This Week's Notable Security News - Issue #148

These are my notes for recording the podcast.

podcast - #セキュリティのアレ - a laid-back security podcast.



Incidents and Accidents

Former Alps Alpine employee arrested on suspicion of violating the Unfair Competition Prevention Act for improperly taking trade secret information out of the company

(12/5) Regarding the arrest of a former employee who had left the company

(Reference) A summary of the case in which trade secrets were improperly taken out using a personal HDD - piyolog


Docomo Shop employee arrested on suspicion of computer fraud and other offenses

(12/5) Former Docomo Shop employee arrested for allegedly obtaining 400,000 yen worth of "d POINT" fraudulently... operated customers' smartphones left in her care : Yomiuri Shimbun

A former Docomo Shop employee was arrested by Hokkaido Police in November for fraudulently obtaining NTT Docomo "d POINT". She took custody of smartphones from customers who came to the store for a handset upgrade, then entered the passwords she had asked them for and operated the devices. Since July, she is believed to have transferred a total of 400,000 yen worth of points to her own account on 40 occasions.


Attacks and Threats

CISA warns of attack activity exploiting Adobe ColdFusion vulnerability CVE-2023-26360

(12/5) CISA Releases Advisory on Threat Actors Exploiting CVE-2023-26360 Vulnerability in Adobe ColdFusion | CISA

(12/5) Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial Access to Government Servers | CISA

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing a Cybersecurity Advisory (CSA) in response to confirmed exploitation of CVE-2023-26360 by unidentified threat actors at a Federal Civilian Executive Branch (FCEB) agency. This vulnerability presents as an improper access control issue impacting Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier). CVE-2023-26360 also affects ColdFusion 2016 and ColdFusion 11 installations; however, they are no longer supported since they reached end of life. Exploitation of this CVE can result in arbitrary code execution. Following the FCEB agency’s investigation, analysis of network logs confirmed the compromise of at least two public-facing servers within the environment between June and July 2023.


CISA and partner agencies jointly warn of attack activity by a Russian threat actor group. The US and UK governments also added two Russian members of the group to their sanctions lists, and the US Department of Justice indicted the two

(12/7) CISA and International Partners Release Advisory on Russia-based Threat Actor Group, Star Blizzard | CISA

(12/7) Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns | CISA

The Russia-based actor Star Blizzard (formerly known as SEABORGIUM, also known as Callisto Group/TA446/COLDRIVER/TAG-53/BlueCharlie) continues to successfully use spear-phishing attacks against targeted organizations and individuals in the UK, and other geographical areas of interest, for information-gathering activity.

(12/7) Office of Public Affairs | Two Russian Nationals Working with Russia’s Federal Security Service Charged with Global Computer Intrusion Campaign | United States Department of Justice

Indictment Alleges the So-Called “Callisto Group” Hacked Computers in the United States and Allied Countries, and Stole Information Used in Foreign Malign Influence Operations Designed to Influence the U.K.’s 2019 Elections

(12/7) United States and the United Kingdom Sanction Members of Russian State Intelligence-Sponsored Advanced Persistent Threat Group | U.S. Department of the Treasury

Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC), in coordination with the United Kingdom, designated two individuals associated with an advanced persistent threat (APT) group that is sponsored by the Russian Federal Security Service (FSB) and has targeted individuals and entities in the United States, United Kingdom, and other allied and partner countries.

(12/7) UK exposes attempted Russian cyber interference in politics and democratic processes - GOV.UK

(12/7) Russian FSB cyber actor Star Blizzard continues worldwide... - NCSC.GOV.UK

(12/7) Star Blizzard increases sophistication and evasion in ongoing attacks | Microsoft Security Blog


Vulnerabilities

CISA adds 2+4+2 vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog

(12/4) CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA

(12/5) CISA Adds Four Known Exploited Vulnerabilities to Catalog | CISA

(12/7) CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA


Vulnerability in FXC wireless LAN routers "AE1021PE" and "AE1021". Exploitation has already been confirmed

(12/6) JVNVU#92152057: OS command injection vulnerability in FXC wireless LAN routers "AE1021PE" and "AE1021"

(12/6) Notice of release of firmware 2.0.10 for AE1021/AE1021PE

After updating the firmware to 2.0.10, perform a factory reset and then change the default password.

(12/6) Actively Exploited Vulnerability in FXC Routers: Fixed, Patches Available | Akamai

As part of the InfectedSlurs discovery, the SIRT uncovered a vulnerability in FXC AE1021 and AE1021PE outlet wall routers that are being actively exploited in the wild. This device is described as an outlet-based wireless LAN router for hotels and residential units. It is manufactured in Japan by FXC. This vulnerability has been assigned the CVE ID of CVE-2023-49897 with a CVSS v3 score of 8.0.


WordPress fixes a vulnerability that allows remote code execution when combined with other vulnerabilities, such as those in plugins

(12/6) WordPress 6.4.2 Maintenance & Security Release – WordPress News

A Remote Code Execution vulnerability that is not directly exploitable in core, however the security team feels that there is a potential for high severity when combined with some plugins, especially in multisite installs.

(12/6) PSA: Critical POP Chain Allowing Remote Code Execution Patched in WordPress 6.4.2

WordPress 6.4.2 was released today, on December 6, 2023. It includes a patch for a POP chain introduced in version 6.4 that, combined with a separate Object Injection vulnerability, could result in a Critical-Severity vulnerability allowing attackers to execute arbitrary PHP code on the site.

We urge all WordPress users to update to 6.4.2 immediately, as this issue could allow full site takeover if another vulnerability is present.


Other

Microsoft announces plans to offer paid Extended Security Updates (ESU) for up to three years for Windows 10, whose support ends on October 14, 2025

(12/5) Plan for Windows 10 EOS with Windows 11, Windows 365, and ESU | Windows IT Pro Blog

While we strongly recommend moving to Windows 11, we understand there are circumstances that could prevent you from replacing Windows 10 devices before the EOS date. Therefore, Microsoft will offer Extended Security Updates.

Like the Windows 7 ESU program, your organization will be able to purchase a yearly subscription to security updates. The yearly commitment is renewable for three years. Devices enrolled in ESUs will receive monthly security updates to keep these Windows 10 PCs secure.


Meta announces it has begun enabling E2EE by default in Messenger

(12/6) Launching Default End-to-End Encryption on Messenger | Meta

We want to be open about the security technology we use and welcome the chance to engage with external cryptographers and security experts. That’s why we are also publishing two papers which outline our approach to cryptography, as well as how we encrypt your message history with Secure Storage. Because there are over a billion Messenger users, not everyone will get default end-to-end encryption right away. It will take a number of months to complete the global roll-out. When your chats are upgraded, you will be prompted to set up a recovery method, such as a PIN, so you can restore your messages if you lose, change or add a device.

(12/6) Building end-to-end security for Messenger - Engineering at Meta

Today, we’re announcing that we’ve begun to upgrade people’s personal conversations on Messenger to use E2EE by default. Our aim is to ensure that everyone’s personal messages on Messenger can only be accessed by the sender and the intended recipients, and that everyone can be sure the messages they receive are from an authentic sender.

(12/7) NCA response to Meta's rollout of end-to-end-encryption - National Crime Agency

(12/8) As Meta rolls out end-to-end encryption, police warn keeping children safe ‘no longer possible’