This Week's Security News of Note - Issue #179

These are my notes for recording the podcast.

podcast - #セキュリティのアレ - a laid-back security podcast.



Incidents

The US Department of Justice disrupts social media infrastructure used in a Russian disinformation campaign targeting the United States

(7/9) Office of Public Affairs | Justice Department Leads Efforts Among Federal, International, and Private Sector Partners to Disrupt Covert Russian Government-Operated Social Media Bot Farm | United States Department of Justice

The Justice Department today announced the seizure of two domain names and the search of 968 social media accounts used by Russian actors to create an AI-enhanced social media bot farm that spread disinformation in the United States and abroad. The social media bot farm used elements of AI to create fictitious social media profiles — often purporting to belong to individuals in the United States — which the operators then used to promote messages in support of Russian government objectives, according to affidavits unsealed today.

(7/9) State-Sponsored Russian Media Leverages Meliorator Software for Foreign Malign Influence Activity


AT&T discloses that unauthorized access exposed call and text records of nearly all its customers for May through October 2022

(7/12) AT&T Addresses Illegal Download of Customer Data

In April, AT&T learned that customer data was illegally downloaded from our workspace on a third-party cloud platform. We launched an investigation and engaged leading cybersecurity experts to understand the nature and scope of the criminal activity. We have taken steps to close off the illegal access point. We are working with law enforcement in its efforts to arrest those involved in the incident. We understand that at least one person has been apprehended.

Based on our investigation, the compromised data includes files containing AT&T records of calls and texts of nearly all of AT&T’s cellular customers, customers of mobile virtual network operators (MVNOs) using AT&T’s wireless network, as well as AT&T’s landline customers who interacted with those cellular numbers between May 1, 2022 - October 31, 2022. The compromised data also includes records from January 2, 2023, for a very small number of customers. The records identify the telephone numbers an AT&T or MVNO cellular number interacted with during these periods. For a subset of records, one or more cell site identification number(s) associated with the interactions are also included.

The data does not contain the content of calls or texts, personal information such as Social Security numbers, dates of birth, or other personally identifiable information. It also does not include some typical information you see in your usage details, such as the time stamp of calls or texts. While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number.

(7/12) Unlawful Access of Customer Data - AT&T Bill & account Customer Support

(7/12) AT&T says criminals stole phone records of 'nearly all' customers in new data breach | TechCrunch

AT&T’s Huguely told TechCrunch that the most recent compromise of customer records were stolen from the cloud data giant Snowflake during a recent spate of data thefts targeting Snowflake’s customers.

Snowflake allows its corporate customers, like tech companies and telcos, to analyze huge amounts of customer data in the cloud. It’s not clear for what reason AT&T was storing customer data in Snowflake, and the spokesperson would not say.


Attacks and threats

JPCERT/CC reports on the activity of the Kimsuky attack group targeting Japanese organizations

(7/8) Attack activity by the Kimsuky group targeting Japanese organizations - JPCERT/CC Eyes | JPCERT Coordination Center official blog


Avast releases a decryptor for the DoNex ransomware

(7/8) Decrypted: DoNex Ransomware and its Predecessors - Avast Threat Labs

Researchers from Avast have discovered a flaw in the cryptographic schema of the DoNex ransomware and its predecessors. In cooperation with law enforcement organizations, we have been silently providing the decryptor to DoNex ransomware victims since March 2024. The cryptographic weakness was made public at Recon 2024 and therefore we have no reason to keep this secret anymore.


Australia's ASD and partner agencies issue a joint advisory on the activity of the Chinese attack group APT40

(7/9) APT40 Advisory | Cyber.gov.au

This advisory, authored by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the United States Cybersecurity and Infrastructure Security Agency (CISA), the United States National Security Agency (NSA), the United States Federal Bureau of Investigation (FBI), the United Kingdom National Cyber Security Centre (NCSC-UK), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), the German Federal Intelligence Service (BND) and Federal Office for the Protection of the Constitution (BfV), the Republic of Korea's National Intelligence Service (NIS) and NIS’ National Cyber Security Center, and Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and National Police Agency (NPA) – hereafter referred to as the “authoring agencies” – outlines a People’s Republic of China (PRC) state-sponsored cyber group and their current threat to Australian networks. The advisory draws on the authoring agencies’ shared understanding of the threat as well as ASD’s ACSC incident response investigations.

(7/9) On co-signing the Australian-led international advisory on the APT40 group

(7/9) Seven countries and Japan's National Police Agency warn about the Chinese-backed cyberattack group "APT40": Asahi Shimbun Digital


JPCERT/CC reports on the activity of the MirrorFace attack group

(7/9) Attack activity of the MirrorFace group - JPCERT/CC Eyes | JPCERT Coordination Center official blog


Cloudflare publishes its DDoS threat report for Q2 2024

(7/9) DDoS threat report for 2024 Q2


Vulnerabilities

Microsoft releases the July 2024 Patch Tuesday updates, including fixes for vulnerabilities already confirmed to be exploited in the wild.

(7/9) July 2024 Security Updates (monthly) | MSRC Blog | Microsoft Security Response Center

Of the vulnerabilities fixed in this month's security updates, we have confirmed that the following were being exploited, or had their details publicly disclosed, before the updates were released. Customers should apply the updates as soon as possible. For details of each vulnerability, refer to the individual CVE pages.

(7/9) Zero Day Initiative — The July 2024 Security Update Review

(7/9) Resurrecting Internet Explorer: Threat Actors Using Zero-day Tricks in Internet Shortcut File to Lure Victims (CVE-2024-38112) - Check Point Research


RADIUS protocol vulnerability (Blast-RADIUS)

(7/9) BLAST RADIUS

The Blast-RADIUS attack allows a man-in-the-middle attacker between the RADIUS client and server to forge a valid protocol accept message in response to a failed authentication request. This forgery could give the attacker access to network devices and services without the attacker guessing or brute forcing passwords or shared secrets. The attacker does not learn user credentials.

(7/12) JVNVU#99565539: Authentication responses can be forged in the RADIUS protocol
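The quoted summary describes the forgery at a high level. As an added example (my own code, not from the Blast-RADIUS researchers, JVN, or any RADIUS implementation), the following Python shows the two integrity checks a RADIUS client can apply to an Access-Accept: the RFC 2865 Response Authenticator, a plain MD5 over the packet with the shared secret appended, which is the value the attack's MD5 chosen-prefix collision lets an on-path attacker reuse, and the RFC 2869 Message-Authenticator, an HMAC-MD5 keyed with the shared secret, which the collision does not affect and which the Blast-RADIUS mitigation guidance requires on every Access-Request and response. The shared secret, identifier, and attribute values are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for the example; not taken from any real deployment or from the paper.
SHARED_SECRET = b"example-shared-secret"
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)


def encode_attrs(attrs):
    """[(type, value)] -> RADIUS TLVs: Type(1) Length(1, includes the 2-byte header) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, alen = struct.unpack("!BB", data[i:i + 2])
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + alen]))
        i += alen
    return attrs


def response_authenticator(code, ident, request_auth, body, secret):
    # RFC 2865 s3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret).
    # Attribute bytes the attacker can influence (e.g. Proxy-State, which the server
    # echoes back) precede the secret, so an MD5 chosen-prefix collision between the
    # prefix of an Access-Reject and that of an Access-Accept gives the same digest
    # whatever the secret is. That Merkle-Damgard property is what Blast-RADIUS uses.
    hdr = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    return hashlib.md5(hdr + request_auth + body + secret).digest()


def message_authenticator(code, ident, request_auth, attrs, secret):
    # RFC 2869 s5.14: HMAC-MD5 keyed with the secret over the packet with the
    # Message-Authenticator value zeroed; responses use the request's authenticator.
    zeroed = [(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    body = encode_attrs(zeroed)
    hdr = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    return hmac.new(secret, hdr + request_auth + body, hashlib.md5).digest()


def build_response(code, ident, request_auth, attrs, secret, with_msg_auth=True):
    """Server side: build an Access-Accept/Reject, optionally with a Message-Authenticator."""
    if with_msg_auth:
        attrs = attrs + [(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
        mac = message_authenticator(code, ident, request_auth, attrs, secret)
        attrs = [(t, mac if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    body = encode_attrs(attrs)
    auth = response_authenticator(code, ident, request_auth, body, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + auth + body


def verify_response(packet, request_auth, secret, require_msg_auth):
    """Client side. Returns (accepted, reason)."""
    if len(packet) < HEADER_LEN:
        return False, "short packet"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False, "length mismatch"
    auth, body = packet[4:20], packet[20:]
    if not hmac.compare_digest(auth, response_authenticator(code, ident, request_auth, body, secret)):
        return False, "bad Response Authenticator"
    attrs = decode_attrs(body)
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not macs:
        # Legacy behaviour: the MD5 check alone decides. This is the path the forgery abuses.
        return (False, "Message-Authenticator missing") if require_msg_auth else (True, "accepted (MD5 only)")
    if len(macs) != 1 or len(macs[0]) != 16:
        return False, "malformed Message-Authenticator"
    if not hmac.compare_digest(macs[0], message_authenticator(code, ident, request_auth, attrs, secret)):
        return False, "bad Message-Authenticator"
    return True, "accepted"


def demo():
    request_auth = os.urandom(16)  # Request Authenticator of the constructed Access-Request
    attrs = [(ATTR_USER_NAME, b"alice")]
    good = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, SHARED_SECRET)
    legacy = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, SHARED_SECRET, with_msg_auth=False)
    # An on-path attacker without the secret (and without a collision) can only guess the authenticator.
    body = encode_attrs(attrs)
    forged = struct.pack("!BBH", ACCESS_ACCEPT, 7, HEADER_LEN + len(body)) + os.urandom(16) + body
    return {
        "good_strict": verify_response(good, request_auth, SHARED_SECRET, True)[0],
        "legacy_lenient": verify_response(legacy, request_auth, SHARED_SECRET, False)[0],
        "legacy_strict": verify_response(legacy, request_auth, SHARED_SECRET, True)[0],
        "forged_guess": verify_response(forged, request_auth, SHARED_SECRET, False)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The "legacy_lenient" case is how most UDP RADIUS clients behaved before the disclosure: an Access-Accept carrying nothing but a valid-looking MD5 is accepted, and a collision makes a server's Reject authenticator valid for the attacker's Accept. Flipping `require_msg_auth` to True is the equivalent of the configuration change vendors shipped (FreeRADIUS, for example, added a `require_message_authenticator` client option); the longer-term fix is to stop sending RADIUS over plain UDP and use RADIUS over TLS or DTLS.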


CISA adds three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog

(7/9) CISA Adds Three Known Exploited Vulnerabilities to Catalog | CISA


Other

The Cybersecurity Strategic Headquarters publishes "Cybersecurity 2024"

(7/10) Cybersecurity 2024 (FY2023 annual report and FY2024 annual plan)


Google adds passkey support to the Advanced Protection Program

(7/10) Google rolls out Passkeys to high risk users in Advanced Protection Program