These are notes for recording the podcast.
podcast - #セキュリティのアレ - a laid-back security podcast.
Incidents and accidents
The X account of the US Securities and Exchange Commission (SEC) was hijacked. A fake post claiming that "the SEC has approved spot Bitcoin ETFs" threw the market into confusion. The next day, the SEC formally announced the approval.
(1/9) US SEC’s X account hacked to announce fake Bitcoin ETF approval
(1/10) Bitcoin price swings wildly on false "SEC approves ETF" information - Nikkei
(1/10) US Securities and Exchange Commission's X account hacked; fake post disrupts market | NHK | United States
(1/10) SEC.gov | Statement on the Approval of Spot Bitcoin Exchange-Traded Products
The @SECGov X account was compromised, and an unauthorized post was posted. The SEC has not approved the listing and trading of spot bitcoin exchange-traded products.
— U.S. Securities and Exchange Commission (@SECGov) January 9, 2024
We can confirm that the account @SECGov was compromised and we have completed a preliminary investigation. Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number…
— Safety (@Safety) January 10, 2024
Jetstar Japan cancelled multiple domestic flights due to a system failure
(1/12) On the impact of flight cancellations caused by the system failure on January 12 | Important notices | Jetstar
(1/12) Jetstar restores system shortly after 7:30 p.m. and resumes operations; 17 flights cancelled | NHK | Aviation
(1/12) Jetstar Japan cancels 17 flights; cause was a defect in a system for pilots | Nikkei xTECH
Attacks and threats
Cisco Talos, in cooperation with Avast, released a decryptor for the Babuk Tortilla ransomware
Cisco Talos が Avast と協力して、Babuk Tortilla ランサムウェアの復号ツールを公開
(1/9) New decryptor for Babuk Tortilla ransomware variant released
- Cisco Talos obtained executable code capable of decrypting files affected by the Babuk Tortilla ransomware variant, allowing Talos to extract and share the private decryption key used by the threat actor.
- Cisco Talos shared the key with our peers at Avast for inclusion in the Avast Babuk decryptor released in 2021. The decryptor includes all known private keys, allowing many users to recover their files once encrypted by different Babuk ransomware variants.
- Dutch Police, acting on threat intelligence supplied by Talos, identified, apprehended and the Dutch Prosecution Office prosecuted the threat actor behind Babuk Tortilla operations, demonstrating the power of cooperation between law enforcement agencies and commercial security organizations such as Talos and Avast.
Babuk, an advanced ransomware strain, was publicly discovered in 2021. Since then, Avast has blocked more than 5,600 targeted attacks, mostly in Brazil, Czech Republic, India, the United States, and Germany.
Today, in cooperation with Cisco Talos and Dutch Police, Avast is releasing an updated version of the Avast Babuk decryption tool, capable of restoring files encrypted by the Babuk variant called Tortilla. To download the tool, click here.
Akamai reports on DDoS attack trends in 2023
(1/9) A Retrospective on DDoS Trends in 2023 and Actionable Strategies for 2024 | Akamai
Cloudflare publishes its DDoS attack report for Q4 2023
(1/9) DDoS threat report for 2023 Q4
Mandiant reports on an attack campaign targeting the Solana cryptocurrency, which is linked to the takeover of Mandiant's own X account.
QiAnXin's XLab reports on the activity of the Mirai variant Rimasuta
(1/10) Rimasuta New Variant Switches to ChaCha20 Encryption Algorithm
Akamai reports on the activity of the Mirai variant NoaBot
(1/10) You Had Me at Hi — Mirai-Based NoaBot Makes an Appearance | Akamai
Vulnerabilities
CISA adds 6+1+2 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog
(1/8) CISA Adds Six Known Exploited Vulnerabilities to Catalog | CISA
- CVE-2023-38203 Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
- CVE-2023-29300 Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
- CVE-2023-27524 Apache Superset Insecure Default Initialization of Resource Vulnerability
- CVE-2023-41990 Apple Multiple Products Code Execution Vulnerability
- CVE-2016-20017 D-Link DSL-2750B Devices Command Injection Vulnerability
- CVE-2023-23752 Joomla! Improper Access Control Vulnerability
(1/10) CISA Adds One Known Exploited Vulnerability to Catalog | CISA
- CVE-2023-29357 Microsoft SharePoint Server Privilege Escalation Vulnerability
(1/10) CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA
- CVE-2024-21887 Ivanti Connect Secure and Policy Secure Command Injection Vulnerability
- CVE-2023-46805 Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability
Microsoft releases its January 2024 Patch Tuesday security updates
(1/9) January 2024 Security Updates (Patch Tuesday) | MSRC Blog | Microsoft Security Response Center
(1/9) Zero Day Initiative — The January 2024 Security Update Review
Zero-day vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure. Exploitation in the wild has already been confirmed.
(1/10) Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN | Volexity
Volexity has uncovered active in-the-wild exploitation of two vulnerabilities allowing unauthenticated remote code execution in Ivanti Connect Secure VPN devices. An official security advisory and knowledge base article have been released by Ivanti that includes mitigation that should be applied immediately. However, a mitigation does not remedy a past or ongoing compromise. Systems should simultaneously be thoroughly analyzed per details in this post to look for signs of a breach.
On January 10, 2024, Ivanti disclosed two vulnerabilities, CVE-2023-46805 and CVE-2024-21887, impacting Ivanti Connect Secure VPN (“CS”, formerly Pulse Secure) and Ivanti Policy Secure (“PS”) appliances. Successful exploitation could result in authentication bypass and command injection, leading to further downstream compromise of a victim network. Mandiant has identified zero-day exploitation of these vulnerabilities in the wild beginning as early as December 2023 by a suspected espionage threat actor, currently being tracked as UNC5221.
If you are searching for exposed Ivanti Connect Secure appliances in your network/constituency, you can get a daily breakdown of these (amongst other devices) in our device identification report: https://t.co/1uPaaDBimE
— Shadowserver (@Shadowserver) January 12, 2024
(vendor is set to "Pulse Secure")
Over 17.1K exposed https://t.co/wYO3Z0SwZg pic.twitter.com/1G6PEwECXD
GitLab fixes multiple vulnerabilities
(1/11) GitLab Critical Security Release: 16.7.2, 16.6.4, 16.5.6 | GitLab
(1/12) GitLab warns of critical zero-click account hijacking vulnerability