Security News of Interest This Week - Issue #150


podcast - #セキュリティのアレ - a laid-back security podcast.



(12/18) Hacktivists say they shut down Iran's gasoline pumps • The Register

Hacktivists reportedly disrupted services at about 70 percent of Iran's gas stations in a politically motivated cyberattack.

Iran's oil minister Javad Owji confirmed on Monday the IT systems of the nation's petrol stations had been attacked as Iranian media told of long queues at the pumps and traffic jams – particularly in Tehran - as folks tried and failed to fill up.

(12/18) Iran confirms nationwide cyberattack on gas stations

(12/19) Possible large-scale cyberattack on gas stations in Iran | NHK | Iran

Operation HAECHI IV, a six-month operation carried out with the cooperation of many law enforcement agencies, resulted in roughly 3,500 arrests across 34 countries and the seizure of $300M in assets

(12/19) USD 300 million seized and 3,500 suspects arrested in international financial crime operation

A transcontinental police operation against online financial crime has concluded with almost 3,500 arrests and seizures of USD 300 million (approx. EUR 273 million) worth of assets across 34 countries.

The six-month Operation HAECHI IV (July-December 2023) targeted seven types of cyber-enabled scams: voice phishing, romance scams, online sextortion, investment fraud, money laundering associated with illegal online gambling, business email compromise fraud, and e-commerce fraud.


(12/22) Apology (special edition due to a server virus infection) – Nagano Nippo Web




CISA and partner agencies jointly issue an advisory on Play ransomware

(12/18) #StopRansomware: Play Ransomware | CISA

CISA and the FBI jointly issue an advisory on ALPHV Blackcat ransomware. The US Department of Justice has also seized the Blackcat ransomware leak site and is providing a decryption tool to victim organizations

(12/19) #StopRansomware: ALPHV Blackcat | CISA

(12/19) Office of Public Affairs | Justice Department Disrupts Prolific ALPHV/Blackcat Ransomware Variant | United States Department of Justice

The Justice Department announced today a disruption campaign against the Blackcat ransomware group — also known as ALPHV or Noberus — that has targeted the computer networks of more than 1,000 victims and caused harm around the world since its inception, including networks that support U.S. critical infrastructure.

Over the past 18 months, ALPHV/Blackcat has emerged as the second most prolific ransomware-as-a-service variant in the world based on the hundreds of millions of dollars in ransoms paid by victims around the world. Due to the global scale of these crimes, multiple foreign law enforcement agencies are conducting parallel investigations.

The FBI developed a decryption tool that allowed FBI field offices across the country and law enforcement partners around the world to offer over 500 affected victims the capability to restore their systems. To date, the FBI has worked with dozens of victims in the United States and internationally to implement this solution, saving multiple victims from ransom demands totaling approximately $68 million. As detailed in a search warrant unsealed today in the Southern District of Florida, the FBI has also gained visibility into the Blackcat ransomware group’s computer network as part of the investigation and has seized several websites that the group operated.

(12/19) FBI disrupts Blackcat ransomware operation, creates decryption tool

(12/19) How the FBI seized BlackCat (ALPHV) ransomware’s servers

ESET publishes its threat report for the second half of 2023, "ESET Threat Report H2 2023"

(12/19) ESET Threat Report H2 2023

IIJ reports on the activity of the Mirai variant InfectedSlurs

(12/20) Activity of the Mirai variant InfectedSlurs – IIJ Security Diary

(Comment) It has been a while since I last wrote an article on the company blog


(12/21) Warning about fake sites claiming to sell popular-brand women's clothing and similar goods | Consumer Affairs Agency (消費者庁)




A vulnerability in QNAP VioStor NVR. Exploitation in the wild has already been confirmed.

(12/9) Vulnerability Affecting Legacy VioStor NVR - Security Advisory | QNAP

(12/14) Actively Exploited Vulnerability in QNAP VioStor NVR: Fixed, Patches Available | Akamai

(12/22) JVNVU#96089700: OS command injection vulnerability in QNAP VioStor NVR


SMTP Smuggling, a vulnerability that allows e-mail sender spoofing. Multiple SMTP server implementations are affected

(12/18) SMTP Smuggling - Spoofing E-Mails Worldwide - SEC Consult

By exploiting interpretation differences of the SMTP protocol, it is possible to smuggle/send spoofed e-mails - hence SMTP smuggling - while still passing SPF alignment checks. During this research, two types of SMTP smuggling, outbound and inbound, were discovered. These allowed sending spoofed e-mails from millions of domains (e.g., admin@outlook.com) to millions of receiving SMTP servers (e.g., Amazon, PayPal, eBay). Identified vulnerabilities in Microsoft and GMX were quickly fixed, however, SEC Consult urges companies using the also affected Cisco Secure Email product to manually update their vulnerable default configuration (see Responsible Disclosure section below)!

(12/22) SMTP Smuggling

Days before a 10+ day holiday break and associated production change freeze, SEC Consult has published an email spoofing attack that involves a composition of email services with specific differences in the way they handle line endings other than <CR><LF>.

Unfortunately, critical information provided by the researcher was not passed on to Postfix maintainers before publication of the attack, otherwise we would certainly have convinced SEC Consult to change their time schedule until after people had a chance to update their Postfix systems.
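An added example (not code from SEC Consult, Postfix, or this blog): a receiver-side check that flags an SMTP DATA payload containing an end-of-data-like sequence whose line endings are not <CR><LF>, which is the interpretation difference the two write-ups above describe. The set of lenient terminators, the verdict labels and the sample messages are constructed assumptions for this example.

```python
import re

# RFC 5321 end-of-data indicator: a line holding only "." terminated by CRLF
STRICT_EOD = b"\r\n.\r\n"

# A lone "." surrounded by any line ending (CRLF, bare LF, bare CR). Which of these
# a server accepts as end-of-data is exactly where implementations disagree.
# (Assumed set for this check, not an exhaustive list.)
_ANY_EOD = re.compile(rb"(?:\r\n|\n|\r)\.(?:\r\n|\n|\r)")


def find_nonstandard_eod(payload: bytes) -> list[int]:
    """Return byte offsets of end-of-data-like sequences that are not <CR><LF>.<CR><LF>.

    A strict server reads past them as body text while a lenient one stops there,
    so their presence inside a message is what a defender wants to log or reject.
    """
    return [m.start() for m in _ANY_EOD.finditer(payload) if m.group(0) != STRICT_EOD]


def check_data_section(payload: bytes) -> dict:
    """Classify everything a client sent after the DATA command."""
    ends_strictly = payload.endswith(STRICT_EOD)
    suspicious = find_nonstandard_eod(payload)
    if suspicious:
        verdict = "reject"
    elif ends_strictly:
        verdict = "ok"
    else:
        verdict = "incomplete"  # still waiting for the real terminator
    return {
        "ends_with_strict_eod": ends_strictly,
        "nonstandard_eod_offsets": suspicious,
        "verdict": verdict,
    }


# Constructed sample payloads (not real traffic). Dot-stuffing ("..") is normal and
# must not be flagged; a bare-LF "." line in the middle of the body must be.
_HEADERS = b"From: alice@example.test\r\nTo: bob@example.test\r\nSubject: hi\r\n\r\n"
CLEAN_MESSAGE = _HEADERS + b"Line one.\r\n..dot-stuffed line" + STRICT_EOD
SMUGGLING_STYLE_MESSAGE = (
    _HEADERS + b"Line one.\n.\nLine two after a bare-LF terminator" + STRICT_EOD
)

if __name__ == "__main__":
    for name, msg in (("clean", CLEAN_MESSAGE), ("smuggling-style", SMUGGLING_STYLE_MESSAGE)):
        print(name, check_data_section(msg))
```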


(12/19) Terrapin Attack

Terrapin is a prefix truncation attack targeting the SSH protocol. More precisely, Terrapin breaks the integrity of SSH's secure channel. By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it.

(12/19) SSH protects the world’s most sensitive networks. It just got a lot weaker | Ars Technica

(12/19) Attack on the integrity of SSH communication through sequence number manipulation

Google fixes a zero-day vulnerability in Google Chrome

(12/20) Chrome Releases: Stable Channel Update for Desktop

Google is aware that an exploit for CVE-2023-7024 exists in the wild.

CISA adds two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog

(12/21) CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA

  • CVE-2023-49897 FXC AE1021, AE1021PE OS Command Injection Vulnerability
  • CVE-2023-47565 QNAP VioStor NVR OS Command Injection Vulnerability


IPA publishes a hands-on site for practicing how to close the fake security warning screens used in support scams

(12/19) Hands-on site for closing fake security warning screens used in support scams published | Information Security | IPA (Information-technology Promotion Agency, Japan)

(12/19) Special page on countermeasures against fake security warnings (support scams) | Information Security | IPA (Information-technology Promotion Agency, Japan)


(12/20) Tallinn Mechanism | Välisministeerium

Estonia and Canada, Denmark, France, Germany, Netherlands, Poland, Sweden, Ukraine, the United Kingdom and the United States have decided to set up a system aimed at amplifying the cyber support of donors to Ukraine in the civilian domain. The plan composed on 30 May in Tallinn by all participating states was launched on 20 December 2023 and the system was named the Tallinn Mechanism after the location of the initial meeting.

(12/20) Formalization of the Tallinn Mechanism to Coordinate Civilian Cyber Assistance to Ukraine - United States Department of State

(12/20) UK and partners form The Tallinn Mechanism for cyber security - GOV.UK