
This Week's Notable Security News - Issue #52

Weekly newsletter of Masafumi Negishi
Incidents and accidents
Wormhole has a vulnerability exploited and loses $325M worth of crypto assets
Wormhole🌪 (tweet 1/2): All funds have been restored and Wormhole is back up. We're deeply grateful for your support and thank you for your patience.
Wired reports that the DDoS attacks on North Korea at the end of January were the work of a single hacker in the US
P4x says he’s found numerous known but unpatched vulnerabilities in North Korean systems that have allowed him to singlehandedly launch “denial-of-service” attacks on the servers and routers the country’s few internet-connected networks depend on.
Attacks and threats
IPA reports on computer virus and unauthorized access notifications received in 2021
Coveware publishes its ransomware report for Q4 2021
The Council of Anti-Phishing Japan publishes its phishing report figures for January 2022
The number of phishing reports in January 2022 was 50,615, a decrease of 12,544 compared with December 2021.
Phishing impersonating Amazon accounted for about 33.8% of all reports; together with the next most-reported brands, Mercari, JCB and Sumitomo Mitsui Card, the top 4 brands accounted for about 67.6% of all reports. In addition, 10 brands each received 1,000 or more reports, and these top 10 brands accounted for about 82.9% of the total.
Volexity reports on attack campaigns exploiting a zero-day XSS vulnerability in Zimbra
In December 2021, through its Network Security Monitoring service, Volexity identified a series of targeted spear-phishing campaigns against one of its customers from a threat actor it tracks as TEMP_Heretic. Analysis of the emails from these spear phishing campaigns led to a discovery: the attacker was attempting to exploit a zero-day cross-site scripting (XSS) vulnerability in the Zimbra email platform. Zimbra is an open source email platform often used by organizations as an alternative to Microsoft Exchange.
News Corporation discloses that it was hit by a state-backed cyberattack in January
In January 2022, the Company discovered that one of these systems was the target of persistent cyberattack activity. Together with an outside cybersecurity firm, the Company is conducting an investigation into the circumstances of the activity to determine its nature, scope, duration and impacts. The Company’s preliminary analysis indicates that foreign government involvement may be associated with this activity, and that data was taken. To the Company’s knowledge, its systems housing customer and financial data were not affected. The Company is remediating the issue, and to date has not experienced any related interruptions to its business operations or systems. Based on its investigation to date, the Company believes the activity is contained. At this time, the Company is unable to estimate the expenses it will incur in connection with its investigation and remediation efforts.
Reports on attack activity against Ukraine by the threat group Gamaredon (Primitive Bear, ACTINIUM)
Since November, geopolitical tensions between Russia and Ukraine have escalated dramatically. It is estimated that Russia has now amassed over 100,000 troops on Ukraine’s eastern border, leading some to speculate that an invasion may come next. On Jan. 14, 2022, this conflict spilled over into the cyber domain as the Ukrainian government was targeted with destructive malware (WhisperGate) and a separate vulnerability in OctoberCMS was exploited to deface several Ukrainian government websites. While attribution of those events is ongoing and there is no known link to Gamaredon (aka Primitive Bear), one of the most active existing advanced persistent threats targeting Ukraine, we anticipate we will see additional malicious cyber activities over the coming weeks as the conflict evolves. We have also observed recent activity from Gamaredon. In light of this, this blog provides an update on the Gamaredon group.
The Microsoft Threat Intelligence Center (MSTIC) is sharing information on a threat group named ACTINIUM, which has been operational for almost a decade and has consistently pursued access to organizations in Ukraine or entities related to Ukrainian affairs. MSTIC previously tracked ACTINIUM activity as DEV-0157, and this group is also referred to publicly as Gamaredon. 
In the last six months, MSTIC has observed ACTINIUM targeting organizations in Ukraine spanning government, military, non-government organizations (NGO), judiciary, law enforcement, and non-profit, with the primary intent of exfiltrating sensitive information, maintaining access, and using acquired access to move laterally into related organizations. MSTIC has observed ACTINIUM operating out of Crimea with objectives consistent with cyber espionage. The Ukrainian government has publicly attributed this group to the Russian Federal Security Service (FSB).
Vulnerabilities
Remote code execution vulnerability in Samba (CVE-2021-44142)
All versions of Samba prior to 4.13.17 are vulnerable to an out-of-bounds heap read write vulnerability that allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit.
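As an added example (not code from the newsletter or from the Samba project), the Python check below takes `smbd --version` output and an smb.conf and reports whether CVE-2021-44142 is reachable on that host. It goes slightly beyond the quoted sentence in two ways, both taken from the Samba security release of 31 January 2022: the fix also shipped as 4.14.12 and 4.15.5 for the newer branches, and the buggy vfs_fruit code is only reachable when the module is loaded with its default fruit:metadata=netatalk or fruit:resource=file settings (a share with both set to non-default values is not affected). The version string and smb.conf in the block are constructed sample input, not from a real host.

```python
"""Assess a Samba host for CVE-2021-44142 (vfs_fruit out-of-bounds heap read/write).

Added example; fixed versions and the fruit:metadata / fruit:resource condition
are taken from the Samba security release and advisory for this CVE.
"""
import configparser
import re

# First fixed release per branch (Samba security release, 2022-01-31).
FIXED = {(4, 13): (4, 13, 17), (4, 14): (4, 14, 12), (4, 15): (4, 15, 5)}


class SmbConf(configparser.RawConfigParser):
    """smb.conf is INI-like; Samba ignores case and whitespace in parameter names."""

    def optionxform(self, optionstr):
        return re.sub(r"\s+", "", optionstr).lower()


def parse_version(text):
    """Pull major.minor.patch out of `smbd --version` output such as 'Version 4.13.13-Ubuntu'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Samba version: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_unpatched(v):
    """True when v predates the CVE-2021-44142 fix for its release branch."""
    # Branches older than 4.13 never received the fix; anything newer than 4.15 has it.
    fixed = FIXED.get(v[:2], (4, 13, 17))
    return v < fixed


def load_smb_conf(text):
    # '=' only: the default ':' delimiter would split 'fruit:metadata = netatalk' wrongly.
    cp = SmbConf(strict=False, delimiters=("=",),
                 comment_prefixes=(";", "#"), inline_comment_prefixes=(";", "#"))
    cp.read_string(text)
    return cp


def exposed_shares(cp):
    """Shares on which the vulnerable vfs_fruit code path is reachable.

    A share inherits any parameter it does not set from [global]. The bug is reachable
    when 'fruit' is among the loaded VFS objects and either fruit:metadata is netatalk
    (the default) or fruit:resource is file (the default).
    """
    def setting(share, key, default):
        for section in (share, "global"):
            if cp.has_section(section) and cp.has_option(section, key):
                return cp.get(section, key).strip().lower()
        return default

    out = []
    for share in cp.sections():
        if share == "global":
            continue
        if "fruit" not in setting(share, "vfs objects", "").split():
            continue
        if (setting(share, "fruit:metadata", "netatalk") == "netatalk"
                or setting(share, "fruit:resource", "file") == "file"):
            out.append(share)
    return out


def assess(version_text, smb_conf_text):
    """Only an unpatched version combined with a reachable share counts as vulnerable."""
    v = parse_version(version_text)
    shares = exposed_shares(load_smb_conf(smb_conf_text))
    unpatched = version_unpatched(v)
    return {"version": v, "unpatched": unpatched,
            "exposed_shares": shares, "vulnerable": unpatched and bool(shares)}


# Constructed sample input (not a real host): an unpatched 4.13 with fruit loaded globally
# but switched to the unaffected settings, and one share that re-enables the default.
SAMPLE_VERSION = "Version 4.13.13-Ubuntu"
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   vfs objects = catia fruit streams_xattr
   fruit:metadata = stream
   fruit:resource = stream

[timemachine]
   path = /srv/tm
   fruit:metadata = netatalk      ; share-level override restores the vulnerable default

[plain]
   path = /srv/plain
   vfs objects = streams_xattr    ; fruit is not loaded on this share

[home]
   path = /home/%U
"""

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_SMB_CONF))
```

Run it against the real `smbd --version` output and `/etc/samba/smb.conf` of a file server; an empty `exposed_shares` list on an unpatched host means the advisory's workaround (dropping `fruit` from `vfs objects`, or setting both fruit options away from their defaults) is already in effect, but upgrading remains the correct fix.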
Privilege escalation vulnerability in ESET endpoint products (CVE-2021-37852)
A report of a potential local privilege escalation vulnerability was submitted to ESET by the Zero Day Initiative (ZDI). It potentially allows an attacker to misuse the AMSI scanning feature in specific cases. ESET mitigated the issue and recommends using the most recently released product versions, as detailed below.
This vulnerability allows local attackers to escalate privileges on affected installations of ESET Endpoint Antivirus. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the use of named pipes. The issue results from allowing an untrusted process to impersonate the client of a pipe. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.
Multiple vulnerabilities in Cisco Small Business RV series routers
The Cisco PSIRT is aware that proof-of-concept exploit code is available for several of the vulnerabilities that are described in this advisory.
Other
METI publishes the "Information Security Service Standards, 2nd edition" and the "Standards for Certification Bodies for Information Security Services, 2nd edition"
NTT Docomo begins offering "IPv6 single-stack" address assignment
Until now, IP addresses for Docomo customers have been assigned using "IPv4/IPv6 dual stack", but from Tuesday, February 1, 2022, we will progressively provide "IPv6 single stack" (hereinafter "this method") to supported devices. Once introduced, only an IPv6 address will be assigned to supported devices.
Yahoo! Japan announces that, apart from some services, its services will become unavailable from Europe starting April 6
Yahoo! JAPAN has concluded that it is difficult to keep providing a usable service environment for customers in the European Economic Area (EEA) and the United Kingdom. Accordingly, from Wednesday, April 6, 2022, its services will no longer be available from the EEA and the UK, except for those listed below under "Services that remain available on and after Wednesday, April 6, 2022".

Security Researcher, IIJ-SECT, SANS Instructor in Japan, OWASP Japan Advisory Board, WASForum Hardening Project. I want to help build a safe online society that children can use with confidence.

Created with Revue by Twitter.