ポッドキャスト収録用のメモですよ。
podcast - #セキュリティのアレ - ゆるーいセキュリティのポッドキャストですよ。
事件、事故
38 North が北朝鮮のサーバから入手したファイルの調査結果を報告。北朝鮮が日本など海外のアニメ製作に関与していた可能性
A misconfigured North Korean Internet cloud server has provided a fascinating glance into the world of North Korean animation outsourcing and how foreign companies might be inadvertently employing North Korean companies on information technology (IT) projects. The incident also underlines how difficult it is for foreign companies to verify their outsourced work is not potentially breaking sanctions and ending up on computers in Pyongyang.
(4/23) 北朝鮮、日本アニメ制作関与か サーバーからファイル―米分析:時事ドットコム
(4/26) 「全く知らない」「勝手に使われた」──日米のアニメ制作会社が相次ぎ声明 北朝鮮のサーバから関連ファイルが見つかった問題で - ITmedia NEWS
米国で TikTok 禁止法案が成立。ByteDance に対して TikTok の売却を義務付け
(4/24) Press Release: Bill Signed: H.R. 815 | The White House
(4/24) TikTok禁止法案が米上院で可決。バイデン大統領の署名で成立へ | テクノエッジ TechnoEdge
(4/25) TikTok禁止法案が米国で成立--「法廷で戦う」とCEO - CNET Japan
米司法省が暗号資産ミキシングサービス Samourai Wallet の共同創設者を逮捕および起訴
Keonne Rodriguez and William Lonergan Hill Are Charged with Operating Samourai Wallet, an Unlicensed Money Transmitting Business That Executed Over $2 Billion in Unlawful Transactions and Laundered Over $100 Million in Criminal Proceeds
米司法省が米国へのサイバー攻撃に関与したとして 4人のイラン人を起訴
An indictment was unsealed today in Manhattan federal court charging Iranian nationals Hossein Harooni (حسین هارونی), Reza Kazemifar (رضا کاظمی فر), Komeil Baradaran Salmani (کمیل برادران سلمانی), and Alireza Shafie Nasab (علیرضا شفیعی نسب) for their involvement in a cyber-enabled campaign to compromise U.S. government and private entities, including the U.S. Departments of Treasury and State, defense contractors, and two New York-based companies. Nasab was charged for the same conduct in a previous indictment that was unsealed on Feb. 29. The defendants remain at large.
攻撃、脅威
Microsoft がロシアの攻撃者グループ Forest Blizzard の活動について報告
Microsoft Threat Intelligence is publishing results of our longstanding investigation into activity by the Russian-based threat actor Forest Blizzard (STRONTIUM) using a custom tool to elevate privileges and steal credentials in compromised networks. Since at least June 2020 and possibly as early as April 2019, Forest Blizzard has used the tool, which we refer to as GooseEgg, to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions. Microsoft has observed Forest Blizzard using GooseEgg as part of post-compromise activities against targets including Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations. While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks.
Avast がインドのウイルス対策ソフト eScan のアップデートを悪用したマルウェアのキャンペーンについて報告
- Avast discovered and analyzed a malware campaign hijacking an eScan antivirus update mechanism to distribute backdoors and coinminers
- Avast disclosed the vulnerability to both eScan antivirus and India CERT. On 2023-07-31, eScan confirmed that the issue was fixed and successfully resolved
- The campaign was orchestrated by a threat actor with possible ties to Kimsuky
- Two different types of backdoors have been discovered, targeting large corporate networks
- The final payload distributed by GuptiMiner was also XMRig
Mandiant が M-Trends 2024 レポートを公開
(4/24) M-Trends 2024: Our View from the Frontlines | Google Cloud Blog
Sekoia が PlugX マルウェアの活動状況について報告
(4/25) Unplugging PlugX: Sinkholing the PlugX USB worm botnet - Sekoia.io Blog
In September 2023, we successfully sinkholed a command and control server linked to the PlugX worms. For just $7, we acquired the unique IP address tied to a variant of this worm, which had been previously documented by Sophos.
Almost four years after its initial launch, between ~90,000 to ~100,000 unique public IP addresses are still infected, sending distinctive PlugX requests daily to our sinkhole. We observed in 6 months of sinkholing more than 2,5M unique IPs connecting to it.
While studying the cryptography of PlugX’s communications, we discovered that it was possible to send disinfection commands to the compromised workstations. Two approaches can be implemented: one that disinfects only the workstation, and a more intrusive one that disinfects both the workstation and the USB drive.
Despite the fact that this worm cannot be completely stopped, we are offering the affected countries the possibility of disinfection, with a concept of sovereign disinfection process.
脆弱性
Citizen Lab が複数のベンダーの中国語キーボードアプリの脆弱性を報告
We analyzed the security of cloud-based pinyin keyboard apps from nine vendors — Baidu, Honor, Huawei, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi — and examined their transmission of users’ keystrokes for vulnerabilities.
CISA が Known Exploited Vulnerabilities (KEV) カタログに 1+3 個の脆弱性を追加
(4/23) CISA Adds One Known Exploited Vulnerability to Catalog | CISA
- CVE-2022-38028 Microsoft Windows Print Spooler Privilege Escalation Vulnerability
(4/24) CISA Adds Three Known Exploited Vulnerabilities to Catalog | CISA
- CVE-2024-20353 Cisco ASA and FTD Denial of Service Vulnerability
- CVE-2024-20359 Cisco ASA and FTD Privilege Escalation Vulnerability
- CVE-2024-4040 CrushFTP VFS Sandbox Escape Vulnerability
Cisco ASA に複数の脆弱性。すでに悪用を確認
(4/24) Cisco Event Response: Attacks Against Cisco Firewall Platforms
In early 2024, the Cisco Product Security Incident Response Team (PSIRT) became aware of attacks that were targeting certain devices that were running Cisco Adaptive Security Appliance (ASA) Software or Cisco Firepower Threat Defense (FTD) Software to implant malware, execute commands, and potentially exfiltrate data from the compromised devices.
This attack campaign has been named ArcaneDoor. Although Cisco has not yet identified the initial attack vector, the software updates that are identified in the advisories in the following table address software weaknesses that could allow an attacker to implant malware and obtain persistence on an affected device. Of these software weaknesses, CVE-2024-20353 and CVE-2024-20359 were used by the attacker in this attack campaign.
(4/24) ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices
ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns. As a critical path for data into and out of the network, these devices need to be routinely and promptly patched; using up-to-date hardware and software versions and configurations; and be closely monitored from a security perspective. Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications. In the past two years, we have seen a dramatic and sustained increase in the targeting of these devices in areas such as telecommunications providers and energy sector organizations — critical infrastructure entities that are likely strategic targets of interest for many foreign governments.
(4/24) Cyber Activity Impacting CISCO ASA VPNs - Canadian Centre for Cyber Security
その他
Section 702 of FISA が 2026年4月まで 2年間延長される
(4/20) Bill Signed: H.R. 7888 | The White House
Microsoft がインシデント対応における Windows フォレンジックのガイドを公開
(4/23) New Microsoft Incident Response guide simplifies threat investigation | Microsoft Security Blog
GitHub がユーザーの 2要素認証の利用状況を報告
(4/24) Securing millions of developers through 2FA - The GitHub Blog
