
This Week's Notable Security News - Issue #44

Weekly newsletter of Masafumi Negishi
Incidents and accidents
Wind turbine manufacturer Vestas hit by a ransomware infection
Although Vestas is close to normal operations, the work and investigations are still ongoing. In that regard, Vestas maintains there is no indication that the event has impacted customer and supply chain operations, which is supported by the forensics investigation carried out with the assistance of third-party experts. The cyber incident, which our investigations indicate was ransomware, impacted Vestas’ internal systems and resulted in data being compromised. The extent to which data has been compromised is still being investigated, but for now it appears that the data foremost relates to Vestas’ internal matters.
Microsoft Defender produces false positives for Emotet
Smart lock product Qrio Lock experiences difficulty connecting to its servers from 11/26 to 12/2
US Department of Justice arrests a former Ubiquiti employee for stealing internal company data and extorting the company
Damian Williams, the United States Attorney for the Southern District of New York, and Michael J. Driscoll, Assistant Director-in-Charge of the New York Office of the Federal Bureau of Investigation (“FBI”), announced the arrest today of NICKOLAS SHARP for secretly stealing gigabytes of confidential files from a New York-based technology company where he was employed (“Company‑1”), and then, while purportedly working to remediate the security breach, extorting the company for nearly $2 million for the return of the files and the identification of a remaining purported vulnerability. SHARP subsequently re-victimized his employer by causing the publication of misleading news articles about the company’s handling of the breach that he perpetrated, which were followed by a significant drop in the company’s share price associated with the loss of billions of dollars in its market capitalization.
An Oregon man and a former employee of Ubiquiti Networks was arrested and charged today with hacking the company’s servers, stealing gigabytes of information, and then attempting to extort his employer for $2 million when Ubiquiti began investigating the breach.
MonoX has a smart contract bug exploited and roughly $31M worth of crypto assets stolen
First, we wanted to give you a quick breakdown of the addresses that have lost funds and each of these wallets are on top of mind to make right. 406 ETH and 15,523 Polygon addresses have been affected by the hack, and of these addresses, 42 ETH and 2,653 Polygon have been actively LPing in more than just 1 pool.
Roughly $31M was drained from the pool as a result of the hack
Oki Electric Industry (OKI) discloses unauthorized access to an internal file server
On November 8, 2021, OKI confirmed unauthorized access to its network by a third party. As a result of an internal investigation, it was found on November 30 that there had been suspicious access to an internal file server and that some data may have been read. An investigation by an external specialist organization is also being conducted, and we are currently confirming details such as whether customer information or personal information is included.
DeFi platform BadgerDAO suffers unauthorized access and $120M worth of crypto assets are stolen
₿adgerDAO 🦡
Badger has received reports of unauthorized withdrawals of user funds.

As Badger engineers investigate this, all smart contracts have been paused to prevent further withdrawals.

Our investigation is ongoing and we will release further information as soon as possible.
Reports that the iPhones of multiple US diplomats were infected with NSO Group's Pegasus spyware
Apple Inc iPhones of at least nine U.S. State Department employees were hacked by an unknown assailant using sophisticated spyware developed by the Israel-based NSO Group, according to four people familiar with the matter.
The hacks, which took place in the last several months, hit U.S. officials either based in Uganda or focused on matters concerning the East African country, two of the sources said.
Apple has alerted 11 U.S. Embassy employees that their iPhones have been hacked in recent months with Pegasus spyware from NSO Group, an Israel-based company that licenses software to government clients in dozens of countries that allows them to secretly steal files, eavesdrop on conversations and track the movements of its targets, according to people familiar with the notifications.
Last night, following an inquiry we received alleging Ugandan phone numbers used by US government officials were hacked, we immediately shut down all the customers potentially relevant to this case, due to the severity of the allegations, and even before we began the investigation.
This termination took place despite the fact that there is no indication the phones were targeted by NSO’s technology. The claims of all involved parties specifically mentioned there is no indication, let alone proof, that it was NSO’s tools that were used by these customers.
Attacks and threats
The National Police Agency warns that it has observed attacks targeting vulnerabilities in Movable Type (CVE-2021-20837) and PowerCMS (CVE-2021-20850)
360 Netlab reports on EwDoor, a new botnet infecting Edgewater Networks devices of AT&T customers
On October 27, 2021, our Botmon system identified an attacker attacking Edgewater Networks’ devices via CVE-2017-6079 with a relatively unique mount file system command in its payload, which had our attention, and after analysis, we confirmed that this was a brand new botnet, and based on its targeting of Edgewater producers and its Backdoor feature, we named it EwDoor.
Court documents made public reveal that the FBI seized about 40 BTC from a REvil affiliate in August
The FBI seized $2.3 million in August from a well-known REvil and GandCrab ransomware affiliate, according to court documents seen by BleepingComputer.
In a complaint unsealed today, the FBI seized 39.89138522 bitcoins worth approximately $2.3 million at current prices ($1.5 million at time of seizure) from an Exodus wallet on August 3rd, 2021.
Exodus is a desktop or mobile wallet that owners can use to store cryptocurrency, including Bitcoin, Ethereum, Solana, and many others.
The FBI does not state how they gained access to the wallet other than that it is in their custody, indicating that they likely gained access to the wallet’s private key or secret passphrase.
Security researcher reports on attack activity against the Tor network by the threat actor group KAX17
Emotet spreads using a fake Windows App Installer
The Emotet malware is now distributed through malicious Windows App Installer packages that pretend to be Adobe PDF software.
(Comment) This is the topic we covered on last week's podcast! The technique was originally used by BazarLoader. Emotet's infection activity appears to be growing more active week by week.
bom
Regarding the app installer, the error has been fixed and it can now be installed.

As for its behavior, the app downloads the #Emotet DLL and executes it.
The download location is the same as the ones that the other xlsm files communicate with.
If you are using the URLhaus feed for blocking, the infection can be prevented.

References
https://t.co/Hczzx5vcIz https://t.co/0ogHdgHIs0
abuse.ch
Emotet's activity yesterday was huge in terms of unique #Emotet malware distribution sites reported to URLhaus 📢 It was an uptick of +447% compared to end of November! 🔥

👉 https://t.co/fkDITyH9GT https://t.co/iMJucbojgM
FBI and CISA warn that an APT group is exploiting a vulnerability in Zoho ManageEngine ServiceDesk Plus (CVE-2021-44077)
This joint advisory is the result of analytic efforts between the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) to highlight the cyber threat associated with active exploitation of a newly identified vulnerability (CVE-2021-44077) in Zoho ManageEngine ServiceDesk Plus—IT help desk software with asset management.
Over the past two months, a persistent and determined APT group has carried out multiple attack campaigns, compromising at least 13 organizations. On September 16, 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a warning that an APT group was actively exploiting a newly identified vulnerability in the self-service password management and single sign-on solution known as ManageEngine ADSelfService Plus. Following this initial report, on November 7, Unit 42 revealed that at least nine organizations had been compromised in a second, more sophisticated, active and hard-to-detect campaign.
As an update to the original report, over the past month we have confirmed that the group has expanded its focus beyond ADSelfService Plus to other vulnerable software. Most notably, between October 25 and November 8, the group shifted its focus to multiple organizations using another Zoho product, ManageEngine ServiceDesk Plus. We are currently tracking this combined activity under the name "TiltedTemple campaign".
Emsisoft publishes its ransomware report for Q3 2021
Vulnerabilities
Vulnerability in NSS, the cryptographic library provided by Mozilla (CVE-2021-43527)
NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS.
Note: This vulnerability does NOT impact Mozilla Firefox. However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted.
Remote code execution vulnerability in Zoho ManageEngine Desktop Central (CVE-2021-44515)
This notification is in regard to an authentication bypass vulnerability that was recently identified in Desktop Central. This applies to Desktop Central MSP as well. Registered as CVE-2021-44515, this vulnerability has now been fixed and released in our latest build on 3rd December 2021.
An authentication bypass vulnerability in ManageEngine Desktop Central was identified and the vulnerability can allow an adversary to bypass authentication and execute arbitrary code in the Desktop Central server.
Note: As we are noticing indications of exploitation of this vulnerability, we strongly advise customers to update their installations to the latest build as soon as possible.
Other
IPA's Cyber Rescue and Advice Team (J-CRAT) reports on its activities for the first half of FY2021
Media leak a document showing what data the FBI can obtain from messaging services through legal means
(Comment) It does not appear to contain anything particularly new
NICT publishes the observation results for Q3 2021 (July to September) from the NICTER project's darknet monitoring network
The Japan IT Federation (日本IT団体連盟) publishes a survey report on the cybersecurity posture and disclosure practices of companies in the Nikkei 500 index
The Critical Infrastructure group of the National center of Incident readiness and Strategy for Cybersecurity (NISC) publishes "Guidance on System Operation Using the Cloud"
Medical ISAC publishes the report "Results and Discussion of a Security Questionnaire Survey of Domestic Hospitals"

Security Researcher, IIJ-SECT, SANS Instructor in Japan, OWASP Japan Advisory Board, WASForum Hardening Project. I want to help build a safe online society that children can use with peace of mind.

Created with Revue by Twitter.