
Security News That Caught My Eye This Week - Issue #1

Weekly newsletter of Masafumi Negishi
I just wanted to try out Twitter's new newsletter feature (Revue), so this probably won't last... lol

Incidents and Accidents
Instagram, TikTok, and Twitter coordinated to crack down on brokers of hijacked accounts (who had been selling them on OGUsers and elsewhere). The accounts were suspended and warning letters were sent to the individuals identified.
A follow-up from SolarWinds on its breach investigation. Its Office 365 accounts were compromised, but this was not due to a vulnerability in Office 365, nor was it the initial intrusion vector. The most likely vector is considered to be compromised credentials and/or a then-zero-day vulnerability in a third-party application. Microsoft has also published a related report.
Together with our third-party forensic investigators, we’re pursuing numerous theories but currently believe the most likely attack vectors came through a compromise of credentials and/or access through a third-party application via an at the time zero-day vulnerability. Investigations are still ongoing and given the sophistication of these attacks and the actions taken by the threat actors to manipulate our environment and remove evidence of their activities, combined with the large volumes of log and other data to analyze, our investigations will be ongoing for at least several more weeks, and possibly months.
As we previously shared, FireEye contacted us December 12, 2020 regarding malicious code that was identified in the SolarWinds Orion Platform. Additionally, Microsoft notified us December 13, 2020 about a compromise related to our Office 365 environment.
We’ve analyzed data from multiple systems and logs, including from our Office 365 and Azure tenants, along with logs from SolarWinds Security Event Manager, and our build environment platforms. As previously reported, this analysis has determined threat actors gained unauthorized access to our environment and conducted reconnaissance prior to the trial conducted on our Orion Platform software build in October 2019. We have not yet determined the exact date that the threat actors first gained unauthorized access to our environments.
While we’ve confirmed suspicious activity related to our Office 365 environment, our investigation has not identified a specific vulnerability in Office 365 that would have allowed the threat actor to enter our environment through Office 365.
We’ve confirmed that a SolarWinds email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles. By compromising credentials of SolarWinds employees, the threat actors were able to gain access to and exploit our Orion development environment.
We have investigated thoroughly and have found no evidence they were attacked via Office 365. The wording of the SolarWinds 8K filing was unfortunately ambiguous, leading to erroneous interpretation and speculation, which is not supported by the results of our investigation. SolarWinds has confirmed these findings in their blog on February 3, 2021.
A defect in the Android version of the COCOA app meant that, for about four months since the update of September 28 last year, notifications of contact with positive cases were not being delivered. A fix is planned for mid-February.
This failure arose from the version upgrade on September 28 of last year. Since then, when modifying the app we carried out the necessary tests in a test environment, but that testing consisted of simulated verification premised on the exposure-risk values output by the Exposure Notification API on which the app is built.
However, following reports that people who should have been in contact with positive cases had received no notification from the app, we carried out verification on actual devices in addition to the conventional simulated verification, and found that on Android devices the exposure-risk values were being output by the Exposure Notification API in a form different from what was expected, with the result that exposures were not being correctly notified.
Information leak caused by a Google Groups misconfiguration
(Reference) A similar incident also occurred in 2013
Information leaks via a vulnerability in Accellion's file transfer service
(Comment) Incidents have come to light one after another at public-sector organizations in New Zealand, Australia, and the United States.
Attacks and Threats
ClearSky analyzed the ransom negotiation exchanges between a CONTI ransomware victim and the attackers, along with the status of the Bitcoin that was paid.
During our routine monitoring of ransomware groups, we detected a sample of the CONTI ransomware uploaded to VirusTotal from Canada. We were able to access the entire negotiation process between the company and the extortion group in real time by analyzing the sample. Furthermore, we succeeded in following the ransom payment, tracking all of the involved bitcoin blockchain transactions. In this report, ClearSky and Whitestream uncover the negotiation process between this adversary and the extorted company, followed by the Bitcoin tracking.
(Comment) There have been reports of this kind before, and the raw negotiation exchanges are very interesting, but thinking about the victim organization being exposed like this leaves me feeling uneasy.
Chinese attack activity exploiting a SolarWinds vulnerability (separate from the Russian activity)
Two people briefed on the case said FBI investigators recently found that the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture, was among the affected organizations, raising fears that data on thousands of government employees may have been compromised.
The software flaw exploited by the suspected Chinese group is separate from the one the United States has accused Russian government operatives of using to compromise up to 18,000 SolarWinds customers, including sensitive federal agencies, by hijacking the company’s Orion network monitoring software.
Security researchers have previously said a second group of hackers was abusing SolarWinds’ software at the same time as the alleged Russian hack, but the suspected connection to China and ensuing U.S. government breach have not been previously reported.
Reuters was not able to establish how many organizations were compromised by the suspected Chinese operation. The sources, who spoke on condition of anonymity to discuss ongoing investigations, said the attackers used computer infrastructure and hacking tools previously deployed by state-backed Chinese cyberspies.
Coveware's Q4 2020 ransomware report. Ransom payment amounts fell from the previous quarter. Double-extortion attacks, which also threaten to leak stolen data, account for 70% of the total.
Ransomware groups continue to leverage data exfiltration as a tactic. However, the trust that stolen data will be deleted is eroding; defaults are becoming more frequent when exfiltrated data is made public despite the victim paying. As a result, fewer companies are giving in to cyber extortion when they are able to recover from back ups. This inflection led to a large decline in average ransom amounts paid. Stemming the tide of cyber extortion will only happen if the industry is starved of its profitability. This trend was a distinct positive during Q4.
Supply-chain attack "Operation NightScout" against NoxPlayer (an Android emulator for Windows/Mac). BigNox's update server appears to have been compromised.
In January 2021, we discovered a new supply-chain attack compromising the update mechanism of NoxPlayer, an Android emulator for PCs and Macs, and part of BigNox’s product range with over 150 million users worldwide.
This software is generally used by gamers in order to play mobile games from their PCs, making this incident somewhat unusual.
Three different malware families were spotted being distributed from tailored malicious updates to selected victims, with no sign of leveraging any financial gain, but rather surveillance-related capabilities.
Vulnerabilities
New vulnerabilities have been found and fixed in SolarWinds products, including Orion. There are no signs that they were exploited in attacks.
In this blog, I will be discussing three new security issues that I recently found in several SolarWinds products. All three are severe bugs with the most critical one allowing remote code execution with high privileges. To the best of Trustwave’s knowledge, none of the vulnerabilities were exploited during the recent SolarWinds attacks or in any “in the wild” attacks. However, given the criticality of these issues, we recommend that affected users patch as soon as possible. We have purposely left out specific Proof of Concept (PoC) code in this post in order to give SolarWinds users a longer margin to patch but we will post an update to this blog that includes the PoC code on Feb. 9.
The zero-day vulnerability in the SonicWall SMA 100 series has finally been fixed. SonicWall itself disclosed last month that it had been attacked via this vulnerability.
Other
Support for Microsoft Edge Legacy ends on March 9, but in the April 13 Windows Update (Patch Tuesday, the so-called "B" release), Edge Legacy will be removed and the new Chromium-based Edge installed in its place.
To replace this out of support application, we are announcing that the new Microsoft Edge will be available as part of the Windows 10 cumulative monthly security update—otherwise referred to as the Update Tuesday (or “B”) release—on April 13, 2021. When you apply this update to your devices, the out of support Microsoft Edge Legacy desktop application will be removed and the new Microsoft Edge will be installed. The new Microsoft Edge offers built-in security and our best interoperability with the Microsoft security ecosystem, all while being more secure than Chrome for businesses on Windows 10.

Security Researcher, IIJ-SECT, SANS Instructor in Japan, OWASP Japan Advisory Board, WASForum Hardening Project. I want to help realize a safe online society that children can use with peace of mind.

Created with Revue by Twitter