Security News That Caught My Attention This Week - Issue #40

Weekly newsletter of Masafumi Negishi
Incidents and accidents
Right-on's official online shop suffered unauthorized external access; personal information of about 250,000 customers was leaked
Malicious code was inserted into multiple npm packages
This incident follows last month’s hack of another popular npm library “ua-parser-js” that is used by Facebook, Microsoft, Amazon, Reddit, and other big tech firms.
The malware contained in hacked ‘coa’ versions, as analyzed by BleepingComputer, is virtually identical to the code found in the hijacked ua-parser-js versions, potentially establishing a link between the threat actors behind both incidents.
The security team of the npm JavaScript package manager has warned users that two of its most popular packages had been hijacked by a threat actor who released new versions laced with what appeared to be password-stealing malware.
Attacks and threats
Reports of observed activity exploiting the GitLab remote code execution vulnerability (CVE-2021-22205) disclosed in April
LAC issues an alert after observing attack activity exploiting a Movable Type vulnerability
For the remotely exploitable vulnerability in Movable Type's XMLRPC API (CVE-2021-20837), disclosed on October 20, 2021, proof-of-concept (PoC) code was published around October 26.
JSOC confirmed, through verification using the aforementioned PoC, that the vulnerability is easily exploitable. In addition, because we observed attempts to exploit this vulnerability on our threat intelligence platform, we released an emergency JSOC original signature (JSIG).
Analysis of the traffic detected by the JSIG confirmed environments in which vulnerable Movable Type installations were running exposed to external access, as well as multiple instances of damage such as backdoors being created on servers; we are therefore issuing this alert.
BlackMatter ransomware announces that it is ceasing operations
The criminal group behind the BlackMatter ransomware have announced plans today to shut down their operation, citing pressure from local authorities.
The group announced its plan in a message posted in the backend of their Ransomware-as-a-Service portal, where other criminal groups typically register in order to get access to the BlackMatter ransomware strain.
The BlackMatter ransomware collective today announced the closure of their operations, effective November 5. In the blog post, BlackMatter claimed that some of its key members are no longer “available,” which, if true, could be an indication that BlackMatter-affiliated threat actors may have been compromised or made the decision to no longer partake in ransomware activities.
However, it’s important to note that when a ransomware collective goes dark—such as the apparent case here with BlackMatter, or with REvil—it doesn’t necessarily mean that the threat actors associated with the group will cease future illicit cybercrime activities.
The US Department of State announces a reward of up to $10 million for information on the attack activity of DarkSide ransomware
The U.S. Department of State announces a reward offer of up to $10,000,000 for information leading to the identification or location of any individual(s) who hold(s) a key leadership position in the DarkSide ransomware variant transnational organized crime group. In addition, the Department is also offering a reward offer of up to $5,000,000 for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in a DarkSide variant ransomware incident.
Cloudflare publishes its DDoS attack trends report for Q3 2021
The third quarter of 2021 was a busy quarter for DDoS attackers. Cloudflare observed and mitigated record-setting HTTP DDoS attacks, terabit-strong network-layer attacks, one of the largest botnets ever deployed (Meris), and more recently, ransom DDoS attacks on voice over IP (VoIP) service providers and their network infrastructure around the world.
Vulnerabilities
BIND 9.x has a vulnerability in which an external attack degrades performance
ISC, the developer, has announced a vulnerability caused by an implementation flaw in BIND 9.x that makes external attacks against named possible. The vulnerability may degrade the performance of named and cause timeouts on the client side.
Trojan Source, a technique for deceiving human reviewers by inserting special Unicode control characters into program source code, is announced
We have discovered ways of manipulating the encoding of source code files so that human viewers and compilers see different logic. One particularly pernicious method uses Unicode directionality override characters to display code as an anagram of its true logic. We’ve verified that this attack works against C, C++, C#, JavaScript, Java, Rust, Go, and Python, and suspect that it will work against most other modern languages.
We will be releasing Rust 1.56.1 today, 2021-11-01, with two new deny-by-default lints detecting the affected codepoints, respectively in string literals and in comments. The lints will prevent source code files containing those codepoints from being compiled, protecting you from the attack.
If your code has legitimate uses for the codepoints we recommend replacing them with the related escape sequence. The error messages will suggest the right escapes to use.
If you can’t upgrade your compiler version, or your codebase also includes non-Rust source code files, we recommend periodically checking that the following codepoints are not present in your repository and your dependencies: U+202A, U+202B, U+202C, U+202D, U+202E, U+2066, U+2067, U+2068, U+2069.
(Comment) The attack technique of using RLO in file names to disguise the extension has been known for a long time, but applying it to source code is interesting
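The Rust announcement above recommends periodically checking that the nine bidi control codepoints are absent from a repository and its dependencies. The scanner below is an added example for this issue, not code from the Rust project or the Trojan Source authors: it reports each such codepoint with a 1-based line and column, the same list the Rust lints reject, and walks a directory tree for the file extensions given. The sample source text is constructed; the file extension list and the `<sample>` label are assumptions of this example.

```python
"""Scan source files for the Unicode bidi control characters used by Trojan Source.

Added example; not code from the Rust project or the Trojan Source paper.
The codepoint list is the one the Rust 1.56.1 announcement recommends checking
for. SAMPLE_SOURCE and CLEAN_SOURCE are constructed inputs.
"""
import sys
import unicodedata
from pathlib import Path

# U+202A..U+202E (embeddings and overrides) and U+2066..U+2069 (isolates):
# the codepoints the Rust lints reject and the advisory recommends grepping for.
BIDI_CONTROL_CODEPOINTS = frozenset(
    [0x202A, 0x202B, 0x202C, 0x202D, 0x202E, 0x2066, 0x2067, 0x2068, 0x2069]
)


def find_bidi_controls(text):
    """Return (line, column, description) for every bidi control character in text.

    Lines and columns are 1-based so they can be pasted into an editor.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if cp in BIDI_CONTROL_CODEPOINTS:
                hits.append((line_no, col, f"U+{cp:04X} {unicodedata.name(ch)}"))
    return hits


def scan_files(paths, extensions=(".rs", ".py", ".c", ".go", ".js")):
    """Scan files under the given paths; return {path: hits} for files with hits.

    Explicitly named files are scanned regardless of suffix; directories are
    walked for the given extensions (an assumed default list). Invalid UTF-8 is
    decoded with replacement so a binary blob cannot abort the scan; the bidi
    controls are valid multi-byte UTF-8 sequences and survive that decoding.
    """
    results = {}
    for root in paths:
        if root.is_file():
            candidates = [root]
        else:
            candidates = [
                p for p in root.rglob("*") if p.is_file() and p.suffix in extensions
            ]
        for path in candidates:
            hits = find_bidi_controls(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample: an RLO (U+202E) and PDF (U+202C) hidden inside a string
# literal, the pattern the "in string literals" lint is meant to catch.
SAMPLE_SOURCE = (
    "access_level = 'user'\n"
    "if access_level != 'none\u202e\u202c': # check for admin\n"
    "    print('admin')\n"
)

# Constructed sample with no bidi controls at all.
CLEAN_SOURCE = "x = 1\nprint(x)\n"


if __name__ == "__main__":
    # Usage: python bidi_scan.py <file-or-dir> ...  (exit status 1 if anything is found)
    targets = [Path(p) for p in sys.argv[1:]]
    if targets:
        found = scan_files(targets)
    else:
        found = {"<sample>": find_bidi_controls(SAMPLE_SOURCE)}
    for path, hits in found.items():
        for line_no, col, desc in hits:
            print(f"{path}:{line_no}:{col}: {desc}")
    sys.exit(1 if any(found.values()) else 0)
```

Run with no arguments it scans the constructed sample and reports the two hidden characters on line 2; given paths, a non-zero exit status makes it usable as a CI gate for repositories that mix Rust with other languages the compiler lints do not cover.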
T. M໐ri
A story about inserting "invisible" vulnerabilities into source code using homoglyphs. I presented it at CSS2019 (link below → it won the Concept Research Award), but I was beaten to it before I managed to turn it into an English-language paper. A lesson that results have to be published properly.

https://t.co/k4KPw3nrCd

https://t.co/DYmpXdFS33
Regarding BrakTooth, the new Bluetooth vulnerabilities disclosed in August, the research group that discovered them has published PoC code on GitHub
Other
NTT DATA publishes a report surveying global cybersecurity trends for April to June 2021
Meta announces that it will stop using the facial recognition system on Facebook
In the coming weeks, Meta will shut down the Face Recognition system on Facebook as part of a company-wide move to limit the use of facial recognition in our products. As part of this change, people who have opted in to our Face Recognition setting will no longer be automatically recognized in photos and videos, and we will delete the facial recognition template used to identify them.
US CISA directs federal agencies to remediate, within set deadlines, a large number of vulnerabilities being exploited in attacks. Vulnerabilities discovered before 2021 must be addressed within 6 months, all others within 2 weeks.
This Directive applies to federal civilian agencies; however, CISA strongly recommends that private businesses and state, local, tribal and territorial (SLTT) governments prioritize mitigation of vulnerabilities listed in CISA’s public catalog and sign up to receive notifications when new vulnerabilities are added.
Remediate each vulnerability according to the timelines set forth in the CISA-managed vulnerability catalog. The catalog will list exploited vulnerabilities that carry significant risk to the federal enterprise with the requirement to remediate within 6 months for vulnerabilities with a Common Vulnerabilities and Exposures (CVE) ID assigned prior to 2021 and within two weeks for all other vulnerabilities. These default timelines may be adjusted in the case of grave risk to the Federal Enterprise.
CISA issued Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities to evolve our approach to vulnerability management and keep pace with threat activity. The directive establishes a CISA managed catalog of known exploited vulnerabilities and requires federal civilian agencies to identify and remediate these vulnerabilities on their information systems.
(Comment) The published vulnerability catalog lists about 300 vulnerabilities and is to be updated going forward

Security Researcher, IIJ-SECT, SANS Instructor in Japan, OWASP Japan Advisory Board, WASForum Hardening Project. I want to realize a safe online society that children can use with peace of mind.