
This Week's Notable Security News - Issue #48

Weekly newsletter of Masafumi Negishi
Incidents and accidents
Approximately 34 million files (about 77 TB) lost on Kyoto University's supercomputer system due to a defect in a backup program
In the course of a functional modification to the backup program by Hewlett Packard Japan G.K., the vendor that supplied the supercomputer system, a careless modification of the program and problems with the procedure for applying it caused the process that was supposed to delete old backup log files that were no longer needed to malfunction and instead delete the files under the /LARGE0 directory.
Credential stuffing attacks against multiple LastPass users
Our initial findings led us to believe that these alerts were triggered in response to attempted “credential stuffing” activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. We quickly worked to investigate this activity and, at this time, have no indication that any LastPass accounts were compromised by an unauthorized third-party as a result of these credential stuffing attempts, nor have we found any indication that users’ LastPass credentials were harvested by malware, rogue browser extensions, or phishing campaigns.
(Comment) This initially caused a stir because multiple users received warning emails about unauthorized logins, but LastPass has explained that the emails were sent by mistake and that no unauthorized logins actually occurred.
Outage on Microsoft Exchange servers caused by the Y2K22 bug
We have addressed the issue causing messages to be stuck in transport queues of on-premises Exchange Server 2016 and Exchange Server 2019. The problem relates to a date check failure with the change of the new year and it is not a failure of the AV engine itself. This is not an issue with malware scanning or the malware engine, and it is not a security-related issue. The version checking performed against the signature file is causing the malware engine to crash, resulting in messages being stuck in transport queues.
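The quoted statement does not spell out the mechanism. The widely reported cause was that the signature version is a date-encoded decimal number (YYMMDDHHMM layout) stored in a signed 32-bit value, so the first version issued in 2022 no longer fits. The C below is an added illustration, not Microsoft's code: the layout is assumed from that reporting, the sample versions are constructed from the layout, and the parser rejects an out-of-range value instead of letting it crash later logic.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse a YYMMDDHHMM-style signature version into a signed 32-bit slot
 * (assumed layout; hypothetical code, not the real engine). Returns 0 on
 * success and -1 when the text is malformed or does not fit in int32_t,
 * so the caller can fail closed rather than crash on a wrapped value. */
int parse_sig_version(const char *text, int32_t *out) {
    char *end;
    errno = 0;
    long long v = strtoll(text, &end, 10);
    if (errno != 0 || end == text || *end != '\0' || v < 0) return -1;
    if (v > INT32_MAX) return -1;  /* the 2022 rollover lands here */
    *out = (int32_t)v;
    return 0;
}

/* Build the date-encoded version for a timestamp, so the reader can see
 * exactly where the new year pushes the value past INT32_MAX (2147483647). */
long long encode_version(int yy, int mm, int dd, int hh, int mi) {
    return ((((long long)yy * 100 + mm) * 100 + dd) * 100 + hh) * 100 + mi;
}

int main(void) {
    /* Constructed samples: last 2021-style value and first 2022-style value. */
    const char *samples[] = {"2112310001", "2201010001"};
    for (int i = 0; i < 2; i++) {
        int32_t v;
        if (parse_sig_version(samples[i], &v) == 0)
            printf("%s fits in int32 (%d)\n", samples[i], v);
        else
            printf("%s does not fit in int32: reject, do not crash\n", samples[i]);
    }
    return 0;
}
```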
Twitter permanently suspends the personal account of US Republican Representative Marjorie Taylor Greene for violating its COVID-19 misinformation policy
Website of Israel's Jerusalem Post defaced by a pro-Iranian hacker group
The Jerusalem Post website was hacked by pro-Iranian hackers in the early hours of Monday morning, with a photo of a model Dimona nuclear facility being blown up and the text “we are close to you where you do not think about it” in English and Hebrew placed on the Twitter and website.
Nationwide internet shutdown in Kazakhstan amid spreading large-scale anti-government protests
Network data from NetBlocks confirm a significant disruption to internet service in Kazakhstan from the evening of Tuesday 4 January 2022, progressing to a nation-scale communications blackout on Wednesday afternoon.
The ongoing disruptions come amid widening protests against sudden energy price rises that started on the weekend in the western town of Zhanaozen.
In Kazakhstan, the year had barely got going when yesterday disruptions of Internet access ended up in a nationwide Internet shutdown from today, January 5, 2022 (below you’ll find two updates — January 6 and 7, 2022). The disruptions and subsequent shutdown happened amid mass protests against sudden energy price rises.
Y2K22 bug reverts the car navigation date to 2002 on some Honda vehicles
Aichi Prefectural Police arrest a suspect for unauthorized access to other people's accounts, including Instagram
Y2K22 bug causes malfunctions in SonicWall Email Security products
Panasonic Corporation publishes a follow-up on the unauthorized access to its internal file server
We have been investigating the cause and the extent of the damage in cooperation with an external specialist organization. As a result, it was confirmed that a third party gained unauthorized access to a file server in Japan via a server at one of our overseas subsidiaries. No unauthorized access to business systems other than the file server in question was confirmed.
Attacks and threats
“NoReboot”, an attack technique that fakes a shutdown on iPhone
We’ll dissect the iOS system and show how it’s possible to alter a shutdown event, tricking a user that got infected into thinking that the phone has been powered off, but in fact, it’s still running. The “NoReboot” approach simulates a real shutdown. The user cannot feel a difference between a real shutdown and a “fake shutdown”. There is no user-interface or any button feedback until the user turns the phone back “on”.
New York Attorney General issues a warning about credential stuffing attacks
New York Attorney General Letitia James today announced the results of a sweeping investigation into “credential stuffing” that discovered more than 1.1 million online accounts compromised in cyberattacks at 17 well-known companies.
FBI warns that the FIN7 group is mailing malicious USB devices to US companies
Vulnerabilities
Log4Shell-like vulnerability in the H2 database console (CVE-2021-42392). The scope of impact, however, is quite limited.
H2 Console in versions since 1.1.100 (2008-10-14) to 2.0.204 (2021-12-21) inclusive allows loading of custom classes from remote servers through JNDI.
H2 Console doesn’t accept remote connections by default. If remote access was enabled explicitly and some protection method (such as security constraint) wasn’t set, an intruder can load their own custom class and execute its code in a process with H2 Console (H2 Server process or a web server with H2 Console servlet).
Very recently, the JFrog security research team has disclosed an issue in the H2 database console which was issued a critical CVE – CVE-2021-42392. This issue has the same root cause as the infamous Log4Shell vulnerability in Apache Log4j (JNDI remote class loading).
Other
Salesforce to require multi-factor authentication at login from February 1, 2022
Beginning February 1, 2022, Salesforce will require customers to use MFA in order to access Salesforce products. All internal users who log in to Salesforce products (including partner solutions) through the user interface must use MFA for every login. We encourage you to start planning for this change now, and where possible, begin implementing MFA.

Security Researcher, IIJ-SECT, SANS Instructor in Japan, OWASP Japan Advisory Board, WASForum Hardening Project. I want to help build a safe online society that children can use with peace of mind.

Created with Revue by Twitter.