regional Prosecutor's Office in Katowice (Prokuratura Regionalna w Katowicach) took action against LolekHosted.net, a bulletproof hosting service used by criminals to launch cyber-attacks across the world.

(8/11) Office of Public Affairs | Administrator of ‘Bulletproof’ Webhosting Domain Charged in Connection with Facilitation of NetWalker Ransomware | United States Department of Justice

An indictment was unsealed yesterday in Tampa, Florida, charging a Polish national with computer fraud conspiracy, wire fraud conspiracy, and international money laundering in connection with the provision of “bulletproof” webhosting services that facilitated the operation of ransomware attacks and the subsequent laundering of the illicit proceeds.


pictBLand および pictSQUARE から不正アクセスによる情報流出

(8/17) 個人情報流出事件によるサービス停止のお知らせ

(参考) 不正アクセスによるpictBLand、pictSQUAREの情報流出の可能性についてまとめてみた - piyolog


INTERPOL と AFRIPOL との共同作戦により、アフリカでサイバー犯罪の容疑者 14人を逮捕

(8/18) Cybercrime: 14 arrests, thousands of illicit cyber networks disrupted in Africa operation

INTERPOL and AFRIPOL have coordinated an operation across 25 African countries that enabled investigators to arrest 14 suspected cybercriminals and identify 20,674 suspicious cyber networks, highlighting the surge in digital insecurity and cyber threats in the region.

The networks identified were linked to financial losses of more than USD 40 million.


攻撃、脅威

LinkedIn のアカウントに対する攻撃キャンペーンについて Cyberint が注意喚起

(8/14) LinkedIn Accounts Under Attack

In recent weeks, the Cyberint research team has observed an alarming emerging trend – an ongoing and successful hacking campaign is targeting LinkedIn accounts, all following a consistent method. This campaign is currently affecting individuals worldwide, resulting in a significant number of victims losing access to their accounts. Some have even been pressured into paying a ransom to regain control or faced with the permanent deletion of their accounts. While LinkedIn has not yet issued an official announcement, it appears that their support response time has lengthened, with reports of a high volume of support requests.


Analyst1 が LockBit ランサムウェアの攻撃活動の内情について詳細な報告

(8/15) Ransomware Diaries V. 3: LockBit's Secrets

In this volume of the Ransomware Diaries, I will share interesting, previously unknown details of the LockBit ransomware operation that LockBit has tried very hard to cover up. Until now, you have been lied to about LockBit’s true capability. Today, I will show you the actual current state of its criminal program and demonstrate with evidence-backed analysis that LockBit has several critical operational problems, which have gone unnoticed.


7月に公開された Citrix ADC/Gateway脆弱性 (CVE-2023-3519) を悪用する攻撃活動について Fox-IT が注意喚起。また Mandiant は侵害された痕跡の調査ツールを公開

(8/15) Approximately 2000 Citrix NetScalers backdoored in mass-exploitation campaign – Fox-IT International blog

Fox-IT (part of NCC Group) has uncovered a large-scale exploitation campaign of Citrix NetScalers in a joint effort with the Dutch Institute of Vulnerability Disclosure (DIVD). An adversary appears to have exploited CVE-2023-3519 in an automated fashion, placing webshells on vulnerable NetScalers to gain persistent access. The adversary can execute arbitrary commands with this webshell, even when a NetScaler is patched and/or rebooted. At the time of writing, more than 1900 NetScalers remain backdoored. Using the data supplied by Fox-IT, the Dutch Institute of Vulnerability Disclosure has notified victims.

(8/15) Indicators of Compromise Scanner for Citrix ADC Zero-Day (CVE-2023-3519) | Mandiant

Mandiant recently published a blog post about the compromise of Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway Appliances related to the zero-day vulnerability tracked as CVE-2023-3519. CVE-2023-3519 is a zero-day vulnerability that can enable remote code execution, and has been observed being exploited in the wild by a threat actor consistent with a China-nexus based on known capabilities and history of targeting Citrix ADCs. Recently, proof-of-concepts to exploit this vulnerability have been publicly posted.

Today we are releasing a tool to help organizations scan their Citrix appliances for evidence of post-exploitation activity related to CVE-2023-3519. The tool contains indicators of compromise (IOCs) collected during Mandiant investigations and sourced from our partners and the community. Head over to the Mandiant GitHub page to download the tool today to scan your appliances.


Recorded Future がマルウェアによる正規のインターネットサービスの利用状況について報告

(8/16) Threat Actors Leverage Internet Services to Enhance Data Theft and Weaken Security Defenses | Recorded Future

New Insikt research highlights an emerging trend where threat actors are increasingly exploiting trusted platforms like Google Drive, OneDrive, Notion, and GitHub to conceal malicious activities within normal internet traffic. This tactic enhances their efficiency in data theft and operations while weakening conventional defenses. Advanced persistent threat (APT) groups are at the forefront of this strategy, with less sophisticated groups following suit. This underscores the need for adaptable defense strategies that evolve alongside threat actor innovations.


脆弱性

Ivanti Avalanche にリモートコード実行可能な脆弱性

(8/15) Unauthenticated Stack Buffer Overflows in Ivanti Avalanche - Research Advisory | Tenable®

(8/3) Avalanche Vulnerabilities Addressed in 6.4.1


CISA が Known Exploited Vulnerabilities (KEV) カタログに 1 個の脆弱性を追加

(8/16) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

(8/16 更新) Introducing CVE-2023-24489: A Critical Citrix ShareFile RCE Vulnerability

GreyNoise observed a significant spike in attacker activity the day CISA added CVE-2023-24489 to their Known Exploited Vulnerabilities Catalog:


WinRAR にリモートコード実行可能な脆弱性 (CVE-2023-40477)

(8/17) ZDI-23-1152 | Zero Day Initiative

This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

(8/2) WinRAR News: WinRAR 6.23 final released


その他

NTT セキュリティが「サイバーセキュリティレポート 2023.07」を公開

(8/15) サイバーセキュリティレポート 2023年7月


CISA が "Remote Monitoring and Management (RMM) Cyber Defense Plan" を公開

(8/16) CISA Releases JCDC Remote Monitoring and Management (RMM) Cyber Defense Plan | CISA

Today, CISA released the Remote Monitoring and Management (RMM) Cyber Defense Plan, the first proactive Plan developed by industry and government partners through the Joint Cyber Defense Collaborative (JCDC). This plan addresses systemic risks facing the exploitation of RMM software. Cyber threat actors can gain footholds via RMM software into managed service providers (MSPs) or manage security service providers (MSSPs) servers and, by extension, can cause cascading impacts for the small and medium-sized organizations that are MSP/MSSP customers.