今週の気になるセキュリティニュース - Issue #60

2022年3月26日11時08分、キンドリルジャパンのデータセンターにおいて電源系統の一部で障害が発生しました。データセンターの電源は、同日11時44分に復旧しましたが、この影響でデータセンターをご利用いただいている一部のお客様システムに影響がでております。

There has been a security breach on the Ronin Network. Earlier today, we discovered that on March 23rd, Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes were compromised resulting in 173,600 Ethereum and 25.5M USDC drained from the Ronin bridge in two transactions (1 and 2). The attacker used hacked private keys in order to forge fake withdrawals. We discovered the attack this morning after a report from a user being unable to withdraw 5k ETH from the bridge. 

Just like the February 2021 incident, the incident yesterday was likely a failed attempt to block a service in the country or for their own network, and it lead to accidentally leaking those routes to the global routing table. Thankfully, the industry has learned some valuable lessons from the past and is taking strong steps to fix problems like these. Last year, Twitter had not created ROAs for any of its IP resources. This year it has, and it is now much more difficult for a bogus announcement to propagate.

Following on the success of Operation Wire Wire and Operation reWired, the FBI conducted another significant, coordinated effort to disrupt Business Email Compromise (BEC) schemes that intercept and steal wire transfers sent by businesses and individuals. The U.S. Department of Justice and international law enforcement partners carried out Operation Eagle Sweep over a three-month period and arrested 65 suspects in the United States and overseas, including 12 in Nigeria, eight in South Africa, two in Canada, and one in Cambodia. In parallel with Operation Eagle Sweep, Australia, Japan, and Nigeria conducted local operations targeting BEC actors.

Subsequent investigation and forensic analysis identified a ground-based network intrusion by an attacker exploiting a misconfiguration in a VPN appliance to gain remote access to the trusted management segment of the KA-SAT network. The attacker moved laterally through this trusted management network to a specific network segment used to manage and operate the network, and then used this network access to execute legitimate, targeted management commands on a large number of residential modems simultaneously. Specifically, these destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable.

On Thursday, February 24th, 2022, a cyber attack rendered Viasat KA-SAT modems inoperable in Ukraine.

Spillover from this attack rendered 5,800 Enercon wind turbines in Germany unable to communicate for remote monitoring or control.

Viasat’s statement on Wednesday, March 30th, 2022 provides a somewhat plausible but incomplete description of the attack.

SentinelLabs researchers discovered new malware that we named ‘AcidRain’.

AcidRain is an ELF MIPS malware designed to wipe modems and routers.

We assess with medium-confidence that there are developmental similarities between AcidRain and a VPNFilter stage 3 destructive plugin. In 2018, the FBI and Department of Justice attributed the VPNFilter campaign to the Russian government

AcidRain is the 7th wiper malware associated with the Russian invasion of Ukraine.

Update: In a statement disseminated to journalists, Viasat confirmed the use of the AcidRain wiper in the February 24th attack against their modems.

In early March, Google’s Threat Analysis Group (TAG) published an update on the cyber activity it was tracking with regard to the war in Ukraine. Since our last update, TAG has observed a continuously growing number of threat actors using the war as a lure in phishing and malware campaigns. Government-backed actors from China, Iran, North Korea and Russia, as well as various unattributed groups, have used various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links.

An authentication bypass vulnerability allowing remote code execution was discovered in the User Portal and Webadmin of Sophos Firewall and responsibly disclosed to Sophos. It was reported via the Sophos bug bounty program by an external security researcher. The vulnerability has been fixed.

There is no action required for Sophos Firewall customers with the “Allow automatic installation of hotfixes” feature enabled. Enabled is the default setting.

Sophos has observed this vulnerability being used to target a small set of specific organizations primarily in the South Asia region. We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate.

Apex Central, およびApex Central (SaaS)において、ファイルに対する不適切な処理により、任意のファイルがアップロードされる脆弱性が確認されました。これにより、さらにリモートから任意のコードが実行される可能性があります。

A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts. This is a critical severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, 9.1). It is now mitigated in the latest release and is assigned CVE-2022-1162.

(1)パスワードのセキュリティ対策「できるだけ長いパスワード」「使いまわしをしない」「初期パスワードの変更」のうち、実施率が最も低いのは「使いまわしをしない」で、使いまわす人の割合は4-5割。（脅威調査2021_概要資料.pdf　P23）

(2)「プライベートな情報を書き込む」「金銭をやりとりする」など使途の異なるアカウントにおけるパスワード管理方法に差は見られず、ツールなどを使わず「自分で記憶」「紙などにメモ」が2トップ（同 P25、26）

(3)脆弱性対策において、IoT機器の対策はパソコン関連の対策よりも実施率が低く、やり方がわからないという割合が高い（同 P27）

(4)SNS等で知り合った人と1対1で合ったことがない人の割合は平均で7割弱いる一方で、「6回以上会ったことがある」人の割合は約1割（倫理調査2021_概要資料.pdf P27）

(5)SNS等で会った結果「金銭トラブル」「身の危険を感じた」と回答した割合は10代が他世代より顕著に高い（同 P31）

(6)セキュリティ教育の受講経験は10代の割合が最も高く、次いで20代。年齢が上がるにつれ低下する（脅威調査2021_概要資料.pdf P12 、倫理調査2021_概要資料.pdf P11）