This Week's Notable Security News - Issue #147


podcast - #セキュリティのアレ - A laid-back security podcast.



(11/28) International collaboration leads to dismantlement of ransomware group in Ukraine amidst ongoing war | Europol

In an unprecedented effort, law enforcement and judicial authorities from seven countries have joined forces with Europol and Eurojust to dismantle and apprehend in Ukraine key figures behind significant ransomware operations wreaking havoc across the world. The operation comes at a critical time, as the country grapples with the challenges of Russia’s military aggression against its territory.

The U.S. Treasury has sanctioned the cryptocurrency mixing service Sinbad for being used by North Korea's Lazarus Group to launder funds.

(11/29) Treasury Sanctions Mixer Used by the DPRK to Launder Stolen Virtual Currency | U.S. Department of the Treasury

Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Sinbad.io (Sinbad), a virtual currency mixer that serves as a key money-laundering tool of the OFAC-designated Lazarus Group, a state-sponsored cyber hacking group of the Democratic People’s Republic of Korea (DPRK). Sinbad has processed millions of dollars’ worth of virtual currency from Lazarus Group heists, including the Horizon Bridge and Axie Infinity heists. Sinbad is also used by cybercriminals to obfuscate transactions linked to malign activities such as sanctions evasion, drug trafficking, the purchase of child sexual abuse materials, and additional illicit sales on darknet marketplaces.

(11/29) Sinbad crypto mixer flagged by Elliptic sanctioned and seized

Follow-up on the unauthorized access to Okta's customer support system

(11/29) October Customer Support Security Incident - Update and Recommended Actions | Okta Security

We have determined that the threat actor ran and downloaded a report that contained the names and email addresses of all Okta customer support system users. All Okta Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) customers are impacted except customers in our FedRamp High and DoD IL4 environments (these environments use a separate support system NOT accessed by the threat actor). The Auth0/CIC support case management system was also not impacted by this incident.


(11/30) Treasury Targets DPRK’s International Agents and Illicit Cyber Intrusion Group | U.S. Department of the Treasury

Today, in coordination with foreign partners, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned eight foreign-based Democratic People’s Republic of Korea’s (DPRK) agents that facilitate sanctions evasion, including revenue generation and missile-related technology procurement that support the DPRK’s weapons of mass destruction (WMD) programs. Additionally, OFAC sanctioned cyber espionage group Kimsuky for gathering intelligence to support the DPRK’s strategic objectives.

(12/1) Addition of persons subject to asset-freeze and related measures for involvement in North Korea's nuclear and other weapons-of-mass-destruction and ballistic-missile programs, and in other activities prohibited by UN Security Council resolutions concerning North Korea | Ministry of Foreign Affairs of Japan



(12/1) Announcement of disciplinary action | Sendai City




Elliptic and Corvus Insurance jointly analyzed ransom payments made to the Black Basta ransomware group. Since 2022, at least $107M worth of Bitcoin has been paid.

(11/29) Black Basta ransomware victims have paid over $100 million

  • Joint research by Elliptic and Corvus Insurance has identified at least $107 million in Bitcoin ransom payments to the Black Basta ransomware group since early 2022.
  • Black Basta has infected over 329 victims, including Capita, ABB and Dish Network.
  • Analysis of blockchain transactions shows a clear link between Black Basta and the Conti Group - a Russian ransomware gang that ceased operations in 2022, around the time that Black Basta emerged.
  • Much of the laundered ransom payments can be traced onwards to Garantex, the sanctioned Russian crypto exchange.

CISA and partner agencies issued a joint alert on attack activity by an Iranian threat group.

(12/1) IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities | CISA

The IRGC is an Iranian military organization that the United States designated as a foreign terrorist organization in 2019. IRGC-affiliated cyber actors using the persona “CyberAv3ngers” are actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs). These PLCs are commonly used in the Water and Wastewater Systems (WWS) Sector and are additionally used in other industries including, but not limited to, energy, food and beverage manufacturing, and healthcare. The PLCs may be rebranded and appear as different manufacturers and companies. In addition to the recent CISA Alert, the authoring agencies are releasing this joint CSA to share indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with IRGC cyber operations.

(11/28) Exploitation of Unitronics PLCs used in Water and Wastewater Systems | CISA

CISA is responding to active exploitation of Unitronics programmable logic controllers (PLCs) used in the Water and Wastewater Systems (WWS) Sector. Cyber threat actors are targeting PLCs associated with WWS facilities, including an identified Unitronics PLC, at a U.S. water facility. In response, the affected municipality’s water authority immediately took the system offline and switched to manual operations—there is no known risk to the municipality’s drinking water or water supply.


Remote code execution vulnerability CVE-2023-41998 in Arcserve UDP

(11/27) Arcserve Unified Data Protection Multiple Vulnerabilities - Research Advisory | Tenable®

An unauthenticated, remote attacker can execute code remotely via the downloadAndInstallPatch() routine within “com.ca.arcflash.rps.webservice.RPSService4CPMImpl.” This routine allows users to upload and execute arbitrary files.

Google Chrome zero-day vulnerability fixed

(11/28) Chrome Releases: Stable Channel Update for Desktop

Google is aware that an exploit for CVE-2023-6345 exists in the wild.

Exploitation confirmed for ownCloud vulnerability CVE-2023-49103

(11/28) Hackers start exploiting critical ownCloud flaw, patch now

(11/29) CVE-2023-49103: ownCloud Critical Vulnerability Quickly Exploited in the Wild | GreyNoise Blog

(11/29) ownCloud vulnerability with maximum 10 severity score comes under “mass” exploitation | Ars Technica

(12/1) CVE-2023-49103: Critical Information Disclosure in ownCloud Graph API | Rapid7 Blog

Apple released macOS Sonoma 14.1.2, iOS 17.1.2 / iPadOS 17.1.2, and Safari 17.1.2, including fixes for vulnerabilities already confirmed to be exploited.

(11/30) Apple security releases - Apple Support

Multiple vulnerabilities in Zyxel NAS products

(11/30) Zyxel security advisory for authentication bypass and command injection vulnerabilities in NAS products | Zyxel Networks

Zyxel has released patches addressing an authentication bypass vulnerability and command injection vulnerabilities in NAS products. Users are advised to install them for optimal protection.

CISA adds two vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog

(11/30) CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA


B-Root's IP address changed on 11/27

(11/28) Configuration changes required due to the IP address change of b.root-servers.net (B-Root)