podcast - #セキュリティのアレ - ゆるーいセキュリティのポッドキャストですよ。

事件、事故

Hulu で第三者による不正ログインが発生

(9/12) ［重要］不正アクセス検知によるパスワード強制リセット実施のお知らせ（9/12更新） – Hulu ヘルプセンター

弊社サービスにご登録いただいている一部のアカウントにおきまして、2024 年 9 月 11 日（水）にご登録者以外の第三者による不正なログイン操作が実施されたことを確認いたしました。現在詳細について調査中ではございますが、現時点で確認できている状況をお知らせいたします。

発生日：2024 年 9 月 11 日（水）

対象アカウント：296 件（※ご契約中、解約済みなど、ご契約状況に関わらず）

Fortinet が不正アクセスを受け、一部の顧客情報が漏洩

(9/12) Notice of Recent Security Incident | Fortinet Blog

An individual gained unauthorized access to a limited number of files stored on Fortinet’s instance of a third-party cloud-based shared file drive, which included limited data related to a small number (less than 0.3%) of Fortinet customers.

攻撃、脅威

FBI が "2023 Cryptocurrency Fraud Report" を公開

(9/10) 2023 Cryptocurrency Fraud Report Released — FBI

Losses related to cryptocurrency fraud totaled over $5.6 billion in 2023, a 45% increase in losses since 2022, according to a report from FBI’s Internet Crime Complaint Center (IC3) published on September 9, 2024. The number of complaints from the public regarding cryptocurrency fraud continues to steadily increase, reaching 69,000 in 2023.

Sophos が中国の攻撃者グループによる東南アジア諸国の政府を狙う攻撃活動について報告

(9/10) Crimson Palace returns: New Tools, Tactics, and Targets – Sophos News

After a brief break in activity, Sophos X-Ops continues to observe and respond to what we assess with high confidence as a Chinese state-directed cyberespionage operation targeting a prominent agency within the government of a Southeast Asian nation.

Trellix が Excel ファイルを利用したマルウェアキャンペーンについて報告

(9/11) Unmasking the Hidden Threat: Inside a Sophisticated Excel-Based Attack Delivering Fileless Remcos RAT

In the rapidly evolving landscape of cybersecurity, attackers are continuously refining their methods to bypass detection and deliver malicious payloads. This blog dissects a recent advanced malware campaign that leverages a seemingly benign Excel file delivered via phishing that exploits CVE-2017-0199, a critical vulnerability in Microsoft Office and WordPad that allows attackers to execute arbitrary code when a user opens a specially crafted document. Specifically, this vulnerability occurs in the handling of Object Linking and Embedding (OLE) objects, enabling an attacker to embed malicious code within a file that appears benign. This sophisticated campaign utilizes encrypted Microsoft Office documents, Object Linking and Embedding (OLE) objects, and multiple layers of obfuscated scripts to execute a fileless variant of the Remcos Remote Access Trojan (RAT) on the victim's system. We will explore each stage of the attack chain and provide actionable insights for cybersecurity professionals.

マクニカと富士通ディフェンス & ナショナルセキュリティが共同で、フィッシングサイトに悪用されるドメイン名に関する調査レポートを公開

(9/12) マクニカ、富士通ディフェンス & ナショナルセキュリティとの共同研究を通じフィッシングサイトURLにおけるドメイン悪用の傾向に関する調査レポートを本日公開 - セキュリティ事業 - マクニカ

Akamai が 1.3 Tbps の DDoS 攻撃を観測

(9/13) Akamai Prevents Record-Breaking DDoS Attack on Major U.S. Customer | Akamai

脆弱性

SonicWall SonicOS の脆弱性 CVE-2024-40766 が悪用されている可能性が高いとの報告

(9/6 更新) Security Advisory

Update - SSLVPN was added as another possible point of impact. "This vulnerability is potentially being exploited in the wild." paragraph has been added to advisory summary. A section for SSLVPN has been added to the advisory workaround.

(9/6) Arctic Wolf Observes Akira Ransomware Campaign Targeting SonicWall SSLVPN Accounts | Arctic Wolf

In recent threat activity observed by Arctic Wolf, Akira ransomware affiliates carried out ransomware attacks with an initial access vector involving the compromise of SSLVPN user accounts on SonicWall devices. In each instance, the compromised accounts were local to the devices themselves rather than being integrated with a centralized authentication solution such as Microsoft Active Directory. Additionally, MFA was disabled for all compromised accounts, and the SonicOS firmware on the affected devices were within the versions known to be vulnerable to CVE-2024-40766.

(9/9) Critical Improper Access Control Vuln Affecting SonicWall Devices | Rapid7 Blog

As of September 9, 2024, Rapid7 is aware of several recent incidents (both external and Rapid7-observed) in which SonicWall SSLVPN accounts were targeted or compromised, including by ransomware groups; evidence linking CVE-2024-40766 to these incidents is still circumstantial, but given adversary interest in the software in general, Rapid7 strongly recommends remediating on an emergency basis. Vulnerabilities like CVE-2024-40766 are frequently used for initial access to victim environments.

CISA が Known Exploited Vulnerabilities (KEV) カタログに 3+4+1 個の脆弱性を追加

(9/9) CISA Adds Three Known Exploited Vulnerabilities to Catalog | CISA

CVE-2016-3714 ImageMagick Improper Input Validation Vulnerability

CVE-2017-1000253 Linux Kernel PIE Stack Buffer Corruption Vulnerability

CVE-2024-40766 SonicWall SonicOS Improper Access Control Vulnerability

(9/10) CISA Adds Four Known Exploited Vulnerabilities to Catalog | CISA

CVE-2024-38226 Microsoft Publisher Security Feature Bypass Vulnerability

CVE-2024-43491 Microsoft Windows Update Remote Code Execution Vulnerability

CVE-2024-38014 Microsoft Windows Installer Privilege Escalation Vulnerability

CVE-2024-38217 Microsoft Windows Mark of the Web (MOTW) Security Feature Bypass Vulnerability

(9/13) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

CVE-2024-8190 Ivanti Cloud Services Appliance OS Command Injection Vulnerability

Microsoft が 2024年 9月の月例パッチを公開。すでに悪用が確認されている脆弱性を含む。

(9/10) 2024 年 9 月のセキュリティ更新プログラム (月例) | MSRC Blog | Microsoft Security Response Center

今月のセキュリティ更新プログラムで修正した脆弱性のうち、以下の脆弱性は更新プログラムが公開されるよりも前に悪用や脆弱性の詳細が一般へ公開されていることを確認しています。お客様においては、更新プログラムの適用を早急に行ってください。脆弱性の詳細は、各 CVE のページを参照してください。

CVE-2024-43491 Microsoft Windows Update のリモートでコードが実行される脆弱性

CVE-2024-38014 Windows インストーラーの特権の昇格の脆弱性

CVE-2024-38217 Windows Mark Of The Web セキュリティ機能のバイパスの脆弱性

CVE-2024-38226 Microsoft Publisher のセキュリティ機能のバイパスの脆弱性

(9/10) Zero Day Initiative — The September 2024 Security Update Review

Ivanti Endpoint Manager に複数の脆弱性

(9/10) Security Advisory EPM September 2024 for EPM 2024 and EPM 2022

Ivanti has released updates for Ivanti Endpoint Manager 2024 and 2022 SU6 which addresses medium and high vulnerabilities. Successful exploitation could lead to unauthorized access to the EPM core server.

We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure.

Ivanti Cloud Service Appliance に脆弱性。すでに悪用を確認

(9/10) Security Advisory Ivanti Cloud Service Appliance (CSA) (CVE-2024-8190)

Update September 13: Following public disclosure, Ivanti has confirmed exploitation of this vulnerability in the wild. At the time of this update, we are aware of a limited number of customers who have been exploited.

その他

WordPress.org が 10月1日からプラグインとテーマの開発者アカウントに 2要素認証を義務化

(9/4) Upcoming Security Changes for Plugin and Theme Authors on WordPress.org – Make WordPress Plugins

As part of this ongoing effort, we are introducing a new security requirement: mandatory two-factor authentication (2FA) for plugin and theme authors, starting on October 1st, 2024.

自民党がサイバー安全保障政策の方向性に関する提言を政府に提出

(9/11) 【サイバー安保】速やかな法制化を関係会議が提言申し入れ | 政策 | ニュース | 自由民主党

Yahoo!ショッピングが「安全・安心への取り組みレポート」を公開

(9/12) Yahoo!ショッピング、「安全・安心への取り組みレポート」を初公開。2024年上半期の不正決済による被害金額は前年比約70％減、やらせレビューは2024年9月までに約60万件を削除｜LINEヤフー株式会社

LINEヤフー株式会社（以下、LINEヤフー）が運営する「Yahoo!ショッピング」は、これまでの安全・安心への取り組みと実績をまとめた2024年上半期（1月～6月）版の「安全・安心への取り組みレポート」（以下、本レポート）を公開しました。本レポートは今回が初めての公開となり、今後も定期的に公開する予定です。

CISA が 2023年に米国の政府機関や重要インフラに対して行ったリスク評価に関する分析結果を報告

(9/13) CISA Releases Analysis of FY23 Risk and Vulnerability Assessments | CISA