This Week's Notable Security News - Issue #173

These are notes for recording the podcast.

podcast - #セキュリティのアレ - a laid-back security podcast.



Incidents and accidents

Google Cloud reports on the incident affecting Australia's UniSuper that occurred in early May

(5/25) Details of Google Cloud GCVE incident | Google Cloud Blog

During the initial deployment of a Google Cloud VMware Engine (GCVE) Private Cloud for the customer using an internal tool, there was an inadvertent misconfiguration of the GCVE service by Google operators due to leaving a parameter blank. This had the unintended and then unknown consequence of defaulting the customer’s GCVE Private Cloud to a fixed term, with automatic deletion at the end of that period. The incident trigger and the downstream system behavior have both been corrected to ensure that this cannot happen again.

This incident did not impact any Google Cloud service other than this customer’s one GCVE Private Cloud. Other customers were not impacted by this incident.


Internal documents on Google's search algorithm leaked

(5/27) An Anonymous Source Shared Thousands of Leaked Google Search API Documents with Me; Everyone in SEO Should See Them - SparkToro

(5/27) Secrets from the Algorithm: Google Search’s Internal Engineering Documentation Has Leaked

(5/29) Google confirms the leaked Search documents are real - The Verge


Internet Archive hit by a DDoS attack lasting several days

(5/28) Internet Archive and the Wayback Machine under DDoS cyber-attack | Internet Archive Blogs

The Internet Archive, the nonprofit research library that’s home to millions of historical documents, preserved websites, and media content, is currently in its third day of warding off an intermittent DDoS (distributed denial-of-service) cyber-attack. According to library staff, the collections are safe, though service remains inconsistent. Access to the Internet Archive Wayback Machine – which preserves the history of more than 866 billion web pages – has also been impacted.

(5/29) Three-day DDoS attack batters the Internet Archive • The Register


911 S5 botnet dismantled and associated individuals arrested through cooperation among the US Department of Justice and other law enforcement agencies

(5/28) Treasury Sanctions a Cybercrime Network Associated with the 911 S5 Botnet | U.S. Department of the Treasury

(5/29) Office of Public Affairs | 911 S5 Botnet Dismantled and Its Administrator Arrested in Coordinated International Operation | United States Department of Justice

According to an indictment unsealed on May 24, from 2014 through July 2022, Wang and others are alleged to have created and disseminated malware to compromise and amass a network of millions of residential Windows computers worldwide. These devices were associated with more than 19 million unique IP addresses, including 613,841 IP addresses located in the United States. Wang then generated millions of dollars by offering cybercriminals access to these infected IP addresses for a fee.

(5/29) How to Identify and Remove VPN Applications That Contain 911 S5 Backdoors — FBI

(5/29) Is Your Computer Part of ‘The Largest Botnet Ever?’ – Krebs on Security

(5/29) US dismantles 911 S5 botnet used for cyberattacks, arrests admin


Europol, in coordination with multiple law enforcement agencies, disrupts operations using dropper malware and arrests associated individuals

(5/30) Largest ever operation against botnets hits dropper malware ecosystem | Europol

Between 27 and 29 May 2024 Operation Endgame, coordinated from Europol’s headquarters, targeted droppers including, IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot. The actions focused on disrupting criminal services through arresting High Value Targets, taking down the criminal infrastructures and freezing illegal proceeds. This approach had a global impact on the dropper ecosystem. The malware, whose infrastructure was taken down during the action days, facilitated attacks with ransomware and other malicious software. Following the action days, eight fugitives linked to these criminal activities, wanted by Germany, will be added to Europe’s Most Wanted list on 30 May 2024. The individuals are wanted for their involvement in serious cybercrime activities.

(5/30) Operation Endgame

(5/30) Troy Hunt: Operation Endgame


Approximately 48.2 billion yen worth of Bitcoin illicitly drained from crypto asset exchange DMM Bitcoin

(5/31) [Important] Report on the unauthorized outflow of crypto assets (first report) - DMM Bitcoin (2024/05/31)

The amount of Bitcoin (BTC) that was illicitly drained from our wallet has been determined to be 4,502.9 BTC (approximately 48.2 billion yen).


Attacks and threats

Microsoft reports on the activities of the North Korean threat actor group Moonstone Sleet

(5/28) Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks | Microsoft Security Blog

Microsoft has identified a new North Korean threat actor, now tracked as Moonstone Sleet (formerly Storm-1789), that uses both a combination of many tried-and-true techniques used by other North Korean threat actors and unique attack methodologies to target companies for its financial and cyberespionage objectives. Moonstone Sleet is observed to set up fake companies and job opportunities to engage with potential targets, employ trojanized versions of legitimate tools, create a fully functional malicious game, and deliver a new custom ransomware.


Recorded Future reports on the activities of the Russian threat actor group BlueDelta

(5/30) GRU's BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Camp | Recorded Future

Insikt Group tracks the evolutions of GRU's BlueDelta operational infrastructure, targeting networks across Europe with information-stealing Headlace malware and credential-harvesting web pages. BlueDelta deployed Headlace infrastructure in three distinct phases from April to December 2023, using phishing, compromised internet services, and living off the land binaries to extract intelligence. Credential harvesting pages targeted Ukraine's Ministry of Defence, European transportation infrastructures, and an Azerbaijani think tank, reflecting a broader Russian strategy to influence regional and military dynamics.


OpenAI publishes a report on influence operation campaigns and announces it has suspended the accounts involved

(5/30) Disrupting deceptive uses of AI by covert influence operations | OpenAI

In the last three months, we have disrupted five covert IO that sought to use our models in support of deceptive activity across the internet. As of May 2024, these campaigns do not appear to have meaningfully increased their audience engagement or reach as a result of our services.


Vulnerabilities

CISA adds 1+1+2 vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog

(5/28) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

(5/29) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

  • CVE-2024-4978 Justice AV Solutions (JAVS) Viewer Installer Embedded Malicious Code Vulnerability

(5/30) CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA


Arbitrary file read vulnerability in multiple Check Point products; exploitation in the wild already confirmed

(5/27) Important Security Update – Stay Protected Against VPN Information Disclosure (CVE-2024-24919) - Check Point Blog

(5/29) Advisory: Check Point Remote Access VPN vulnerability (CVE-2024-24919)

(5/30) Check Point - Wrong Check Point (CVE-2024-24919)

(5/30) On the information disclosure vulnerability (CVE-2024-24919) in the VPN function of Check Point Software Technologies products

(5/31) May 31, 2024: Arbitrary File Read in Check Point VPN Gateways [CVE-2024-24919] | Censys


NIST updates the status of the NVD and reports on its efforts to clear the backlog

(5/29) National Vulnerability Database | NIST

NIST has awarded a contract for additional processing support for incoming Common Vulnerabilities and Exposures (CVEs) for inclusion in the National Vulnerability Database. We are confident that this additional support will allow us to return to the processing rates we maintained prior to February 2024 within the next few months.

In addition, a backlog of unprocessed CVEs has developed since February. NIST is working with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to facilitate the addition of these unprocessed CVEs to the NVD. We anticipate that this backlog will be cleared by the end of the fiscal year.

(5/30) Analygence chosen as company to help NIST address backlog at NVD


Other

Apple announces the rollout of the Apple Wallet ID feature in Japan

(5/30) Newsroom - Apple (Japan)

Apple is working with Japan's Digital Agency to enable people living in Japan to use their My Number Card in Apple Wallet starting in late spring next year. Japan will be the first country outside the United States where the Apple Wallet ID feature is rolled out. With this feature, residents of Japan will be able to seamlessly add their My Number Card to Apple Wallet on iPhone and use it safely, always with the security and convenience of iPhone, to obtain official certificates and similar documents at convenience stores just as they would with the physical card, and to access the Myna Portal (マイナポータル) iOS app to receive government services online.