This Week's Notable Security News - Issue #154

These are notes for a podcast recording.

podcast - #セキュリティのアレ - a laid-back security podcast.



Incidents and Accidents

Impersonation orders placed via unauthorized logins at the K's Denki online shop

(1/17) Regarding unauthorized logins and impersonation orders on our online shopping site


Outage in the Kanagawa Prefecture public high school entrance examination online application system has been resolved

(1/19) Operational status of the Kanagawa Prefecture public high school entrance examination online application system - Kanagawa Prefecture website

(1/18) "An unforeseen situation that should never have happened" in the Kanagawa Prefecture high school entrance exams: online applications fail when Gmail is used. What were the cause and the countermeasures?:東京新聞 TOKYO Web

(1/19) "Messages from the high school application system not reaching Gmail" problem resolved after 10 days, but a new problem surfaces: messages caught by carriers' spam filters - ITmedia NEWS


Microsoft reports that it was attacked by the Russian threat group Midnight Blizzard and that several employees' email accounts were compromised

(1/19) Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard | MSRC Blog | Microsoft Security Response Center

Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. We are in the process of notifying employees whose email was accessed.


Attacks and Threats

Microsoft reports on attack activity by the Iranian threat group Mint Sandstorm (PHOSPHORUS)

(1/17) New TTPs observed in Mint Sandstorm campaign targeting high-profile individuals at universities and research orgs | Microsoft Security Blog

Since November 2023, Microsoft has observed a distinct subset of Mint Sandstorm (PHOSPHORUS) targeting high-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the United Kingdom, and the United States. In this campaign, Mint Sandstorm used bespoke phishing lures in an attempt to socially engineer targets into downloading malicious files. In a handful of cases, Microsoft observed new post-intrusion tradecraft including the use of a new, custom backdoor called MediaPl.


Google TAG reports on attack activity by the Russian threat group COLDRIVER

(1/18) Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware

Over the years, TAG has analyzed a range of persistent threats including COLDRIVER (also known as UNC4057, Star Blizzard and Callisto), a Russian threat group focused on credential phishing activities against high profile individuals in NGOs, former intelligence and military officers, and NATO governments. For years, TAG has been countering and reporting on this group’s efforts to conduct espionage aligned with the interests of the Russian government. To add to the community’s understanding of COLDRIVER activity, we’re shining light on their extended capabilities which now includes the use of malware.


Vulnerabilities

Remote code execution vulnerability in Atlassian Confluence Data Center and Confluence Server (CVE-2023-22527)

(1/16) CVE-2023-22527 - RCE (Remote Code Execution) Vulnerability In Confluence Data Center and Confluence Server | Atlassian Support | Atlassian Documentation


Multiple vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway; exploitation has already been confirmed

(1/16) NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-6548 and CVE-2023-6549

Exploits of these CVEs on unmitigated appliances have been observed. Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.


Zero-day vulnerability in Google Chrome fixed

(1/16) Chrome Releases: Stable Channel Update for Desktop

Google is aware of reports that an exploit for CVE-2024-0519 exists in the wild.


CISA adds 1+3+1 vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog

(1/16) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

  • CVE-2018-15133 Laravel Deserialization of Untrusted Data Vulnerability

(1/17) CISA Adds Three Known Exploited Vulnerabilities to Catalog | CISA

(1/18) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

  • CVE-2023-35082 Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core Authentication Bypass Vulnerability


In response to expanding exploitation of the Ivanti Connect Secure and Ivanti Policy Secure vulnerabilities, CISA issues Emergency Directive ED 24-01 on vulnerability mitigation

(1/19) ED 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities | CISA

(1/15) Ivanti Connect Secure VPN Exploitation Goes Global | Volexity

(1/16) CVE-2023-46805 | AttackerKB

(1/18) Ivanti Connect Secure VPN Exploitation: New Observations | Volexity

Additionally, Volexity has continued its investigation into activity conducted by UTA0178 and made a few notable discoveries. The first relates to the GIFTEDVISITOR webshell that Volexity scanned for, which led to the initial discovery of over 1,700 compromised Ivanti Connect Secure VPN devices. On January 16, 2024, Volexity conducted a new scan for this backdoor and found an additional 368 compromised Ivanti Connect Secure VPN appliances, bringing the total count of systems infected by GIFTEDVISITOR to over 2,100.

(1/18) Ivanti Connect Secure Exploited to Install Cryptominers | GreyNoise Blog

(Reference) A summary of the Ivanti Connect Secure and Ivanti Policy Secure vulnerabilities CVE-2023-46805 and CVE-2024-21887 - piyolog


Mandiant reports on attack activity by a Chinese threat group exploiting the VMware vCenter Server vulnerability CVE-2023-34048

(1/19) Chinese Espionage Group UNC3886 Found Exploiting CVE-2023-34048 Since Late 2021 | Mandiant

While publicly reported and patched in October 2023, Mandiant and VMware Product Security have found UNC3886, a highly advanced China-nexus espionage group, has been exploiting CVE-2023-34048 as far back as late 2021.

(updated 1/17) VMSA-2023-0023.1

VMware has confirmed that exploitation of CVE-2023-34048 has occurred in the wild.


Other