今週の気になるセキュリティニュース - Issue #42

The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails. LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners. While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service. No actor was able to access or compromise any data or PII on the FBI’s network. Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks.

On November 13, 2021, the FBI.gov domain was used to send out hoax emails to tens of thousands of people regarding Night Lion’s ongoing investigation into The Dark Overlord hacking group. The purpose of the email was to apparently discredit Night Lion & Shadowbyte’s founder, Vinny Troia, claiming that I am a member of that group.

I was initially warned of the attack around 10 pm EST on November 12 when user PomPompurin contacted me via direct message on Twitter to say “Enjoy”. I knew immediately an attack was coming as he typically likes to (sadistically) give me a heads-up right before they stage some sort of attack on me.

The JFrog Security research team continuously monitors popular open source software (OSS) repositories with our automated tooling to report vulnerable and malicious packages to repository maintainers. Earlier this year we disclosed several malicious packages targeting developers’ private data that were downloaded approximately 30K times. Today, we will share details about 11 new malware packages that we’ve recently discovered and disclosed to the PyPI maintainers (who promptly removed them).

2021年11月15日（月）、経済同友会事務局の情報システムへの不正アクセスが確認され、現時点で個人情報を含む情報流出の可能性が高いことが判明しました。これを受けた緊急対応として、本会情報システムの一部稼働を見合わせております。

tl;dr: Emotet

The (slighty) longer story:

On Sunday, November 14, at around 9:26pm UTC we observed on several of our Trickbot trackers that the bot tried to download a DLL to the system. According to internal processing, these DLLs have been identified as Emotet. However, since the botnet was taken down earlier this year, we were suspicious about the findings and conducted an initial manual verification. Please find first results and IOCs below. Currently, we have high confidence that the samples indeed seem to be a re-incarnation of the infamous Emotet.

Back in January 2021, law enforcement and judicial authorities worldwide took down the Emotet botnet. Although some Emotet emails still went out in the weeks after that, those were remnants from the inactive botnet infrastructure. We hadn’t seen any new Emotet since then.

But on Monday 2021-11-15, we saw indicators that Emotet has returned. This diary reviews activity from a recent Emotet infection.

日本時間の2021年11月15日、マルウェアEmotetの活動が再開され、11月17日頃から日本組織においても攻撃メールが届き始めていることを当社で確認しています。

We demonstrate that it is possible to trigger Rowhammer bit flips on all DRAM devices today despite deployed mitigations on commodity off-the-shelf systems with little effort. This result has a significant impact on the system’s security as DRAM devices in the wild cannot easily be fixed, and previous work showed real-world Rowhammer attacks are practical, for example, in the browser using JavaScript, on smartphones, across VMs in the cloud, and even over the network.

Rowhammer is a vulnerability caused by leaking charges in DRAM cells that enables attackers to induce bit flips in DRAM memory. To stop Rowhammer, DRAM implements a mitigation known as Target Row Refresh (TRR). Our previous work showed that the new n-sided patterns can still trigger bit flips on 31% of today’s PC-DDR4 devices. We propose a new highly effective approach for crafting non-uniform and frequency-based Rowhammer access patterns that can bypass TRR from standard PCs. We implement these patterns in our Rowhammer fuzzer named Blacksmith and show that it can bypass TRR on 100% of the PC-DDR4 DRAM devices in our test pool. Further, our work provides new insights on the deployed mitigations.

Webメールサービスのメンテナンスやお知らせなどをかたったメールが送られており、メールの本文中のリンクへ接続すると、同サービスのログイン画面になりすましたサイトに誘導されます。そのサイトでメールアドレスとパスワードなどを入力して情報を送信すると、攻撃者にアカウント情報が詐取されます。また、詐取されたアカウント情報は、別のフィッシングメールを送るための踏み台として攻撃者に悪用され、さらなる攻撃が展開されます。

CISA, the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) have released a joint Cybersecurity Advisory highlighting ongoing malicious cyber activity by an advanced persistent threat (APT) group that FBI, CISA, ACSC, and NCSC assess is associated with the government of Iran. FBI and CISA have observed this Iranian government-sponsored APT exploit Fortinet and Microsoft Exchange ProxyShell vulnerabilities to gain initial access to systems in advance of follow-on operations, which include deploying ransomware.

NETGEAR is aware of a pre-authentication buffer overflow security vulnerability that requires access via your local area network to be exploited.

Continuing in our series of research findings involving Netgear1 products,2 this blog post describes a pre-authentication vulnerability in Netgear SOHO Devices that can lead to Remote Code Execution (RCE) as root. While our previous research investigated the Netgear web server and update daemons, the issues described in this blog revolve around the device’s UPnP daemon. Anyone with Small Offices/Home Offices (SOHO) device vulnerability research experience will be familiar with UPnP. UPnP servers allow any unauthenticated device on the network to connect to the server and reconfigure the network to support its operations. For instance, the Xbox One uses UPnP to configure port forwarding necessary for gameplay. However, this service provides a large attack surface for the device, as it must allow unauthenticated requests and parse complex input to handle those requests. Further, the UPnP service on SOHO devices has previously been exploited in the wild.3

The npm registry is central to all JavaScript development, and, as stewards of the registry, ensuring its security is a responsibility GitHub takes seriously. Transparency is key in maintaining the trust of our community. Today, we are sharing details of recent incidents on the npm registry, the details of our investigations, and how we’re continuing to invest in the security of npm. These investments include the requirement of two-factor authentication (2FA) during authentication for maintainers and admins of popular packages on npm, starting with a cohort of top packages in the first quarter of 2022. Read on to learn more.

At 5:15 UTC (00:15 EST) on Sunday, Nov. 14, Taproot, the long-anticipated Bitcoin upgrade, activated at block 709,632, opening the door for developers to integrate new features that will improve privacy, scalability and security on the network.

The upgrade locked in back in June, when over 90% of miners chose to “signal” their support. A programmed waiting period between lock-in and activation has since given node operators and miners time to fully upgrade to the latest version of Bitcoin Core, 21.1, which contains the merged code for Taproot. Only once they do so will they be able to enforce the new rules making it possible to use the new type of transaction.

The White House, via Executive Order (EO) 14028: Improving the Nation’s Cybersecurity, tasked CISA, as the operational lead for federal cybersecurity, to “develop a standard set of operational procedures (i.e., playbook) to be used in planning and conducting cybersecurity vulnerability and incident response activity” for federal civilian agency information systems. In response, today, CISA published the Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. The playbooks provide federal civilian executive branch (FCEB) agencies with operational procedures for planning and conducting cybersecurity incident and vulnerability response activities. The playbooks provide illustrated decision trees and detail each step for both incident and vulnerability response.  

Today, Firefox Relay, a privacy-first and free product that hides your real email address to help protect your identity, is available with a new paid Premium service offering. The release comes just in time for the holiday season to help spare your inbox from being inundated with emails from e-commerce sites, especially those sites where you may shop or visit a few times a year.