

Security News That Caught My Eye This Week - Issue #224

These are my notes for the podcast recording.

podcast - #セキュリティのアレ - a laid-back security podcast.



Incidents and accidents

Western law enforcement agencies, with the cooperation of Microsoft and others, take down the Lumma Stealer malware infrastructure

(5/21) Europol and Microsoft disrupt world’s largest infostealer Lumma | Europol

Between 16 March and 16 May 2025, Microsoft identified over 394 000 Windows computers globally infected by the Lumma malware. In a coordinated follow-up operation this week, Microsoft’s Digital Crimes Unit (DCU), Europol, and international partners have disrupted Lumma’s technical infrastructure, cutting off communications between the malicious tool and victims. In addition, over 1 300 domains seized by or transferred to Microsoft, including 300 domains actioned by law enforcement with the support of Europol, will be redirected to Microsoft sinkholes.

(5/21) Office of Public Affairs | Justice Department Seizes Domains Behind Major Information-Stealing Malware Operation | United States Department of Justice

As alleged in the affidavits filed in support of the government’s seizure warrants, the administrators of LummaC2 used the seized websites to distribute LummaC2, an information-stealing malware, to their affiliates and other cyber criminals. According to court documents, common targets for cybercriminals using malware like LummaC2 include browser data, autofill information, login credentials for accessing email and banking services, as well as cryptocurrency seed phrases, which permit access to virtual currency wallets. As alleged in the affidavits, the FBI has identified at least 1.7 million instances where LummaC2 was used to steal this type of information.

(5/21) Threat Actors Target U.S. Critical Infrastructure with LummaC2 Malware | CISA

(5/21) Disrupting Lumma Stealer: Microsoft leads global action against favored cybercrime tool - Microsoft On the Issues

Microsoft’s Digital Crimes Unit (DCU) and international partners are disrupting the leading tool used to indiscriminately steal sensitive personal and organizational information to facilitate cybercrime. On Tuesday, May 13, Microsoft’s DCU filed a legal action against Lumma Stealer (“Lumma”), which is the favored info-stealing malware used by hundreds of cyber threat actors. Lumma steals passwords, credit cards, bank accounts, and cryptocurrency wallets and has enabled criminals to hold schools for ransom, empty bank accounts, and disrupt critical services.

Via a court order granted in the United States District Court of the Northern District of Georgia, Microsoft’s DCU seized and facilitated the takedown, suspension, and blocking of approximately 2,300 malicious domains that formed the backbone of Lumma’s infrastructure. The Department of Justice (DOJ) simultaneously seized the central command structure for Lumma and disrupted the marketplaces where the tool was sold to other cybercriminals. Europol’s European Cybercrime Center (EC3) and Japan’s Cybercrime Control Center (JC3) facilitated the suspension of locally based Lumma infrastructure.

(5/21) Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer | Microsoft Security Blog


Operation Endgame by Western law enforcement agencies takes down multiple malware families, including DanaBot

(5/23) Operation ENDGAME strikes again: the ransomware kill chain broken at its source | Europol

The operation focused on initial access malware – the tools cybercriminals use to infiltrate systems unnoticed before deploying ransomware. By disabling these entry points, investigators have struck at the very start of the cyberattack chain, damaging the entire cybercrime-as-a-service ecosystem.

The following malware strains were neutralised during the action:

  • Bumblebee
  • Lactrodectus
  • Qakbot
  • Hijackloader
  • DanaBot
  • Trickbot
  • Warmcookie

(5/22) Office of Public Affairs | Leader of Qakbot Malware Conspiracy Indicted for Involvement in Global Ransomware Scheme | United States Department of Justice

(5/22) Central District of California | 16 Defendants Federally Charged in Connection with DanaBot Malware Scheme That Infected Computers Worldwide | United States Department of Justice


Tokens worth about $223M illicitly drained from the DeFi service Cetus

(5/22) Cetus Protocol hacked for more than $200 million

(5/23) Hacker steals $223 million in Cetus Protocol cryptocurrency heist


Attacks and threats

KrebsOnSecurity observes a 6.3 Tbps DDoS attack

(5/20) KrebsOnSecurity Hit With Near-Record 6.3 Tbps DDoS – Krebs on Security

KrebsOnSecurity last week was hit by a near record distributed denial-of-service (DDoS) attack that clocked in at more than 6.3 terabits of data per second (a terabit is one trillion bits of data). The brief attack appears to have been a test run for a massive new Internet of Things (IoT) botnet capable of launching crippling digital assaults that few web destinations can withstand. Read on for more about the botnet, the attack, and the apparent creator of this global menace.


CISA and others warn about attack activity by Russia's GRU intelligence agency

(5/21) Russian GRU Cyber Actors Targeting Western Logistics Entities and Tech Companies | CISA

Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center, military unit 26165 cyber actors are using a mix of previously disclosed tactics, techniques, and procedures (TTPs) and are likely connected to these actors’ widescale targeting of IP cameras in Ukraine and bordering NATO nations.


Vulnerabilities

CISA adds 6+1 vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog

(5/19) CISA Adds Six Known Exploited Vulnerabilities to Catalog | CISA

  • CVE-2025-4427 Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability
  • CVE-2025-4428 Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
  • CVE-2024-11182 MDaemon Email Server Cross-Site Scripting (XSS) Vulnerability
  • CVE-2025-27920 Srimax Output Messenger Directory Traversal Vulnerability
  • CVE-2024-27443 Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
  • CVE-2023-38950 ZKTeco BioTime Path Traversal Vulnerability

(5/22) CISA Adds One Known Exploited Vulnerability to Catalog | CISA


Other

NIST publishes a white paper on Likely Exploited Vulnerabilities (LEV), a new metric for vulnerability exploitation

(5/19) CSWP 41, Likely Exploited Vulnerabilities: A Proposed Metric for Vulnerability Exploitation Probability | CSRC


IPA begins issuing the "★1 conformance label" under the Security Requirements Conformance Evaluation and Labeling Scheme (JC-STAR)

(5/21) Issuance of ★1 conformance labels under the Security Labeling Scheme (JC-STAR) begins | Press release | IPA (Information-technology Promotion Agency, Japan)



