
Security News of Interest This Week - Issue #41

Weekly newsletter of Masafumi Negishi
Incidents and accidents
A bZx developer fell victim to a phishing email, and crypto assets worth more than $50 million were stolen
A bZx developer had his personal wallet’s private keys taken in a phishing attack. The phishing attack was similar to one that affected another user recently named “mgnr.io”.
The ethereum deployment of bZx protocol is safe following the compromise of an individual bZx developer’s computer and their private keys. The Ethereum bZx protocol itself wasn’t exploited. Since bZx Protocol on ethereum is governed by a DAO, the ethereum implementation was not affected. Ethereum Governance is also unaffected.
This attack granted the hacker access to the content of the bZx Developers wallet, and also the private keys to the BSC and Polygon deployment of bZx Protocol. After gaining control of BSC and Polygon the hacker drained the BSC and Polygon protocol, then upgraded the contract to allow draining of all tokens that the contracts had given unlimited approval.
Operation GoldDust, a joint operation by Europol and law enforcement agencies in 17 countries, arrested five people for involvement in REvil (Sodinokibi) ransomware attacks, and two people for involvement in GandCrab ransomware attacks.
On 4 November, Romanian authorities arrested two individuals suspected of cyber-attacks deploying the Sodinokibi/REvil ransomware. They are allegedly responsible for 5 000 infections, which in total pocketed half a million euros in ransom payments. Since February 2021, law enforcement authorities have arrested three other affiliates of Sodinokibi/REvil and two suspects connected to GandCrab. These are some of the results of operation GoldDust, which involved 17 countries*, Europol, Eurojust and INTERPOL. All these arrests follow the joint international law enforcement efforts of identification, wiretapping and seizure of some of the infrastructure used by Sodinokibi/REvil ransomware family, which is seen as the successor of GandCrab.
The U.S. Department of Justice indicted two people for involvement in REvil ransomware attacks, including the attack in July of this year that exploited the Kaseya VSA vulnerability.
The Justice Department announced today recent actions taken against two foreign nationals charged with deploying Sodinokibi/REvil ransomware to attack businesses and government entities in the United States.
An indictment unsealed today charges Yaroslav Vasinskyi, 22, a Ukrainian national, with conducting ransomware attacks against multiple victims, including the July 2021 attack against Kaseya, a multi-national information technology software company.
The department also announced today the seizure of $6.1 million in funds traceable to alleged ransom payments received by Yevgeniy Polyanin, 28, a Russian national, who is also charged with conducting Sodinokibi/REvil ransomware attacks against multiple victims, including businesses and government entities in Texas on or about Aug. 16, 2019.
According to the indictments, Vasinskyi and Polyanin accessed the internal computer networks of several victim companies and deployed Sodinokibi/REvil ransomware to encrypt the data on the computers of victim companies.
VoIP provider Telnyx suffered an outage due to a DDoS attack
(Comment) Service was restored by using Cloudflare Magic Transit. This appears to be part of the series of extortion DDoS campaigns targeting VoIP service providers.
Attacks and threats
Kaspersky Lab released its report on DDoS attacks in Q3 2021
Cloudflare reported on its observations of DDoS attacks by the Meris botnet
The U.S. Department of State announced a reward of up to $10 million for information on the REvil (Sodinokibi) ransomware operation
The Department of State is offering a reward of up to $10,000,000 for information leading to the identification or location of any individual holding a key leadership position in the Sodinokibi ransomware variant transnational organized crime group. In addition, the Department is offering a reward offer of up to $5,000,000 for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in a Sodinokibi variant ransomware incident.
Many domestic organizations and individuals have been victimized by phishing emails
Damage from a new wave of phishing sites is surging. The "Baramaki Mail Kaishu no Kai" (Bulk Mail Collection Group), a group of cybersecurity engineers who monitor, analyze and share bulk-distributed malicious email, estimates that as of November 11, 2021 more than 1,000 email accounts have already been stolen. Victim organizations span large enterprises, small and medium-sized businesses, government agencies, universities and private individuals.
Google TAG reported that a macOS zero-day vulnerability was used in watering hole attacks on Hong Kong websites in August
To protect our users, TAG routinely hunts for 0-day vulnerabilities exploited in-the-wild. In late August 2021, TAG discovered watering hole attacks targeting visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group. The watering hole served an XNU privilege escalation vulnerability (CVE-2021-30869) unpatched in macOS Catalina, which led to the installation of a previously unreported backdoor.
As is our policy, we quickly reported this 0-day to the vendor (Apple) and a patch was released to protect users from these attacks.
Based on our findings, we believe this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code.
Vulnerabilities
13 vulnerabilities in the Nucleus TCP/IP stack (NUCLEUS:13)
Forescout Research Labs, with support from Medigate Labs, have discovered a set of 13 new vulnerabilities affecting the Nucleus TCP/IP stack, which we are collectively calling NUCLEUS:13. The new vulnerabilities allow for remote code execution, denial of service, and information leak.
Nucleus is used in safety-critical devices, such as anesthesia machines, patient monitors and others in healthcare. Forescout Research Labs is committed to supporting vendors in identifying affected products (our open-source TCP/IP stack detector can be helpful in this respect) and to sharing our findings with the cybersecurity community.
Microsoft released its November 2021 Patch Tuesday updates, fixing CVE-2021-42292 and other vulnerabilities already confirmed to be exploited
Among the vulnerabilities fixed in the November 2021 security updates, the Microsoft Excel security feature bypass vulnerability (CVE-2021-42292) and the Microsoft Exchange Server remote code execution vulnerability (CVE-2021-42321) have already been confirmed to be exploited. Customers using affected environments are asked to apply the updates as soon as possible.
Remote code execution vulnerability in Palo Alto Networks PAN-OS (CVE-2021-3064)
A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces that enables an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges. The attacker must have network access to the GlobalProtect interface to exploit this issue.
This issue impacts PAN-OS 8.1 versions earlier than PAN-OS 8.1.17.
Prisma Access customers are not impacted by this issue.
In an effort to avoid enabling misuse, technical details related to CVE-2021-3064 will be withheld from public dissemination for a period of 30 days from the date of this publication. More information will be released at that time. Follow @RandoriAttack on Twitter for updates on future posts.
CVE-2021-3064, an extremely high-risk vulnerability in PAN-OS, the operating system of Palo Alto Networks network appliances, was disclosed on November 10, 2021.
As of the time of writing (November 11, 2021), although activity scanning for target servers has been observed*1, no activity exploiting this vulnerability has been reported. However, the security vendor that discovered the vulnerability plans to publish detailed information on December 10, 2021*2, and there is a risk that real attacks will begin around that time.
With this vulnerability, once an attack has begun, the response does not end with merely applying the patch and, as described later, can become extremely laborious. If it is exploited to compromise your organization, it can lead to extremely serious incidents such as ransomware damage, so we strongly recommend taking countermeasures early.
Other
The Japan Trust Technology Association (JT2A) Authenticity Assurance Task Force published a survey report on financial use cases of online identity verification (eKYC)
PayPay began identity verification using the My Number Card's Public Personal Authentication Service on November 10, 2021
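A small inventory triage for the affected range quoted in the advisory above (PAN-OS 8.1 releases earlier than 8.1.17), added here as an example and not taken from the advisory or the blog post; the version string format with an optional "-hN" hotfix suffix and the sample host names are assumptions.

```python
import re

# Affected range per the advisory text quoted above: 8.1 releases earlier than 8.1.17.
FIXED_8_1 = (8, 1, 17)

# Assumed PAN-OS version string format: "MAJOR.MINOR.MAINT" with an optional
# hotfix suffix such as "-h1" (e.g. "8.1.17-h1").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_pan_os_version(version: str) -> tuple:
    """Return (major, minor, maint, hotfix) as integers; hotfix is 0 when absent."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def affected_by_cve_2021_3064(version: str) -> bool:
    """True when the release is in the 8.1 train and older than 8.1.17.

    Integer comparison matters here: a naive string compare ranks "8.1.9"
    above "8.1.17" and would wrongly report that host as already fixed.
    """
    major, minor, maint, _hotfix = parse_pan_os_version(version)
    if (major, minor) != (8, 1):
        # Other trains are outside the range the quoted advisory text names.
        return False
    return (major, minor, maint) < FIXED_8_1


def triage(inventory: dict) -> list:
    """Return host names from a {host: version} inventory still needing the 8.1.17 update."""
    return sorted(host for host, ver in inventory.items() if affected_by_cve_2021_3064(ver))


# Constructed sample inventory (hypothetical hosts, not real devices).
SAMPLE_INVENTORY = {
    "fw-branch-01": "8.1.9",
    "fw-branch-02": "8.1.17",
    "fw-dc-01": "8.1.16-h3",
    "fw-dc-02": "9.1.4",
}

if __name__ == "__main__":
    print("needs update:", triage(SAMPLE_INVENTORY))
```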

Security Researcher, IIJ-SECT, SANS Instructor in Japan, OWASP Japan Advisory Board, WASForum Hardening Project. I want to help realize a safe online society that children can use with peace of mind.
