今週の気になるセキュリティニュース - Issue #48

スーパーコンピュータシステムの納入会社である日本ヒューレット・パッカード合同会社によるバックアッププログラムの機能改修において,不用意なプログラムの修正とその適用手順に問題があったことで,本来は不要になった過去のバックアップログファイルを削除する処理が,/LARGE0 ディレクトリ配下のファイル群を削除してしまう処理として誤動作しました.

Our initial findings led us to believe that these alerts were triggered in response to attempted “credential stuffing” activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. We quickly worked to investigate this activity and, at this time, have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of these credential stuffing attempts, nor have we found any indication that user’s LastPass credentials were harvested by malware, rogue browser extensions, or phishing campaigns.

We have addressed the issue causing messages to be stuck in transport queues of on-premises Exchange Server 2016 and Exchange Server 2019. The problem relates to a date check failure with the change of the new year and it not a failure of the AV engine itself. This is not an issue with malware scanning or the malware engine, and it is not a security-related issue. The version checking performed against the signature file is causing the malware engine to crash, resulting in messages being stuck in transport queues.

The Jerusalem Post website was hacked by pro-Iranian hackers in the early hours of Monday morning, with a photo of a model Dimona nuclear facility being blown up and the text “we are close to you where you do not think about it” in English and Hebrew placed on the Twitter and website.

Network data from NetBlocks confirm a significant disruption to internet service in Kazakhstan from the evening of Tuesday 4 January 2022, progressing to a nation-scale communications blackout on Wednesday afternoon.

The ongoing disruptions come amid widening protests against sudden energy price rises that started on the weekend in the western town of Zhanaozen.

In Kazakhstan, the year had barely got going when yesterday disruptions of Internet access ended up in a nationwide Internet shutdown from today, January 5, 2022 (below you’ll find two updates — January 6 and 7, 2022). The disruptions and subsequent shutdown happened amid mass protests against sudden energy price rises.

当社は、外部の専門機関と連携して、原因の究明や被害の内容等について調査を進めてまいりました。その結果、第三者が、当社海外子会社のサーバを経由し、日本のファイルサーバに不正アクセスを行った事実が確認されました。当該ファイルサーバ以外の業務システムへの不正アクセスは確認されませんでした。

We’ll dissect the iOS system and show how it’s possible to alter a shutdown event, tricking a user that got infected into thinking that the phone has been powered off, but in fact, it’s still running. The “NoReboot” approach simulates a real shutdown. The user cannot feel a difference between a real shutdown and a “fake shutdown”. There is no user-interface or any button feedback until the user turns the phone back “on”.

New York Attorney General Letitia James today announced the results of a sweeping investigation into “credential stuffing” that discovered more than 1.1 million online accounts compromised in cyberattacks at 17 well-known companies.

H2 Console in versions since 1.1.100 (2008-10-14) to 2.0.204 (2021-12-21) inclusive allows loading of custom classes from remote servers through JNDI.

H2 Console doesn’t accept remote connections by default. If remote access was enabled explicitly and some protection method (such as security constraint) wasn’t set, an intruder can load own custom class and execute its code in a process with H2 Console (H2 Server process or a web server with H2 Console servlet).

Very recently, the JFrog security research team has disclosed an issue in the H2 database console which was issued a critical CVE – CVE-2021-42392. This issue has the same root cause as the infamous Log4Shell vulnerability in Apache Log4j (JNDI remote class loading).

Beginning February 1, 2022, Salesforce will require customers to use MFA in order to access Salesforce products. All internal users who log in to Salesforce products (including partner solutions) through the user interface must use MFA for every login. We encourage you to start planning for this change now, and where possible, begin implementing MFA.