
This Week's Notable Security News - Issue #39

Weekly newsletter of Masafumi Negishi
Incidents and accidents
Citizen Lab reports that a New York Times journalist was targeted with Pegasus spyware
New York Times journalist Ben Hubbard was repeatedly targeted with NSO Group’s Pegasus spyware over a three-year period from June 2018 to June 2021. The targeting took place while he was reporting on Saudi Arabia, and writing a book about Saudi Crown Prince Mohammed bin Salman.
The US Department of Justice, Europol and other national law enforcement agencies cooperated to crack down on illicit opioid trafficking on the dark web; 150 suspects arrested worldwide.
Police forces across the world have arrested 150 alleged suspects involved in buying or selling illicit goods on the dark web as part of a coordinated international operation involving nine countries. 
More than €26.7 million (USD 31 million) in cash and virtual currencies have been seized in this operation, as well as 234 kg of drugs and 45 firearms. The seized drugs include 152 kg of amphetamine, 27 kg of opioids and over 25 000 ecstasy pills. 
This operation, known as Dark HunTOR, was composed of a series of separate but complementary actions in Australia, Bulgaria, France, Germany, Italy, the Netherlands, Switzerland, the United Kingdom and the United States, with coordination efforts led by Europol and Eurojust. 
Iran's National Iranian Oil Products Distribution Company (NIOPDC) was hit by a cyberattack, temporarily halting service at gas stations
Unauthorized logins to KLab ID from outside the company; 2,846 users affected.
These unauthorized logins are highly likely to have been carried out using IDs and passwords obtained from outside our company (a password list attack).
Cream Finance suffered unauthorized access and had approximately $130 million worth of crypto assets stolen.
Cream Finance 🍦
Our Ethereum C.R.E.A.M. v1 lending markets were exploited and liquidity was removed on October 27, 1354 UTC. The attacker removed a total of ~$130m USD worth of tokens from these markets, using this address: https://t.co/17sPIDpCmr
No other markets were impacted.
Papua New Guinea's Department of Finance Integrated Financial Management System (IFMS) infected with ransomware
Papua New Guinea’s finance department acknowledged late Thursday that its payment system, which manages access to hundreds of millions of dollars in foreign aid money, was hit with a ransomware attack.
The attack on the Department of Finance’s Integrated Financial Management System (IFMS) occurred at 1 a.m. local time on Oct. 22, according to a statement released by John Pundari, finance minister and acting treasurer.
Law enforcement agencies from eight countries cooperated to arrest 12 members of a criminal group involved in numerous attacks using ransomware such as LockerGoga, MegaCortex and Dharma.
A total of 12 individuals wreaking havoc across the world with ransomware attacks against critical infrastructure have been targeted as the result of a law enforcement and judicial operation involving eight countries. 
These attacks are believed to have affected over 1 800 victims in 71 countries. These cyber actors are known for specifically targeting large corporations, effectively bringing their business to a standstill.
The actions took place in the early hours of 26 October in Ukraine and Switzerland. Most of these suspects are considered high-value targets because they are being investigated in multiple high-profile cases in different jurisdictions. 
Attacks and threats
Emsisoft researchers found a vulnerability in the BlackMatter ransomware that made files decryptable. Until the attackers fixed the flaw, Emsisoft quietly helped victims recover.
Earlier this year, Emsisoft researchers discovered a critical flaw in the BlackMatter ransomware that allowed them to help victims recover their files without paying a ransom, preventing millions of dollars falling into the hands of cybercriminals. The work has been conducted quietly and privately so as not to alert the BlackMatter operators to the flaw. For the reasons discussed below, we believe it is now safe to share the story without jeopardizing the operation.
Microsoft reports on new attack activity by the threat actor group NOBELIUM.
Today, we’re sharing the latest activity we’ve observed from the Russian nation-state actor Nobelium. This is the same actor behind the cyberattacks targeting SolarWinds customers in 2020 and which the U.S. government and others have identified as being part of Russia’s foreign intelligence service known as the SVR.
The Microsoft Threat Intelligence Center (MSTIC) has detected nation-state activity associated with the threat actor tracked as NOBELIUM, attempting to gain access to downstream customers of multiple cloud service providers (CSP), managed service providers (MSP), and other IT services organizations (referred to as “service providers” for the rest of this blog) that have been granted administrative or privileged access by other organizations. The targeted activity has been observed against organizations based in the United States and across Europe since May 2021. MSTIC assesses that NOBELIUM has launched a campaign against these organizations to exploit existing technical trust relationships between the provider organizations and the governments, think tanks, and other companies they serve. NOBELIUM is the same actor behind the SolarWinds compromise in 2020, and this latest activity shares the hallmarks of the actor’s compromise-one-to-compromise-many approach. Microsoft has notified known victims of these activities through our nation-state notification process and worked with them and other industry partners to expand our investigation, resulting in new insights and disruption of the threat actor throughout stages of this campaign.
Conti ransomware begins selling access to the corporate networks of victims that refused to pay the ransom
The Conti ransomware affiliate program appears to have altered its business plan recently. Organizations infected with Conti’s malware who refuse to negotiate a ransom payment are added to Conti’s victim shaming blog, where confidential files stolen from victims may be published or sold. But sometime over the past 48 hours, the cybercriminal syndicate updated its victim shaming blog to indicate that it is now selling access to many of the organizations it has hacked.
Recorded Future interview with a LockBit ransomware operator
Avast releases decryption tools for the AtomSilo and LockFile ransomware
On Oct 17, 2021, Jiří Vinopal published information about a weakness in the AtomSilo ransomware and that it is possible to decrypt files without paying the ransom. Slightly later, he also analyzed another ransomware strain, LockFile. We prepared our very own free Avast decryptor for both the AtomSilo and LockFile strains.
ENISA publishes its annual report, ENISA Threat Landscape 2021
Vulnerabilities
Chrome fixes multiple vulnerabilities, including zero-day vulnerabilities already confirmed to be exploited in the wild.
[$10000][1259864] High CVE-2021-37997 : Use after free in Sign-In. Reported by Wei Yuan of MoyunSec VLab on 2021-10-14
[$7500][1259587] High CVE-2021-37998 : Use after free in Garbage Collection. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-10-13
[$1000][1251541] High CVE-2021-37999 : Insufficient data validation in New Tab Page. Reported by Ashish Arun Dhone on 2021-09-21
[$N/A][1249962] High CVE-2021-38000 : Insufficient validation of untrusted input in Intents. Reported by Clement Lecigne, Neel Mehta, and Maddie Stone of Google Threat Analysis Group on 2021-09-15
[$N/A][1260577] High CVE-2021-38001 : Type Confusion in V8. Reported by @s0rrymybad of Kunlun Lab via Tianfu Cup on 2021-10-16
[$N/A][1260940] High CVE-2021-38002 : Use after free in Web Transport. Reported by @__R0ng of 360 Alpha Lab, 漏洞研究院青训队 via Tianfu Cup on 2021-10-16
[$TBD][1263462] High CVE-2021-38003 : Inappropriate implementation in V8. Reported by Clément Lecigne from Google TAG and Samuel Groß from Google Project Zero on 2021-10-26
Google is aware that exploits for CVE-2021-38000 and CVE-2021-38003 exist in the wild.
macOS vulnerability allows bypass of System Integrity Protection (SIP) (CVE-2021-30892). Fixed in the latest version.
Microsoft has discovered a vulnerability that could allow an attacker to bypass System Integrity Protection (SIP) in macOS and perform arbitrary operations on a device. We also found a similar technique that could allow an attacker to elevate their privileges to root an affected device. We shared these findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). A fix for this vulnerability, now identified as CVE-2021-30892, was included in the security updates released by Apple on October 26, 2021.
zsh
Available for: Mac Pro (2013 and later), MacBook Air (Early 2015 and later), MacBook Pro (Early 2015 and later), Mac mini (Late 2014 and later), iMac (Late 2015 and later), MacBook (Early 2016 and later), iMac Pro (2017 and later)
Impact: A malicious application may be able to modify protected parts of the file system
Description: An inherited permissions issue was addressed with additional restrictions.
CVE-2021-30892: Jonathan Bar Or of Microsoft
Other
CRYPTREC publishes its 2020 committee activity report
The Cyber Information Sharing Initiative (J-CSIP) publishes its operational status report for July to September 2021
Security Researcher, IIJ-SECT, SANS Instructor in Japan, OWASP Japan Advisory Board, WASForum Hardening Project. I want to help realize a safe online society that children can use with peace of mind.