Security news of the week that caught my eye - Issue #143

These are my notes for recording the podcast.

Podcast: #セキュリティのアレ, a laid-back security podcast.



Incidents and accidents

Information leak at the National Institute for Environmental Studies (NIES) through unauthorized access to its online storage service (Proself)

(10/30) Unauthorized access to an online storage service | FY2023 | National Institute for Environmental Studies

 The timeline of this incident at NIES and the measures taken are as follows.

  • October 5: Traces of unauthorized access to Proself were discovered. The affected server was taken out of service the same day.
  • October 10: The investigation confirmed that a vulnerability had been exploited to steal the account list and password hashes, that this information was then used to log in without authorization, and that some files had been accessed. (Reported to the Personal Information Protection Commission the same day.)


Canadian government bans WeChat and Kaspersky products on government-issued mobile devices

(10/30) Minister Anand announces a ban on the use of WeChat and Kaspersky suite of applications on government mobile devices - Canada.ca

(11/2) Canadian government bans use of WeChat and Kaspersky on government devices (China, Canada, Russia) | Business Brief, JETRO overseas news - JETRO

(11/2) China objects to Canada's WeChat ban, calls for a fair, just and non-discriminatory business environment (China, Canada) | Business Brief, JETRO overseas news - JETRO


Okta reports the findings of its investigation into unauthorized access to its support system

(11/3) Unauthorized Access to Okta's Support Case Management System: Root Cause and Remediation | Okta Security

On Thursday, October 19, Okta advised customers of a security incident. Having finalized our investigation, we can confirm that from September 28, 2023 to October 17, 2023, a threat actor gained unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers, or less than 1% of Okta customers. Some of these files were HAR files that contained session tokens which could in turn be used for session hijacking attacks. The threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers, 3 of whom have shared their own response to this event.

The unauthorized access to Okta’s customer support system leveraged a service account stored in the system itself. This service account was granted permissions to view and update customer support cases. During our investigation into suspicious use of this account, Okta Security identified that an employee had signed-in to their personal Google profile on the Chrome browser of their Okta-managed laptop. The username and password of the service account had been saved into the employee’s personal Google account. The most likely avenue for exposure of this credential is the compromise of the employee’s personal Google account or personal device.
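The Okta write-up above turns on a detail that is easy to overlook: a HAR file records complete request and response headers, so a browser trace uploaded to a support case carries live cookies and bearer tokens unless someone strips them first. The following is an added example (not Okta's tooling or code from the post) of a small sanitizer that redacts session-bearing headers, cookies and query parameters from a HAR file before it leaves the machine, plus a scan function that checks the result so you do not have to trust the redaction blindly. The header names, the parameter-name hints and the sample HAR are assumptions constructed for the demo.

```python
"""Redact session-bearing values from a HAR file before sharing it for support.

Added example, not Okta's or any vendor's tool. The sensitive-header set and the
parameter-name hints are assumptions for the demo; extend them for your own stack.
"""
import copy
import json
import sys
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Header names whose values carry credentials or session state (lower-case). Assumption.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
# Substrings that mark a query or form parameter as session-bearing. Assumption.
SENSITIVE_PARAM_HINTS = ("token", "session", "sid", "auth")


def is_sensitive_header(name: str) -> bool:
    return name.lower() in SENSITIVE_HEADERS


def is_sensitive_param(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SENSITIVE_PARAM_HINTS)


def _redact(items: list, predicate) -> int:
    """Overwrite 'value' on every {name, value} item matching predicate; return count."""
    count = 0
    for item in items:
        if item.get("value") != REDACTED and predicate(item.get("name", "")):
            item["value"] = REDACTED
            count += 1
    return count


def _redact_url(url: str) -> tuple:
    """Redact sensitive query parameters inside the raw URL string itself."""
    parts = urlsplit(url)
    cleaned, count = [], 0
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if is_sensitive_param(key) and value != REDACTED:
            cleaned.append((key, REDACTED))
            count += 1
        else:
            cleaned.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned, safe="[]"))), count


def sanitize_har(har: dict) -> tuple:
    """Return (deep-copied sanitized HAR, number of values redacted)."""
    har = copy.deepcopy(har)
    total = 0
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for msg in (req, resp):
            total += _redact(msg.get("headers", []), is_sensitive_header)
            # Every cookie in the structured cookies array is treated as a secret.
            total += _redact(msg.get("cookies", []), lambda _name: True)
        total += _redact(req.get("queryString", []), is_sensitive_param)
        if "url" in req:
            req["url"], n = _redact_url(req["url"])
            total += n
        total += _redact(req.get("postData", {}).get("params", []), is_sensitive_param)
    return har, total


def scan_har(har: dict) -> list:
    """List (entry index, location, name) for sensitive values still unredacted."""
    findings = []
    for i, entry in enumerate(har.get("log", {}).get("entries", [])):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for side, msg in (("request", req), ("response", resp)):
            for h in msg.get("headers", []):
                if is_sensitive_header(h.get("name", "")) and h.get("value") != REDACTED:
                    findings.append((i, f"{side}.headers", h["name"]))
            for c in msg.get("cookies", []):
                if c.get("value") != REDACTED:
                    findings.append((i, f"{side}.cookies", c.get("name", "")))
        for key, value in parse_qsl(urlsplit(req.get("url", "")).query, keep_blank_values=True):
            if is_sensitive_param(key) and value != REDACTED:
                findings.append((i, "request.url", key))
        for p in req.get("queryString", []) + req.get("postData", {}).get("params", []):
            if is_sensitive_param(p.get("name", "")) and p.get("value") != REDACTED:
                findings.append((i, "request.params", p["name"]))
    return findings


# Constructed sample HAR (not a real capture) with a bearer token, cookies and a
# session token in the query string, the kinds of values a support upload leaks.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET",
        "url": "https://example.test/api/me?sessionToken=abc123&lang=en",
        "headers": [{"name": "Host", "value": "example.test"},
                    {"name": "Cookie", "value": "sid=deadbeef"},
                    {"name": "Authorization", "value": "Bearer eyJ.fake.jwt"}],
        "cookies": [{"name": "sid", "value": "deadbeef"}],
        "queryString": [{"name": "sessionToken", "value": "abc123"},
                        {"name": "lang", "value": "en"}],
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=cafebabe; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "cafebabe"}],
    },
}]}}

if __name__ == "__main__":
    # Usage: python sanitize_har.py capture.har > capture.sanitized.har
    source = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    clean, n = sanitize_har(source)
    print(json.dumps(clean, indent=2))
    print(f"redacted {n} values; leftovers: {scan_har(clean)}", file=sys.stderr)
```

Redacting the URL string separately from the `queryString` array matters: HAR stores the same parameters in both places, so cleaning only the structured array leaves the token readable in the raw URL. The scan function is deliberately independent of the sanitizer's bookkeeping, which is what makes it a useful check rather than an echo of the redaction count.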


Attacks and threats

Coveware publishes its ransomware report for Q3 2023

(10/30) Scattered Ransomware Attribution Blurs Focus on IR Fundamentals

The proportion of ransomware victims that opted to pay in Q3 2023 jumped up slightly, from 34% in Q2 to 41% in Q3. We do not believe this is the start of a new upward trend, rather normal swings that will occur in the current range of outcomes we observe.


Mandiant reports on attack activity exploiting the Citrix NetScaler vulnerability (CVE-2023-4966)

(10/31) Investigation of Session Hijacking via Citrix NetScaler ADC and Gateway Vulnerability (CVE-2023-4966) | Mandiant

On Oct. 10, 2023, Citrix released a security bulletin for a sensitive information disclosure vulnerability (CVE-2023-4966) impacting NetScaler ADC and NetScaler Gateway appliances.

Mandiant has identified zero-day exploitation of this vulnerability in the wild beginning in late August 2023 as well as n-day exploitation after Citrix’s publication. Mandiant is investigating multiple instances of successful exploitation of CVE-2023-4966 that resulted in the takeover of legitimate user sessions on NetScaler ADC and Gateway appliances. The session takeovers bypassed password and multi-factor authentication.

In this blog post, we will discuss artifacts that can be used to identify exploitation activity and highlight some of the post exploitation techniques we observed during the incident response investigations.


ESET reports on the state of the Mozi botnet

(11/1) Who killed Mozi? Finally putting the IoT zombie botnet in its grave

In August 2023, the notorious Mozi botnet, infamous for exploiting vulnerabilities in hundreds of thousands of IoT devices each year, experienced a sudden and unanticipated nosedive in activity. First observed in India on August 8th, 2023 and a week later in China on August 16th, this mysterious disappearance stripped Mozi bots of most of their functionality.


50 countries and organizations, including Japan, take part in the Counter Ransomware Initiative meeting and issue a joint statement

(11/1) International Counter Ransomware Initiative 2023 Joint Statement | The White House

(11/2) Participation in the Counter Ransomware Initiative meeting


Vulnerabilities

Remote code execution vulnerability in Apache ActiveMQ (CVE-2023-46604); exploitation also confirmed

(10/25) activemq.apache.org/security-advisories.data/CVE-2023-46604

(11/1) Suspected Exploitation of Apache ActiveMQ CVE-2023-46604 | Rapid7 Blog

Beginning Friday, October 27, Rapid7 Managed Detection and Response (MDR) identified suspected exploitation of Apache ActiveMQ CVE-2023-46604 in two different customer environments. In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations. Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October. Rapid7 observed similar indicators of compromise across the affected customer environments, both of which were running outdated versions of Apache ActiveMQ.

(11/2) Critical Vulnerability: Exploitation of Apache ActiveMQ CVE-2023-46604

A partner recently deployed Huntress agents on October 30, 2023, after experiencing a “HelloKitty” ransomware attack on October 27. This ransomware attack followed closely with what was described by Rapid7 in their blog post on November 1, titled Suspected Exploitation of Apache ActiveMQ CVE-2023-46604.


PoC published for the Cisco IOS XE vulnerability (CVE-2023-20198)

(10/30) Cisco IOS XE CVE-2023-20198: Deep Dive and POC – Horizon3.ai


Vulnerability in Atlassian Confluence (CVE-2023-22518)

(10/31) CVE-2023-22518 - Improper Authorization Vulnerability In Confluence Data Center and Server | Atlassian Support | Atlassian Documentation

As part of Atlassian's ongoing monitoring of this CVE, we observed publicly posted critical information about the vulnerability which increases risk of exploitation. There are still no reports of an active exploit, though customers must take immediate action to protect their instances. If you already applied the patch, no further action is required.

(11/2) Atlassian Confluence Server (CVE-2023-22518) - Improper Authorization

(11/2) Atlassian warns of exploit for Confluence data wiping bug, get patching

(11/3) CVE-2023-22518: Critical Atlassian Confluence Data Center and Server Improper Authorization Vulnerability - Blog | Tenable®


CISA adds 2+1 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog

(10/31) CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA

(11/2) CISA Adds One Known Exploited Vulnerability to Catalog | CISA


CVSS v4.0 officially released

(11/1) FIRST has officially published the latest version of the Common Vulnerability Scoring System (CVSS v4.0)

(11/2) CVSS v4 Is Now Live and What You Need To Know About It | Qualys Security Blog


Other

Chrome 118, released 10/16, enables automatic upgrading to HTTPS by default

(10/30) Google Chrome now auto-upgrades to secure connections for all users

(11/1) Chrome now issues the 307 redirect that prefers HTTPS regardless of HSTS - Code Day's Night


MITRE ATT&CK v14 released

(10/31) ATT&CK v14 Unleashes Detection Enhancements, ICS Assets, and Mobile Structured Detections | by Amy L. Robertson | MITRE ATT&CK® | Nov, 2023 | Medium


NICT publishes NICTER observation statistics for Q3 2023

(10/31) NICTER observation statistics: July to September 2023 - NICTER Blog