今週の気になるセキュリティニュース - Issue #42

#42・
Weekly newsletter of Masafumi Negishi
50

issues

Subscribe to our newsletter

By subscribing, you agree with Revue’s Terms of Service and Privacy Policy and understand that Weekly newsletter of Masafumi Negishi will receive your email address.

Weekly newsletter of Masafumi Negishi
Weekly newsletter of Masafumi Negishi
事件、事故
米 FBI のシステムが第三者に不正に悪用され、外部に大量のスパムメールを送信
The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails. LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners. While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service. No actor was able to access or compromise any data or PII on the FBI’s network. Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks.
On November 13, 2021, the FBI.gov domain was used to send out hoax emails to tens of thousands of people regarding Night Lion’s ongoing investigation into The Dark Overlord hacking group. The purpose of the email was to apparently discredit Night Lion & Shadowbyte’s founder, Vinny Troia, claiming that I am a member of that group.
I was initially warned of the attack around 10 pm EST on November 12 when user PomPompurin contacted me via direct message on Twitter to say “Enjoy”. I knew immediately an attack was coming as he typically likes to (sadistically) give me a heads-up right before they stage some sort of attack on me.
PyPI リポジトリに 11 の不正なパッケージが見つかり削除される
The JFrog Security research team continuously monitors popular open source software (OSS) repositories with our automated tooling to report vulnerable and malicious packages to repository maintainers. Earlier this year we disclosed several malicious packages targeting developers’ private data that were downloaded approximately 30K times. Today, we will share details about 11 new malware packages that we’ve recently discovered and disclosed to the PyPI maintainers (who promptly removed them).
経済同友会の事務局システムに不正アクセスがあり、外部に情報が流出した可能性
2021年11月15日(月)、経済同友会事務局の情報システムへの不正アクセスが確認され、現時点で個人情報を含む情報流出の可能性が高いことが判明しました。これを受けた緊急対応として、本会情報システムの一部稼働を見合わせております。
攻撃、脅威
2021年1月末に 8ヶ国の法執行機関による Operation Ladybird によってテイクダウンされた Emotet マルウェアが 10ヶ月ぶりに活動を再開
tl;dr: Emotet
The (slighty) longer story:
On Sunday, November 14, at around 9:26pm UTC we observed on several of our Trickbot trackers that the bot tried to download a DLL to the system. According to internal processing, these DLLs have been identified as Emotet. However, since the botnet was taken down earlier this year, we were suspicious about the findings and conducted an initial manual verification. Please find first results and IOCs below. Currently, we have high confidence that the samples indeed seem to be a re-incarnation of the infamous Emotet.
Back in January 2021, law enforcement and judicial authorities worldwide took down the Emotet botnet. Although some Emotet emails still went out in the weeks after that, those were remnants from the inactive botnet infrastructure. We hadn’t seen any new Emotet since then.
But on Monday 2021-11-15, we saw indicators that Emotet has returned. This diary reviews activity from a recent Emotet infection.
日本時間の2021年11月15日、マルウェアEmotetの活動が再開され、11月17日頃から日本組織においても攻撃メールが届き始めていることを当社で確認しています。
Cryptolaemus
This is our 3rd anniversary of Cryptolaemus1. Thanks for all the follows and sharing of intel these past 3 years! To celebrate, Ivan has released a new version of Emotet because he feels left out and wants to be part of the party. More details coming soon. As always watch URLHaus https://t.co/Qwvel32ibB
bom
Emotet は現在2つのbotnetが確認されています。TriageではE4/E5を区別可能です。
ダウンロードURLやC2、キーが異なります。通信先を1種類だけブロックしても足りないので注意ください。

サンプル

■Epoch4
https://t.co/zMmLBZcNyz

■Epoch5
https://t.co/vj1iZN6rNF
新たな Rowhammer 攻撃の効果的な手法 Blacksmith がチューリッヒ工科大学の研究グループによって公開
We demonstrate that it is possible to trigger Rowhammer bit flips on all DRAM devices today despite deployed mitigations on commodity off-the-shelf systems with little effort. This result has a significant impact on the system’s security as DRAM devices in the wild cannot easily be fixed, and previous work showed real-world Rowhammer attacks are practical, for example, in the browser using JavaScripton smartphonesacross VMs in the cloud, and even over the network.
Rowhammer is a vulnerability caused by leaking charges in DRAM cells that enables attackers to induce bit flips in DRAM memory. To stop Rowhammer, DRAM implements a mitigation known as Target Row Refresh (TRR). Our previous work showed that the new n-sided patterns can still trigger bit flips on 31% of today’s PC-DDR4 devices. We propose a new highly effective approach for crafting non-uniform and frequency-based Rowhammer access patterns that can bypass TRR from standard PCs. We implement these patterns in our Rowhammer fuzzer named Blacksmith and show that it can bypass TRR on 100% of the PC-DDR4 DRAM devices in our test pool. Further, our work provides new insights on the deployed mitigations.
JPCERT/CC が Web メールサービスのアカウント情報の詐取を目的としたフィッシング攻撃について注意喚起
Webメールサービスのメンテナンスやお知らせなどをかたったメールが送られており、メールの本文中のリンクへ接続すると、同サービスのログイン画面になりすましたサイトに誘導されます。そのサイトでメールアドレスとパスワードなどを入力して情報を送信すると、攻撃者にアカウント情報が詐取されます。また、詐取されたアカウント情報は、別のフィッシングメールを送るための踏み台として攻撃者に悪用され、さらなる攻撃が展開されます。
イラン政府が関与する攻撃者グループによる活動について、CISA、FBI、ACSC、NCSC が注意喚起
CISA, the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) have released a joint Cybersecurity Advisory highlighting ongoing malicious cyber activity by an advanced persistent threat (APT) group that FBI, CISA, ACSC, and NCSC assess is associated with the government of Iran. FBI and CISA have observed this Iranian government-sponsored APT exploit Fortinet and Microsoft Exchange ProxyShell vulnerabilities to gain initial access to systems in advance of follow-on operations, which include deploying ransomware.
脆弱性
複数の NETGEAR 製品にリモートコード実行可能な脆弱性
NETGEAR is aware of a pre-authentication buffer overflow security vulnerability that requires access via your local area network to be exploited.
Continuing in our series of research findings involving Netgear1 products,2 this blog post describes a pre-authentication vulnerability in Netgear SOHO Devices that can lead to Remote Code Execution (RCE) as root. While our previous research investigated the Netgear web server and update daemons, the issues described in this blog revolve around the device’s UPnP daemon. Anyone with Small Offices/Home Offices (SOHO) device vulnerability research experience will be familiar with UPnP. UPnP servers allow any unauthenticated device on the network to connect to the server and reconfigure the network to support its operations. For instance, the Xbox One uses UPnP to configure port forwarding necessary for gameplay. However, this service provides a large attack surface for the device, as it must allow unauthenticated requests and parse complex input to handle those requests. Further, the UPnP service on SOHO devices has previously been exploited in the wild.3
npm レジストリで最近起きた 2件の問題について、GitHub が報告
The npm registry is central to all JavaScript development, and, as stewards of the registry, ensuring its security is a responsibility GitHub takes seriously. Transparency is key in maintaining the trust of our community. Today, we are sharing details of recent incidents on the npm registry, the details of our investigations, and how we’re continuing to invest in the security of npm. These investments include the requirement of two-factor authentication (2FA) during authentication for maintainers and admins of popular packages on npm, starting with a cohort of top packages in the first quarter of 2022. Read on to learn more.
その他
Bitcoin の大型アップデート Taproot がアクティベート
At 5:15 UTC (00:15 EST) on Sunday, Nov. 14, Taproot, the long-anticipated Bitcoin upgrade, activated at block 709,632, opening the door for developers to integrate new features that will improve privacy, scalability and security on the network.
The upgrade locked in back in June, when over 90% of miners chose to “signal” their support. A programmed waiting period between lock-in and activation has since given node operators and miners time to fully upgrade to the latest version of Bitcoin Core, 21.1, which contains the merged code for Taproot. Only once they do so will they be able to enforce the new rules making it possible to use the new type of transaction.
米 CISA は連邦政府機関向けに、インシデントおよび脆弱性への対応に関する標準的な手続きを定めたプレイブックを公開
The White House, via Executive Order (EO) 14028: Improving the Nation’s Cybersecurity, tasked CISA, as the operational lead for federal cybersecurity, to “develop a standard set of operational procedures (i.e., playbook) to be used in planning and conducting cybersecurity vulnerability and incident response activity” for federal civilian agency information systems. In response, today, CISA published the Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. The playbooks provide federal civilian executive branch (FCEB) agencies with operational procedures for planning and conducting cybersecurity incident and vulnerability response activities. The playbooks provide illustrated decision trees and detail each step for both incident and vulnerability response.  
Yurika
脆弱性レスポンスプレイブックで、評価のフェーズではstakeholder-specific vulnerability categorization SSVCがすすめられているのが興味深いな 。CVSSの評価と比較してSSVCをすすめるのよく耳にするようになってきた気がする。
Mozilla が Firefox Relay Premium サービスを発表
Today, Firefox Relay, a privacy-first and free product that hides your real email address to help protect your identity, is available with a new paid Premium service offering. The release comes just in time for the holiday season to help spare your inbox from being inundated with emails from e-commerce sites, especially those sites where you may shop or visit a few times a year.
(コメント) 5つまでのエイリアスであれば引き続き無料で利用できる。なかなか重宝します。
Did you enjoy this issue? Yes No
Weekly newsletter of Masafumi Negishi
Weekly newsletter of Masafumi Negishi

Security Researcher, IIJ-SECT, SANS Instructor in Japan, OWASP Japan Advisory Board, WASForum Hardening Project, 子供たちが安心して使える安全なネット社会を実現したいですね。

In order to unsubscribe, click here.
If you were forwarded this newsletter and you like it, you can subscribe here.
Created with Revue by Twitter.