This Week's Security News of Interest - Issue #183

These are notes for recording the podcast.

podcast - #セキュリティのアレ - a laid-back security podcast.



Incidents and Accidents

US and German law enforcement seize Cryptonator for its role in illicit money laundering

(8/1) US and German Authorities Seize Crypto Wallet Cryptonator and Charge Administrator | TRM Insights

On August 1, 2024, IRS-Criminal Investigation, the US Department of Justice, and the Federal Bureau of Investigation in coordination with the German Federal Criminal Police Office (BKA) and the Attorney General’s Office in Frankfurt, seized the domain for online crypto wallet Cryptonator for failing to have appropriate anti-money laundering controls in place and facilitating illicit activity. Cryptonator, launched in 2014, was an online cryptocurrency wallet that enables direct transactions and allows instant exchange between different cryptocurrencies in one personal account, essentially acting as a personal cryptocurrency exchange.

(8/2) Cryptonator seized for laundering ransom payments, stolen crypto


A defect in the Yahoo! JAPAN ID login system may have allowed third parties to read users' email

(8/5) Notice and apology regarding a system defect in Yahoo! JAPAN ID login | LINEヤフー株式会社 (LY Corporation)

There was a system defect in SMS-authentication logins to YIDs: for a period of time, the mechanism that checks at login whether the user of the mobile phone number used for SMS authentication has changed was, in part, not working correctly. As a result, for YIDs whose holder had stopped using the mobile phone number used for SMS authentication without changing it on the account, a new subscriber who had been assigned that same number and attempted to log in to the YID with it was able to log in. This occurred for a limited subset of users.

Because of this defect, we have found that there are YIDs whose Yahoo! Mail may have been viewed by the new subscriber of the same mobile phone number previously held by the earlier user.


National Police Agency arrests a man on suspicion of obstruction of business by damaging computers for carrying out DDoS attacks on a domestic website

(8/6) DDoS attack via a booter site: 25-year-old man arrested on suspicion of obstructing a publisher's business - National Police Agency : JIJI.COM

(8/6) 25-year-old plumber suspected of DDoS attack on a publisher says it was "to relieve stress"... used an overseas booter service : The Yomiuri Shimbun

(Reference) A summary of cases prosecuted for DDoS attacks carried out through booter services - piyolog


Unauthorized access to the Mobile Guardian platform; impacts include users' devices being remotely wiped

(8/5) Security Incident | August 2024 - Mobile Guardian

(8/5) Mobile Guardian Device Management Application to be removed | MOE

(8/6) Hackers remotely wipe 13,000 students’ iPads and Chromebooks after breaching safety software


US Department of Justice arrests an American who ran a laptop farm in cooperation with North Korea

(8/8) Office of Public Affairs | Justice Department Disrupts North Korean Remote IT Worker Fraud Schemes Through Charges and Arrest of Nashville Facilitator | United States Department of Justice

According to court documents, Knoot participated in a scheme to obtain remote employment with American and British companies for foreign information technology (IT) workers, who were actually North Korean actors. Knoot allegedly assisted them in using a stolen identity to pose as a U.S. citizen; hosted company laptops at his residences; downloaded and installed software without authorization on such laptops to facilitate access and perpetuate the deception; and conspired to launder payments for the remote IT work, including to accounts tied to North Korean and Chinese actors.


Large numbers of spam posts observed on X and elsewhere when disasters such as heavy rain and earthquakes occur

(8/9) Nankai Trough Earthquake Extraordinary Information "Megaquake Advisory": over 390,000 spam posts lure users to adult sites with "panic buying" and "disaster preparedness" | NHK | Nankai Trough Earthquake Extraordinary Information


Attacks and Threats

CISA and FBI issue a joint advisory on BlackSuit ransomware

(8/7) #StopRansomware: BlackSuit (Royal) Ransomware | CISA

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint advisory to disseminate known BlackSuit ransomware IOCs and TTPs identified through FBI threat response activities and third-party reporting as recently as of July 2024. BlackSuit ransomware is the evolution of the ransomware previously identified as Royal ransomware, which was used from approximately September 2022 through June 2023. BlackSuit shares numerous coding similarities with Royal ransomware and has exhibited improved capabilities.


Trend Micro reports on the attack activity of the threat actor group Earth Baku

(8/9) A Dive into Earth Baku’s Latest Campaign | Trend Micro (US)

Earth Baku (a threat actor associated with APT41) has expanded its activities beyond the Indo-Pacific region to Europe, the Middle East, and Africa — targeting countries like Italy, Germany, UAE, and Qatar, with suspected threat activity in Georgia and Romania.

The group uses public-facing applications such as IIS servers as entry points, deploying advanced malware toolsets such as the Godzilla webshell, StealthVector, StealthReacher, and SneakCross.

StealthVector and StealthReacher are customized loaders that deploy backdoor components while employing techniques such as AES encryption and code obfuscation for stealth. SneakCross, the group’s latest backdoor, uses Google services for command-and-control (C&C) activities and boasts a modular design for easier updates.

During post-exploitation, Earth Baku uses tools like a customized iox tool, Rakshasa, and Tailscale to maintain persistence, along with MEGAcmd for data exfiltration.


Vulnerabilities

CISA adds three vulnerabilities (one, then two more) to the Known Exploited Vulnerabilities (KEV) catalog

(8/5) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

(8/7) CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA


Google fixes multiple Android vulnerabilities, including one for which exploitation has already been confirmed

(8/5) Android Security Bulletin—August 2024 | Android Open Source Project

Note: There are indications that CVE-2024-36971 may be under limited, targeted exploitation.


VulnCheck reports on the state of vulnerability exploitation in the first half of 2024

(8/5) State of Exploitation - A Peek into 1H-2024 Vulnerability Exploitation


Vulnerability in how major browser implementations handle the IP address 0.0.0.0

(8/7) 0.0.0.0 Day: Exploiting Localhost APIs From the Browser | Oligo Security

Oligo Security's research team recently disclosed the “0.0.0.0 Day” vulnerability. This vulnerability allows malicious websites to bypass browser security and interact with services running on an organization’s local network, potentially leading to unauthorized access and remote code execution on local services by attackers outside the network.


Other

JPCERT/CC publishes its Internet Threat Monitoring Report for April to June 2024

(8/9) Internet Threat Monitoring Report (April to June 2024)


Russia blocks the messaging app Signal within the country

(8/9) Russia blocks Signal for 'violating' anti-terrorism laws

(8/9) Signal >> Blog >> Proxy Please: Help People Connect to Signal