View profile

今週の気になるセキュリティニュース - Issue #62

Weekly newsletter of Masafumi Negishi
Weekly newsletter of Masafumi Negishi
事件、事故
Atlassian が 4/4 に発生したサービス障害について報告
On Monday, April 4th, approximately 400 Atlassian Cloud customers experienced a full outage across their Atlassian products. We have now restored 78% of users impacted by the outage as we continue to move with more speed and accuracy (this is as of 1:42 UTC on April 15 – you can track our progress on our Statuspage). Our teams will continue to restore sites through the weekend, and we expect to have all sites restored no later than end of day Tuesday, April 19 PT. As we restore sites and hand them over to our customers for validation, please reach out to our teams if there are any issues so that our support engineers can work to get everyone affected fully restored.
To be clear, this incident was not a cyber attack nor was it a failure of our systems to scale. Additionally, the majority of restored customers have had no data loss, while some have reported data loss for up to 5 minutes prior to the incident.
欧米の法執行機関による共同作戦 Operation TOURNIQUET により、RaidForums が摘発。フォーラムの管理者らも逮捕される。
The illegal marketplace ‘RaidForums’ has been shut down and its infrastructure seized as a result of Operation TOURNIQUET, a complex law enforcement effort coordinated by Europol to support independent investigations of the United States, United Kingdom, Sweden, Portugal, and Romania. The forum’s administrator and two of his accomplices have also been arrested. 
The Department of Justice today announced the seizure of the RaidForums website, a popular marketplace for cybercriminals to buy and sell hacked data, and unsealed criminal charges against RaidForums’ founder and chief administrator, Diogo Santos Coelho, 21, of Portugal. Coelho was arrested in the United Kingdom on Jan. 31, at the United States’ request and remains in custody pending the resolution of his extradition proceedings.
GitHub が不正アクセスを報告。Heroku と Travis-CI に対して発行された OAuth トークンが不正に取得され利用された。これらのアプリケーションを利用している多数のユーザに影響。
On April 12, GitHub Security began an investigation that uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm. The applications maintained by these integrators were used by GitHub users, including GitHub itself. We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems, because the tokens in question are not stored by GitHub in their original, usable formats. Following immediate investigation, we disclosed our findings to Heroku and Travis-CI on April 13 and 14; more detail is available below and we will update this blog as we learn more.
攻擊、脅威
ESET がウクライナの制御系システムを狙った Industroyer2 マルウェアの活動について報告
ESET researchers collaborated with CERT-UA to analyze the attack against the Ukrainian energy company
The destructive actions were scheduled for 2022-04-08 but artifacts suggest that the attack had been planned for at least two weeks
The attack used ICS-capable malware and regular disk wipers for Windows, Linux and Solaris operating systems
We assess with high confidence that the attackers used a new version of the Industroyer malware, which was used in 2016 to cut power in Ukraine
We assess with high confidence that the APT group Sandworm is responsible for this new attack
Cloudflare から 2022年第 1四半期の DDoS 攻擊に関するレポート
The first quarter of 2022 saw a massive spike in application-layer DDoS attacks, but a decrease in the total number of network-layer DDoS attacks. Despite the decrease, we’ve seen volumetric DDoS attacks surge by up to 645% QoQ, and we mitigated a new zero-day reflection attack with an amplification factor of 220 billion percent.
In the Russian and Ukrainian cyberspace, the most targeted industries were Online Media and Broadcast Media. In our Azerbaijan and Palestinian Cloudflare data centers, we’ve seen enormous spikes in DDoS activity — indicating the presence of botnets operating from within.
Microsoft が他のセキュリティベンダーなどと協力し、ZLoader ボットネットをテイクダウン
Today, we’re announcing that Microsoft’s Digital Crimes Unit (DCU) has taken legal and technical action to disrupt a criminal botnet called ZLoader. ZLoader is made up of computing devices in businesses, hospitals, schools, and homes around the world and is run by a global internet-based organized crime gang operating malware as a service that is designed to steal and extort money.
360 Netlab が新たな DDoS ボットネット Fodcha の活動について報告
Recently, CNCERT and 360netlab worked together and discovered a rapidly spreading DDoS botnet on the Internet. The global infection looks fairly big as just in China there are more than 10,000 daily active bots (IPs) and alsomore than 100 DDoS victims beingtargeted on a daily basis. We named the botnet Fodcha because of its initial use of the C2 domain name folded.in and its use of the chacha algorithm to encrypt network traffic.
公安調査庁がサイバーパンフレット「サイバー空間における脅威の概況2022」を公開
公安調査庁
【サイバーパンフレット2022本日公開】
公安調査庁では、昨年の主なサイバー脅威の概況や #サイバー攻撃 の手法等について解説した「サイバー空間における脅威の概況2022」を作成しました。
社内研修等でぜひご活用ください。

パンフレットはこちら
https://t.co/fw5LYJdyYX https://t.co/pG9hZ6Ri7o
脆弱性
米 CISA が Known Exploited Vulnerabilities (KEV) カタログに 8+10+1+9 個の脆弱性を追加
(コメント) このところ更新頻度がやたら高いが、古い脆弱性の追加も目立つ
Microsoft が 2022年 4月の月例パッチを公開
CVE-2022-24521 Windows Common Log File System Driver における特権昇格の脆弱性は、既に、脆弱性の悪用が行われていることを確認しています。なお、この脆弱性詳細の一般への公開は、セキュリティ更新プログラムの公開時点では確認されていません。お客様においては、早急に、更新プログラムの適用を行ってください。詳細は、CVE-2022-24521を参照してください。
今月のセキュリティ更新プログラムで修正した脆弱性のうち、CVE-2022-26904 (Windows User Profile Service) は、セキュリティ更新プログラムの公開よりも前に、脆弱性の情報が一般に公開されていたことを確認しています。なお、この脆弱性の悪用は、セキュリティ更新プログラムの公開時点では確認されていません。
今月のセキュリティ更新プログラムで修正した脆弱性のうち、CVE-2022-24491 (Microsoft ネットワーク ファイル システム)、CVE-2022-24497 (Microsoft ネットワーク ファイル システム) および CVE-2022-26809 (リモート プロシージャ コール ランタイム)、は、CVSS 基本値が 9.8 と高いスコアで、認証やユーザーの操作なしで悪用が可能な脆弱性です。これらの脆弱性が存在する製品、および悪用が可能となる条件については、各CVEのページの「よく寄せられる質問」 を参照してください。セキュリティ更新プログラムが公開されるよりも前に、脆弱性の情報の一般への公開、脆弱性の悪用はありませんが、脆弱性の特性を鑑み、企業組織では早急なリスク評価とセキュリティ更新プログラムの適用を推奨しています。
The stand-out vulnerability for this month’s Microsoft Patch Tuesday was CVE-2022-26809 [msft]. An integer overflow in MSRPC that, if exploited, allows for arbitrary code execution over the network without requiring authentication or user interaction. There is no doubt that the vulnerability is critical, and the patch must be applied quickly. But how big of an issue is it? How soon should we expect an exploit? And what other mitigation techniques may be helpful? Let me summarize what we know so far:
Google が Chrome のゼロデイ脆弱性を修正
This update includes 2 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.
[$NA][1315901] High CVE-2022-1364: Type Confusion in V8. Reported by Clément Lecigne of Google’s Threat Analysis Group on 2022-04-13
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
Google is aware that an exploit for CVE-2022-1364 exists in the wild.
その他
ラック、NRIセキュア、GSXが合同で「サイバーセキュリティイニシアティブジャパン」を設立
CSI/Jは、これからのデジタル社会にふさわしい「セキュリティ対策」と「セキュリティ人材」に関する効果的なフレームワークを策定し、会員企業に提供します。会員企業はそれらのフレームワークを利用することで、自社が提供するサービスのさらなる高度化や安全性の向上を図ることができます。
Did you enjoy this issue? Yes No
Weekly newsletter of Masafumi Negishi
Weekly newsletter of Masafumi Negishi

Security Researcher, IIJ-SECT, SANS Instructor in Japan, OWASP Japan Advisory Board, WASForum Hardening Project, 子供たちが安心して使える安全なネット社会を実現したいですね。

In order to unsubscribe, click here.
If you were forwarded this newsletter and you like it, you can subscribe here.
Created with Revue by Twitter.