Notes for the podcast recording.
podcast - #セキュリティのアレ - a laid-back security podcast.
- Incidents and accidents
- Attacks and threats
- Microsoft reports on ransomware activity exploiting the VMware ESXi vulnerability CVE-2024-37085
- Attack campaign observed sending large volumes of phishing email from M365 via Proofpoint's service
- Mandiant reports on the activity of the threat group UNC4393
- Coveware publishes its ransomware report for Q2 2024
- IBM publishes the Cost of a Data Breach Report 2024
- IPA publishes a support scam report
- Cisco Talos reports on the activity of the threat group APT41
- Vulnerabilities
- Other
Incidents and accidents
Fiber-optic cables of multiple telecom operators cut across France
(7/29) French telecom infrastructure damaged in another sabotage attack
(7/29) Saboteurs Cut Internet Cables in Latest Disruption During Paris Olympics | WIRED
(7/29) Fiber-optic cables cut in six French departments... no impact on connectivity to Paris or on Olympic operations : Yomiuri Shimbun
⚠️ Confirmed: Network data show disruptions to multiple internet providers in #France amid reports of a fibre sabotage campaign targeting telecoms infrastructure during the Paris 2024 Olympics 📉 pic.twitter.com/OOIfcc4TOO
— NetBlocks (@netblocks) July 29, 2024
DigiCert revokes a large number of certificates due to a flaw in its certificate issuance process
(7/29) Certificate Revocation Incident | DigiCert
(7/30) DigiCert Status - DigiCert Revocation Incident (CNAME-Based Domain Validation)
Attacks and threats
Microsoft reports on ransomware activity exploiting the VMware ESXi vulnerability CVE-2024-37085
The vulnerability, identified as CVE-2024-37085, involves a domain group whose members are granted full administrative access to the ESXi hypervisor by default without proper validation. Microsoft disclosed the findings to VMware through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR), and VMWare released a security update. Microsoft recommends ESXi server administrators to apply the updates released by VMware to protect their servers from related attacks, and to follow the mitigation and protection guidance we provide in this blog post. We thank VMWare for their collaboration in addressing this issue.
(7/29) CVE-2024-37085 | AttackerKB
(7/30) VMware ESXi CVE-2024-37085 Targeted in Ransomware Campaigns | Rapid7 Blog
Regarding the VMware ESXi zero-day vulnerability CVE-2024-37085 being exploited by multiple ransomware actors after intruding into organizations' networks: as reference information, I checked the number of externally exposed servers on Shodan and found 45,499 globally and 316 in Japan. I thought I had excluded honeypots, but why... https://t.co/oPlIk37gep pic.twitter.com/btT8NNkEXF
— nekono_nanomotoni (@nekono_naha) July 31, 2024
We have started sharing exposed VMware ESXi vulnerable to CVE-2024-37085 (authentication bypass). While rated only CVSS 6.8 by Broadcom, this vuln has been reported by Microsoft as exploited in the wild by ransomware operators.
We see 20 275 instances vulnerable on 2024-07-30. pic.twitter.com/wTkqDSLQ38
— The Shadowserver Foundation (@Shadowserver) July 31, 2024
Attack campaign observed sending large volumes of phishing email from M365 via Proofpoint's service
The root cause is a modifiable email routing configuration feature on Proofpoint servers to allow relay of organizations’ outbound messages from Microsoft 365 tenants, but without specifying which M365 tenants to allow
Guardio Labs has uncovered a critical in-the-wild exploit of Proofpoint’s email protection service, responsible for securing 87 of the Fortune 100 companies. Dubbed “EchoSpoofing”, this issue allowed threat actors to dispatch millions of perfectly spoofed phishing emails, leveraging Proofpoint’s customer base of well-known companies and brands such as Disney, IBM, Nike, Best Buy, and Coca-Cola. These emails echoed from official Proofpoint email relays with authenticated SPF and DKIM signatures, thus bypassing major security protections — all to deceive recipients and steal funds and credit card details.
Mandiant reports on the activity of the threat group UNC4393
(7/30) UNC4393 Goes Gently into the SILENTNIGHT | Google Cloud Blog
Coveware publishes its ransomware report for Q2 2024
(7/30) Ransomware actors pivot away from major brands in Q2 2024
In the second quarter of 2024, we observed a large increase in attacks that appeared to have unaffiliated branding attribution. Branding attribution includes aspects of the attack that bind the attacker to a specific brand of ransomware (e.g., Lockbit, Black Basta). The attributes are typically obvious indicators of compromise (IOCs) such as the type of encryption malware (which is brand-specific most of the time), the accompanying ransom note (which identifies the brand of ransomware), or a branded TOR site used for victims/threat actor communications. Over 10% of the incidents handled by Coveware in Q2 were unaffiliated; this is attributed to attackers that were deliberately operating independently of a specific brand and what we typically term ‘lone wolves'. We have seen small jumps in unaffiliated ransomware attacks before, but never to such magnitude, so it’s worth discussing why and how this happens.
IBM publishes the Cost of a Data Breach Report 2024
(7/30) Surging data breach disruption drives costs to record highs
Security teams are getting better at detecting and responding to breach incursions, but attackers are inflicting greater pain on organizations’ bottom lines. IBM’s recent Cost of a Data Breach Report 2024 found the global average breach hit a record $4.88 million. That’s a 10% increase from 2023 and the largest spike since the pandemic.
IPA publishes a support scam report
(7/31) Support Scam Report | Information Security | IPA (Information-technology Promotion Agency, Japan)
Cisco Talos reports on the activity of the threat group APT41
Vulnerabilities
Multiple vulnerabilities in SKYSEA Client View
(7/29) JVN#84326763: Multiple vulnerabilities in SKYSEA Client View
CISA adds 3+1 vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog
(7/29) CISA Adds Three Known Exploited Vulnerabilities to Catalog | CISA
- CVE-2024-4879 ServiceNow Improper Input Validation Vulnerability
- CVE-2024-5217 ServiceNow Incomplete List of Disallowed Inputs Vulnerability
- CVE-2023-45249 Acronis Cyber Infrastructure (ACI) Insecure Default Password Vulnerability
(7/30) CISA Adds One Known Exploited Vulnerability to Catalog | CISA
- CVE-2024-37085 VMware ESXi Authentication Bypass Vulnerability
Apple releases macOS Monterey 12.7.6, macOS Ventura 13.6.8, macOS Sonoma 14.6, iOS 16.7.9 / iPadOS 16.7.9, iOS 17.6 / iPadOS 17.6, tvOS 17.6, watchOS 10.6, visionOS 1.3, and Safari 17.6
(7/29) Apple security releases - Apple Support