
Security News of Interest This Week - Issue #14

Weekly newsletter of Masafumi Negishi
Incidents and Accidents
Several domains, including dark[.]fail and darknetlive[.]com, were hijacked by a third party. The cause was a forged court order sent to the registrar Tucows, on the basis of which the domains were transferred. The domains have since been returned to their original owners.
A few days ago, one of our partners (Tucows) was however the victim of a phishing attack themselves. They received a court order (including a gag order) to hand over a set of domains, where some were registered through Njalla (and others weren't). Tucows receives quite a lot of these court orders and got tricked by it. We haven't gotten all of the details with them on exactly how the full attack was done, but we've asked for clarifications. We have been promised that Tucows has strongly improved its operations for how to deal with future court orders.
dark.fail
My domain dark[.]fail was hijacked 12hr ago. I am not in control of it. DarknetLive's domain was also stolen.

We are not the same person. Our registrar Njalla is the common denominator between both attacks. My 2FA was on. I received no emails from Njalla. Something is broken.
Peter Sunde Kolmisoppi
Maybe you heard that the domain https://t.co/3Ip8qhGgxd (@DarkDotFail ) got hijacked. Here's the story on how it happened. A thread! (I've pieced together the data I have so I might have some small errors in this thread, FYI.)
The Belgian ISP Belnet (AS2611) was hit by a large-scale DDoS attack, affecting roughly 200 sites including universities, government agencies and research institutes.
On Tuesday 4 May at 11:00, the Belnet network was the victim of a large-scale DDoS attack. All institutions connected to the Belnet network were affected by the incident. Around 200 organisations were concerned, including universities, public administrations and research institutes. These institutions were completely or partially cut off from the internet.
(Comment) The IHR AS Dependency graph shows the attack's impact beginning around 10:00 UTC on 5/4.
Internet Health Report
@belnet_be under DDoS attack during the Uyghur 'genocide' debate at Belgian parlement on May 4th.

See interactive graphs on IHR:
https://t.co/LGltJfAeS9 https://t.co/ADfviBUwdi
SolarWinds reports its latest investigation findings on the supply chain attack disclosed in December 2020.
We now estimate that the actual number of customers who were hacked through SUNBURST to be fewer than 100. It’s important to note that this group of up to 18,000 downloads includes two significant groups that could not have been affected by SUNBURST due to the inability of the malicious code to contact the threat actor command-and-control server: (1) those customers who did not install the downloaded version and (2) those customers who did install the affected version, but only did so on a server without access to the internet. Among a third group of customers, those whose affected servers accessed the internet, we believe, based on sample DNS data, only a very small proportion saw any activity with the command-and-control server deployed by the threat actor. This statistical analysis of the same DNS data leads to our belief that fewer than 100 customers had servers that communicated with the threat actor. This information is consistent with estimates provided by U.S. government entities and other researchers, and consistent with the presumption the attack was highly targeted.
Attacks and Threats
Intrusion Truth reports its findings on the two Chinese hackers indicted by the U.S. Department of Justice in July 2020 (a follow-up is expected in the coming weeks).
A federal grand jury in Spokane, Washington, returned an indictment earlier this month charging two hackers, both nationals and residents of the People’s Republic of China (China), with hacking into the computer systems of hundreds of victim companies, governments, non-governmental organizations, and individual dissidents, clergy, and democratic and human rights activists in the United States and abroad, including Hong Kong and China. The defendants in some instances acted for their own personal financial gain, and in others for the benefit of the MSS or other Chinese government agencies. The hackers stole terabytes of data which comprised a sophisticated and prolific threat to U.S. networks.
(Comment) The two are said to have operated with the backing of the Ministry of State Security (MSS) of the People's Republic of China, and the 2020 indictment lists several Japanese companies among the victim organizations.
Recorded Future reports that Unit 61419 of the Chinese People's Liberation Army purchased multiple antivirus products from security companies in the U.S. and other countries.
Recorded Future’s Insikt Group has discovered six procurement documents from official People’s Liberation Army (PLA) military websites and other sources that show the Strategic Support Force (SSF) branch of the PLA, specifically Unit 61419, has sought to purchase antivirus software from several major American, European, and Russian security companies. The PLA’s Unit 61419 sought to purchase English-language versions of the security software listed below (Table 1). The focus on English versions of these products is notable because Chinese-language versions would be the more logical choice if the software was intended for legitimate use or to test the potential exposure of private and commercial end-users in China to vulnerabilities in foreign antivirus software. 
(Comment) Unit 61419 is believed to be the cyber attack unit responsible for Japan and South Korea, and is reportedly linked to the attack group known as Tick or BRONZE BUTLER. The unit number originally designated the Fourth Bureau of the Third Department of the General Staff Department; following the large-scale reorganization from 2016 onward, it is believed to have been reorganized into the Network Systems Department of the Strategic Support Force.
NCSC, CISA, FBI and NSA jointly publish an advisory on cyber attacks by the Russian Foreign Intelligence Service (SVR).
The NCSC, NSA, CISA and CSE previously issued a joint report regarding the group’s targeting of organisations involved in COVID-19 vaccine development throughout 2020 using WellMess and WellMail malware.
SVR cyber operators appear to have reacted to this report by changing their TTPs in an attempt to avoid further detection and remediation efforts by network defenders.
These changes included the deployment of the open-source tool Sliver in an attempt to maintain their accesses.
The group has also been observed making use of numerous vulnerabilities, most recently the widely reported Microsoft Exchange vulnerability.
(Comment) The advisory notes that the SVR changed its attack techniques in response to the advisory published last year, citing as an example the use of the Sliver framework published by Bishop Fox.
Vulnerabilities
Apple releases macOS, iOS, iPadOS and watchOS updates fixing a zero-day vulnerability in WebKit. Exploitation in the wild has already been confirmed.
Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
PCS 9.1R11.4 released, fixing the Pulse Connect Secure (PCS) vulnerability disclosed on 4/20.
Multiple remote code execution vulnerabilities in the Exim mail server.
A privilege escalation vulnerability (CVE-2021-21551) in the firmware update utility used on a large number of Dell PCs. No exploitation has been confirmed at this time.
Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure. Local authenticated user access is required.
A vulnerability (CVE-2020-11292) in Qualcomm's Mobile Station Modem (MSM) affects a large number of Android smartphones.
Check Point Research (CPR) found a security vulnerability in Qualcomm’s mobile station modem (MSM), the chip responsible for cellular communication in nearly 40% of the world’s phones. If exploited, the vulnerability would have allowed an attacker to use Android OS itself as an entry point to inject malicious and invisible code into phones, granting them access to SMS messages and audio of phone conversations.
Other
Signal ran ads on Instagram intended to draw attention to the user data Facebook collects for advertising; Facebook subsequently suspended Signal's account.
Moxie Marlinspike
Signal tried to use Instagram ads to display the data Facebook collects about you and sells access to.

Facebook wasn't into the idea, and shut down our account instead: https://t.co/sSqJ8JlxR7 https://t.co/PU6WoDdt70
Google announces that it will automatically enable two-step verification (2SV) on Google accounts going forward.
Today we ask people who have enrolled in two-step verification (2SV) to confirm it’s really them with a simple tap via a Google prompt on their phone whenever they sign in. Soon we’ll start automatically enrolling users in 2SV if their accounts are appropriately configured. (You can check the status of your account in our Security Checkup). Using their mobile device to sign in gives people a safer and more secure authentication experience than passwords alone.
(Comment) This could turn out to be a major step forward, and a fitting announcement for World Password Day (the first Thursday of May). Details are unclear, but if it is Google Prompt that gets enabled, the target would presumably be users already signed in to their Google account on an Android or iPhone smartphone.
Major insurer AXA announces that in France it will no longer cover ransomware payments under new policies.
The suspension only applies to France and does not affect existing policies, said Christine Weirsky, a spokeswoman for the U.S. AXA subsidiary, a leading underwriter of cyber-insurance in the United States. She said it also does not affect coverage for responding and recovering from ransomware attacks, in which criminals based in safe havens including Russia break into networks, seed malware and cripple them by scrambling data.
(Comment) Insurance coverage of ransom payments has long been criticized for encouraging payments to criminals, leaving insurers facing a difficult choice.

Security Researcher, IIJ-SECT, SANS Instructor in Japan, OWASP Japan Advisory Board, WASForum Hardening Project. I want to help build a safe internet society that children can use with peace of mind.

Created with Revue by Twitter.