
This week's noteworthy security news - Issue #60

Weekly newsletter of Masafumi Negishi
Incidents and accidents
ATM outages at eight banks, including regional banks, caused by a power failure at a Kyndryl Japan data center that hosts their core systems.
At 11:08 on March 26, 2022, a failure occurred in part of the power system at Kyndryl Japan's data center. Power at the data center was restored at 11:44 the same day, but as a result some customer systems hosted at the data center have been affected.
Doug Madory
Ukrainian incumbent Ukrtelecom has gone offline as a result of a reported cyberattack.

Views from @CloudflareRadar and @gatech_ioda both show a slow decline in connectivity over ~5 hours: an unusual outage profile.
https://t.co/oS8AJlbxi1
https://t.co/uTfPy2x0Vz https://t.co/3c6HZsxr3M
NetBlocks
ℹ️ Update: Internet connectivity is being restored on Ukraine's national provider Ukrtelecom some 15 hours after users started falling offline amid a cyberattack. The company's engineers say they have successfully mitigated the attack.

📰 Report: https://t.co/tcZz71R6Y6 https://t.co/HcwzsK3WWu
Crypto assets worth about 76 billion yen illicitly drained from the Ronin network used by the NFT game Axie Infinity.
There has been a security breach on the Ronin Network. Earlier today, we discovered that on March 23rd, Sky Mavis’s Ronin validator nodes and Axie DAO validator nodes were compromised resulting in 173,600 Ethereum and 25.5M USDC drained from the Ronin bridge in two transactions (1 and 2). The attacker used hacked private keys in order to forge fake withdrawals. We discovered the attack this morning after a report from a user being unable to withdraw 5k ETH from the bridge. 
Russian telecom RTcomm caused a BGP hijack (route leak) of a Twitter prefix.
Just like the February 2021 incident, the incident yesterday was likely a failed attempt to block a service in the country or for their own network, and it led to accidentally leaking those routes to the global routing table. Thankfully, the industry has learned some valuable lessons from the past and is taking strong steps to fix problems like these. Last year, Twitter had not created ROAs for any of its IP resources. This year it has, and it is now much more difficult for a bogus announcement to propagate.
Doug Madory
From 12:05-12:50 UTC, RU telecom RTComm (AS8342) hijacked a prefix (104.244.42.0/24) belonging to Twitter.

The hijack didn't propagate far due to an RPKI ROA which asserted AS13414 was the rightful origin.

This is the same prefix hijacked during the coup in Myanmar last year. https://t.co/mHXssRkQiz
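The two Twitter incidents quoted above are a compact lesson in Route Origin Validation (RFC 6811): the same prefix, leaked by the same kind of actor, propagated widely in 2021 (no ROA, so validators return NotFound and accept) but barely moved in 2022 (a ROA naming AS13414, so an announcement from AS8342 is Invalid and dropped by ROV deployers). The following is an added example, not code from the newsletter, Cloudflare or Kentik; it implements the RFC 6811 classification over a one-entry ROA set built from the tweet. Assumptions for illustration: the ROA's maxLength equals its prefix length (/24), and the /25 and documentation-prefix announcements are constructed inputs.

```python
"""Route Origin Validation (RFC 6811) over a small, constructed ROA set."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int   # assumed equal to the prefix length for the Twitter ROA
    origin_asn: int


def covering_roas(roas, announced):
    """ROAs whose prefix contains the announced prefix (same address family)."""
    return [r for r in roas
            if r.prefix.version == announced.version
            and announced.subnet_of(r.prefix)]


def validate(roas, announced_prefix: str, origin_asn: int) -> str:
    """Classify a BGP announcement as Valid, Invalid or NotFound (RFC 6811).

    Valid:    some covering ROA authorises this origin AS and the announced
              length does not exceed that ROA's maxLength.
    Invalid:  covering ROAs exist but none matches (wrong origin, or the
              announcement is more specific than any ROA allows).
    NotFound: no ROA covers the prefix at all, which is where Twitter stood
              during the February 2021 leak, before it created ROAs.
    """
    announced = ipaddress.ip_network(announced_prefix, strict=False)
    covering = covering_roas(roas, announced)
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.origin_asn == origin_asn and announced.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


def rov_action(state: str) -> str:
    """Common ROV policy: drop Invalid, accept Valid and NotFound.

    Dropping NotFound would black-hole the large share of address space that
    still has no ROA, so operators normally reject Invalid only. That is why a
    ROA-backed prefix hijack stalls at ROV deployers while an unsigned one
    keeps propagating.
    """
    return "drop" if state == "Invalid" else "accept"


# Constructed ROA set: the single ROA the tweet above refers to.
ROAS = [ROA(ipaddress.ip_network("104.244.42.0/24"), 24, 13414)]

if __name__ == "__main__":
    cases = [
        ("104.244.42.0/24", 8342),    # RTComm originating Twitter's prefix
        ("104.244.42.0/24", 13414),   # the legitimate origin
        ("104.244.42.0/25", 13414),   # right origin, but more specific than maxLength
        ("198.51.100.0/24", 64496),   # documentation prefix and ASN, no ROA at all
    ]
    for prefix, asn in cases:
        state = validate(ROAS, prefix, asn)
        print(f"{prefix} from AS{asn}: {state} -> {rov_action(state)}")
```

Two practitioner notes fall out of the code: a ROA only helps against a hijack if the networks between the hijacker and the rest of the Internet actually run ROV and drop Invalid routes (the tweet says "didn't propagate far", not "didn't propagate"), and a ROA with a generous maxLength reopens the door to more-specific hijacks by anyone who can spoof the authorised origin AS, so maxLength should be set to what is really announced.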
Attacks and threats
Through Operation Eagle Sweep, a joint operation with multiple overseas law enforcement agencies, the FBI arrested 65 suspects involved in business email compromise (BEC).
Following on the success of Operation Wire Wire and Operation reWired, the FBI conducted another significant, coordinated effort to disrupt Business Email Compromise (BEC) schemes that intercept and steal wire transfers sent by businesses and individuals. The U.S. Department of Justice and international law enforcement partners carried out Operation Eagle Sweep over a three-month period and arrested 65 suspects in the United States and overseas, including 12 in Nigeria, eight in South Africa, two in Canada, and one in Cambodia. In parallel with Operation Eagle Sweep, Australia, Japan, and Nigeria conducted local operations targeting BEC actors.
Viasat reports on the February attack on its KA-SAT network. SentinelOne also reports on AcidRain, the destructive malware used in the attack.
Subsequent investigation and forensic analysis identified a ground-based network intrusion by an attacker exploiting a misconfiguration in a VPN appliance to gain remote access to the trusted management segment of the KA-SAT network. The attacker moved laterally through this trusted management network to a specific network segment used to manage and operate the network, and then used this network access to execute legitimate, targeted management commands on a large number of residential modems simultaneously. Specifically, these destructive commands overwrote key data in flash memory on the modems, rendering the modems unable to access the network, but not permanently unusable.
On Thursday, February 24th, 2022, a cyber attack rendered Viasat KA-SAT modems inoperable in Ukraine.
Spillover from this attack rendered 5,800 Enercon wind turbines in Germany unable to communicate for remote monitoring or control.
Viasat’s statement on Wednesday, March 30th, 2022 provides a somewhat plausible but incomplete description of the attack.
SentinelLabs researchers discovered new malware that we named ‘AcidRain’.
AcidRain is an ELF MIPS malware designed to wipe modems and routers.
We assess with medium-confidence that there are developmental similarities between AcidRain and a VPNFilter stage 3 destructive plugin. In 2018, the FBI and Department of Justice attributed the VPNFilter campaign to the Russian government.
AcidRain is the 7th wiper malware associated with the Russian invasion of Ukraine.
Update: In a statement disseminated to journalists, Viasat confirmed the use of the AcidRain wiper in the February 24th attack against their modems.
Zack Whittaker
Viasat told us that SentinelOne's research is "consistent with the facts in our report," which it released Wednesday, specifically "the destructive executable that was run on the modems using a legitimate management command as Viasat previously described."
cc: @juanandres_gs
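SentinelLabs describes AcidRain as an ELF MIPS binary aimed at modems and routers. For anyone pulling a suspicious executable off a modem or out of a firmware image, the first triage step is to read the ELF header and confirm class, byte order and target machine before picking an emulator or sandbox; a MIPS wiper will do nothing useful in an x86 sandbox. The following is an added example, not code from SentinelLabs or from the AcidRain sample: a minimal ELF header parser plus an `is_mips_elf` check. The header bytes are constructed in the block itself, are not bytes from AcidRain, and the choice of a big-endian 32-bit MIPS sample is an assumption made only for the demonstration.

```python
"""Identify the architecture of an ELF binary from its header (triage helper)."""
import struct

ELF_MAGIC = b"\x7fELF"
EI_CLASS = {1: "ELF32", 2: "ELF64"}
EI_DATA = {1: "LSB", 2: "MSB"}
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
# e_machine values as defined in the ELF specification / elf.h
E_MACHINE = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}
EM_MIPS = 8


def parse_elf_header(data: bytes) -> dict:
    """Return class, data encoding, type and machine of an ELF file.

    Only e_ident and the first fields after it are read. e_type and e_machine
    are 16-bit values stored in the file's own byte order, so EI_DATA has to
    be decoded first to know how to unpack them.
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in EI_CLASS or ei_data not in EI_DATA:
        raise ValueError("unknown ELF class or data encoding")
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {
        "class": EI_CLASS[ei_class],
        "data": EI_DATA[ei_data],
        "type": E_TYPE.get(e_type, f"unknown({e_type})"),
        "machine": E_MACHINE.get(e_machine, f"unknown({e_machine})"),
        "e_machine": e_machine,
    }


def is_mips_elf(data: bytes) -> bool:
    """True for any ELF whose e_machine is EM_MIPS, whichever endianness."""
    try:
        return parse_elf_header(data)["e_machine"] == EM_MIPS
    except ValueError:
        return False


def build_elf_header(ei_class: int, ei_data: int, e_type: int, e_machine: int) -> bytes:
    """Constructed minimal ELF header, zero-padded to the header size, for tests."""
    endian = "<" if ei_data == 1 else ">"
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8   # 16 bytes of e_ident
    fields = struct.pack(endian + "HHI", e_type, e_machine, 1)          # e_type, e_machine, e_version
    size = 52 if ei_class == 1 else 64
    return (ident + fields).ljust(size, b"\x00")


# Constructed samples (not real malware): a 32-bit big-endian MIPS executable,
# a 64-bit little-endian x86-64 shared object, and a non-ELF blob.
SAMPLE_MIPS_BE = build_elf_header(1, 2, 2, EM_MIPS)
SAMPLE_X86_64 = build_elf_header(2, 1, 3, 62)
SAMPLE_NOT_ELF = b"MZ" + b"\x00" * 62

if __name__ == "__main__":
    for name, blob in [("mips-sample", SAMPLE_MIPS_BE), ("x86-64-sample", SAMPLE_X86_64)]:
        h = parse_elf_header(blob)
        print(name, h["class"], h["data"], h["type"], h["machine"], "MIPS target" if is_mips_elf(blob) else "")
```

On a real sample, `e_flags` (not parsed here) additionally encodes the MIPS ABI and ISA level, which matters when choosing a QEMU system model; and a passing header check says nothing about whether the binary is malicious, only what it was built to run on.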
Google reports on the attack activity it has observed in Eastern Europe.
In early March, Google’s Threat Analysis Group (TAG) published an update on the cyber activity it was tracking with regard to the war in Ukraine. Since our last update, TAG has observed a continuously growing number of threat actors using the war as a lure in phishing and malware campaigns. Government-backed actors from China, Iran, North Korea and Russia, as well as various unattributed groups, have used various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links.
Vulnerabilities
Remote code execution vulnerability in Sophos Firewall (CVE-2022-1040). Exploitation has already been confirmed against some customers.
An authentication bypass vulnerability allowing remote code execution was discovered in the User Portal and Webadmin of Sophos Firewall and responsibly disclosed to Sophos. It was reported via the Sophos bug bounty program by an external security researcher. The vulnerability has been fixed.
There is no action required for Sophos Firewall customers with the “Allow automatic installation of hotfixes” feature enabled. Enabled is the default setting.
Sophos has observed this vulnerability being used to target a small set of specific organizations primarily in the South Asia region. We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate.
US CISA adds 39 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog in two batches (32 and 7).
Trend Micro issues an alert after confirming attacks that exploit a vulnerability in Apex Central.
In Apex Central and Apex Central (SaaS), a vulnerability was identified in which improper handling of files allows arbitrary files to be uploaded. This could further allow arbitrary code to be executed remotely.
Note: Trend Micro is aware of attacks exploiting this vulnerability. We recommend updating to the latest version as soon as possible.
Apple releases macOS Monterey 12.3.1, iOS 15.4.1 and iPadOS 15.4.1, fixing a zero-day vulnerability that has already been exploited.
GitLab fixes multiple vulnerabilities, including one that allows account takeover (CVE-2022-1162).
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts. This is a critical severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, 9.1). It is now mitigated in the latest release and is assigned CVE-2022-1162.
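The GitLab advisory describes a flaw class worth seeing side by side with its fix: an account created through an external provider (OAuth, LDAP, SAML) never needs a local password, but if the code path sets a fixed one, that constant becomes a master key for every such account through the ordinary password sign-in form, with no privileges or user interaction required, which is what the PR:N/UI:N vector expresses. The following is an added example, not GitLab's code; it models the vulnerable behaviour, the straightforward fix (a random per-account password) and a defence-in-depth variant that refuses password sign-in for provider-backed accounts altogether. The user store, the provider name, the placeholder constant "CONSTRUCTED-FIXED-PASSWORD" and the attacker flow are all constructed for illustration; GitLab's actual constant and its actual patch are not reproduced here.

```python
"""Hardcoded vs. generated passwords for provider-registered accounts."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class UserStore:
    """Minimal user store with an OmniAuth-style provider registration path.

    hardcoded_password=<str>       reproduces the vulnerable behaviour
    hardcoded_password=None        generates a random 256-bit password per account
    external_password_login=False  additionally refuses password sign-in for
                                   provider-backed accounts (defence in depth)
    """

    def __init__(self, hardcoded_password=None, external_password_login=True):
        self.users = {}
        self.hardcoded_password = hardcoded_password
        self.external_password_login = external_password_login

    def register_via_provider(self, email: str, provider: str) -> None:
        if self.hardcoded_password is not None:
            password = self.hardcoded_password        # vulnerable: one constant shared by all accounts
        else:
            password = secrets.token_urlsafe(32)      # hardened: unguessable and unique per account
        salt = os.urandom(16)
        self.users[email] = {
            "provider": provider,
            "salt": salt,
            "hash": _hash_password(password, salt),
        }

    def login_with_password(self, email: str, password: str) -> bool:
        user = self.users.get(email)
        if user is None:
            return False
        if user["provider"] is not None and not self.external_password_login:
            return False                              # provider accounts must sign in via the provider
        return hmac.compare_digest(user["hash"], _hash_password(password, user["salt"]))


def demo() -> dict:
    """An attacker who knows the constant tries it against a victim in each configuration."""
    victim, constant = "victim@example.com", "CONSTRUCTED-FIXED-PASSWORD"

    vulnerable = UserStore(hardcoded_password=constant)
    vulnerable.register_via_provider(victim, "saml")

    hardened = UserStore()
    hardened.register_via_provider(victim, "saml")

    locked_down = UserStore(external_password_login=False)
    locked_down.register_via_provider(victim, "saml")

    return {
        "vulnerable_takeover": vulnerable.login_with_password(victim, constant),
        "hardened_takeover": hardened.login_with_password(victim, constant),
        "locked_down_takeover": locked_down.login_with_password(victim, constant),
    }


if __name__ == "__main__":
    print(demo())  # {'vulnerable_takeover': True, 'hardened_takeover': False, 'locked_down_takeover': False}
```

One caveat the code makes visible: changing `register_via_provider` only affects accounts created after the fix. Accounts that already received the constant keep it in their stored hash until their password is reset, so upgrading the software is not by itself enough; existing provider-registered accounts created on the affected versions have to be reset or have password sign-in disabled.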
Other
IPA publishes the report "FY2021 Survey on Awareness of Information Security [Ethics Edition] [Threats Edition]".
(1) Of the password security measures "use as long a password as possible", "do not reuse passwords" and "change the initial password", the one with the lowest implementation rate is "do not reuse passwords"; 40-50% of respondents reuse passwords. (脅威調査2021_概要資料.pdf, p. 23)
(2) No difference was seen in password management methods between accounts used for different purposes, such as "posting private information" and "exchanging money"; the top two methods are "memorize it myself" and "write it down on paper", without using any tool. (ibid., pp. 25, 26)
(3) For vulnerability countermeasures, the implementation rate for IoT devices is lower than for PC-related measures, and a higher share of respondents say they do not know how. (ibid., p. 27)
(4) On average just under 70% have never met one-on-one with someone they got to know via SNS or similar services, while about 10% have "met six or more times". (倫理調査2021_概要資料.pdf, p. 27)
(5) The share of respondents who said that meeting someone from SNS resulted in "money trouble" or "feeling physically endangered" is markedly higher among teenagers than in other age groups. (ibid., p. 31)
(6) Experience of receiving security education is highest among teenagers, followed by those in their 20s, and declines with age. (脅威調査2021_概要資料.pdf, p. 12; 倫理調査2021_概要資料.pdf, p. 11)
Chrome stable channel version 100 released.

Security Researcher, IIJ-SECT, SANS Instructor in Japan, OWASP Japan Advisory Board, WASForum Hardening Project. I want to help realize a safe online society that children can use with peace of mind.

Created with Revue by Twitter.