
This Week's Security News of Interest - Issue #31

Weekly newsletter of Masafumi Negishi
Incidents and accidents
Ireland's Data Protection Commission (DPC) announced a fine of 225 million euros against WhatsApp for GDPR violations.
A large-scale network outage hit the New Zealand carrier Vocus. The outage appears to have been triggered by the response to a DDoS attack on one of its customers.
Outage - Friday 3rd September - further detail
03/09/2021 3:41pm
This afternoon a Vocus customer was under DDoS attack. A DDoS mitigation rule was updated to our Arbor DDoS platform to block the attack for the end customer. Based on initial investigations it was this rule change that disrupted service to a range of Vocus customers. We are working closely with the vendor of this platform to understand why this occurred. Customers should have come back online automatically. Please contact us on 0800 65 65 38 if you are unable to connect.
(Comment) This seems not to have been a direct effect of the DDoS attack itself; rather, the attempt to respond to the attack caused a problem that also affected the connectivity of many other customers. Whether it was an operational mistake or a product bug, the details are unknown.
攻撃、脅威
8/16 に公開された Realtek SDK の 4つの脆弱性のうちの 1つ CVE-2021-35394 の悪用を確認したと Juniper が報告。Mirai 亜種が脆弱性を利用して感染試行している。
Juniper Threat Labs has detected that the threat actors that we recently observed exploiting CVE-2021-20090 are now actively exploiting CVE-2021-35394, a vulnerability disclosed last week by IoT Inspector Research Lab. This attack targets the Realtek RTL8xxx SoC chipsets that are used in many embedded devices, particularly wireless routers. At the time of this writing, all of the download servers used in this campaign are online and the attacks are ongoing.
Masafumi Negishi
This Mirai variant "PUTIN" uses EmerDNS (.lib TLD) for its C2 domain. Several OpenNIC public server addresses are hardcoded. This technique was also used by Fbot in 2018.

https://t.co/MySOfPiZCO https://t.co/apyA5tVzbQ
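As an added illustration (not code from the newsletter or the tweet), the following Python check flags DNS queries for EmerDNS TLDs such as .lib, which ordinary ICANN resolvers never answer, and queries sent to resolvers other than the ones an organization expects. The log format, the IP addresses (RFC 5737 documentation ranges) and the domain names are constructed for this example.

```python
# Added example: spot EmerDNS-style C2 resolution in DNS query logs.
# EmerDNS TLDs (.lib, .emc, .coin, .bazar) resolve only through OpenNIC-style
# resolvers, so a query for one of them, or a query bypassing the expected
# internal resolver, is a reasonable hunting signal. Log format is constructed.
import re
from typing import Dict, Iterable, List, Set

EMERDNS_TLDS = {"lib", "emc", "coin", "bazar"}

# constructed line format: "<timestamp> <client_ip> <resolver_ip> <qname>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed log line; raise ValueError on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts, client, resolver, qname = m.groups()
    return {"ts": ts, "client": client, "resolver": resolver, "qname": qname}


def tld_of(qname: str) -> str:
    """Return the rightmost label, ignoring a trailing root dot."""
    return qname.rstrip(".").rsplit(".", 1)[-1].lower()


def find_emerdns_queries(lines: Iterable[str], expected_resolvers: Set[str]) -> List[Dict]:
    """Return records that use an EmerDNS TLD or an unexpected resolver."""
    hits = []
    for line in lines:
        try:
            rec = parse_line(line)
        except ValueError:
            continue  # skip malformed lines instead of aborting the sweep
        reasons = []
        if tld_of(rec["qname"]) in EMERDNS_TLDS:
            reasons.append("emerdns-tld")
        if rec["resolver"] not in expected_resolvers:
            reasons.append("unexpected-resolver")
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits


# Constructed sample log: 192.0.2.53 is the assumed internal resolver.
SAMPLE_LOG = [
    "2021-09-03T10:00:01Z 192.0.2.10 192.0.2.53 updates.example.com.",
    "2021-09-03T10:00:05Z 192.0.2.11 198.51.100.7 cc-placeholder.lib.",
    "2021-09-03T10:00:09Z 192.0.2.12 192.0.2.53 mail.example.org.",
    "2021-09-03T10:00:12Z 192.0.2.11 198.51.100.7 time.example.net.",
    "not a dns log line",
]
```

Running `find_emerdns_queries(SAMPLE_LOG, {"192.0.2.53"})` returns the .lib query (both reasons) and the second query from the same client that bypassed the internal resolver.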
US CISA issued an alert noting that ransomware attacks in the United States are increasing on holidays and weekends.
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have observed an increase in highly impactful ransomware attacks occurring on holidays and weekends—when offices are normally closed—in the United States, as recently as the Fourth of July holiday in 2021. The FBI and CISA do not currently have any specific threat reporting indicating a cyberattack will occur over the upcoming Labor Day holiday. However, the FBI and CISA are sharing the below information to provide awareness to be especially diligent in your network defense practices in the run up to holidays and weekends, based on recent actor tactics, techniques, and procedures (TTPs) and cyberattacks over holidays and weekends during the past few months. The FBI and CISA encourage all entities to examine their current cybersecurity posture and implement the recommended best practices and mitigations to manage the risk posed by all cyber threats, including ransomware.
The operators of the Babuk ransomware released its source code.
Emsisoft CTO and ransomware expert Fabian Wosar and researchers from McAfee Enterprise have both told BleepingComputer that the leak appears legitimate. Wosar also stated that the leak may contain decryption keys for past victims.
Babuk ransomware uses elliptic-curve cryptography (ECC) as part of its encryption routine. Included in the leak are folders containing encryptors and decryptors compiled for specific victims of the ransomware gang.
Wosar told BleepingComputer that these folders also contain curve files that could be the ECC decryption keys for these victims, but this has not been confirmed yet.
vx-underground
One of the developers for Babuk ransomware group, a 17 year old person from Russia, has been diagnosed with Stage-4 Lung Cancer. He has decided to leak the ENTIRE Babuk source code for Windows, ESXI, NAS.

You can download the Babuk source here: vx-underground[.]org/tmp/
Vulnerabilities
Confluence has an OGNL injection vulnerability that allows arbitrary code execution (CVE-2021-26084). Exploitation in the wild has already been confirmed.
An OGNL injection vulnerability exists that would allow an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance. 
All versions of Confluence Server and Data Center prior to the fixed versions listed above are affected by this vulnerability.
A new vulnerability in Microsoft Exchange Server, ProxyToken (CVE-2021-33766), allows user mailbox settings to be changed without authentication. Microsoft already released a patch in July.
Continuing with the theme of serious vulnerabilities that have recently come to light in Microsoft Exchange Server, in this article we present a new vulnerability we call ProxyToken. It was reported to the Zero Day Initiative in March 2021 by researcher Le Xuan Tuyen of VNPT ISC, and it was patched by Microsoft in the July 2021 Exchange cumulative updates. Identifiers for this vulnerability are CVE-2021-33766 and ZDI-CAN-13477.
With this vulnerability, an unauthenticated attacker can perform configuration actions on mailboxes belonging to arbitrary users. As an illustration of the impact, this can be used to copy all emails addressed to a target account and forward them to an account controlled by the attacker.
A research group at the Singapore University of Technology and Design announced BrakTooth, a new family of Bluetooth vulnerabilities.
In this report, we disclose BrakTooth, a family of new security vulnerabilities in commercial BT stacks that range from denial of service (DoS) via firmware crashes and deadlocks in commodity hardware to arbitrary code execution (ACE) in certain IoTs. As of today, we have evaluated 13 BT devices from 11 vendors. We have discovered a total of 16 new security vulnerabilities, with 20 common vulnerability exposures (CVEs) already assigned and four (4) vulnerabilities are pending CVE assignment from Intel and Qualcomm.
Other
NICT published the results of the NICTER project's darknet observation network for Q2 2021 (April to June).
US CISA published guidance on managing risk for organizations that use MSPs.
This resource focuses guidance to the three main organizational groups that play a role in reducing overall risk: (1) senior executives and boards of directors (strategic decision-making); (2) procurement professionals (operational decision-making); and (3) network administrators, systems administrators, and front-line cybersecurity staff (tactical decision-making).
The bottom line is that outsourcing IT services provides both increased benefits and risk to an organization. Key responsible individuals should take a step back to look at the security practices in place across their enterprise to answer:
Who is responsible for security and operations when outsourcing IT services to an MSP?
What are the most critical assets that we must protect and how do we protect them?
What should an MSP provide to an organization in advance of a contract award to demonstrate security controls in place?
What network and system access levels are appropriate for third-party service providers?
It will require effort and time upfront for an organization to review their security practices and answer these types of questions. But, in the long run, it will help them spot pockets of risk from third-party vendors and improve their overall security and resilience.
Apple had planned to ship a feature for detecting child sexual abuse material (CSAM) in its next OS release, but announced a delay of several months in light of the wide range of feedback it received.
Update as of September 3, 2021: Previously we announced plans for features intended to help protect children from predators who use communication tools to recruit and exploit them and to help limit the spread of Child Sexual Abuse Material. Based on feedback from customers, advocacy groups, researchers, and others, we have decided to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features.

Security Researcher, IIJ-SECT, SANS Instructor in Japan, OWASP Japan Advisory Board, WASForum Hardening Project. I want to help build a safe online society that children can use with peace of mind.
