This Week's Notable Security News - Issue #156


podcast - #セキュリティのアレ - a laid-back security podcast.


Brazilian law enforcement takes down the Grandoreiro malware infrastructure and arrests suspects

(1/30) PF combats criminal organization that committed electronic banking fraud against victims abroad — Polícia Federal

(1/30) ESET takes part in global operation to disrupt the Grandoreiro banking trojan

ESET has collaborated with the Federal Police of Brazil in an attempt to disrupt the Grandoreiro botnet. ESET contributed to the project by providing technical analysis, statistical information, and known command and control (C&C) server domain names and IP addresses. Due to a design flaw in Grandoreiro’s network protocol, ESET researchers were also able to get a glimpse into the victimology.

(1/30) Police disrupt Grandoreiro banking malware operation, make arrests

Ransomware infection hits the X-ray image reading system owned by the Saitama Health Promotion Corporation (埼玉県健康づくり事業団)

(1/31) Regarding unauthorized access to the X-ray image reading system

(2/1) Possible data leak: Saitama corporation that conducts health checkups for 400,000 people a year hit by cyberattack, no timeline for recovery; X-ray image reading system and images encrypted, ransom demanded; the ransomware is "LockBit"; what comes next | Saitama Shimbun (埼玉新聞)


(1/31) Notice and apology regarding a leak of personal information due to unauthorized login / Staffing and placement for the childcare and logistics industries / SES by Sunrise Works Co., Ltd. (株式会社サンライズワークス)

It has come to light that, on the job information site "Baitoru" (バイトル) operated by dip Corporation (hereinafter "dip"), on which our company posts job listings, an unauthorized login was made to our applicant information management screen (hereinafter "the management screen"), and that an e-mail (hereinafter "the e-mail") containing part of the application information of 20 of the people who applied to our company through Baitoru between January and November 2023 (hereinafter "applicants"), together with the ID and password used for the unauthorized login, was sent to an external party using the management screen's e-mail sending function. As a result, the application information of 1,296 applicants stored on the management screen may have been viewed by the third party who performed the unauthorized login and by anyone who accessed it using the ID and password contained in the e-mail.

The personal information that was sent and the personal information that may have been viewed are as described below, and do not include credit card information. In addition, at this time we have not confirmed that the ID and password used for the unauthorized login leaked from within our company.

(1/31) Apology and notice regarding unauthorized login to the management screens of companies posting job listings | dip Corporation


(1/31) Regarding the fund outflow incident at our Asia-Pacific group company


(1/31) Miura Co., Ltd. (三浦工業): Apology and report

It has been determined that between approximately 17:00 on Friday, January 26, 2024 and 11:21 on Sunday, January 28, our website was defaced by a cyberattack from a third party. We sincerely apologize for the great inconvenience and concern this has caused our customers. We are currently investigating the cause and impact, and have taken the website offline.

Personal accounts of Ripple Labs co-founder Chris Larsen accessed without authorization; XRP worth approximately 15.6 billion yen stolen

(1/31) Ripple chairman Chris Larsen hacked for reported 213M XRP worth approximately $112.5M

Cloudflare discloses unauthorized access to its internal systems in November of last year

(2/1) Thanksgiving 2023 security incident

On Thanksgiving Day, November 23, 2023, Cloudflare detected a threat actor on our self-hosted Atlassian server. Our security team immediately began an investigation, cut off the threat actor’s access, and on Sunday, November 26, we brought in CrowdStrike’s Forensic team to perform their own independent analysis.

Operation Synergia, a joint effort by law enforcement agencies from more than 50 countries, identifies and takes down some 1,300 malicious IP addresses and URLs used for phishing and malware infections

(2/1) INTERPOL-led operation targets growing cyber threats

SINGAPORE – Some 1,300 suspicious IP addresses or URLs have been identified as part of a global INTERPOL operation targeting phishing, malware and ransomware attacks.

Operation Synergia, which ran from September to November 2023, was launched in response to the clear growth, escalation and professionalisation of transnational cybercrime and the need for coordinated action against new cyber threats.

The operation involved 60 law enforcement agencies from more than 50 INTERPOL member countries, with officers conducting house searches and seizing servers as well as electronic devices. To date, 70% of the command-and-control (C2) servers identified have been taken down, with the remainder currently under investigation.

AnyDesk announces unauthorized access to its internal systems

(2/2) AnyDesk Incident Response 2-2-2024


Coveware publishes its ransomware report for Q4 2023

(1/26) New Ransomware Reporting Requirements Kick in as Victims Increasingly Avoid Paying

JC3 issues an alert about the KeepSpy and XLoader/MoqHao malware

(1/30) Your smartphone is spreading phishing sites! | Topics | Threat Information | Japan Cybercrime Control Center (JC3)

The U.S. Department of Justice conducts an operation to remove the KV botnet, used by the Chinese threat group Volt Typhoon, from infected devices

(1/31) Office of Public Affairs | U.S. Government Disrupts Botnet People’s Republic of China Used to Conceal Hacking of Critical Infrastructure | United States Department of Justice

The vast majority of routers that comprised the KV Botnet were Cisco and NetGear routers that were vulnerable because they had reached “end of life” status; that is, they were no longer supported through their manufacturer’s security patches or other software updates. The court-authorized operation deleted the KV Botnet malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet.

(1/31) China's Hackers Have Entire Nation in Their Crosshairs, FBI Director Warns — FBI

(1/31) CISA and FBI Release Secure by Design Alert Urging Manufacturers to Eliminate Defects in SOHO Routers | CISA


(2/1) See the state of scam SMS in real time?! "Scam SMS Monitor" (詐欺SMSモニター) | Tobila Systems (securities code: 4441)



Multiple vulnerabilities in Jenkins; PoC also published

(1/24) Jenkins Security Advisory 2024-01-24

(1/24) Excessive Expansion: Uncovering Critical Security Vulnerabilities in Jenkins | Sonar

(1/28) Exploits released for critical Jenkins RCE flaw, patch now

(1/30) CVE-2024-23897: Jenkins - Censys

As of January 30, 2024, Censys has observed 83,509 Jenkins servers on the internet, 79,952 (~96%) of which are potentially vulnerable.

(Reference) A summary of the Jenkins vulnerability CVE-2024-23897 - piyolog

Vulnerabilities in multiple Hitron Systems DVRs; exploitation already confirmed

(1/30) Actively Exploited Vulnerability in Hitron DVRs: Fixed, Patches Available | Akamai

As part of the InfectedSlurs discovery, the Akamai SIRT uncovered vulnerabilities in multiple Hitron DVR device models that are actively exploited in the wild. Hitron devices are manufactured in South Korea by Hitron Systems.

The vulnerability allows an authenticated attacker to achieve OS command injection with a payload delivered via a POST request to the management interface. In its current configuration, it is utilizing device default credentials in the captured payloads.

(1/31) JVNVU#93639653: Improper input validation vulnerability in multiple Hitron Systems digital video recorders

New vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure; exploitation already confirmed

(1/31) Security Update for Ivanti Connect Secure and Ivanti Policy Secure Gateways

As part of our ongoing strengthening of the security of our products we have discovered new vulnerabilities in Ivanti Connect Secure (formerly Pulse Secure) and Ivanti Policy Secure gateways. We are reporting these vulnerabilities as CVE-2023-46805 and CVE-2024-21887. These vulnerabilities impact all supported versions of the products. Mitigations are available now.

(1/31) CVE-2024-21888 Privilege Escalation for Ivanti Connect Secure and Ivanti Policy Secure

We have no evidence of any customers being impacted by CVE-2024-21888 at this time. We are only aware of a small number of customers who have been impacted by CVE-2024-21893 at this time. The table below provides details on the vulnerabilities:

(1/31) Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation | Mandiant

In this follow-up blog post, we detail additional tactics, techniques, and procedures (TTPs) employed by UNC5221 and other threat groups during post-exploitation activity across our incident response engagements. We also detail new malware families and variants to previously identified malware families being used by UNC5221. We acknowledge the possibility that one or more related groups may be associated with the activity described in this blog post. It is likely that additional groups beyond UNC5221 have adopted one or more of these tools.

(1/31) Updated: New Software Updates and Mitigations to Defend Against Exploitation of Ivanti Connect Secure and Policy Secure Gateways | CISA

(1/31) Supplemental Direction V1: ED 24-01: Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities | CISA

(2/2) CVE-2024-21893 | AttackerKB

CISA adds 1+1 vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog

(1/31) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

(1/31) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

  • CVE-2024-21893 Ivanti Connect Secure, Policy Secure, and Neurons Server-Side Request Forgery (SSRF) Vulnerability

Container-escape vulnerabilities in Docker and runc

(1/31) Leaky Vessels: Docker and runc Container Breakout Vulnerabilities - January 2024 | Snyk

Snyk security researcher Rory McNamara, with the Snyk Security Labs team, identified four vulnerabilities — dubbed "Leaky Vessels" — in core container infrastructure components that allow container escapes. An attacker could use these container escapes to gain unauthorized access to the underlying host operating system from within the container.

(1/31) Docker Security Advisory: Multiple Vulnerabilities in runc, BuildKit, and Moby | Docker

We at Docker prioritize the security and integrity of our software and the trust of our users. Security researchers at Snyk Labs recently identified and reported four security vulnerabilities in the container ecosystem. One of the vulnerabilities, CVE-2024-21626, concerns the runc container runtime, and the other three affect BuildKit (CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653). We want to assure our community that our team, in collaboration with the reporters and open source maintainers, has been diligently working on coordinating and implementing necessary remediations.

(1/31) several container breakouts due to internally leaked fds · Advisory · opencontainers/runc · GitHub