This Week's Security News of Interest - Issue #57

Weekly newsletter of Masafumi Negishi
Incidents and accidents
Toei Animation suffers a system outage caused by unauthorized access, affecting the broadcast schedule of TV anime in production
Details are currently under investigation, but we have confirmed that the broadcast schedules of our TV anime "Dragon Quest: The Adventure of Dai", "Delicious Party♡Precure", "Digimon Ghost Game" and "ONE PIECE" will be affected, and are announcing this accordingly.
Fujitsu releases additional information on the unauthorized access it reported last year
Until now we had reported that the number of customers affected by the unauthorized access to our project information-sharing tool "ProjectWEB" was 129, but it has now been found that the number is 142. We are reporting to the affected customers individually and proceeding with the necessary responses.
Cyberattacks related to Ukraine and Russia
Over the past two weeks, TAG has observed activity from a range of threat actors that we regularly monitor and are well-known to law enforcement, including FancyBear and Ghostwriter. This activity ranges from espionage to phishing campaigns. We’re sharing this information to help raise awareness among the security community and high risk users:
On Friday, March 4, we published this blog post to comment on Cogent’s decision to terminate their commercial relationships with their Russian customers. Today, March 7, another international telecom, Lumen, announced that it will also take action. We’ve updated this blog post to reflect the latest information we have.
On March 1, a tweet from MalwareHunterTeam about a possible ransomware variant caught our attention and set our immediate analysis into motion. We found several additional samples of this malware, which has been dubbed as “RURansom” by its developer. Despite its name, analysis has revealed it to be a wiper and not a ransomware variant because of its irreversible destruction of encrypted files.
OpRussia was an operation that originally targeted Russia, while OpRedScare appears to have been given a separate name because it includes Belarus in addition to Russia. Since it seems to be a derivative that arose from changes in the situation, it is effectively fine to treat it as OpRussia. We investigated the information shared in this OP and are sharing it here.
Opportunistic cybercriminals are attempting to exploit Ukrainian sympathizers by offering malware purporting to be offensive cyber tools to target Russian entities. Once downloaded, these files infect unwitting users rather than delivering the tools originally advertised.
In one such instance, we observed a threat actor offering a distributed denial-of-service (DDoS) tool on Telegram intended to be used against Russian websites. The downloaded file is actually an information stealer that infects the unwitting victim with malware designed to dump credentials and cryptocurrency-related information.
A major Ukrainian internet service provider says it was hacked twice. Sources tell Forbes that the first hack was in February, the second on March 9, and that the hackers managed to reset devices to factory settings.
In the Cyberwar category, we are listing 364,000 files from the Roskomnadzor, the Russian federal agency responsible for censorship of Russian media, specifically from the republic of Bashkortostan.
Backbone Internet connectivity to and from Russia does not appear to be limited or constrained despite recent reports of major global transit providers “disconnecting” from Russia. Russia’s connection to the global Internet continues, enabling traffic to flow into and out of the country—at least at an infrastructure level.
Access to certain Russian sites for government, energy and banking entities has been impacted by traffic blocking implemented by ISPs and site owners based on the source and/or destination of the traffic. In some cases, this filtering was precipitated by prolonged periods of heavy traffic loss indicative of congestion commonly seen during DDoS attacks. 
Western intelligence agencies are investigating a cyberattack by unidentified hackers that disrupted broadband satellite internet access in Ukraine coinciding with Russia’s invasion, according to three people with direct knowledge of the incident.
YouTube announced on Friday that it had begun blocking access globally to channels associated with Russian state-funded media, citing a policy barring content that denies, minimizes or trivializes well-documented violent events.
Masafumi Negishi
Updated the status of backscatter observed at IIJ honeypots (through 3/7). From Ukraine, over the past few days we have observed large numbers of packets from a small number of specific sites such as media outlets. From Russia, we have been observing packets from multiple media outlets and financial institutions every day. https://t.co/5UJBZHKKSz
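The observation in the tweet above rests on a simple mechanism: a host under a spoofed-source SYN flood answers every forged SYN with a SYN-ACK (or RST) sent to the forged address, so a honeypot or darknet that never initiated a connection still receives those replies, and the reply's source address names the flooded site. The Python below is an added example, not IIJ's observation code: it separates legitimate replies from backscatter in a constructed packet log (TEST-NET addresses; the sensor is assumed to be 192.0.2.0/24), aggregates by victim, and applies the usual darknet scaling (observed packets times 2^32 over the number of monitored addresses), which assumes the attacker chooses spoofed sources uniformly at random.

```python
"""Backscatter classification over a constructed packet log.

Added example, not IIJ's code. The sensor is assumed to be a /24
honeypot/darknet (192.0.2.0/24, TEST-NET-1); every address and packet
below is constructed, not captured data.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Iterable

# TCP flag bits (layout of the flags byte)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

MONITORED_ADDRESSES = 256  # size of the assumed /24 sensor range


@dataclass(frozen=True)
class Packet:
    ts: float         # seconds
    direction: str    # "in" (towards the sensor) or "out" (sent by the sensor)
    src: str
    sport: int
    dst: str
    dport: int
    flags: int        # TCP flags byte


def reply_kind(flags: int) -> str | None:
    """Name the packet if it is a TCP reply (SYN-ACK or RST), else None."""
    if flags & SYN and flags & ACK:
        return "SYN-ACK"
    if flags & RST:
        return "RST-ACK" if flags & ACK else "RST"
    return None


def classify_backscatter(packets: Iterable[Packet]) -> dict[str, dict]:
    """Group unsolicited TCP replies by their source (the flooded host).

    A reply is legitimate only if the sensor itself sent the matching SYN
    earlier; any other reply is backscatter from a spoofed-source flood.
    """
    our_syns: set[tuple[str, int, str, int]] = set()
    stats: dict[str, dict] = defaultdict(
        lambda: {"packets": 0, "sensor_targets": set(), "kinds": Counter()})
    for p in sorted(packets, key=lambda p: p.ts):
        if p.direction == "out":
            if p.flags & SYN and not p.flags & ACK:   # our own connection attempt
                our_syns.add((p.src, p.sport, p.dst, p.dport))
            continue
        kind = reply_kind(p.flags)
        if kind is None:                               # plain SYN scan, data, etc.
            continue
        if (p.dst, p.dport, p.src, p.sport) in our_syns:  # answer to our SYN
            continue
        s = stats[p.src]
        s["packets"] += 1
        s["sensor_targets"].add(p.dst)   # forged sources spread across the sensor range
        s["kinds"][kind] += 1
    return dict(stats)


def top_victims(stats: dict[str, dict], n: int = 10) -> list[tuple[str, int]]:
    """Flooded hosts ordered by backscatter volume."""
    return sorted(((ip, s["packets"]) for ip, s in stats.items()),
                  key=lambda t: (-t[1], t[0]))[:n]


def estimate_attack_rate(observed: int, window_seconds: float,
                         monitored_addresses: int = MONITORED_ADDRESSES) -> float:
    """Scale observed backscatter up to the whole IPv4 space (packets/second).

    Assumes uniformly random spoofed sources, so the sensor receives
    monitored_addresses / 2**32 of all replies the victim sends.
    """
    return observed * (2 ** 32 / monitored_addresses) / window_seconds


# Constructed sample log. 198.51.100.10 plays a flooded media site,
# 203.0.113.7 a flooded bank; 198.51.100.200 is a host the sensor contacted.
SAMPLE_PACKETS = [
    Packet(0.0, "out", "192.0.2.5", 40000, "198.51.100.200", 80, SYN),
    Packet(0.1, "in", "198.51.100.200", 80, "192.0.2.5", 40000, SYN | ACK),   # reply to us
    Packet(1.0, "in", "198.51.100.10", 443, "192.0.2.17", 51234, SYN | ACK),
    Packet(1.2, "in", "198.51.100.10", 443, "192.0.2.89", 60001, SYN | ACK),
    Packet(1.5, "in", "198.51.100.10", 443, "192.0.2.3", 33333, RST | ACK),
    Packet(2.0, "in", "203.0.113.7", 443, "192.0.2.200", 1025, SYN | ACK),
    Packet(2.5, "in", "10.9.8.7", 12345, "192.0.2.1", 22, SYN),               # a scan, not backscatter
    Packet(3.0, "in", "198.51.100.10", 443, "192.0.2.17", 51234, SYN | ACK),  # retransmit
]

if __name__ == "__main__":
    stats = classify_backscatter(SAMPLE_PACKETS)
    for ip, count in top_victims(stats):
        s = stats[ip]
        print(f"{ip}: {count} pkts, {len(s['sensor_targets'])} sensor addrs, "
              f"{dict(s['kinds'])}, est. {estimate_attack_rate(count, 10.0):,.0f} pps")
```

The spread of destination addresses inside the sensor range is the usual sanity check: a real backscatter source hits many unrelated sensor addresses on random ports, whereas a single misbehaving peer or a scanner tends to concentrate on one. The rate estimate is only as good as the uniform-spoofing assumption; attackers that spoof from a small subnet, or replies rate-limited by the victim, will make it wrong in either direction.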
Internet Health Report
Russia’s largest ISP, Rostelecom (AS12389), showing signs of daily congestion on international connections.

Data from @ripencc @RIPE_Atlas
https://t.co/NjBAU3aIoj https://t.co/7XfsM08rYD
NetBlocks
⚠️ Update: The 750 kV #Chernobyl-Kyiv high-voltage power line is cut following damage caused by Russia, and the plant cannot cool spent nuclear fuel per #Ukraine's Energoatom.

Remote monitoring links have also been severed:

📰 https://t.co/VzYBEvfG11
📰 https://t.co/h7QnPQm2RD https://t.co/ALOEzwTjaH
NetBlocks
⚠️ Update: The IAEA has confirmed that it is no longer receiving data from safeguard systems installed to monitor nuclear material at the Zaporizhzhya and Chernobyl nuclear power plants in #Ukraine.

📰 https://t.co/xXp6B9hMlG
📰 https://t.co/h7QnPQm2RD
📰 https://t.co/2L7yAzmZgC
Attacks and threats
Akamai, Cloudflare and others issue alerts after observing UDP amplification attacks that abuse Mitel products
Lumen reports on its observations of Emotet. The number of infections in Japan is very high.
As depicted in Figure 5, Emotet bots today show a heavy distribution in Asia, namely Japan, India, Indonesia and Thailand. This is not surprising given the preponderance of vulnerable or outdated Windows hosts in the region. The remaining top 10 countries by volume of Emotet bots includes (in order): South Africa, Mexico, the United States, China, Brazil and Italy.
Vulnerabilities
US CISA adds 11 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog
Microsoft releases its March 2022 monthly security updates
Among the vulnerabilities fixed in this month's security updates, we have confirmed that information on CVE-2022-21990 (Remote Desktop Client), CVE-2022-24459 (Windows Fax and Scan Service) and CVE-2022-24512 (.NET and Visual Studio) was publicly disclosed before the security updates were released. Exploitation of these vulnerabilities had not been confirmed at the time the security updates were released.
Other
Twitter now offers an onion service
Alec Muffett
This is possibly the most important and long-awaited tweet that I've ever composed.

On behalf of @Twitter, I am delighted to announce their new @TorProject onion service, at:

https://t.co/Un8u0AEXeE https://t.co/AgEV4ZZt3k
Google announces that it will acquire Mandiant
NICT publishes the results of darknet observations by the NICTER project for Q4 2021 (October to December)
(Announcement) Live stream "Yuku Are Kuru Are" from around 22:00 on Tuesday 3/15. Stay tuned!
辻 伸弘 (nobuhiro tsuji)
We'll do a live stream on Spaces to mark receiving the Minister for Internal Affairs and Communications' Encouragement Award for cybersecurity!

From around 22:00 next week on Tuesday, March 15!

Under the title "Yuku Are Kuru Are" we'll chat casually about the "are" so far and the "are" still to come.

If you have questions, tweet them with the hashtag!

#セキュリティのアレ https://t.co/MAat9MiKWZ

Security Researcher, IIJ-SECT, SANS Instructor in Japan, OWASP Japan Advisory Board, WASForum Hardening Project. I want to help build a safe online society that children can use with peace of mind.

Created with Revue by Twitter.