Notes for the podcast recording.
podcast - #セキュリティのアレ - A laid-back security podcast.
Incidents and Accidents
Multiple domains hijacked at the registrar Squarespace
(7/12) DNS hijacks target crypto platforms registered with Squarespace
(7/12) Squarespace Security Advisory
(7/14) A Squarespace Retrospective, or How to Coordinate an Industry-Wide Incident Response
Cyber attack on the Indian cryptocurrency exchange WazirX leads to unauthorized transfers of crypto assets worth $230M
(7/18) WazirX halts withdrawals after losing $230M worth crypto assets in security breach | TechCrunch
(7/18) $235 million lost by WazirX in North Korea-linked breach
At WazirX, our commitment to transparency and community welfare is paramount. There was a cyber attack on one of our multisig wallets. Below are the preliminary findings to clarify the situation:
» Incident Overview: A cyber attack occurred in one of our multisig wallets…
— WazirX: India Ka Bitcoin Exchange (@WazirXIndia) July 18, 2024
A CrowdStrike Falcon product update causes Windows hosts to crash; a large number of systems worldwide are affected
(7/19) Statement on Falcon Content Update for Windows Hosts - crowdstrike.com
(7/19) Our Statement on Today's Outage | CrowdStrike
The outage was caused by a defect found in a Falcon content update for Windows hosts. Mac and Linux hosts are not impacted. This was not a cyberattack.
(7/19) Falcon Sensor Issue Likely Used to Target CrowdStrike Customers
(7/20) Technical Details on July 19, 2024 Outage | CrowdStrike
On July 19, 2024 at 04:09 UTC, as part of ongoing operations, CrowdStrike released a sensor configuration update to Windows systems. Sensor configuration updates are an ongoing part of the protection mechanisms of the Falcon platform. This configuration update triggered a logic error resulting in a system crash and blue screen (BSOD) on impacted systems.
The sensor configuration update that caused the system crash was remediated on Friday, July 19, 2024 05:27 UTC.
This issue is not the result of or related to a cyberattack.
(7/20) Helping our customers through the CrowdStrike outage - The Official Microsoft Blog
While software updates may occasionally cause disturbances, significant incidents like the CrowdStrike event are infrequent. We currently estimate that CrowdStrike’s update affected 8.5 million Windows devices, or less than one percent of all Windows machines. While the percentage was small, the broad economic and societal impacts reflect the use of CrowdStrike by enterprises that run many critical services.
(7/19) Widespread IT Outage Due to CrowdStrike Update | CISA
(7/19) CrowdStrike update crashes Windows systems, causes outages worldwide
(7/19) System outage hits airports and other services worldwide; Jetstar and USJ affected in Japan; caused by security software [details for the 19th] | NHK | Aviation
(7/20) CrowdStrike's "No. 1 global market share" backfires: Windows system outage becomes the "largest ever" : Yomiuri Shimbun
Attacks and Threats
Mandiant reports on the attack activity of the Chinese threat group APT41
(7/19) APT41 Has Arisen From the DUST | Google Cloud Blog
In collaboration with Google’s Threat Analysis Group (TAG), Mandiant has observed a sustained campaign by the advanced persistent threat group APT41 targeting and successfully compromising multiple organizations operating within the global shipping and logistics, media and entertainment, technology, and automotive sectors. The majority of organizations were operating in Italy, Spain, Taiwan, Thailand, Turkey, and the United Kingdom.
Vulnerabilities
CISA adds 1+3 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog
(7/15) CISA Adds One Known Exploited Vulnerability to Catalog | CISA
- CVE-2024-36401 OSGeo GeoServer GeoTools Eval Injection Vulnerability
(7/17) CISA Adds Three Known Exploited Vulnerabilities to Catalog | CISA
- CVE-2024-34102 Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability
- CVE-2024-28995 SolarWinds Serv-U Path Traversal Vulnerability
- CVE-2022-22948 VMware vCenter Server Incorrect Default File Permissions Vulnerability
CISA added GeoServer CVE-2024-36401 to its Known Exploited Vulnerability Catalog https://t.co/0jvga7TBFr
We first observed CVE-2024-36401 "POST /geoserver/wfs" exploitation July 9th in our sensors. Check for signs of compromise & patch https://t.co/CTcIZzwtsI
— The Shadowserver Foundation (@Shadowserver) July 16, 2024
Vulnerability in Cisco Smart Software Manager (CVE-2024-20419)
(7/17) Cisco Smart Software Manager On-Prem Password Change Vulnerability
A vulnerability in the authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to change the password of any user, including administrative users.