This Week's Notable Security News - Issue #155

These are my notes for the podcast recording.

podcast - #セキュリティのアレ - a laid-back security podcast.



Incidents and accidents

The Personal Information Protection Commission issues administrative guidance over the unauthorized removal of information from NTT Business Solutions that came to light last year

(1/24) Administrative action under the Act on the Protection of Personal Information against NTT Marketing Act ProCX Inc. and NTT Business Solutions Corporation (January 24, 2024) | Personal Information Protection Commission

(1/24) Regarding the recommendation and guidance issued to our company by the Personal Information Protection Commission | News Release | NTT Business Solutions

(1/24) Regarding the recommendation and guidance issued to our company by the Personal Information Protection Commission - Notice | NTT Marketing Act ProCX


HPE discloses that it was attacked by the Russian threat group Midnight Blizzard and that Microsoft 365 email accounts were compromised

(1/24) hpe-20240119

On December 12, 2023, Hewlett Packard Enterprise Company (the “Company,” “HPE,” or “we”) was notified that a suspected nation-state actor, believed to be the threat actor Midnight Blizzard, the state-sponsored actor also known as Cozy Bear, had gained unauthorized access to HPE’s cloud-based email environment. The Company, with assistance from external cybersecurity experts, immediately activated our response process to investigate, contain, and remediate the incident, eradicating the activity. Based on our investigation, we now believe that the threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions.

While our investigation of this incident and its scope remains ongoing, the Company now understands this incident is likely related to earlier activity by this threat actor, of which we were notified in June 2023, involving unauthorized access to and exfiltration of a limited number of SharePoint files as early as May 2023. Following the notice in June, we immediately investigated with the assistance of external cybersecurity experts and took containment and remediation measures intended to eradicate the activity. Upon undertaking such actions, we determined that such activity did not materially impact the Company.

We have notified and are cooperating with law enforcement and are also assessing our regulatory notification obligations, and we will make notifications as appropriate based on our investigation findings. As of the date of this filing, the incident has not had a material impact on the Company’s operations, and the Company has not determined the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.

(1/24) HPE: Russian hackers breached its security team’s email accounts


3-D Matrix suffers financial losses from a wire transfer scam

(1/25) Notice of financial losses due to a wire transfer scam

3-D Matrix, Ltd. (Head office: Chiyoda-ku, Tokyo; President and CEO: Jun Okada) hereby announces that it has come to light that, between late December 2023 and early January 2024, the company suffered financial losses from a wire transfer scam: it complied with false payment instructions sent in multiple emails impersonating a business partner and mistakenly paid funds to a bank account different from that business partner's genuine bank account.


Trickbot malware developer sentenced to 5 years and 4 months in prison

(1/25) Office of Public Affairs | Russian National Sentenced for Involvement in Development and Deployment of Trickbot Malware | United States Department of Justice

(1/25) Russian TrickBot malware dev sentenced to 64 months in prison


Attacks and threats

ITOCHU Cyber & Intelligence reports the results of its analysis of the LODEINFO malware

(1/24) The endless battle between analysts and attackers over analysis evasion: findings from the analysis of LODEINFO v0.6.6 - v0.7.3 - ITOCHU Cyber & Intelligence Inc.


ESET reports on attack activity by the China-aligned threat group Blackwood using the NSPX30 malware

(1/24) NSPX30: A sophisticated AitM-enabled implant evolving since 2005

ESET researchers provide an analysis of an attack carried out by a previously undisclosed China-aligned threat actor we have named Blackwood, and that we believe has been operating since at least 2018. The attackers deliver a sophisticated implant, which we named NSPX30, through adversary-in-the-middle (AitM) attacks hijacking update requests from legitimate software.


Microsoft publishes a follow-up on the attack by the Russian threat group Midnight Blizzard

(1/25) Midnight Blizzard: Guidance for responders on nation-state attack | Microsoft Security Blog


Vulnerabilities

LAC issues an alert about multiple vulnerabilities in the Buffalo VR-S1000

(1/22) [Alert] Multiple vulnerabilities in the Buffalo VR-S1000 (CVE-2023-51363): apply countermeasures promptly | LAC WATCH

(2023/12/25) Multiple vulnerabilities in the VR-S1000 and how to address them | Buffalo


Authentication bypass vulnerability in GoAnywhere MFT (CVE-2024-0204). A PoC has also been published

(1/22) FI-2024-001 - Authentication Bypass in GoAnywhere MFT | Fortra's Security and Trust Center

(1/23) CVE-2024-0204: Fortra GoAnywhere MFT Authentication Bypass Deep-Dive – Horizon3.ai

(1/24) GoAnywhere MFT vulnerabilities are Going Nowhere for Now - Censys


Apple releases macOS Monterey 12.7.3, macOS Ventura 13.6.4, macOS Sonoma 14.3, iOS 15.8.1 / iPadOS 15.8.1, iOS 16.7.5 / iPadOS 16.7.5, iOS 17.3 / iPadOS 17.3, tvOS 17.3, watchOS 10.3, and Safari 17.3. The releases include fixes for vulnerabilities already confirmed to be exploited in the wild.

(1/22) Apple security releases - Apple Support


CISA adds 1+1+1 vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog

(1/22) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

(1/23) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

(1/24) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

  • CVE-2023-22527 Atlassian Confluence Data Center and Server Template Injection Vulnerability


Other

X (formerly Twitter) adds support for passkey login for iOS users in the US

(1/23) How to use passkey


Apple announces major changes to iOS, Safari, and the App Store in the EU to comply with the EU's Digital Markets Act (DMA)

(1/25) Apple announces changes to iOS, Safari, and the App Store in the European Union - Apple

Apple today announced changes to iOS, Safari, and the App Store impacting developers’ apps in the European Union (EU) to comply with the Digital Markets Act (DMA). The changes include more than 600 new APIs, expanded app analytics, functionality for alternative browser engines, and options for processing app payments and distributing iOS apps. Across every change, Apple is introducing new safeguards that reduce — but don’t eliminate — new risks the DMA poses to EU users. With these steps, Apple will continue to deliver the best, most secure experience possible for EU users.