This Week's Notable Security News - Issue #58

Weekly newsletter of Masafumi Negishi

Cyber Israel
Update: In the last few hours a denial-of-service (DDoS) attack was identified against a telecommunications provider; as a result, access to several websites, including government sites, was blocked for a short time. As of this hour, all of the sites have returned to operation.
ℹ️ Update: The #Israel Government Network (Tehila Project, AS8867) which hosts several gov·il website domains has become unreachable internationally. Users within the country remain able to access the platforms.

📰 Further Reading: https://t.co/zgeodgMzk1 https://t.co/YAHSf63Wun
360 Netlab
We observed that the ripprbot botnet has instructed its bots to attack targets, and all of them belong to the Israeli Government Network https://t.co/ynVieQyFQU https://t.co/f1XZMlko8M
Masafumi Negishi
From yesterday into today, DDoS attacks against the Israeli government network (AS8867) have been observed. Multiple observation reports covering different time periods have been posted, so a combined attack using a variety of attack vectors may have been carried out. The IIJ honeypots have also been observing backscatter since this morning.
The developer of node-ipc.js released versions that add code to delete files and code to display a protest message, in protest against Russia's invasion of Ukraine
Microsoft's write-up on the LockBit 2.0 ransomware
This post illustrates a much more direct attempt at ransomware recovery targeting MSSQL databases, where we uncovered and further exploited bugs present in the LockBit 2.0 ransomware code, up to the point where we were able to revert the encryption process for these database files and restore them back to a functioning state. This is often an impossible task to carry out, given that it implies breaking decades of practical research into cryptography, not simply in theory, but in actual implementation.
The US FBI and CISA jointly issue an advisory on activity by a Russian state-sponsored threat actor group
The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to warn organizations that Russian state-sponsored cyber actors have gained network access through exploitation of default MFA protocols and a known vulnerability. As early as May 2021, Russian state-sponsored cyber actors took advantage of a misconfigured account set to default MFA protocols at a non-governmental organization (NGO), allowing them to enroll a new device for MFA and access the victim network. The actors then exploited a critical Windows Print Spooler vulnerability, “PrintNightmare” (CVE-2021-34527) to run arbitrary code with system privileges. Russian state-sponsored cyber actors successfully exploited the vulnerability while targeting an NGO using Cisco’s Duo MFA, enabling access to cloud and email accounts for document exfiltration.
ESET reports on CaddyWiper, destructive malware targeting organizations in Ukraine
ESET researchers have uncovered yet another destructive data wiper that was used in attacks against organizations in Ukraine.
Dubbed CaddyWiper by ESET analysts, the malware was first detected at 11.38 a.m. local time (9.38 a.m. UTC) on Monday. The wiper, which destroys user data and partition information from attached drives, was spotted on several dozen systems in a limited number of organizations. It is detected by ESET products as Win32/KillDisk.NCX.
CaddyWiper bears no major code similarities to either HermeticWiper or IsaacWiper, the other two new data wipers that have struck organizations in Ukraine since February 23rd.
Much like with HermeticWiper, however, there’s evidence to suggest that the bad actors behind CaddyWiper infiltrated the target’s network before unleashing the wiper.
ESET research
#BREAKING #ESETresearch warns about the discovery of a 3rd destructive wiper deployed in Ukraine 🇺🇦. We first observed this new malware we call #CaddyWiper today around 9h38 UTC. 1/7 https://t.co/gVzzlT6AzN
Google's Threat Analysis Group (TAG) reports on the activity of EXOTIC LILY, an Initial Access Broker
In early September 2021, Threat Analysis Group (TAG) observed a financially motivated threat actor we refer to as EXOTIC LILY, exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). Investigating this group’s activity, we determined they are an Initial Access Broker (IAB) who appear to be working with the Russian cyber crime gang known as FIN12 (Mandiant, FireEye) / WIZARD SPIDER (CrowdStrike).
The US FBI and CISA jointly warn about attack activity targeting satellite communications providers
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are aware of possible threats to U.S. and international satellite communication (SATCOM) networks. Successful intrusions into SATCOM networks could create risk in SATCOM network providers’ customer environments.
Apple releases macOS Monterey 12.3, iOS 15.4, iPadOS 15.4, tvOS 15.4, watchOS 8.5, and others
Vulnerability in OpenSSL (CVE-2022-0778)
Germany's Federal Office for Information Security (BSI) warns against using Kaspersky antivirus software
The Personal Information Protection Commission reports the results of its "Fact-finding Survey on Unauthorized Access to EC Sites"

Security Researcher, IIJ-SECT, SANS Instructor in Japan, OWASP Japan Advisory Board, WASForum Hardening Project. I want to help realize a safe online society that children can use with peace of mind.
