事件、事故

Microsoft がアクセス権の設定不備により 38TB の内部情報を誤って公開していた

(9/18) Microsoft mitigated exposure of internal information in a storage account due to overly-permissive SAS token | MSRC Blog | Microsoft Security Response Center

As part of a recent Coordinated Vulnerability Disclosure (CVD) report from Wiz.io, Microsoft investigated and remediated an incident involving a Microsoft employee who shared a URL for a blob store in a public GitHub repository while contributing to open-source AI learning models. This URL included an overly-permissive Shared Access Signature (SAS) token for an internal storage account. Security researchers at Wiz were then able to use this token to access information in the storage account. Data exposed in this storage account included backups of two former employees’ workstation profiles and internal Microsoft Teams messages of these two employees with their colleagues. No customer data was exposed, and no other internal services were put at risk because of this issue. No customer action is required in response to this issue. We are sharing the learnings and best practices below to inform our customers and help them avoid similar incidents in the future.

(9/18) 38TB of data accidentally exposed by Microsoft AI researchers | Wiz Blog

Wiz Research found a data exposure incident on Microsoft’s AI GitHub repository, including over 30,000 internal Microsoft Teams messages – all caused by one misconfigured SAS token

個人情報保護委員会が富士通 Japan および複数の地方自治体に対して行政指導

(9/20) コンビニ交付サービスにおける住民票等誤交付事案に対する個人情報の保護に関する法律に基づく行政上の対応について（令和５年９月20日）｜個人情報保護委員会

個人情報保護委員会は、本日、コンビニ交付サービスにおける住民票等誤交付事案に関し、富士通 Japan 株式会社に対し、個人情報の保護に関する法律（以下「個人情報保護法」という。）第 147 条に基づく指導等を行うとともに、足立区、川崎市及び宗像市に対し、個人情報保護法第 157 条に基づく指導を行いましたので、お知らせいたします。

個人情報保護委員会がデジタル庁と国税庁に対して行政指導

(9/20) 公金受取口座誤登録事案に対する特定の個人を識別するための番号の利用等に関する法律及び個人情報の保護に関する法律に基づく行政上の対応について（令和５年９月20日）｜個人情報保護委員会

個人情報保護委員会は、本日、公金受取口座の誤登録事案に関し、デジタル庁に対し、特定の個人を識別するための番号の利用等に関する法律第 33 条及び個人情報の保護に関する法律第 157 条に基づく指導等を行うとともに、国税庁に対し、特定の個人を識別するための番号の利用等に関する法律第 33 条に基づく指導を行いましたので、お知らせいたします。

攻撃、脅威

FBI と CISA が共同で Snatch ランサムウェアに関する注意喚起

(9/20) FBI and CISA Release Advisory on Snatch Ransomware | CISA

Today, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released joint Cybersecurity Advisory (CSA) #StopRansomware: Snatch Ransomware, which provides indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with the Snatch ransomware variant. FBI investigations identified these IOCs and TTPs as recently as June 1, 2023.

Akamai がホテル宿泊客を狙うフィッシングキャンペーンについて報告

(9/21) Unmasking a Sophisticated Phishing Campaign That Targets Hotel Guests | Akamai

(9/14) Stealing More Than Towels: The New InfoStealer Campaign Hitting Hotels and Travel Agencies - Perception Point

The Citizen Lab と Google が iPhone のゼロデイ脆弱性を悪用する攻撃活動について報告。Apple は該当する複数の脆弱性を 9/21 に修正

(9/22) PREDATOR IN THE WIRES: Ahmed Eltantawy Targeted with Predator Spyware After Announcing Presidential Ambitions - The Citizen Lab

During our investigation, we worked with Google’s Threat Analysis Group (TAG) to obtain an iPhone zero-day exploit chain (CVE-2023-41991, CVE-2023-41992, CVE-2023-41993) designed to install Predator on iOS versions through 16.6.1. We also obtained the first stage of the spyware, which has notable similarities to a sample of Cytrox’s Predator spyware we obtained in 2021. We attribute the spyware to Cytrox’s Predator spyware with high confidence.

(9/22) 0-days exploited by commercial surveillance vendor in Egypt

Last week Google’s Threat Analysis Group (TAG), in partnership with The Citizen Lab, discovered an in-the-wild 0-day exploit chain for iPhones. Developed by the commercial surveillance vendor, Intellexa, this exploit chain is used to install its Predator spyware surreptitiously onto a device.

In response, yesterday, Apple patched the bugs in iOS 16.7 and iOS 17.0.1 as CVE-2023-41991, CVE-2023-41992, CVE-2023-41993. This quick patching from Apple helps to better protect users and we encourage all iOS users to install them as soon as possible.

脆弱性

CISA が Known Exploited Vulnerabilities (KEV) カタログに 8+1+1 個の脆弱性を追加。また KEV カタログに登録された脆弱性が 1,000 に到達

(9/18) CISA Adds Eight Known Exploited Vulnerabilities to Catalog | CISA

CVE-2022-22265 Samsung Mobile Devices Use-After-Free Vulnerability

CVE-2014-8361 Realtek SDK Improper Input Validation Vulnerability

CVE-2017-6884 Zyxel EMG2926 Routers Command Injection Vulnerability

CVE-2021-3129 Laravel Ignition File Upload Vulnerability

CVE-2022-31459 Owl Labs Meeting Owl Inadequate Encryption Strength Vulnerability

CVE-2022-31461 Owl Labs Meeting Owl Missing Authentication for Critical Function Vulnerability

CVE-2022-31462 Owl Labs Meeting Owl Use of Hard-coded Credentials Vulnerability

CVE-2022-31463 Owl Labs Meeting Owl Improper Authentication Vulnerability