Notes for the podcast recording.
podcast - #セキュリティのアレ - a laid-back security podcast.
Incidents and accidents
Through international cooperation among multiple law enforcement agencies in Europe and the US, a ransomware group in Ukraine was taken down
In an unprecedented effort, law enforcement and judicial authorities from seven countries have joined forces with Europol and Eurojust to dismantle and apprehend in Ukraine key figures behind significant ransomware operations wreaking havoc across the world. The operation comes at a critical time, as the country grapples with the challenges of Russia’s military aggression against its territory.
The US Treasury sanctions the cryptocurrency mixing service Sinbad for being used to launder funds for North Korea's Lazarus Group
Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Sinbad.io (Sinbad), a virtual currency mixer that serves as a key money-laundering tool of the OFAC-designated Lazarus Group, a state-sponsored cyber hacking group of the Democratic People’s Republic of Korea (DPRK). Sinbad has processed millions of dollars’ worth of virtual currency from Lazarus Group heists, including the Horizon Bridge and Axie Infinity heists. Sinbad is also used by cybercriminals to obfuscate transactions linked to malign activities such as sanctions evasion, drug trafficking, the purchase of child sexual abuse materials, and additional illicit sales on darknet marketplaces.
(11/29) Sinbad crypto mixer flagged by Elliptic sanctioned and seized
Follow-up on the unauthorized access to Okta's customer support system
(11/29) October Customer Support Security Incident - Update and Recommended Actions | Okta Security
We have determined that the threat actor ran and downloaded a report that contained the names and email addresses of all Okta customer support system users. All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRamp High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor). The Auth0/CIC support case management system was also not impacted by this incident.
Japan, the US and other countries jointly impose sanctions on North Korean entities and individuals
Today, in coordination with foreign partners, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned eight foreign-based Democratic People’s Republic of Korea’s (DPRK) agents that facilitate sanctions evasion, including revenue generation and missile-related technology procurement that support the DPRK’s weapons of mass destruction (WMD) programs. Additionally, OFAC sanctioned cyber espionage group Kimsuky for gathering intelligence to support the DPRK’s strategic objectives.
(12/1) Addition of persons subject to asset freeze and other measures against those involved in North Korea's nuclear and other weapons of mass destruction and ballistic missile-related programs and other activities prohibited by United Nations Security Council resolutions relating to North Korea | Ministry of Foreign Affairs of Japan
In light of North Korea's launch on November 21, 2023 (Reiwa 5), which used ballistic missile technology for the purpose of launching a "satellite" and passed over Japanese territory, and in order for Japan to contribute to the international efforts for peace aimed at resolving the issues surrounding North Korea, Japan, in line with the measures taken by major countries, adopted the Cabinet understanding "Asset freeze and other measures under the Foreign Exchange and Foreign Trade Act against persons involved in North Korea's nuclear and other weapons of mass destruction and ballistic missile-related programs and other activities prohibited by United Nations Security Council resolutions relating to North Korea" (dated December 1, 2023), and on that basis decided to implement the following measures under the Foreign Exchange and Foreign Trade Act.
A Sendai City employee is disciplined for misusing the resident information system
(12/1) Publication of disciplinary action | Sendai City
On August 6, 2022 (Reiwa 4), while in charge of Basic Resident Register duties in the Ward Administration Department of the Citizens' Affairs Bureau, the employee used the resident information system to improperly collect the address of a female acquaintance for private reasons unrelated to work.
In addition, despite having received guidance from the Personnel Division of the General Affairs Bureau on June 30, 2021 (Reiwa 3) regarding stalking-type behavior toward the woman, the employee used the improperly collected address information to visit the vicinity of the woman's home on multiple occasions and, on March 12, 2023 (Reiwa 5), lay in wait in front of her home.
Attacks and threats
Elliptic and Corvus Insurance jointly analyzed ransom payments to the Black Basta ransomware group: since 2022, at least $107M worth of Bitcoin has been paid.
(11/29) Black Basta ransomware victims have paid over $100 million
- Joint research by Elliptic and Corvus Insurance has identified at least $107 million in Bitcoin ransom payments to the Black Basta ransomware group since early 2022.
- Black Basta has infected over 329 victims, including Capita, ABB and Dish Network.
- Analysis of blockchain transactions shows a clear link between Black Basta and the Conti Group - a Russian ransomware gang that ceased operations in 2022, around the time that Black Basta emerged.
- Much of the laundered ransom payments can be traced onwards to Garantex, the sanctioned Russian crypto exchange.
CISA and partner agencies jointly issue an alert on attack activity by an Iranian threat group
The IRGC is an Iranian military organization that the United States designated as a foreign terrorist organization in 2019. IRGC-affiliated cyber actors using the persona “CyberAv3ngers” are actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs). These PLCs are commonly used in the Water and Wastewater Systems (WWS) Sector and are additionally used in other industries including, but not limited to, energy, food and beverage manufacturing, and healthcare. The PLCs may be rebranded and appear as different manufacturers and companies. In addition to the recent CISA Alert, the authoring agencies are releasing this joint CSA to share indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with IRGC cyber operations.
(11/28) Exploitation of Unitronics PLCs used in Water and Wastewater Systems | CISA
CISA is responding to active exploitation of Unitronics programmable logic controllers (PLCs) used in the Water and Wastewater Systems (WWS) Sector. Cyber threat actors are targeting PLCs associated with WWS facilities, including an identified Unitronics PLC, at a U.S. water facility. In response, the affected municipality’s water authority immediately took the system offline and switched to manual operations—there is no known risk to the municipality’s drinking water or water supply.
Vulnerabilities
Remote code execution vulnerability CVE-2023-41998 in Arcserve UDP
(11/27) Arcserve Unified Data Protection Multiple Vulnerabilities - Research Advisory | Tenable®
An unauthenticated, remote attacker can execute code remotely via the downloadAndInstallPatch() routine within “com.ca.arcflash.rps.webservice.RPSService4CPMImpl.” This routine allows users to upload and execute arbitrary files.
Google fixes a Chrome zero-day vulnerability
(11/28) Chrome Releases: Stable Channel Update for Desktop
Google is aware that an exploit for CVE-2023-6345 exists in the wild.
In-the-wild exploitation confirmed for ownCloud vulnerability CVE-2023-49103
(11/28) Hackers start exploiting critical ownCloud flaw, patch now
(11/29) CVE-2023-49103: ownCloud Critical Vulnerability Quickly Exploited in the Wild | GreyNoise Blog
(11/29) ownCloud vulnerability with maximum 10 severity score comes under “mass” exploitation | Ars Technica
(12/1) CVE-2023-49103: Critical Information Disclosure in ownCloud Graph API | Rapid7 Blog
We are sharing ownCloud instances we see in our scans (no vuln assessment, only accessibility) in our Device Identification report https://t.co/1uPaaDBQcc
— Shadowserver (@Shadowserver) November 27, 2023
Currently over 11K IPs being reported out (we are also working on adding additional fingerprints) https://t.co/kwKF6LY3i0 https://t.co/Qb2ytyJmKv pic.twitter.com/yY7g15bwSa
CVE-2023-49103 has been published for the OSS file-sharing tool ownCloud: credentials and other information leak via phpinfo. Around 20K exposed instances of the product confirmed globally, 419 in Japan
— nekono_nanomotoni (@nekono_naha) November 28, 2023
GreyNoise has already observed a rapid increase in exploitation since 11/25. This looks exactly like something data-theft ransomware would use, but the product is widely used by small and medium businesses, so the information may be slow to reach them. pic.twitter.com/ZUnE0VgU0I
Apple releases macOS Sonoma 14.1.2, iOS 17.1.2 / iPadOS 17.1.2, and Safari 17.1.2, including fixes for vulnerabilities already confirmed to be exploited in the wild.
(11/30) Apple security releases - Apple Support
Multiple vulnerabilities in Zyxel NAS products
Zyxel has released patches addressing an authentication bypass vulnerability and command injection vulnerabilities in NAS products. Users are advised to install them for optimal protection.
CISA adds 2 vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog
(11/30) CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA
- CVE-2023-6345 Google Skia Integer Overflow Vulnerability
- CVE-2023-49103 ownCloud graphapi Information Disclosure Vulnerability