The following content was retrieved from https://negi.hatenablog.com/entry/2025/02/23/230913.


This Week's Security News of Interest - Issue #211

These are my notes for the podcast recording.

podcast - #セキュリティのアレ - a laid-back security podcast.



Incidents and accidents

Utsunomiya Central Clinic restricts medical examinations and health check-up operations due to a ransomware infection

(2/12) On the temporary restriction of examination and health check-up services at Utsunomiya Central Clinic | Utsunomiya Central Clinic, for cancer treatment and cancer screening in Tochigi Prefecture

(2/18) Possible information leak resulting from unauthorized access, and temporary restriction of operations | Utsunomiya Central Clinic, for cancer treatment and cancer screening in Tochigi Prefecture


Apple stops offering Advanced Data Protection to new users in the UK; existing users will also lose access going forward

(2/21) Apple pulls encryption feature from UK over government spying demands | The Verge

“Apple can no longer offer Advanced Data Protection (ADP) in the United Kingdom to new users and current UK users will eventually need to disable this security feature,” says Apple spokesperson Julien Trosdorf in a statement to The Verge. “We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy.”

(2/21) Apple pulls data protection tool after UK government security row

(2/21) Apple pulls data protection feature in UK amid government demands | Reuters

(2/21) Cornered by the UK’s Demand for an Encryption Backdoor, Apple Turns Off Its Strongest Security Setting | Electronic Frontier Foundation


Approximately $1.5B worth of crypto assets fraudulently transferred from the crypto exchange Bybit

(2/22) Bybit Announcement | Incident Update: Unauthorized Activity Involving ETH Cold Wallet

On February 21, 2025, at approximately 12:30 PM UTC, Bybit detected unauthorized activity within one of our Ethereum (ETH) Cold Wallets during a routine transfer process. The transfer was part of a scheduled move of ETH from our ETH Multisig Cold Wallet to our Hot Wallet. Unfortunately, the transaction was manipulated by a sophisticated attack that altered the smart contract logic and masked the signing interface, enabling the attacker to gain control of the ETH Cold Wallet. As a result, over 400,000 ETH and stETH worth more than $1.5 billion were transferred to an unidentified address.

(2/22) Bybit Launches Recovery Bounty Program with Rewards up to 10% of Stolen Funds | Bybit Press

As part of the investigation and recovery efforts, Bybit is pledging 10% of recovered funds to reward ethical cyber and network security experts who play an active role in retrieving the stolen cryptocurrencies in the incident.

The total amount of the bounty is calculated based on verifiable recovery of the compromised ETH worth over $1.4 billion at the time of the incident.

(2/23) Bybit Announcement | Bybit’s Update to Security Breach - Full Restoration of Services & Recovery Progress

(2/21) Crypto exchange Bybit says it was hacked and lost around $1.4B | TechCrunch


Attacks and threats

Orange Cyberdefense and Trend Micro report on a campaign that uses the ShadowPad and PlugX malware to carry out ransomware attacks

(2/18) Meet NailaoLocker: a ransomware distributed in Europe by ShadowPad and PlugX backdoors

Last year, Orange Cyberdefense’s CERT investigated a series of incidents from an unknown threat actor leveraging both ShadowPad and PlugX. Tracked as Green Nailao (“Nailao” meaning “cheese” in Chinese – a topic our World Watch CTI team holds in high regard), the campaign impacted several European organizations, including in the healthcare vertical, during the second half of 2024. We believe this campaign has targeted a larger panel of organizations across the world throughout multiple sectors.

(2/20) Updated Shadowpad Malware Leads to Ransomware Deployment | Trend Micro (US)

  • Two recent incident response cases in Europe involved Shadowpad, a malware family connected to various Chinese threat actors. Our research suggested that this malware family had targeted at least 21 companies across 15 countries in Europe, the Middle East, Asia, and South America.
  • Unusually, in some of these incidents the threat actor deployed ransomware from an unreported family in these attacks.
  • The threat actors gained access through remote network attacks, exploiting weak passwords and bypassing multi-factor authentication mechanisms.


CISA and partners jointly issue an advisory on Ghost (Cring) ransomware

(2/19) CISA and Partners Release Advisory on Ghost (Cring) Ransomware | CISA


Google reports on attack campaigns by Russian threat actor groups targeting Signal Messenger

(2/20) Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger | Google Cloud Blog

Google Threat Intelligence Group (GTIG) has observed increasing efforts from several Russia state-aligned threat actors to compromise Signal Messenger accounts used by individuals of interest to Russia's intelligence services. While this emerging operational interest has likely been sparked by wartime demands to gain access to sensitive government and military communications in the context of Russia's re-invasion of Ukraine, we anticipate the tactics and methods used to target Signal will grow in prevalence in the near-term and proliferate to additional threat actors and regions outside the Ukrainian theater of war.


Cisco Talos reports on the activity of the Chinese threat actor group Salt Typhoon

(2/20) Weathering the storm: In the midst of a Typhoon

Public reporting has indicated that the threat actor was able to gain access to core networking infrastructure in several instances and then use that infrastructure to collect a variety of information. There was only one case in which we found evidence suggesting that a Cisco vulnerability (CVE-2018-0171) was likely abused. In all the other incidents we have investigated to date, the initial access to Cisco devices was determined to be gained through the threat actor obtaining legitimate victim login credentials. The threat actor then demonstrated their ability to persist in target environments across equipment from multiple vendors for extended periods, maintaining access in one instance for over three years.


OpenAI reports on malicious uses of its own AI models

(2/21) Disrupting malicious uses of AI | OpenAI

It has now been a year since OpenAI became the first AI research lab to publish reports on our disruptions in an effort to support broader efforts by U.S. and allied governments, industry partners, and other stakeholders, to prevent abuse by adversaries and other malicious actors. This latest report outlines some of the trends and features of our AI-powered work, together with case studies that highlight the types of threats we’ve disrupted.


Vulnerabilities

CISA adds 2+2+1 vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog

(2/18) CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA

  • CVE-2025-0108 Palo Alto PAN-OS Authentication Bypass Vulnerability
  • CVE-2024-53704 SonicWall SonicOS SSLVPN Improper Authentication Vulnerability

(2/20) CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA

(2/21) CISA Adds One Known Exploited Vulnerability to Catalog | CISA


Other

NICT publishes the NICTER observation statistics for Q4 2024

(2/18) NICTER Observation Statistics - October to December 2024 - NICTER Blog


Let's Encrypt begins issuing certificates with a six-day validity period

(2/20) We Issued Our First Six Day Cert - Let's Encrypt

Earlier this year we announced our intention to introduce short-lived certificates with lifetimes of six days as an option for our subscribers. Yesterday we issued our first short-lived certificate. You can see the certificate at the bottom of our post, or here thanks to Certificate Transparency logs. We issued it to ourselves and then immediately revoked it so we can observe the certificate’s whole lifecycle. This is the first step towards making short-lived certificates available to all subscribers.
