
Security news that caught my attention this week - Issue #25

Weekly newsletter of Masafumi Negishi
Incidents
The US Department of Justice indicted four Chinese nationals for involvement in APT40 attack activity. In step with this, the UK, Europe, Japan and others also issued statements.
A federal grand jury in San Diego, California, returned an indictment in May charging four nationals and residents of the People’s Republic of China with a campaign to hack into the computer systems of dozens of victim companies, universities and government entities in the United States and abroad between 2011 and 2018. The indictment, which was unsealed on Friday, alleges that much of the conspiracy’s theft was focused on information that was of significant economic benefit to China’s companies and commercial sectors, including information that would allow the circumvention of lengthy and resource-intensive research and development processes. The defendants and their Hainan State Security Department (HSSD) conspirators sought to obfuscate the Chinese government’s role in such theft by establishing a front company, Hainan Xiandun Technology Development Co., Ltd. (海南仙盾) (Hainan Xiandun), since disbanded, to operate out of Haikou, Hainan Province.
Against this background, on July 19 (local time), the United Kingdom, the United States and others issued statements concerning the cyber attack group known as APT40, which has the Chinese government behind it, and the United States indicted four members of APT40. Japan, too, assesses that APT40 is highly likely to be backed by the Chinese government, and has been watching with strong concern attacks by APT40 and others that threaten the security of cyberspace. The statements by the United Kingdom, the United States and others demonstrate a resolve to uphold the rules-based international order in cyberspace, and Japan strongly supports them.
(Comment) The contents of the indictment also match what Intrusion Truth pointed out on its blog in January 2020.
A British national believed to be involved in the July 2020 mass takeover of Twitter accounts was arrested in Spain
A citizen of the United Kingdom was arrested today in Estepona, Spain, by Spanish National Police pursuant to a U.S. request for his arrest on multiple charges in connection with the July 2020 hack of Twitter that resulted in the compromise of over 130 Twitter accounts, including those belonging to politicians, celebrities and companies.
Follow-up on the REvil ransomware infections that abused Kaseya VSA. Kaseya reports that it obtained a REvil decryptor on 7/21 and is working with affected customers. Security firm Emsisoft is assisting.
July 22, 2021 - 3:30 PM EDT
Kaseya has obtained universal decryptor key.
On 7/21/2021, Kaseya obtained a decryptor for victims of the REvil ransomware attack, and we’re working to remediate customers impacted by the incident.
We can confirm that Kaseya obtained the tool from a third party and have teams actively helping customers affected by the ransomware to restore their environments, with no reports of any problem or issues associated with the decryptor. Kaseya is working with Emsisoft to support our customer engagement efforts, and Emsisoft has confirmed the key is effective at unlocking victims.
We remain committed to ensuring the highest levels of safety for our customers and will continue to update here as more details become available.
Customers who have been impacted by the ransomware will be contacted by Kaseya representatives.
(Comment) Details of how this decryptor was obtained are unknown.
Akamai's Edge DNS suffered an outage, affecting many services
At 15:45 UTC on July 22, 2021, a software configuration update triggered a bug in our Secure Edge Content Delivery Network impacting that network’s domain name service (DNS) system (the system that directs browsers to websites for that specific service). This caused a disruption impacting availability of some customer websites. The disruption lasted up to an hour. Upon rolling back the software configuration update, the services resumed normal operations.
Akamai can confirm this was not a cyberattack against Akamai’s platform.
We apologize for the inconvenience that resulted. We are reviewing our software update process to prevent future disruptions.
Attacks and threats
Forbidden Stories, in cooperation with Amnesty International, The Washington Post and 17 news organizations worldwide, published the results of an investigation into the activities of Israeli NSO Group's spyware "Pegasus" (The Pegasus Project)
Forbidden Stories and Amnesty International had access to a leak of more than 50,000 records of phone numbers that NSO clients selected for surveillance. According to an analysis of these records by Forbidden Stories and its partners, the phones of at least 180 journalists were selected in 20 countries by at least 10 NSO clients. These government clients range from autocratic (Bahrain, Morocco and Saudi Arabia) to democratic (India and Mexico) and span the entire world, from Hungary and Azerbaijan in Europe to Togo and Rwanda in Africa. As the Pegasus Project will show, many of them have not been afraid to select journalists, human rights defenders, political opponents, businesspeople and even heads of state as targets of this invasive technology.
The Pegasus attacks detailed in this report and accompanying appendices are from 2014 up to as recently as July 2021. These also include so-called “zero-click” attacks which do not require any interaction from the target. Zero-click attacks have been observed since May 2018 and continue until now. Most recently, a successful “zero-click” attack has been observed exploiting multiple zero-days to attack a fully patched iPhone 12 running iOS 14.6 in July 2021.
On July 18, non-profit journalism organization Forbidden Stories released a major new investigation into NSO Group. The investigation exposes widespread global targeting with Pegasus spyware. The investigation also includes results from the forensic examination of a number of devices that their technical partner, Amnesty International, assessed to be infected.
Forbidden Stories and Amnesty International requested that the Citizen Lab undertake an independent peer review of a sample of their forensic evidence and their general forensic methodology. We were provided with iTunes backups of several devices and a separate methodology brief. No additional context or information about the devices or the investigation was provided to us.
We independently validated that Amnesty International’s forensic methodology correctly identified infections with NSO’s Pegasus spyware within four iTunes backups. We also determined that their overall methodology is sound. In addition, the Citizen Lab’s own research has independently arrived at a number of the same key findings as Amnesty International’s analysis.
The report by Forbidden Stories is full of wrong assumptions and uncorroborated theories that raise serious doubts about the reliability and interests of the sources. It seems like the “unidentified sources” have supplied information that has no factual basis and are far from reality.
After checking their claims, we firmly deny the false allegations made in their report. Their sources have supplied them with information which has no factual basis, as evident by the lack of supporting documentation for many of their claims.
In fact, these allegations are so outrageous and far from reality, that NSO is considering a defamation lawsuit.
A new attack technique, PetitPotam, that uses MS-EFSRPC to coerce Windows hosts into authenticating has been published. Used against a domain controller and combined with an AD CS relay attack, it allows a full domain takeover.
PoC tool to coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw function. This is possible via other protocols and functions as well ;) .
topotam
Hi all,
MS-RPRN to coerce machine authentication is great but the service is often disabled nowadays by admins on most orgz.
Here is another way we use to elicit machine account auth via MS-EFSRPC. Enjoy!! :)
https://t.co/AGiS4f6yt8
Rémi Escourrou
Finally finished testing it, it's quite brutal! Network access to full AD takeover... I really underestimated the impact of NTLM relay on PKI #ESC8 😱 The combo with PetitPotam is awesome!
Everything is already published to quickly exploit it ... https://t.co/NVe6QJFrx6 https://t.co/q55OyC7dME
🥝 Benjamin Delpy
It's time to play with #mimikatz🥝& #kekeo🐤& #impacket
If you have a Windows PKI with its WebServer, you'll have problems🤪

No authentication/credential to *full domain owned*

> https://t.co/Wzb5GAfWfd
> https://t.co/x3n9B8HHGT

👍@topotam77 EFS & PetitPotam
👍@ExAndroidDev PR https://t.co/Z2qn1NM9zx
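The relay side of this chain only works when the AD CS web enrollment endpoint still accepts NTLM without channel binding. The following script is an added example, not code from the newsletter or from the PetitPotam project: it audits the IIS configuration of the CertSrv application for the three settings Microsoft's mitigation guidance for NTLM relay against AD CS asks for (Extended Protection for Authentication set to Require, SSL required, NTLM removed from the provider list). It assumes the default site layout, with CertSrv under "Default Web Site", and is run on the CA web enrollment server as an administrator.

```powershell
# Added example (not from the newsletter or the PetitPotam project): audit the
# AD CS Web Enrollment site for the settings that stop a relayed NTLM logon.
Import-Module WebAdministration

$site       = 'IIS:\Sites\Default Web Site\CertSrv'   # assumption: default location
$authFilter = 'system.webServer/security/authentication/windowsAuthentication'
$findings   = @()

# 1. Extended Protection must be 'Require': the server then rejects NTLM
#    authentication that is not bound to its own TLS channel, which is what a
#    relayed exchange looks like.
$epa = Get-WebConfigurationProperty -PSPath $site -Filter $authFilter -Name 'extendedProtection'
if ($epa.tokenChecking -ne 'Require') {
    $findings += "EPA tokenChecking is '$($epa.tokenChecking)', expected 'Require'"
}

# 2. Channel binding only protects TLS connections, so plain HTTP must be off.
$ssl = Get-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/security/access' -Name 'sslFlags'
if ($ssl.Value -notmatch 'Ssl') {
    $findings += "sslFlags is '$($ssl.Value)', the site does not require SSL"
}

# 3. With NTLM removed from the providers (leaving Negotiate:Kerberos), a
#    relayed NTLM authentication has nothing to talk to.
$providers = (Get-WebConfigurationProperty -PSPath $site -Filter $authFilter -Name 'providers').Collection |
    Select-Object -ExpandProperty value
if ($providers -contains 'NTLM') {
    $findings += "Windows authentication providers still include NTLM ($($providers -join ', '))"
}

if ($findings.Count -eq 0) {
    Write-Output 'CertSrv: EPA required, SSL required, NTLM disabled'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Each finding maps to one hardening step; fixing only one of them is not enough, because EPA without SSL is meaningless and SSL without EPA still accepts a relayed NTLM message.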
Cloudflare's report on DDoS attacks in Q2 2021
Over 11% of our surveyed customers who were targeted by a DDoS attack reported receiving a threat or ransom letter threatening in advance, in the first six months of this year. Emergency onboarding of customers under an active DDoS attack increased by 41.8% in 2021 H1 compared to 2020 H2.
Coveware's report on ransomware attacks in Q2 2021
Vulnerabilities
A vulnerability in Windows that allows arbitrary code execution by abusing the Point and Print feature
Microsoft Windows allows for non-admin users to be able to install printer drivers via Point and Print. Printers installed via this technique also install queue-specific files, which can be arbitrary libraries to be loaded by the privileged Windows Print Spooler process.
🥝 Benjamin Delpy
Want to test #printnightmare (ep 4.x) user-to-system as a service?🥝
(POC only, will write a log file to system32)

connect to \\https://t.co/6Pk2UnOXaG with
- user: .\gentilguest
- password: password

Open 'Kiwi Legit Printer - x64', then 'Kiwi Legit Printer - x64 (another one)' https://t.co/zHX3aq9PpM
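Whether non-administrators can pull a driver (and its queue-specific files) onto a machine is governed by the Point and Print policy. The script below is an added example, not code from the newsletter or from Microsoft: it reads the policy values under the PointAndPrint key, reports the spooler state, and flags the combinations that let a standard user install a driver without an elevation prompt. The value RestrictDriverInstallationToAdministrators is not mentioned on the page; Microsoft introduced it in its August 2021 update as the setting that limits driver installation to administrators.

```powershell
# Added example (not from the newsletter or Microsoft): audit the Point and
# Print policy that controls non-admin printer driver installation.
$key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$policy = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }

# A missing value means the policy is not configured and Windows defaults apply.
function Get-PolicyValue([string]$name) {
    if ($null -ne $policy -and $null -ne $policy.$name) { $policy.$name } else { 'not configured' }
}

$report = [ordered]@{
    # 1 suppresses the elevation prompt when a new driver is installed
    'NoWarningNoElevationOnInstall'              = Get-PolicyValue 'NoWarningNoElevationOnInstall'
    # 2 suppresses the prompt when an existing driver is updated
    'UpdatePromptSettings'                       = Get-PolicyValue 'UpdatePromptSettings'
    # 1 limits Point and Print to the servers listed in ServerList
    'Restricted'                                 = Get-PolicyValue 'Restricted'
    'ServerList'                                 = Get-PolicyValue 'ServerList'
    # 1 = only administrators may install drivers (value added by Microsoft in
    # August 2021; it closes the non-admin install path described above)
    'RestrictDriverInstallationToAdministrators' = Get-PolicyValue 'RestrictDriverInstallationToAdministrators'
    'Spooler service'                            = (Get-Service -Name Spooler).Status
}
$report

if ($report.NoWarningNoElevationOnInstall -eq 1 -or $report.UpdatePromptSettings -eq 2) {
    Write-Warning 'Point and Print prompts are suppressed: non-admin driver installs proceed without elevation'
}
if ($report.RestrictDriverInstallationToAdministrators -ne 1) {
    Write-Warning 'Driver installation is not restricted to administrators'
}
if ($report.Restricted -ne 1) {
    Write-Warning 'Point and Print is not limited to an approved server list'
}
```

On hosts that never print, the last line of the report is the one that matters: a stopped and disabled spooler removes the privileged process that loads the driver files in the first place.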
macOS, iOS, iPadOS, tvOS and watchOS fix multiple vulnerabilities, including a fix for a Wi-Fi vulnerability in iOS that allows remote code execution (CVE-2021-30800).
Wi-Fi
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Joining a malicious Wi-Fi network may result in a denial of service or arbitrary code execution
Description: This issue was addressed with improved checks.
CVE-2021-30800: vm_call, Nozhdar Abdulkhaleq Shukri
ZecOps Mobile EDR Research team investigated if the recently announced WiFi format-string bug in wifid was exploited in the wild.
This research led us to interesting discoveries:
- Recently a silently patched 0-click WiFi proximity vulnerability on iOS 14 – iOS 14.4 without any assigned CVE
- That the publicly announced WiFi Denial of Service (DoS) bug, which is currently a 0day, is more than just a DoS and actually a RCE!
- Analysis if any of the two bugs were exploited across our cloud user-base.
A vulnerability in Windows where flawed access control on registry hive files allows local privilege escalation (SeriousSAM / HiveNightmare)
An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
(Comment) From Windows 10 version 1809 onward, for some reason the SAM file and others had become readable by ordinary users (the BUILTIN\Users group). It is surprising that this went unnoticed for more than two years.
Jonas L
yarh- for some reason on win11 the SAM file now is READ for users.
So if you have shadowvolumes enabled you can read the sam file like this:

I don't know the full extent of the issue yet, but it's too many to not be a problem I think. https://t.co/kl8gQ1FjFt
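The condition described above is a plain file ACL question, and the shadow-copy angle matters because a copy taken while the ACL was permissive keeps the old ACL even after the live file is fixed. The script below is an added example, not code from the newsletter or from Microsoft: it checks whether BUILTIN\Users holds read access on the SAM, SYSTEM and SECURITY hive files, counts existing shadow copies, and prints Microsoft's published workaround (restore inherited ACLs on the config directory, then delete existing shadow copies) when a hive is exposed. Run it as an administrator.

```powershell
# Added example (not from the newsletter or Microsoft): check the registry
# hive files for read access granted to BUILTIN\Users.
$configDir = Join-Path $env:windir 'System32\config'
$hives     = 'SAM', 'SYSTEM', 'SECURITY' | ForEach-Object { Join-Path $configDir $_ }
$exposed   = @()

foreach ($hive in $hives) {
    # Reading the security descriptor does not conflict with the kernel's
    # open handle on the hive, so Get-Acl works even though the data cannot be read.
    $acl = Get-Acl -Path $hive
    $userAces = $acl.Access | Where-Object {
        $_.IdentityReference -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
    }
    if ($userAces) {
        $exposed += $hive
        Write-Warning ('{0}: BUILTIN\Users has {1}' -f $hive, ($userAces.FileSystemRights -join ', '))
    } else {
        Write-Output ('{0}: no read access for BUILTIN\Users' -f $hive)
    }
}

# Shadow copies created while the ACL was permissive still carry that ACL.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
Write-Output ('Shadow copies present: {0}' -f $shadows.Count)

if ($exposed.Count -gt 0) {
    Write-Warning 'Mitigation (Microsoft workaround): restore inherited ACLs, then remove existing shadow copies:'
    Write-Warning ('  icacls {0}\*.* /inheritance:e' -f $configDir)
    Write-Warning '  vssadmin delete shadows /for=C: /all /quiet'
}
```

The shadow-copy count is the part most audits miss: a host whose live ACL is already correct can still hand an old copy of SAM to any user if a pre-fix snapshot remains.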
Other
DuckDuckGo announced its Email Protection feature. It issues users a relay email address, strips trackers from received mail, and forwards it on.
We’re excited to announce the beta release of DuckDuckGo’s Email Protection. Our free email forwarding service removes email trackers and protects the privacy of your personal email address without asking you to change email services or apps. Most existing email privacy solutions come with significant tradeoffs. You either have to switch email services or apps entirely, or degrade your email experience by hiding all images. We believe protecting your personal information from leaking to third parties should be simple and seamless, like the rest of DuckDuckGo’s privacy protection bundle.
(Comment) If all you need is relaying, there is Firefox Relay. What sets DuckDuckGo's Email Protection apart is its stronger privacy features. Those who want to join the beta can sign up from the DuckDuckGo app.

Security Researcher, IIJ-SECT, SANS Instructor in Japan, OWASP Japan Advisory Board, WASForum Hardening Project. I want to help build a safe online society that children can use with peace of mind.

Created with Revue by Twitter.