Security News of Interest This Week - Issue #141

These are notes for the podcast recording.

podcast - #セキュリティのアレ - a laid-back security podcast.



Incidents and accidents

At NTT Business Solutions, a former temporary employee who had worked on system operation and maintenance was found to have taken large volumes of customer information over a long period

(10/17) Regarding the improper leakage of customer information by a former temporary employee dispatched to NTT Business Solutions (Apology) - Announcements | NTT Marketing Act ProCX

It has come to light that at NTT Business Solutions Corporation (hereafter NTT Business Solutions), which handles the operation and maintenance of the call center system used by our company (NTT Marketing Act ProCX Corporation), a person engaged in the operation and maintenance of that system (a former temporary employee dispatched to NTT Business Solutions) improperly took customer information and leaked it to a third party.

(10/17) Regarding the improper leakage of customer information by a former temporary employee dispatched to NTT Business Solutions (Apology) | News Releases | NTT Business Solutions

(Reference) Summary of the improper removal of customer information by a former temporary employee of NTT Business Solutions - piyolog


Unauthorized access to the systems of "ClassPad.net", an ICT education app provided by Casio Computer, leaked a large volume of customer information. Local governments in Japan were also affected

(10/18) Apology and Report Regarding the Leakage of Personal Information Due to Unauthorized Access | CASIO

A cyberattack was carried out from outside against the database of the development environment of "ClassPad.net", which our company manages and operates, and as a result the personal information of some customers in Japan and overseas contained in that database was leaked. We have confirmed that there are no signs of intrusion anywhere other than the development environment database.


Unauthorized access to Okta's support team led to the authentication tokens of multiple customers being stolen and abused

(10/20) Tracking Unauthorized Access to Okta's Support System | Okta Security

Within the course of normal business, Okta support will ask customers to upload an HTTP Archive (HAR) file, which allows for troubleshooting of issues by replicating browser activity. HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users. Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens. In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it.

(10/20) BeyondTrust Discovers Breach of Okta Support Unit | BeyondTrust

On October 2nd, 2023, the BeyondTrust security teams detected an identity-centric attack on an in-house Okta administrator account. We immediately detected and remediated the attack through our own Identity Security tools, resulting in no impact or exposure to BeyondTrust’s infrastructure or to our customers. The incident was the result of Okta’s support system being compromised which allowed an attacker to access sensitive files uploaded by their customers.

(10/20) How Cloudflare mitigated yet another Okta compromise

On Wednesday, October 18, 2023, we discovered attacks on our system that we were able to trace back to Okta – threat actors were able to leverage an authentication token compromised at Okta to pivot into Cloudflare’s Okta instance. While this was a troubling security incident, our Security Incident Response Team’s (SIRT) real-time detection and prompt response enabled containment and minimized the impact to Cloudflare systems and data. We have verified that no Cloudflare customer information or systems were impacted by this event because of our rapid response. Okta has now released a public statement about this incident.

(10/20) Hackers Stole Access Tokens from Okta’s Support Unit – Krebs on Security
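Okta's statement above recommends sanitizing credentials and cookies/session tokens in a HAR file before sharing it with support. The script below is an added example for these notes, not Okta's own sanitizer or code from any of the linked posts. It walks the standard HAR 1.2 structure (log.entries[].request/response), redacts the Cookie/Set-Cookie/Authorization header values, every cookie value, token-like query and form parameters, and token-like keys inside JSON request or response bodies, and reports how many values it touched so the uploader can sanity-check the result. The sample HAR and all secret values in it are constructed for the example; the header and parameter name lists are an assumption that a practitioner should extend for their own environment.

```python
import copy
import json
import re

# Header names whose values carry credentials or session material (case-insensitive).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
# Query/body/JSON parameter names that commonly carry tokens or secrets (assumed list; extend as needed).
SENSITIVE_PARAMS = {"access_token", "id_token", "refresh_token", "token", "code",
                    "client_secret", "password", "sessiontoken"}
REDACTED = "[REDACTED]"

# Matches name=value pairs in URLs and form bodies for the sensitive parameter names.
_FORM_RE = re.compile(r"(?i)\b(" + "|".join(map(re.escape, sorted(SENSITIVE_PARAMS))) + r")=([^&\s]+)")


def _redact_pairs(pairs, names):
    """Redact the 'value' of HAR name/value objects whose name is in `names`; returns count."""
    n = 0
    for item in pairs or []:
        if item.get("name", "").lower() in names and item.get("value") not in (None, "", REDACTED):
            item["value"] = REDACTED
            n += 1
    return n


def _redact_json(obj):
    """Recursively redact sensitive keys in a parsed JSON body; returns count."""
    n = 0
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k.lower() in SENSITIVE_PARAMS and isinstance(v, str) and v and v != REDACTED:
                obj[k] = REDACTED
                n += 1
            else:
                n += _redact_json(v)
    elif isinstance(obj, list):
        for v in obj:
            n += _redact_json(v)
    return n


def _redact_text(text):
    """Redact a body or URL string: JSON bodies by key, anything else as name=value pairs."""
    try:
        body = json.loads(text)
    except (ValueError, TypeError):
        n = 0

        def sub(m):
            nonlocal n
            if m.group(2) == REDACTED:      # already sanitized, keep idempotent
                return m.group(0)
            n += 1
            return f"{m.group(1)}={REDACTED}"
        return _FORM_RE.sub(sub, text), n
    if not isinstance(body, (dict, list)):
        return text, 0
    n = _redact_json(body)
    return (json.dumps(body) if n else text), n


def sanitize_har(har):
    """Return (sanitized deep copy, number of redacted values). The input is left untouched."""
    out = copy.deepcopy(har)
    n = 0
    for entry in out.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        resp = entry.get("response", {})
        n += _redact_pairs(req.get("headers"), SENSITIVE_HEADERS)
        n += _redact_pairs(resp.get("headers"), SENSITIVE_HEADERS)
        # Cookie objects: every cookie value is treated as session material.
        for c in req.get("cookies", []) + resp.get("cookies", []):
            if c.get("value") not in (None, "", REDACTED):
                c["value"] = REDACTED
                n += 1
        n += _redact_pairs(req.get("queryString"), SENSITIVE_PARAMS)
        if "url" in req:                      # the raw URL string duplicates queryString
            req["url"], k = _redact_text(req["url"])
            n += k
        post = req.get("postData", {})
        n += _redact_pairs(post.get("params"), SENSITIVE_PARAMS)
        if "text" in post:
            post["text"], k = _redact_text(post["text"])
            n += k
        content = resp.get("content", {})
        if "text" in content:
            content["text"], k = _redact_text(content["text"])
            n += k
    return out, n


def contains_marker(har, marker):
    """True if `marker` still appears anywhere in the serialized HAR (used to verify sanitizing)."""
    return marker in json.dumps(har)


# Constructed sample HAR (not a real capture); every secret carries the CONSTRUCTED marker.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST",
        "url": "https://tenant.example.test/oauth2/v1/token?client_id=abc&code=CONSTRUCTED_CODE",
        "headers": [{"name": "Cookie", "value": "sid=CONSTRUCTED_SESSION_ID"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "CONSTRUCTED_SESSION_ID"}],
        "queryString": [{"name": "client_id", "value": "abc"}, {"name": "code", "value": "CONSTRUCTED_CODE"}],
        "postData": {"mimeType": "application/x-www-form-urlencoded",
                     "text": "grant_type=authorization_code&code=CONSTRUCTED_CODE"}},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=CONSTRUCTED_NEW_SID; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "CONSTRUCTED_NEW_SID"}],
        "content": {"mimeType": "application/json",
                    "text": json.dumps({"token_type": "Bearer", "access_token": "CONSTRUCTED_AT",
                                        "id_token": "CONSTRUCTED_IDT"})}}}]}}

if __name__ == "__main__":
    clean, count = sanitize_har(SAMPLE_HAR)
    print(f"redacted {count} values; marker still present: {contains_marker(clean, 'CONSTRUCTED')}")
```

Running the script on the constructed sample redacts nine values and leaves no CONSTRUCTED marker behind; a second pass over the output redacts nothing, which is the property to check before trusting the tool on a real capture. Response bodies are included deliberately: a token endpoint's JSON reply is exactly where access and ID tokens live, and a sanitizer that only strips headers would miss them.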


With the cooperation of Europol and law enforcement agencies from many countries, the Ragnar Locker ransomware group was taken down

(10/21) Ragnar Locker ransomware gang taken down by international police swoop | Europol

In an action carried out between 16 and 20 October, searches were conducted in Czechia, Spain and Latvia. The “key target” of this malicious ransomware strain was arrested in Paris, France, on 16 October, and his home in Czechia was searched. Five suspects were interviewed in Spain and Latvia in the following days. At the end of the action week, the main perpetrator, suspected of being a developer of the Ragnar group, has been brought in front of the examining magistrates of the Paris Judicial Court.

The ransomware’s infrastructure was also seized in the Netherlands, Germany and Sweden and the associated data leak website on Tor was taken down in Sweden.

This international sweep follows a complex investigation led by the French National Gendarmerie, together with law enforcement authorities from Czechia, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, Ukraine and the United States of America.

(10/21) Authorities confirm RagnarLocker ransomware taken down during international sting | TechCrunch


Attacks and threats

CISA and others jointly warn about attack activity exploiting the Atlassian Confluence vulnerability CVE-2023-22515

(10/16) Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for Initial Access to Networks | CISA

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-22515. This recently disclosed vulnerability affects certain versions of Atlassian Confluence Data Center and Server, enabling malicious cyber threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administrator accounts. Threat actors exploited CVE-2023-22515 as a zero-day to obtain access to victim systems and continue active exploitation post-patch. Atlassian has rated this vulnerability as critical; CISA, FBI, and MS-ISAC expect widespread, continued exploitation due to ease of exploitation.


Mandiant reports that it had observed attacks since August exploiting the Citrix NetScaler vulnerability CVE-2023-4966, which was fixed this month

(10/17) Remediation for Citrix NetScaler ADC and Gateway Vulnerability (CVE-2023-4966) | Mandiant

On Oct. 10, 2023, Citrix released a security bulletin for a sensitive information disclosure vulnerability (CVE-2023-4966) impacting NetScaler ADC and NetScaler Gateway appliances.

Mandiant has identified zero-day exploitation of this vulnerability in the wild beginning in late August 2023. Successful exploitation could result in the ability to hijack existing authenticated sessions, therefore bypassing multifactor authentication or other strong authentication requirements. These sessions may persist after the update to mitigate CVE-2023-4966 has been deployed. Additionally, we have observed session hijacking where session data was stolen prior to the patch deployment, and subsequently used by a threat actor.

(10/20) Alert regarding the vulnerability in Citrix ADC and Citrix Gateway (CVE-2023-4966)


Microsoft reports on the activity of North Korean threat groups exploiting the JetBrains TeamCity vulnerability CVE-2023-42793

(10/18) Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability | Microsoft Security Blog

Since early October 2023, Microsoft has observed two North Korean nation-state threat actors – Diamond Sleet and Onyx Sleet – exploiting CVE-2023-42793, a remote-code execution vulnerability affecting multiple versions of JetBrains TeamCity server. TeamCity is a continuous integration/continuous deployment (CI/CD) application used by organizations for DevOps and other software development activities.


CISA and others jointly publish phishing prevention guidance

(10/18) CISA, NSA, FBI, and MS-ISAC Release Phishing Prevention Guidance | CISA

Today, the Cybersecurity Infrastructure and Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint guide, Phishing Guidance: Stopping the Attack Cycle at Phase One. The joint guide outlines phishing techniques malicious actors commonly use and provides guidance for both network defenders and software manufacturers to reduce the impact of phishing techniques used in obtaining credentials and deploying malware.

(10/18) Phishing Guidance: Stopping the Attack Cycle at Phase One | CISA


Vulnerabilities

Zero-day vulnerability in Cisco IOS XE; exploitation has already been confirmed

(10/16) Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature

Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in IOS-XE. A fix has been identified and the build, test, and release process has been initiated. The first fixed software releases are estimated to post on Cisco Software Download Center on Sunday, 22 October 2023.

Our investigation has determined that the actors exploited two previously unknown issues.

The attacker first exploited CVE-2023-20198 to gain initial access and issued a privilege 15 command to create a local user and password combination. This allowed the user to log in with normal user access.

The attacker then exploited another component of the web UI feature, leveraging the new local user to elevate privilege to root and write the implant to the file system. Cisco has assigned CVE-2023-20273 to this issue.

(10/16) Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerabilities

(10/17) CVE-2023-20198 - Cisco IOS-XE ZeroDay - Censys

  • On October 19th, the number of compromised Cisco devices has ebbed to 36,541, over 5,000 fewer than 24 hours ago.
  • On October 18th, we have seen an increase in the number of infections from 34,140 to 41,983 hosts.
  • On October 16, Cisco released an advisory regarding a critical zero day privilege escalation vulnerability in their IOS XE Web UI software
  • This vulnerability, tracked as CVE-2023-20198, has already been used to exploit tens of thousands of devices to install a backdoor
  • As of this post, Censys researchers observe 34,140 devices that appear to have the backdoor installed

(10/18) Unpacking CVE-2023-20198: A Critical Weakness In Cisco IOS XE

(10/18) Threat Brief: Cisco IOS XE Web UI Privilege Escalation Vulnerability (Updated)

(10/18) Alert regarding the privilege escalation vulnerability in the Cisco IOS XE Web UI (CVE-2023-20198)

(10/20) CISA Releases Guidance for Addressing Cisco IOS XE Web UI Vulnerabilities | CISA

(Reference) Summary of the Cisco IOS XE vulnerability CVE-2023-20198 - piyolog
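Cisco's update above says the attacker used CVE-2023-20198 to issue a privilege 15 command that created a local user, then abused the web UI feature from that account. A cheap defender-side check that follows from this is to diff the privilege-15 local users in `show running-config` against a known baseline and to confirm whether the HTTP server feature behind the web UI is still enabled. The script below is an added example for these notes, not Cisco's own tooling or anything from the linked advisories; it assumes the running-config text has already been collected from the device (for instance over SSH) and that `ip http server` / `ip http secure-server` are the lines that enable the web UI, which is how IOS XE configures it. The sample configuration, hostnames, usernames and hashes are all constructed.

```python
import re

# Constructed sample of `show running-config` output (not taken from any real device).
SAMPLE_RUNNING_CONFIG = """\
hostname edge-router-1
!
username netops privilege 15 secret 9 $9$CONSTRUCTED_HASH_1
username svc_backup privilege 15 secret 9 $9$CONSTRUCTED_HASH_2
username monitor privilege 1 secret 9 $9$CONSTRUCTED_HASH_3
username legacy secret 9 $9$CONSTRUCTED_HASH_4
!
ip http server
ip http secure-server
!
line vty 0 4
 transport input ssh
!
"""

# `username <name> [privilege <n>] ...`; IOS defaults the privilege level to 1 when omitted.
USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?", re.M)
# Either line enables the IOS XE web UI; a leading `no ` (disabled) must not match.
HTTP_RE = re.compile(r"^ip http (secure-)?server\s*$", re.M)


def local_users(config):
    """Return {username: privilege level} parsed from running-config text."""
    return {m.group(1): int(m.group(2) or 1) for m in USERNAME_RE.finditer(config)}


def web_ui_enabled(config):
    """True if the HTTP or HTTPS server feature (the web UI) is configured on."""
    return bool(HTTP_RE.search(config))


def audit(config, baseline_users):
    """Flag privilege-15 users missing from the baseline allowlist and report web UI state.

    baseline_users: set of usernames that are expected to hold privilege 15 on this device.
    """
    users = local_users(config)
    unexpected = sorted(u for u, p in users.items() if p == 15 and u not in baseline_users)
    return {
        "unexpected_priv15_users": unexpected,
        "web_ui_enabled": web_ui_enabled(config),
        "all_users": users,
    }


if __name__ == "__main__":
    # Baseline for the constructed device: only `netops` is supposed to have privilege 15.
    result = audit(SAMPLE_RUNNING_CONFIG, {"netops"})
    for user in result["unexpected_priv15_users"]:
        print(f"ALERT: unexpected privilege-15 local user: {user}")
    print(f"web UI enabled: {result['web_ui_enabled']}")
```

On the constructed config this flags `svc_backup` as an unexpected privilege-15 account and reports that the web UI is enabled. The baseline is the important part: the check only works if it is built from a config snapshot taken before the exposure window, and any account it flags is a lead to investigate against the linked advisories rather than proof on its own.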


CISA adds 1+2 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog

(10/16) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

(10/19) CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA


Other