
Security News That Caught My Eye This Week - Issue #19

Weekly newsletter of Masafumi Negishi
The US Department of Justice announced that it has seized 63.7 BTC (worth about $2.3M) of the 75 BTC ransom that Colonial Pipeline paid when it was infected with DarkSide ransomware.
The Department of Justice today announced that it has seized 63.7 bitcoins currently valued at approximately $2.3 million. These funds allegedly represent the proceeds of a May 8 ransom payment to individuals in a group known as DarkSide, which had targeted Colonial Pipeline, resulting in critical infrastructure being taken out of operation. The seizure warrant was authorized earlier today by the Honorable Laurel Beeler, U.S. Magistrate Judge for the Northern District of California.
The Bitcoin address subject to the seizure
(Comment) How the FBI obtained the private key has not been disclosed.
Multiple law enforcement agencies including the US FBI and the Australian AFP carried out a large-scale sting operation against organized crime and arrested more than 800 people (Operation Trojan Shield / Operation Ironside). The FBI and AFP launched an encrypted chat app called An0m in 2018, steered criminals into using handsets running it, and covertly intercepted their communications.
The 500-plus arrests that took place during a worldwide two-day takedown were possible because of a San Diego-based investigation like no other. For the first time, the FBI operated its own encrypted device company, called “ANOM,” which was promoted by criminal groups worldwide. These criminals sold more than 12,000 ANOM encrypted devices and services to more than 300 criminal syndicates operating in more than 100 countries, including Italian organized crime, Outlaw Motorcycle Gangs, and various international drug trafficking organizations, according to court records.
During the course of the investigation, while ANOM’s criminal users unknowingly promoted and communicated on a system operated lawfully by the FBI, agents catalogued more than 27 million messages between users around the world who had their criminal discussions reviewed, recorded, and translated by the FBI, until the platform was taken down yesterday.
Operation Ironside began almost three years ago and is the Australian component of a long-term, international, covert investigation. The FBI and AFP targeted the dedicated encrypted communications platform, which was used exclusively by organised crime.
After working in close partnership on Operation Safe Cracking to take down the encrypted platform provider Phantom Secure, the AFP and FBI worked together to fill the vacuum.
The FBI had access to a new app, named AN0M, and began running it without the knowledge of the criminal underworld.
Since 2019, the US Federal Bureau of Investigation, in close coordination with the Australian Federal Police, strategically developed and covertly operated an encrypted device company, called ANOM, which grew to service more than 12 000 encrypted devices to over 300 criminal syndicates operating in more than 100 countries, including Italian organised crime, outlaw motorcycle gangs, and international drug trafficking organisations.
The CDN provider Fastly suffered a large-scale outage caused by a software bug, affecting a large number of sites worldwide for about an hour.
We experienced a global outage due to an undiscovered software bug that surfaced on June 8 when it was triggered by a valid customer configuration change. We detected the disruption within one minute, then identified and isolated the cause, and disabled the configuration. Within 49 minutes, 95% of our network was operating as normal.
JBS, the meat-processing giant infected with REvil ransomware on 5/30, disclosed that it paid the attackers the equivalent of $11M in Bitcoin as ransom. The US House Committee on Oversight and Reform has demanded that JBS hand over all documents relating to the ransomware infection and the ransom payment.
JBS USA today confirmed it paid the equivalent of $11 million in ransom in response to the criminal hack against its operations. At the time of payment, the vast majority of the company’s facilities were operational. In consultation with internal IT professionals and third-party cybersecurity experts, the company made the decision to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated.
The Committee’s letter requests that JBS provide all documents and communications relating to the discovery of the May 30, 2021, ransomware attack and the payment of the ransom by June 24, 2021.
Toshiba TEC Corporation published a follow-up on the cyberattack against its European subsidiary that it disclosed in May.
(Comment) A DarkSide ransomware infection was confirmed in May, but DarkSide has since ceased operations.
Internal CD PROJEKT data stolen during the ransomware infection this February has been published on a leak site.
This message is a follow-up on the February security breach which targeted the CD PROJEKT Group. Today, we have learned new information regarding the breach, and now have reason to believe that internal data illegally obtained during the attack is currently being circulated on the Internet.
(Comment) The company was supposedly infected with Hello Kitty ransomware, yet for some reason the data is posted on the leak site of the Payload.bin (Babuk) ransomware.
Electronic Arts suffered unauthorized access to its network; game source code and other data were stolen.
We are investigating a recent incident of intrusion into our network where a limited amount of game source code and related tools were stolen. No player data was accessed, and we have no reason to believe there is any risk to player privacy. Following the incident, we’ve already made security improvements and do not expect an impact on our games or our business. We are actively working with law enforcement officials and other experts as part of this ongoing criminal investigation.
Multiple law enforcement agencies including the US Department of Justice cooperated to take down Slilpp, a marketplace for trading stolen account credentials.
According to a seizure warrant affidavit that was unsealed today, since 2012, the Slilpp marketplace has been selling stolen login credentials, including usernames and passwords for bank accounts, online payment accounts, mobile phone accounts, retailer accounts, and other online accounts. According to the affidavit, the Slilpp marketplace allowed vendors to sell, and customers to buy, stolen login credentials by providing the forum and payment mechanism for such transactions; Slilpp buyers subsequently used those login credentials to conduct unauthorized transactions (such as wire transfers) from the related accounts. To date, over a dozen individuals have been charged or arrested by U.S. law enforcement in connection with the Slilpp marketplace.
LINE Corporation reported on the progress of its remediation efforts, including the schedule for relocating Japanese users' data to Japan.
- Detailed schedule for relocating data to Japan
- Status of revisions to the user-facing privacy policy
- Strengthening of data governance and information security
APWG published its report on phishing attacks in Q1 2021.
After doubling in 2020, the amount of phishing declined during the first quarter of 2021. However, January 2021 was a high in the APWG’s records, with an unprecedented 245,771 attacks in one month.
Researchers at Ruhr University Bochum published the 'ALPACA Attack', a cross-protocol attack on TLS.
ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. Attackers can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer.
(Comment) Deployments are affected when the same certificate is shared across different protocols, such as HTTPS and FTPS. Some of the attacks are possible from a MitB position, but most require a MitM position, so the impact is limited. IE and Edge Legacy are more susceptible to the attacks than other browsers.
Marcus Brinkmann
We found another flaw in the design of TLS! If you have servers that share certificates across services you might want to take a look at this: 🧵👇
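The ALPACA precondition quoted above (different application protocols behind certificates that are valid for the same name, typically wildcard or multi-domain certificates) can be checked against a service inventory before anyone has to reason about individual exploit variants. The script below is an added example written for this issue, not code from the ALPACA researchers or from the newsletter. The inventory is constructed; its hostnames, ports, SAN lists and the strict_alpn / strict_sni flags are assumptions for the illustration, and the model assumes a browser-like victim client that sends both ALPN and SNI, which is why strict ALPN or strict SNI checking on the substitute server counts as a mitigation.

```python
"""Audit a TLS service inventory for ALPACA-style cross-protocol pairs.

Added example for this newsletter, not code from the ALPACA authors.
The inventory below is constructed; its hostnames, ports, SANs and the
strict_alpn / strict_sni flags are assumptions made for the illustration.
"""
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Service:
    host: str               # name a client puts in SNI when talking to it
    port: int
    protocol: str           # application protocol spoken behind TLS
    cert_sans: tuple        # DNS subjectAltNames of the presented certificate
    strict_alpn: bool = False   # server aborts when the client's ALPN list has no match
    strict_sni: bool = False    # server aborts when SNI is not one of its own names


def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125-style name matching: '*' covers exactly one leftmost label."""
    san, hostname = san.lower(), hostname.lower()
    if san == hostname:
        return True
    if san.startswith("*."):
        suffix = san[1:]                      # "*.example.com" -> ".example.com"
        return hostname.endswith(suffix) and "." not in hostname[:-len(suffix)]
    return False


def cert_covers(service: Service, hostname: str) -> bool:
    """True if the certificate `service` presents is valid for `hostname`."""
    return any(san_matches(san, hostname) for san in service.cert_sans)


def confusion_pairs(services):
    """Enumerate (intended, substitute, mitigated) triples.

    A MitM redirects a client that wanted `intended` to `substitute`.
    The redirect still yields a valid TLS session when the two speak
    different application protocols and the substitute's certificate
    covers the name the client expects.  The pair is marked mitigated
    when the substitute would abort the handshake: strict ALPN checking,
    or strict SNI checking where the expected name differs from its own.
    This models a browser-like client that sends both ALPN and SNI.
    """
    found = []
    for intended, substitute in permutations(services, 2):
        if intended.protocol == substitute.protocol:
            continue
        if not cert_covers(substitute, intended.host):
            continue
        mitigated = substitute.strict_alpn or (
            substitute.strict_sni
            and substitute.host.lower() != intended.host.lower()
        )
        found.append((intended, substitute, mitigated))
    return found


def vulnerable_pairs(services):
    """Only the pairs where no handshake-level check would stop the redirect."""
    return [(a, b) for a, b, mitigated in confusion_pairs(services) if not mitigated]


# Constructed inventory (assumption): one wildcard certificate shared by the
# FTP and SMTP servers, an HTTPS host and an IMAP host with their own certs.
INVENTORY = [
    Service("www.example.com", 443, "https", ("www.example.com", "example.com")),
    Service("ftp.example.com", 21, "ftp", ("*.example.com",)),
    Service("mail.example.com", 587, "smtp", ("*.example.com",), strict_alpn=True),
    Service("imap.example.com", 993, "imap", ("imap.example.com",)),
]


if __name__ == "__main__":
    for intended, substitute, mitigated in confusion_pairs(INVENTORY):
        status = "mitigated" if mitigated else "VULNERABLE"
        print(f"{intended.protocol}://{intended.host} -> "
              f"{substitute.protocol} on {substitute.host}:{substitute.port}: {status}")
```

Run as-is it reports the FTP server as a usable substitute for the HTTPS, SMTP and IMAP hosts (its wildcard certificate covers all of them and it checks neither ALPN nor SNI), while the SMTP server, which carries the same wildcard certificate but enforces ALPN, is reported as mitigated. In a real audit the SAN lists and the ALPN/SNI behaviour would come from a scan of each port rather than from a hand-written table; the matching and pairing logic stays the same.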
The Avaddon ransomware group handed its decryption keys to BleepingComputer and shut down its operation. Emsisoft released a decryption tool that uses these keys.
The Avaddon ransomware gang has shut down operation and released the decryption keys for their victims to
(Comment) The reason behind the Avaddon operators' move is unknown.
Microsoft released its June 2021 Patch Tuesday updates. The 50 fixed vulnerabilities include six zero-days already confirmed to be exploited in the wild.
  • CVE-2021-33742 – Windows MSHTML Platform Remote Code Execution Vulnerability
  • CVE-2021-33739 – Microsoft DWM Core Library Elevation of Privilege Vulnerability
  • CVE-2021-31955 – Windows Kernel Information Disclosure Vulnerability
  • CVE-2021-31956 – Windows NTFS Elevation of Privilege Vulnerability
  • CVE-2021-31199 – Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability
  • CVE-2021-31201 – Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability
(Supplement) CVE-2021-31199/31201 have been used in combination with the Adobe Reader zero-day (CVE-2021-28550) patched last month. CVE-2021-33742 was reported by Google TAG and has been used together with a Chrome zero-day (CVE-2021-30551). CVE-2021-31955/31956 were reported by Kaspersky, which observed attacks chaining them with a Chrome zero-day in April.
- CVE-2021-31199/CVE-2021-31201 - Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability
These two bugs are linked to the Adobe Reader bug listed as under active attack last month (CVE-2021-28550). It’s common to see privilege escalation paired with code execution bugs, and it seems these two vulnerabilities were the privilege escalation part of those exploits. It is a bit unusual to see a delay between patch availability between the different parts of an active attack, but good to see these holes now getting closed.
On April 14-15, 2021, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits. While we were not able to retrieve the exploit used for remote code execution (RCE) in the Chrome web browser, we were able to find and analyze an elevation of privilege (EoP) exploit that was used to escape the sandbox and obtain system privileges.
The elevation of privilege exploit was fine-tuned to work against the latest and most prominent builds of Windows 10 (17763 – RS5, 18362 – 19H1, 18363 – 19H2, 19041 – 20H1, 19042 – 20H2) and it exploits two distinct vulnerabilities in the Microsoft Windows OS kernel. On April 20, 2021, we reported these vulnerabilities to Microsoft and they assigned CVE-2021-31955 to the information disclosure vulnerability and CVE-2021-31956 to the elevation of privilege vulnerability. Both vulnerabilities were patched on June 8, 2021, as a part of the June Patch Tuesday.

Shane Huntley
Another actively exploited vulnerability discovered in the wild by TAG (@_clem1). Great work by @msftsecresponse in patching within 7 days.
Shane Huntley
More details on CVE-2021-33742 will come from the team, but for context this seems to be a commercial exploit company providing capability for limited nation state Eastern Europe / Middle East targeting.
Shane Huntley
Chrome in-the-wild vulnerability CVE-2021-30551 patched today was also from the same actor and targeting.
Thanks to Chrome team for also patching within 7 days.
RedDrip Team
Possible #CVE-2021-33739 in-the-wild exploit :
PDB : C:\Users\ghostx\source\repos\test\x64\Release\test.pdb
ShellCode connects to C2:
A privilege escalation vulnerability (CVE-2021-3560) in polkit, which is used by Linux distributions such as Red Hat and Ubuntu
polkit is a system service installed by default on many Linux distributions. It’s used by systemd, so any Linux distribution that uses systemd also uses polkit. As a member of GitHub Security Lab, my job is to help improve the security of open source software by finding and reporting vulnerabilities. A few weeks ago, I found a privilege escalation vulnerability in polkit. I coordinated the disclosure of the vulnerability with the polkit maintainers and with Red Hat’s security team. It was publicly disclosed, the fix was released on June 3, 2021, and it was assigned CVE-2021-3560.

Security Researcher, IIJ-SECT, SANS Instructor in Japan, OWASP Japan Advisory Board, WASForum Hardening Project. I want to help build a safe online society that children can use with peace of mind.
