Security news of interest this week - Issue #134

Notes for recording the podcast.

podcast - #セキュリティのアレ - a laid-back security podcast.



Incidents and accidents

Internet shut down for four days in Gabon, Africa, following the presidential election

(8/26) Internet cut in Gabon on election day - NetBlocks

(8/28) Internet shutdown in Gabon continues into third day following national elections

(8/30) Coup in Gabon, Africa: military places the president under house arrest - BBC News


Confidential information taken out by a former employee at Oriental Air Bridge Co., Ltd.

(8/28) [Apology] Regarding the removal of internal company data by a former employee | ORIENTAL AIR BRIDGE CO.,LTD

(Reference) A summary of the unauthorized removal of aviation security information - piyolog


Management interfaces of Seiko Solutions' LTE routers (SkyBridge) defaced en masse; seen as part of protests against the release of treated water into the ocean

(8/29) [Reposted] Regarding vulnerabilities in and responses for SkyBridge MB-A100/110/200, the MB-A130 series and SkySpider MB-R210 | Seiko Solutions Inc.

(8/29) "A crime against all humanity: nuclear wastewater discharge" - Japanese routers hit by screen defacement: Asahi Shimbun Digital

(8/31) Alert regarding cyberattacks on Japanese companies stemming from the ocean release of treated water | LAC WATCH

(Reference) A summary of the defacement of domestic network devices reported to have affected 1,500 units - piyolog


Qakbot infrastructure taken down through cooperation between US and European law enforcement agencies, including the US Department of Justice

(8/29) Office of Public Affairs | Qakbot Malware Disrupted in International Cyber Takedown | United States Department of Justice

The Justice Department today announced a multinational operation involving actions in the United States, France, Germany, the Netherlands, the United Kingdom, Romania, and Latvia to disrupt the botnet and malware known as Qakbot and take down its infrastructure. The Qakbot malicious code is being deleted from victim computers, preventing it from doing any more harm. The Department also announced the seizure of approximately $8.6 million in cryptocurrency in illicit profits.

(8/29) Qakbot botnet infrastructure shattered after international operation | Europol

Europol has supported the coordination of a large-scale international operation that has taken down the infrastructure of the Qakbot malware and led to the seizure of nearly EUR 8 million in cryptocurrencies. The international investigation, also supported by Eurojust, involved judicial and law enforcement authorities from France, Germany, Latvia, The Netherlands, Romania, United Kingdom and the United States. Qakbot, operated by a group of organised cybercriminals, targeted critical infrastructure and businesses across multiple countries, stealing financial data and login credentials. Cybercriminals used this persistent malware to commit ransomware, fraud, and other cyber-enabled crimes.

(8/30) Identification and Disruption of QakBot Infrastructure | CISA

(8/29) Law Enforcement Takes Down Qakbot | Secureworks

(8/30) Troy Hunt: Data From The Qakbot Malware is Now Searchable in Have I Been Pwned, Courtesy of the FBI

(8/30) Qakbot Malware Takedown and Defending Forward


The Ministry of Internal Affairs and Communications (MIC) issues administrative guidance to Yahoo Japan Corporation

(8/30) MIC | Press release | Administrative guidance to Yahoo Japan Corporation

Yahoo Japan Corporation (hereinafter "Yahoo") had, for the purpose of developing and testing the Yahoo! JAPAN search engine technology, been providing search-related data to NAVER Corporation (hereinafter "NAVER") on a trial basis between Thursday, May 18, 2023 and Wednesday, July 26, 2023. It was found that, in doing so, Yahoo provided to NAVER, and let NAVER use, information that requires careful handling, namely location data and similar information (search queries and other data for approximately 7.56 million unique browsers, of which approximately 4.10 million unique browsers' worth included location data), without sufficiently notifying users in advance, and that sufficient security controls had not been applied to that location data.

(8/30) Regarding the guidance our company received from MIC - News - Yahoo Japan Corporation


Attacks and threats

Mandiant reports on attack activity exploiting the Barracuda ESG vulnerability (CVE-2023-2868)

(8/29) Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868) | Mandiant

Since Barracuda released a patch to ESG appliances on May 20, 2023, Mandiant and Barracuda have not identified evidence of successful exploitation of CVE-2023-2868 resulting in any newly compromised physical or virtual ESG appliances. Only a limited number of ESG appliances worldwide were compromised (5% of ESG appliances), and impacted customers have been notified to replace the appliances. No other Barracuda product, including Barracuda’s SaaS email solutions, were impacted by this vulnerability.

(Comment) This somewhat contradicts last week's FBI alert


Rapid7 reports on attack activity targeting Cisco ASA SSL VPNs

(8/29) Under Siege: Rapid7-Observed Exploitation of Cisco ASA SSL VPNs | Rapid7 Blog

Rapid7’s managed detection and response (MDR) teams have observed increased threat activity targeting Cisco ASA SSL VPN appliances (physical and virtual) dating back to at least March 2023. In some cases, adversaries have conducted credential stuffing attacks that leveraged weak or default passwords; in others, the activity we’ve observed appears to be the result of targeted brute-force attacks on ASA appliances where multi-factor authentication (MFA) was either not enabled or was not enforced for all users (i.e., via MFA bypass groups). Several incidents our managed services teams have responded to ended in ransomware deployment by the Akira and LockBit groups.
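The two patterns in the excerpt above (credential stuffing or password spraying from one source, and brute force that eventually succeeds against an account with no enforced MFA) are straightforward to catch in the appliance's own AAA syslog. The following is an added example, not code from Rapid7 or Cisco: it parses constructed lines modelled on the shape of Cisco ASA messages 113005/113015 (authentication rejected) and 113004/113012 (authentication successful) and raises three kinds of alert per source IP. The exact field layout of those messages varies by ASA version and AAA backend, so the regex and the presence of a `user IP` field are assumptions to adapt to real logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, NOT captured from a real appliance. Lines are modelled on
# Cisco ASA AAA syslog messages (%ASA-6-113015 / 113005 rejected, 113012 / 113004
# successful); the exact field layout is an assumption for this example.
SAMPLE_LOG = """\
Aug 29 2023 10:00:01 fw1 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.10
Aug 29 2023 10:00:03 fw1 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.10
Aug 29 2023 10:00:05 fw1 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.10
Aug 29 2023 10:00:07 fw1 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.10
Aug 29 2023 10:00:09 fw1 %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = admin : user IP = 203.0.113.10
Aug 29 2023 10:00:11 fw1 %ASA-6-113012: AAA user authentication Successful : local database : user = admin : user IP = 203.0.113.10
Aug 29 2023 10:02:00 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 198.51.100.7
Aug 29 2023 10:02:01 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = bob : user IP = 198.51.100.7
Aug 29 2023 10:02:02 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = carol : user IP = 198.51.100.7
Aug 29 2023 10:02:03 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = dave : user IP = 198.51.100.7
Aug 29 2023 10:05:00 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = jsmith : user IP = 192.0.2.5
Aug 29 2023 10:05:20 fw1 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = jsmith : user IP = 192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ "
    r"%ASA-\d-(?:113004|113005|113012|113015): "
    r"AAA user authentication (?P<result>Rejected|Successful) :.*?"
    r"user = (?P<user>\S+) : user IP = (?P<ip>\S+)"
)


def parse_line(line):
    """Return (timestamp, success, user, source_ip) for an AAA auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
    return ts, m["result"] == "Successful", m["user"], m["ip"]


def detect(log_text, window=timedelta(minutes=5), fail_threshold=5, spray_threshold=3):
    """Flag, per source IP, the patterns described in the Rapid7 excerpt:
    - brute_force: >= fail_threshold rejects inside the sliding window
    - password_spray: rejects for >= spray_threshold distinct users inside the window
    - success_after_failures: a successful login from an IP already flagged above,
      the case that matters most when MFA is not enforced for that account
    Returns a sorted list of (alert_type, source_ip, detail) tuples."""
    events = sorted(e for e in (parse_line(l) for l in log_text.splitlines()) if e)
    failures = defaultdict(list)  # ip -> [(ts, user)] rejects still inside the window
    alerts = {}                   # (alert_type, ip) -> detail; dedups repeated hits
    for ts, ok, user, ip in events:
        recent = [(t, u) for t, u in failures[ip] if ts - t <= window]
        if ok:
            if any(key[1] == ip for key in alerts):
                alerts[("success_after_failures", ip)] = user
            failures[ip] = recent
            continue
        recent.append((ts, user))
        failures[ip] = recent
        if len(recent) >= fail_threshold:
            alerts[("brute_force", ip)] = f"{len(recent)} rejects in {window}"
        distinct = {u for _, u in recent}
        if len(distinct) >= spray_threshold:
            alerts[("password_spray", ip)] = ",".join(sorted(distinct))
    return sorted((kind, ip, detail) for (kind, ip), detail in alerts.items())


if __name__ == "__main__":
    for kind, ip, detail in detect(SAMPLE_LOG):
        print(f"{kind:24} {ip:16} {detail}")
```

On the constructed sample this reports a brute-force run from 203.0.113.10 that ends in a successful `admin` login, and a spray across four usernames from 198.51.100.7; the single typo-then-success from 192.0.2.5 is left alone. The `success_after_failures` alert is the one worth paging on, since it is exactly the outcome the excerpt ties to the Akira and LockBit incidents.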


Trend Micro reports on attack activity by the threat group Earth Estries

(8/30) Earth Estries Targets Government, Tech for Cyberespionage

Earlier this year, we discovered a new cyberespionage campaign by a hacker group we named Earth Estries. Based on our observations, Earth Estries has been active since at least 2020. We also found some overlaps between the tactics, techniques, and procedures (TTPs) used by Earth Estries and those used by another advanced persistent threat (APT) group, FamousSparrow.


ReversingLabs reports on the VMConnect supply chain attack campaign, which it links to North Korea's Lazarus Group

(8/31) VMConnect supply chain attack continues, evidence points to North Korea

ReversingLabs researchers discovered more packages that are part of the previously identified VMConnect campaign, as well as evidence linking the campaign to North Korea's Lazarus Group.


NCSC-UK, CISA and the other Five Eyes agencies jointly publish a report on the Infamous Chisel malware

(8/31) CISA and International Partners Release Malware Analysis Report on Infamous Chisel Mobile Malware | CISA

Infamous Chisel is a collection of components targeting Android devices that the authoring organizations have attributed to Sandworm, the Russian Main Intelligence Directorate’s (GRU’s) Main Centre for Special Technologies, GTsST. The malware’s capability includes network monitoring, traffic collection, network backdoor access via The Onion Router (Tor) and Secure Shell (SSH), network scanning, and Secure Copy Protocol (SCP) file transfer.

(8/31) Infamous Chisel Malware Analysis Report | CISA

(8/31) UK and allies support Ukraine calling out Russia's GRU for... - NCSC.GOV.UK


Vulnerabilities

Multiple remote code execution vulnerabilities in Juniper Networks SRX and EX series. PoC code has been published and exploitation in the wild has been observed.

(8/17) 2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution

Multiple vulnerabilities in the J-Web component of Juniper Networks Junos OS on SRX Series and EX Series have been resolved through the application of specific fixes to address each vulnerability.

By chaining exploitation of these vulnerabilities, an unauthenticated, network-based attacker may be able to remotely execute code on the devices.

(8/25) CVE-2023-36844 And Friends: RCE In Juniper Devices

(8/29) Hackers exploit critical Juniper RCE bug chain after PoC release


Authentication bypass vulnerability in VMware Aria Operations for Networks that allows remote code execution (CVE-2023-34039). PoC code has also been published.

(8/29) VMSA-2023-0018

Aria Operations for Networks contains an Authentication Bypass vulnerability due to a lack of unique cryptographic key generation. VMware has evaluated the severity of this issue to be in the critical severity range with a maximum CVSSv3 base score of 9.8.

(9/1) VMWare Aria Operations for Networks Static SSH key RCE
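The advisory's root cause, "lack of unique cryptographic key generation", means the same SSH key material is accepted on every installed appliance, so anyone who has extracted it from one image can log in to all of them. The check a practitioner would run across a fleet is therefore to fingerprint every authorized key on every host and flag any key that appears on more than one. The block below is an added example, not code from VMware or from the linked write-up; host names, key blobs and comments are constructed, and no key from the advisory is included.

```python
import base64
import hashlib
from collections import defaultdict


def fingerprint(key_line):
    """OpenSSH-style 'SHA256:...' fingerprint of one authorized_keys / .pub line.
    A leading options field (e.g. command="...") is skipped by locating the key-type
    token rather than assuming it is the first field."""
    fields = key_line.split()
    for i, tok in enumerate(fields):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
            blob = base64.b64decode(fields[i + 1])
            digest = hashlib.sha256(blob).digest()
            # ssh-keygen prints the base64 digest without '=' padding
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("not an OpenSSH public key line")


def find_shared_keys(fleet):
    """fleet: {host: [authorized_keys lines]}.
    Returns {fingerprint: sorted hosts} for every key trusted by more than one host,
    which is the condition the VMSA describes (one static key across all appliances)."""
    seen = defaultdict(set)
    for host, lines in fleet.items():
        for line in lines:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            seen[fingerprint(line)].add(host)
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}


def _fake_ed25519(seed):
    """Constructed key blob in OpenSSH wire format (string 'ssh-ed25519' + 32 bytes).
    The 32 bytes are deterministic filler, not a real key; only the encoding matters."""
    def sshstr(b):
        return len(b).to_bytes(4, "big") + b
    return base64.b64encode(sshstr(b"ssh-ed25519") + sshstr(bytes([seed]) * 32)).decode()


# Constructed fleet (assumed host names): the same "support" key baked into two
# appliance images, plus one per-instance operator key on each host.
SAMPLE_FLEET = {
    "aria-01": [
        "ssh-ed25519 " + _fake_ed25519(1) + " support@vendor-image",
        "ssh-ed25519 " + _fake_ed25519(2) + " ops@aria-01",
    ],
    "aria-02": [
        "# keys installed at build time",
        'command="/bin/sh" ssh-ed25519 ' + _fake_ed25519(1) + " support@vendor-image",
        "ssh-ed25519 " + _fake_ed25519(3) + " ops@aria-02",
    ],
}


if __name__ == "__main__":
    for fp, hosts in find_shared_keys(SAMPLE_FLEET).items():
        print(f"{fp} trusted on {', '.join(hosts)}  <- static key, rotate")
```

Only the baked-in `support` key is reported; the per-host `ops` keys each appear once. The same fingerprinting applies to host keys under `/etc/ssh` (a shared host key lets an attacker impersonate any appliance to its peers), so in practice both `authorized_keys` and `ssh_host_*_key.pub` files are collected from each host and fed through `find_shared_keys`.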


Other

Trend Micro publishes its "Password Usage Survey 2023"

(8/31) Password Usage Survey 2023 | Trend Micro

Of web service users (n=1,030), 83.8% (863 people) were found to reuse passwords across multiple web services (Figure 1). The 2020 survey also showed that 85.7% reused passwords; while a slight downward trend can be seen, the situation is that many users still reuse passwords.