Notes for the podcast recording.
podcast - #セキュリティのアレ - a laid-back security podcast.
Incidents and accidents
Information leak at the National Institute for Environmental Studies (NIES) caused by unauthorized access to its online storage service (Proself)
(10/30) Unauthorized access to online storage service | FY2023 | National Institute for Environmental Studies
The sequence of events in this incident at the National Institute for Environmental Studies and the measures taken are as follows.
Canadian government bans WeChat and Kaspersky products on government-issued mobile devices
(11/2) Canadian government bans use of "WeChat" and "Kaspersky" on government devices (China, Canada, Russia) | Business Short News - JETRO Overseas News - JETRO
(11/2) China objects to Canada's WeChat ban, calls for a fair, just and non-discriminatory business environment (China, Canada) | Business Short News - JETRO Overseas News - JETRO
Okta reports the findings of its investigation into unauthorized access to its support system
On Thursday, October 19, Okta advised customers of a security incident. Having finalized our investigation, we can confirm that from September 28, 2023 to October 17, 2023, a threat actor gained unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers, or less than 1% of Okta customers. Some of these files were HAR files that contained session tokens which could in turn be used for session hijacking attacks. The threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers, 3 of whom have shared their own response to this event.
The unauthorized access to Okta’s customer support system leveraged a service account stored in the system itself. This service account was granted permissions to view and update customer support cases. During our investigation into suspicious use of this account, Okta Security identified that an employee had signed in to their personal Google profile on the Chrome browser of their Okta-managed laptop. The username and password of the service account had been saved into the employee’s personal Google account. The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device.
Attacks and threats
Coveware publishes its Q3 2023 ransomware report
(10/30) Scattered Ransomware Attribution Blurs Focus on IR Fundamentals
The proportion of ransomware victims that opted to pay in Q3 2023 jumped up slightly, from 34% in Q2 to 41% in Q3. We do not believe this is the start of a new upward trend, rather normal swings that will occur in the current range of outcomes we observe.
Mandiant reports on attack activity exploiting a Citrix NetScaler vulnerability (CVE-2023-4966)
On Oct. 10, 2023, Citrix released a security bulletin for a sensitive information disclosure vulnerability (CVE-2023-4966) impacting NetScaler ADC and NetScaler Gateway appliances.
Mandiant has identified zero-day exploitation of this vulnerability in the wild beginning in late August 2023 as well as n-day exploitation after Citrix’s publication. Mandiant is investigating multiple instances of successful exploitation of CVE-2023-4966 that resulted in the takeover of legitimate user sessions on NetScaler ADC and Gateway appliances. The session takeovers bypassed password and multi-factor authentication.
In this blog post, we will discuss artifacts that can be used to identify exploitation activity and highlight some of the post exploitation techniques we observed during the incident response investigations.
ESET reports on the activity status of the Mozi botnet
(11/1) Who killed Mozi? Finally putting the IoT zombie botnet in its grave
In August 2023, the notorious Mozi botnet, infamous for exploiting vulnerabilities in hundreds of thousands of IoT devices each year, experienced a sudden and unanticipated nosedive in activity. First observed in India on August 8th, 2023 and a week later in China on August 16th, this mysterious disappearance stripped Mozi bots of most of their functionality.
50 countries and organizations, including Japan, take part in the Counter Ransomware Initiative meeting and issue a joint statement
(11/1) International Counter Ransomware Initiative 2023 Joint Statement | The White House
(11/2) Participation in the "Counter Ransomware Initiative" meeting
Vulnerabilities
Remote code execution vulnerability in Apache ActiveMQ (CVE-2023-46604); exploitation has also been confirmed.
(10/25) activemq.apache.org/security-advisories.data/CVE-2023-46604
(11/1) Suspected Exploitation of Apache ActiveMQ CVE-2023-46604 | Rapid7 Blog
Beginning Friday, October 27, Rapid7 Managed Detection and Response (MDR) identified suspected exploitation of Apache ActiveMQ CVE-2023-46604 in two different customer environments. In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations. Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October. Rapid7 observed similar indicators of compromise across the affected customer environments, both of which were running outdated versions of Apache ActiveMQ.
(11/2) Critical Vulnerability: Exploitation of Apache ActiveMQ CVE-2023-46604
A partner recently deployed Huntress agents on October 30, 2023, after experiencing a “HelloKitty” ransomware attack on October 27. This ransomware attack closely followed what was described by Rapid7 in their blog post on November 1, titled Suspected Exploitation of Apache ActiveMQ CVE-2023-46604.
Proof of concept published for the Cisco IOS XE vulnerability (CVE-2023-20198)
(10/30) Cisco IOS XE CVE-2023-20198: Deep Dive and POC – Horizon3.ai
Vulnerability in Atlassian Confluence (CVE-2023-22518)
As part of Atlassian's ongoing monitoring of this CVE, we observed publicly posted critical information about the vulnerability which increases risk of exploitation. There are still no reports of an active exploit, though customers must take immediate action to protect their instances. If you already applied the patch, no further action is required.
(11/2) Atlassian Confluence Server (CVE-2023-22518) - Improper Authorization
(11/2) Atlassian warns of exploit for Confluence data wiping bug, get patching
CISA adds 2+1 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog
(10/31) CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA
- CVE-2023-46747 F5 BIG-IP Authentication Bypass Vulnerability
- CVE-2023-46748 F5 BIG-IP SQL Injection Vulnerability
(11/2) CISA Adds One Known Exploited Vulnerability to Catalog | CISA
- CVE-2023-46604 Apache ActiveMQ Deserialization of Untrusted Data Vulnerability
CVSS v4.0 officially released
(11/2) CVSS v4 Is Now Live and What You Need To Know About It | Qualys Security Blog
The CVSS Special Interest Group is proud to announce the official release of CVSS v4.0 - https://t.co/xxaoQ2iMjF. This latest version of CVSS seeks to provide all users with the highest fidelity vulnerability assessment. #FIRSTdotOrg #CVSS #BuildingTrust #PSIRT #CSIRT pic.twitter.com/uhyeqs8lSh
— FIRST.org (@FIRSTdotOrg) November 1, 2023
Other
HTTPS auto-upgrade is enabled by default starting with Chrome 118, released on 10/16
(10/30) Google Chrome now auto-upgrades to secure connections for all users
(11/1) Chrome now issues a 307 redirect to prefer HTTPS regardless of HSTS - Code Day's Night