These are notes for recording the podcast.
podcast - #セキュリティのアレ - a laid-back security podcast.
Incidents and accidents
Tokyo Metropolitan Police refer two Japanese men to prosecutors for providing bank account information and other data to North Korean IT workers
(4/7) Data illegally provided to North Korean IT workers? Two people, including a company employee, referred to prosecutors | NHK | Incidents
The Tokyo Metropolitan Police Department has referred two Japanese nationals, including a company employee, to prosecutors on suspicion that they illegally provided their own driver's license and bank account data to an individual believed to be a North Korean IT worker and helped that person register on a job brokering site while posing as a Japanese national.
(4/7) Aiding North Korean IT workers in "posing as Japanese"? Tokyo police refer two Japanese men to prosecutors on suspicion - Sankei News (産経ニュース)
ETC outage at some toll gates of Central Nippon Expressway (NEXCO Central)
(4/7) NEXCO Central has resumed ETC operation at the toll gates where the outage occurred
At interchanges (hereafter "ICs") managed by Central Nippon Expressway Company Limited, a failure occurred on Sunday, April 6 in the equipment that controls ETC, making ETC unusable. As of 14:00 on Monday, April 7, emergency restoration work has been completed at all toll gates, and tolls are again being collected via ETC wireless communication. We will proceed with work toward full restoration; in the meantime, please drive safely.
(4/9) [Explanatory material] On the ETC system failure that occurred within NEXCO Central's jurisdiction
(Reference) A summary of the wide-area ETC system failure within NEXCO Central's jurisdiction - piyolog
Attacks and threats
Radware reports on hacktivist attack activity in the first quarter of 2025
(4/4) Hacktivism Unveiled Q1 2025: How Hacktivists Zeroed In on the US
During the first quarter of 2025, hacktivist activity saw a distinct shift in focus, with the United States emerging as the most targeted country globally. According to collected claims from known hacktivist groups, the U.S. alone accounted for 13.5% of all observed distributed denial-of-service (DDoS) attacks between January 1 and March 31. This equates to a staggering 558 claimed attacks—well ahead of Ukraine (400) and Israel (340), which were the second and third most targeted countries, respectively.
Kaspersky reports on attack activity by the threat group ToddyCat exploiting a vulnerability in ESET products
(4/7) APT group ToddyCat exploits a vulnerability in ESET for DLL proxying | Securelist
Akamai reports on DDoS attack trends in 2024
(4/7) DDoS Attack Trends in 2024 Signify That Sophistication Overshadows Size | Akamai
Google reports on attack activity by the Russian threat group UNC5837 abusing RDP
(4/8) Windows Remote Desktop Protocol: Remote to Rogue | Google Cloud Blog
In October 2024, Google Threat Intelligence Group (GTIG) observed a novel phishing campaign targeting European government and military organizations that was attributed to a suspected Russia-nexus espionage actor we track as UNC5837. The campaign employed signed .rdp file attachments to establish Remote Desktop Protocol (RDP) connections from victims' machines. Unlike typical RDP attacks focused on interactive sessions, this campaign creatively leveraged resource redirection (mapping victim file systems to the attacker servers) and RemoteApps (presenting attacker-controlled applications to victims). Evidence suggests this campaign may have involved the use of an RDP proxy tool like PyRDP to automate malicious activities like file exfiltration and clipboard capture. This technique has been previously dubbed as “Rogue RDP.”
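The Google post above describes .rdp attachments that redirect the victim's drives and clipboard to the attacker's server and present a RemoteApp. The following is an added example, not code from the podcast notes or from Google's post: a small inspector that parses a .rdp connection file and flags those settings before a user opens it. The .rdp format is one "key:type:value" per line (type "s" is a string, "i" an integer); the key names used (full address, drivestoredirect, redirectclipboard, remoteapplicationmode, remoteapplicationprogram, signature) are standard mstsc.exe settings. The sample files, host names and signature value are constructed placeholders, not indicators from the campaign.

```python
# Added example (not from the podcast notes or Google's post): flag the .rdp
# settings that the "Rogue RDP" technique relies on, from a defender's side.

RISKY_KEYS = {
    "drivestoredirect": "drive redirection: local drives become readable/writable from the remote host",
    "redirectclipboard": "clipboard redirection: clipboard contents are shared with the remote host",
    "remoteapplicationmode": "RemoteApp mode: a remote-hosted program is presented as if it were local",
}

# Constructed sample mimicking a suspicious attachment. Host name and signature
# are placeholders, not real indicators.
SAMPLE_RDP = """\
full address:s:rdp.example-placeholder.invalid:3389
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Viewer
drivestoredirect:s:*
redirectclipboard:i:1
signscope:s:Full Address,RemoteApplicationMode,RemoteApplicationProgram
signature:s:PLACEHOLDER-SIGNATURE-BLOB
"""

# Constructed benign sample: an ordinary terminal-server connection with no redirection.
BENIGN_RDP = """\
full address:s:ts.corp-placeholder.invalid
drivestoredirect:s:
redirectclipboard:i:0
"""


def parse_rdp(text):
    """Parse .rdp text into {key: value}; integer-typed ("i") values become ints."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)  # the value itself may contain ':' (host:port)
        if len(parts) != 3:
            continue  # not a key:type:value line; ignore it
        key, typ, value = parts
        key = key.strip().lower()
        if typ == "i":
            try:
                value = int(value)
            except ValueError:
                pass  # malformed integer: keep the raw string
        settings[key] = value
    return settings


def assess_rdp(settings):
    """Return human-readable findings for settings that expose the local machine."""
    findings = []
    drives = str(settings.get("drivestoredirect", "")).strip()
    if drives:  # "*" means all drives; a list such as "C:;D:" names specific ones
        findings.append(f"{RISKY_KEYS['drivestoredirect']} (drivestoredirect={drives!r})")
    if settings.get("redirectclipboard") == 1:
        findings.append(RISKY_KEYS["redirectclipboard"])
    if settings.get("remoteapplicationmode") == 1:
        prog = settings.get("remoteapplicationprogram", "<unspecified>")
        findings.append(f"{RISKY_KEYS['remoteapplicationmode']} (program={prog!r})")
    if "signature" in settings:
        # A valid signature suppresses the client's warning prompt; it says who
        # signed the file, not that the redirections above are safe.
        findings.append("file is signed: the client will not warn about the redirections above")
    return findings


def is_suspicious(text):
    """True when the file redirects local resources and is signed or uses RemoteApp."""
    s = parse_rdp(text)
    redirects = bool(str(s.get("drivestoredirect", "")).strip()) or s.get("redirectclipboard") == 1
    return redirects and (s.get("remoteapplicationmode") == 1 or "signature" in s)


if __name__ == "__main__":
    for finding in assess_rdp(parse_rdp(SAMPLE_RDP)):
        print("-", finding)
    print("suspicious:", is_suspicious(SAMPLE_RDP))
```

The same parser can be pointed at mail-gateway attachments or at the .rdp files a user has already opened; the point is that a signed file with drive or clipboard redirection deserves a second look precisely because the client will not prompt about it.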
Fortinet reports on attack activity exploiting vulnerabilities in Fortinet products
(4/10) Analysis of Threat Actor Activity | Fortinet Blog
During this investigation, a threat actor was observed using known vulnerabilities (e.g. FG-IR-22-398, FG-IR-23-097, FG-IR-24-015) to gain access to Fortinet devices. The targeting of known, unpatched vulnerabilities by a threat actor is not new and has been previously examined; this specific finding is the result of a threat actor taking advantage of a known vulnerability with a new technique to maintain read-only access to vulnerable FortiGate devices after the original access vector was locked down. Immediately upon discovery, we activated our PSIRT response efforts, developed necessary mitigations and have communicated with affected customers. We continue to work directly with those customers to ensure they have taken steps to remediate the issue.
Urgent: Check your Compromised Website Report for critical events tagged “fortinet-compromised” and follow @Fortinet's mitigation advice on compromised devices: https://t.co/X3eVM2Sxw9
Data available from 2025-04-11+ https://t.co/D1KZAGvfTr
— The Shadowserver Foundation (@Shadowserver) April 12, 2025
Vulnerabilities
CISA adds 1+2+2 vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog
(4/7) CISA Adds One Known Exploited Vulnerability to Catalog | CISA
- CVE-2025-31161 CrushFTP Authentication Bypass Vulnerability
(4/8) CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA
- CVE-2025-30406 Gladinet CentreStack Use of Hard-coded Cryptographic Key Vulnerability
- CVE-2025-29824 Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability
(4/9) CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA
- CVE-2024-53197 Linux Kernel Out-of-Bounds Access Vulnerability
- CVE-2024-53150 Linux Kernel Out-of-Bounds Read Vulnerability
Android fixes multiple vulnerabilities, including ones already confirmed to be exploited.
(4/7) Android Security Bulletin—April 2025 | Android Open Source Project
Note: There are indications that the following may be under limited, targeted exploitation.
- CVE-2024-53150
- CVE-2024-53197
Microsoft releases its April 2025 monthly security updates, including fixes for vulnerabilities already confirmed to be exploited.
(4/8) April 2025 Security Updates (monthly) | MSRC Blog | Microsoft Security Response Center
Of the vulnerabilities fixed in this month's security updates, we have confirmed that the following were exploited before the updates were released. Customers should apply the updates promptly. For details of each vulnerability, refer to the respective CVE page.
(4/8) Exploitation of CLFS zero-day leads to ransomware activity | Microsoft Security Blog
Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have discovered post-compromise exploitation of a zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS) against a small number of targets. The targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia. Microsoft released security updates to address the vulnerability, tracked as CVE-2025-29824, on April 8, 2025.
(4/8) Zero Day Initiative — The April 2025 Security Update Review
Other
NIST publishes SP 800-61 Rev. 3
President Trump extends the enforcement delay of the TikTok ban law by another 75 days
(4/4) Extending the TikTok Enforcement Delay – The White House
The enforcement delay specified in section 2(a) of Executive Order 14166 of January 20, 2025 (Application of Protecting Americans from Foreign Adversary Controlled Applications Act to TikTok), is further extended until June 19, 2025.
Google announces Sec-Gemini v1, an experimental AI model specialized for cybersecurity
(4/4) Google Online Security Blog: Google announces Sec-Gemini v1, a new experimental cybersecurity model