Security News of Interest This Week - Issue #133

These are notes for the podcast recording.

podcast - #セキュリティのアレ - a laid-back security podcast.



Incidents and accidents

National Graduate Institute for Policy Studies (GRIPS) publishes an information security incident report

(8/22) Publication of the Information Security Incident Report | National Graduate Institute for Policy Studies (GRIPS)

According to the investigation by a specialist security firm, the attacker operated a web shell; 10 university servers and 2 endpoints were compromised, the IDs and passwords of all users within the university and the university's network configuration were scanned, and the attacker was judged to have gained an understanding of the system configuration. The attacker could not be identified.

Meanwhile, an internal investigation, whose scope and approach were discussed and decided between the advisory board and the university, concluded that the file server audit logs reflected nothing but normal business use by users. It was therefore judged that there was no possibility that highly confidential information or personal information stored on the file server had leaked, and this was reported to the Personal Information Protection Commission.


A Kroll employee was hit by a SIM swap attack, leaking information on bankruptcy claimants of multiple crypto asset services

(8/25) Security Incident | Kroll

We were recently informed that on Saturday, August 19, 2023, a cyber threat actor targeted a T-Mobile US., Inc. account belonging to a Kroll employee in a highly sophisticated “SIM swapping” attack. Specifically, T-Mobile, without any authority from or contact with Kroll or its employee, transferred that employee’s phone number to the threat actor's phone at their request. As a result, it appears the threat actor gained access to certain files containing personal information of bankruptcy claimants in the matters of BlockFi, FTX and Genesis. Immediate actions were taken to secure the three affected accounts. Affected individuals have been notified by email.

(8/25) Kroll Employee SIM-Swapped for Crypto Investor Data – Krebs on Security


Attacks and threats

Report that Akira ransomware is using Cisco VPN devices as an intrusion vector

(8/22) Akira ransomware targets Cisco VPNs to breach organizations

There's mounting evidence that Akira ransomware targets Cisco VPN (virtual private network) products as an attack vector to breach corporate networks, steal, and eventually encrypt data.


Report that WinRAR vulnerability CVE-2023-38831 has been exploited in attacks since April this year

(8/23) Traders' dollars in danger: CVE-2023-38831 zero-day vulnerability in WinRAR exploited by cybercriminals to target traders | Group-IB Blog

On July 10, 2023, while researching the spread of DarkMe malware the Group-IB Threat Intelligence unit came across a previously unknown vulnerability in the processing of the ZIP file format by WinRAR. By exploiting a vulnerability within this program, threat actors were able to craft ZIP archives that serve as carriers for various malware families. Weaponized ZIP archives were distributed on trading forums. Once extracted and executed, the malware allows threat actors to withdraw money from broker accounts. This vulnerability has been exploited since April 2023.


Microsoft reports on the activity of the threat group Flax Typhoon

(8/24) Flax Typhoon using legitimate software to quietly access Taiwanese organizations | Microsoft Security Blog

Microsoft has identified a nation-state activity group tracked as Flax Typhoon, based in China, that is targeting dozens of organizations in Taiwan with the likely intention of performing espionage. Flax Typhoon gains and maintains long-term access to Taiwanese organizations’ networks with minimal use of malware, relying on tools built into the operating system, along with some normally benign software to quietly remain in these networks. Microsoft has not observed Flax Typhoon using this access to conduct additional actions. This blog aims to raise awareness of the techniques used by this threat actor and inform better defenses to protect against future attacks.


Cisco Talos reports on the activity of the threat group Lazarus

(8/24) Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT

  • Cisco Talos discovered the North Korean state-sponsored actor Lazarus Group targeting internet backbone infrastructure and healthcare entities in Europe and the United States. This is the third documented campaign attributed to this actor in less than a year, with the actor reusing the same infrastructure throughout these operations.
  • In this campaign, the attackers began exploiting a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) five days after PoCs for the exploit were publicly disclosed to deliver and deploy a newer malware threat we track as “QuiteRAT.” Security researchers first discovered this implant in February, but little has been written on it since then.
  • QuiteRAT has many of the same capabilities as Lazarus Group’s better-known MagicRAT malware, but its file size is significantly smaller. Both implants are built on the Qt framework and include capabilities such as arbitrary command execution.
  • Lazarus Group’s increasing use of the Qt framework creates challenges for defenders. It increases the complexity of the malware’s code, making human analysis more difficult compared to threats created using simpler programming languages such as C/C++, DOT NET, etc. Furthermore, since Qt is rarely used in malware development, machine learning and heuristic analysis detection against these types of threats are less reliable.

(8/24) Lazarus Group's infrastructure reuse leads to discovery of new malware


Vulnerabilities

Authentication bypass vulnerability in the Ivanti Sentry administrator interface (CVE-2023-38035)

(8/21) CVE-2023-38035 – API Authentication Bypass on Sentry Administrator Interface

A vulnerability has been discovered in Ivanti Sentry, formerly known as MobileIron Sentry. This vulnerability impacts versions 9.18 and prior. The vulnerability does not impact other Ivanti products, such as Ivanti EPMM or Ivanti Neurons for MDM.

If exploited, this vulnerability enables an unauthenticated actor to access some sensitive APIs that are used to configure the Ivanti Sentry on the administrator portal (port 8443, commonly MICS). While the issue has a high CVSS score, there is a low risk of exploitation for customers who do not expose port 8443 to the internet.

Successful exploitation can be used to change configuration, run system commands, or write files onto the system. Ivanti recommends that customers restrict access to MICS to internal management networks and not expose this to the internet.

As of now, we are only aware of a limited number of customers impacted by CVE-2023-38035.

(8/24) Ivanti Sentry Authentication Bypass CVE-2023-38035 Deep Dive – Horizon3.ai


Alert that Openfire vulnerability CVE-2023-32315 is being exploited in attacks

(8/22) Exploitation of Openfire CVE-2023-32315 - Blog - VulnCheck

This vulnerability has flown under the radar on the defensive side of the industry. CVE-2023-32315 has been exploited in the wild, but you won’t find it in the CISA KEV catalog. There has also been minimal discussion about indicators of compromise and very few detections (although to their credit, Ignite Realtime put out patches and a great mitigation guide back in May).

(6/19) Openfire CVE-2023-32315; what we know - Surevine

On 16th June 2023, the Openfire community became aware that this vulnerability had been exploited in unpatched installations ‘in the wild’ i.e. on production systems which are operated and maintained by users of Openfire. The earliest known date of exploitation was identified as 9th June 2023. The malicious actor used the vulnerability to create new admin console user accounts, which were then used to install a malicious Openfire plugin called ‘Product’. This plugin contains a remote web shell endpoint, which would allow an attacker to execute arbitrary commands and access any data on the server.


CISA adds 2+2 vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog

(8/22) CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA

  • CVE-2023-38035 Ivanti Sentry Authentication Bypass Vulnerability
  • CVE-2023-27532 Veeam Backup & Replication Cloud Connect Missing Authentication for Critical Function Vulnerability

(8/24) CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA


FBI warns that patching alone is insufficient for Barracuda ESG vulnerability CVE-2023-2868

(8/23) Suspected PRC Cyber Actors Continue to Globally Exploit Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868)

As a part of the FBI investigation into the exploitation of CVE-2023-2868, a zero-day vulnerability in Barracuda Network’s Email Security Gateway (ESG) appliances, the FBI has independently verified that all exploited ESG appliances, even those with patches pushed out by Barracuda, remain at risk for continued computer network compromise from suspected PRC cyber actors exploiting this vulnerability. For more details regarding malware found to date related to this exploit and learn more about Barracuda backdoors, please visit CISA Releases Malware Analysis Reports on Barracuda Backdoors. The cyber actors utilized this vulnerability to insert malicious payloads onto the ESG appliance with a variety of capabilities that enabled persistent access, email scanning, credential harvesting, and data exfiltration. The FBI strongly advises all affected ESG appliances be isolated and replaced immediately, and all networks scanned for connections to the provided list of indicators of compromise immediately.

(8/24) FBI warns of patched Barracuda ESG appliances still being hacked


Other

IPA publishes "Cyber Information Sharing Initiative (J-CSIP) Operational Status [April to June 2023]"

(8/22) Cyber Information Sharing Initiative (J-CSIP) Operational Status [April to June 2023]


Tor network introduces a PoW system for Onion services as a DoS countermeasure

(8/24) Introducing Proof-of-Work Defense for Onion Services | The Tor Project

Today, we are officially introducing a proof-of-work (PoW) defense for onion services designed to prioritize verified network traffic as a deterrent against denial of service (DoS) attacks with the release of Tor 0.4.8.

Tor's PoW defense is a dynamic and reactive mechanism, remaining dormant under normal use conditions to ensure a seamless user experience, but when an onion service is under stress, the mechanism will prompt incoming client connections to perform a number of successively more complex operations. The onion service will then prioritize these connections based on the effort level demonstrated by the client. We believe that the introduction of a proof-of-work mechanism will disincentivize attackers by making large-scale attacks costly and impractical while giving priority to legitimate traffic. Onion Services are encouraged to update to version 0.4.8.
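As an added illustration (not Tor's code; Tor 0.4.8 uses the Equi-X puzzle), here is a small Python model of the behaviour described above: a service that stays dormant while idle, raises a suggested effort once a backlog forms, verifies each client's proof with a single hash, and serves the highest-effort requests first. The SHA-256 puzzle, the backlog threshold and the effort-doubling rule are assumptions chosen for the model.

```python
import hashlib
import heapq
from itertools import count
from typing import Optional

# Constructed model of an effort-based PoW admission queue. Not Tor's implementation
# (Tor 0.4.8 uses the Equi-X puzzle); the puzzle here is SHA-256(seed || nonce), read
# as an integer, multiplied by the claimed effort, which must stay below 2**256, so a
# valid solution costs roughly `effort` hash evaluations on average.

MAX_HASH = 2 ** 256


def pow_ok(seed: bytes, nonce: int, effort: int) -> bool:
    """Service-side check: a single hash, regardless of how hard the client worked."""
    digest = hashlib.sha256(seed + nonce.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") * effort < MAX_HASH


def solve(seed: bytes, effort: int) -> int:
    """Client side: brute-force a nonce for the requested effort (~effort hashes)."""
    for nonce in count():
        if pow_ok(seed, nonce, effort):
            return nonce


class OnionServiceQueue:
    """Dormant while idle; under stress, serves the highest-effort requests first."""

    def __init__(self, seed: bytes, stress_threshold: int = 4):
        self.seed, self.threshold = seed, stress_threshold
        self.suggested_effort = 0  # 0 = defense dormant, no puzzle requested
        self._heap, self._seq = [], count()

    def submit(self, client: str, effort: int, nonce: int) -> bool:
        """Queue a request; reject one whose claimed effort does not verify."""
        if not pow_ok(self.seed, nonce, effort):
            return False
        heapq.heappush(self._heap, (-effort, next(self._seq), client))  # FIFO on ties
        if len(self._heap) > self.threshold:  # backlog building: ask for more work
            self.suggested_effort = max(1, self.suggested_effort * 2)
        return True

    def serve(self) -> Optional[str]:
        """Hand out the request with the most demonstrated effort; relax when drained."""
        if not self._heap:
            self.suggested_effort = 0  # backlog gone: back to dormant
            return None
        return heapq.heappop(self._heap)[2]
```

A flood of zero-effort requests only pushes the suggested effort up; a client that actually solves the puzzle is served ahead of the flood, while a forged effort claim is rejected at the cost of one hash.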