This Week's Notable Security News - Issue #167


podcast - #セキュリティのアレ - A laid-back security podcast.


Fujitsu Japan's "Fujitsu MICJET コンビニ交付" (convenience-store certificate issuance) once again issues a certificate to the wrong person; MIC issues administrative guidance to Fujitsu

(4/16) On the erroneous certificate issuance in "Fujitsu MICJET コンビニ交付" at Takamatsu City : Fujitsu Japan Limited

On April 4, 2024, an incident occurred in Takamatsu City in which "Fujitsu MICJET コンビニ交付" issued a copy of the resident record of a resident other than the applicant. We sincerely apologize for the great inconvenience and concern caused to Takamatsu City, its residents, and all parties concerned.

(4/16) MIC | Press release | Thorough root-cause investigation and recurrence-prevention measures for erroneous certificate issuance in the convenience-store issuance service (administrative guidance)

Today, the Ministry of Internal Affairs and Communications (MIC) issued written administrative guidance to Fujitsu Limited (President and CEO Takahito Tokita, corporate number 1020001071491, head office Minato-ku, Tokyo) regarding the case in which a copy of another person's resident record was issued through convenience-store issuance in Takamatsu City, Kagawa Prefecture, by its subsidiary Fujitsu Japan Limited, instructing it to thoroughly investigate the cause, implement recurrence-prevention measures, and report on their implementation status.

MIC issues a second round of administrative guidance to LY Corporation (LINE Yahoo)

(4/16) MIC | Press release | Measures toward thorough protection of the secrecy of communications and ensuring cybersecurity at LY Corporation (administrative guidance)

MIC issued administrative guidance to LY Corporation (President and CEO Takeshi Idezawa) on March 5, 2024, and on April 1 received the company's report on its efforts toward preventing recurrence. Based on that report, MIC today issued written administrative guidance requesting early implementation of the measures called for in the earlier guidance and a report on their implementation status and implementation plan.

(4/16) On the administrative guidance from MIC to our company | LY Corporation

Phishing-as-a-service platform LabHost taken down through cooperation between European and US law enforcement

(4/18) International investigation disrupts phishing-as-a-service platform LabHost | Europol

This week, law enforcement from 19 countries severely disrupted one of the world's largest phishing-as-a-service platforms, known as LabHost. This year-long operation, coordinated at the international level by Europol, resulted in the compromise of LabHost's infrastructure.

(4/18) Law enforcement infiltrates fraud platform used by thousands of criminals worldwide | Metropolitan Police

(4/18) The Fall of LabHost: Law Enforcement Shuts Down Phishing Service Provider | Trend Micro (US)

MITRE discloses that it was breached by an external attacker

(4/19) MITRE Response to Cyber Attack in One of Its R&D Networks | MITRE

MITRE today disclosed that despite its fervent commitment to safeguarding its digital assets, it experienced a breach that underscores the nature of modern cyber threats. After detecting suspicious activity on its Networked Experimentation, Research, and Virtualization Environment (NERVE), a collaborative network used for research, development, and prototyping, compromise by a foreign nation-state threat actor was confirmed.

(4/19) Advanced Cyber Threats Impact Even the Most Prepared | by Lex Crumpton | MITRE-Engenuity | Apr, 2024 | Medium

Starting in January 2024, a threat actor performed reconnaissance of our networks, exploited one of our Virtual Private Networks (VPNs) through two Ivanti Connect Secure zero-day vulnerabilities, and skirted past our multi-factor authentication using session hijacking. From there, they moved laterally and dug deep into our network’s VMware infrastructure using a compromised administrator account. They employed a combination of sophisticated backdoors and webshells to maintain persistence and harvest credentials.

MITRE followed best practices, vendor instructions, and the government’s advice to upgrade, replace, and harden our Ivanti system, but we did not detect the lateral movement into our VMware infrastructure. At the time we believed we took all the necessary actions to mitigate the vulnerability, but these actions were clearly insufficient.


Cloudflare publishes its DDoS threat report for 2024 Q1

(4/16) DDoS threat report for 2024 Q1

Key insights from the first quarter of 2024 include:

  • 2024 started with a bang. Cloudflare’s defense systems automatically mitigated 4.5 million DDoS attacks during the first quarter — representing a 50% year-over-year (YoY) increase.
  • DNS-based DDoS attacks increased by 80% YoY and remain the most prominent attack vector.
  • DDoS attacks on Sweden surged by 466% after its acceptance to the NATO alliance, mirroring the pattern observed during Finland's NATO accession in 2023.

Coveware publishes its ransomware report for 2024 Q1

(4/17) RaaS devs hurt their credibility by cheating affiliates in Q1 2024

Mandiant reports on the activities of threat group APT44 (Sandworm)

(4/18) Unearthing APT44: Russia’s Notorious Cyber Sabotage Unit Sandworm | Google Cloud Blog

Given the active and diffuse nature of the threat posed by Sandworm globally, Mandiant has decided to graduate the group into a named Advanced Persistent Threat: APT44. As part of this process, we are releasing a report, “APT44: Unearthing Sandworm”, that provides additional insights into the group’s new operations, retrospective insights, and context on how the group is adjusting to support Moscow’s war aims.

CISA issues an advisory on Akira ransomware

(4/18) #StopRansomware: Akira Ransomware | CISA

Vulnerability in PuTTY (CVE-2024-31497) allows recovery of NIST P-521 private keys from biased ECDSA nonces

(4/15) oss-security - CVE-2024-31497: Secret Key Recovery of NIST P-521 Private Keys Through Biased ECDSA Nonces in PuTTY Client

The PuTTY client and all related components generate heavily biased ECDSA nonces in the case of NIST P-521. To be more precise, the first 9 bits of each ECDSA nonce are zero. This allows for full secret key recovery in roughly 60 signatures by using state-of-the-art techniques. These signatures can either be harvested by a malicious server (man-in-the-middle attacks are not possible given that clients do not transmit their signature in the clear) or from any other source, e.g. signed git commits through forwarded agents. The nonce generation for other curves is slightly biased as well. However, the bias is negligible and far from enough to perform lattice-based key recovery attacks (not considering cryptanalytical advancements).

(4/16) Serious vulnerability in PuTTY allows private-key recovery; other tools such as WinSCP also affected - 窓の杜
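As an added example (not code from the PuTTY project or from the advisory), the Python below models the two nonce derivations the advisory contrasts. The pre-fix derivation is assumed, following the advisory's description, to reduce a 512-bit SHA-512 output mod the 521-bit P-521 group order, which is exactly why the top 9 bits of every nonce come out zero; the replacement is the RFC 6979 HMAC-DRBG construction that the fixed PuTTY release switched to, which fills qlen bits before reducing. The private key, the messages and the byte layout of the old derivation are constructed for this example.

```python
import hashlib
import hmac

# NIST P-521 group order n (521 bits), the curve the advisory singles out.
P521_N = int("01FF" + "FFFF" * 15
             + "FFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16)


def nonce_sha512_mod_q(priv: int, msg_hash: bytes, q: int = P521_N) -> int:
    """Assumed model of the pre-fix derivation: k = SHA-512(priv || H(m)) mod q.

    SHA-512 yields 512 bits while q is 521 bits, so the reduction never fires
    and k < 2^512: the top 9 bits of every nonce are zero.  Model written for
    this example, not PuTTY's code.
    """
    rlen = (q.bit_length() + 7) // 8
    digest = hashlib.sha512(priv.to_bytes(rlen, "big") + msg_hash).digest()
    return int.from_bytes(digest, "big") % q


def nonce_rfc6979(priv: int, msg_hash: bytes, q: int = P521_N) -> int:
    """RFC 6979 deterministic nonce (HMAC-DRBG over SHA-512).

    T is built from as many HMAC blocks as needed to cover qlen bits and then
    truncated to qlen bits, so candidates are uniform over [0, 2^qlen) and are
    rejected only when outside [1, q-1]; no high bits are structurally zero.
    """
    qlen = q.bit_length()
    rlen = (qlen + 7) // 8
    hlen = hashlib.sha512().digest_size

    def bits2int(b: bytes) -> int:
        v = int.from_bytes(b, "big")
        blen = len(b) * 8
        return v >> (blen - qlen) if blen > qlen else v

    def int2octets(x: int) -> bytes:
        return x.to_bytes(rlen, "big")

    def bits2octets(b: bytes) -> bytes:
        return int2octets(bits2int(b) % q)

    def prf(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha512).digest()

    v = b"\x01" * hlen
    k = b"\x00" * hlen
    k = prf(k, v + b"\x00" + int2octets(priv) + bits2octets(msg_hash))
    v = prf(k, v)
    k = prf(k, v + b"\x01" + int2octets(priv) + bits2octets(msg_hash))
    v = prf(k, v)
    while True:
        t = b""
        while len(t) * 8 < qlen:
            v = prf(k, v)
            t += v
        cand = bits2int(t)
        if 1 <= cand < q:
            return cand
        k = prf(k, v + b"\x00")   # candidate out of range: re-seed and retry
        v = prf(k, v)


def leading_zero_bits(k: int, q: int = P521_N) -> int:
    """How many of the top bits of a qlen-bit nonce are zero."""
    return q.bit_length() - k.bit_length()


def min_leading_zero_bits(derive, priv: int, count: int, q: int = P521_N) -> int:
    """Smallest leading-zero count over `count` signatures of distinct messages.

    A bias that never drops below 9 bits is what the lattice attack feeds on;
    a healthy deriver hits 0 or 1 leading zeros almost immediately.
    """
    zeros = []
    for i in range(count):
        h = hashlib.sha512(b"constructed message %d" % i).digest()  # constructed input
        zeros.append(leading_zero_bits(derive(priv, h, q), q))
    return min(zeros)


def constructed_key() -> int:
    """Constructed private scalar for the demonstration (not a real key)."""
    return int.from_bytes(hashlib.sha512(b"constructed test key").digest(), "big") % P521_N


if __name__ == "__main__":
    d = constructed_key()
    print("pre-fix model, min leading zero bits over 64 sigs:",
          min_leading_zero_bits(nonce_sha512_mod_q, d, 64))
    print("RFC 6979,      min leading zero bits over 64 sigs:",
          min_leading_zero_bits(nonce_rfc6979, d, 64))
```

The first figure never goes below 9 no matter how many signatures are drawn, which is the structural bias; the second drops to 0 or 1 within a handful of messages. The advisory's "roughly 60 signatures" matches the usual rule of thumb that a hidden-number-problem lattice needs on the order of qlen / bias samples (521 / 9 is about 58), so any P-521 key that has signed that many times with a pre-fix PuTTY, agent or WinSCP build should be treated as compromised and rotated, not just patched.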

PoC for the PAN-OS vulnerability CVE-2024-3400 published; exploitation spreading

(4/16) Palo Alto - Putting The Protecc In GlobalProtect (CVE-2024-3400)

(4/17) CVE-2024-3400 | AttackerKB

(updated 4/17) CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect

Palo Alto Networks is aware of an increasing number of attacks that leverage the exploitation of this vulnerability. Proof of concepts for this vulnerability have been publicly disclosed by third parties.

(4/19) More on the PAN-OS CVE-2024-3400

(Reference) Summary of the PAN-OS GlobalProtect vulnerability CVE-2024-3400 - piyolog


CISA, the FBI and other Five Eyes agencies jointly publish guidance on securely deploying and operating AI systems

(4/15) Joint Guidance on Deploying AI Systems Securely | CISA

The guidance provides best practices for deploying and operating externally developed artificial intelligence (AI) systems and aims to:

  • Improve the confidentiality, integrity, and availability of AI systems.
  • Ensure there are appropriate mitigations for known vulnerabilities in AI systems.
  • Provide methodologies and controls to protect, detect, and respond to malicious activity against AI systems and related data and services.

Bitcoin reaches its fourth halving

(4/20) Bitcoin completes its fourth halving; block reward drops to 3.125 BTC

(4/20) Bitcoin successfully completes its fourth halving | Bullish forecasts of a rise to $250,000 | Cointelegraph Japan

This Week's Notable Security News - Issue #166



Ezaki Glico reports trouble with its core system

(4/5) Apology regarding trouble with our core system | [Official] Ezaki Glico (Glico)

(4/12) Apology regarding trouble with our core system | [Official] Ezaki Glico (Glico)



(4/9) Apology and notice regarding the leak of customer personal information by a former employee

CISA issues an alert on the compromise of Sisense customer data

(4/11) Compromise of Sisense Customer Data | CISA

CISA is taking an active role in collaborating with private industry partners to respond to this incident, especially as it relates to impacted critical infrastructure sector organizations. We will provide updates as more information becomes available.

(4/11) Why CISA is Warning CISOs About a Breach at Sisense – Krebs on Security

Roku hit by unauthorized logins through credential-stuffing attacks; in response, passwords of affected accounts were reset and two-factor authentication was enabled on all user accounts

(4/12) Protecting your Roku account

(4/12) Roku warns 576,000 accounts hacked in new credential stuffing attacks

Apple updates its threat-notification documentation, replacing "state-sponsored attacks" with "mercenary spyware attacks"

(4/10) About Apple threat notifications and protecting against mercenary spyware - Apple Support

Apple threat notifications are designed to inform and assist users who may have been individually targeted by mercenary spyware attacks, likely because of who they are or what they do. Such attacks are vastly more complex than regular cybercriminal activity and consumer malware, as mercenary spyware attackers apply exceptional resources to target a very small number of specific individuals and their devices. Mercenary spyware attacks cost millions of dollars and often have a short shelf life, making them much harder to detect and prevent. The vast majority of users will never be targeted by such attacks.

(4/11) Apple drops term 'state-sponsored' attacks from its threat notification policy | Reuters

(4/12) Apple swaps 'state-sponsored' lingo for 'mercenary spyware' • The Register

CISA issues Emergency Directive ED 24-02

(4/11) CISA Issues Emergency Directive 24-02: Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System | CISA

Today, CISA publicly issued Emergency Directive (ED) 24-02 to address the recent campaign by Russian state-sponsored cyber actor Midnight Blizzard to exfiltrate email correspondence of Federal Civilian Executive Branch (FCEB) agencies through a successful compromise of Microsoft corporate email accounts. This Directive (https://www.cisa.gov/news-events/directives/ed-24-02-mitigating-significant-risk-nation-state-compromise-microsoft-corporate-email-system) requires agencies to analyze the content of exfiltrated emails, reset compromised credentials, and take additional steps to secure privileged Microsoft Azure accounts.

(4/2) ED 24-02: Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System | CISA

Trend Micro reports on the activities of threat group Earth Hundun

(4/11) Cyberespionage Group Earth Hundun's Continuous Refinement of Waterbear and Deuterbear | Trend Micro (US)

  • Earth Hundun is a cyberespionage-motivated threat actor that has been active for several years in the Asia-Pacific region, targeting the technology and government sectors.
  • The group has been known for employing several tools and techniques, including Waterbear, a malware entity that has had over 10 versions since 2009.
  • Waterbear is known for its complexity, as it uses a number of evasion mechanisms to minimize the chance of detection and analysis. Succeeding versions have added enhancements that make it even more troublesome to deal with.
  • In 2022, Earth Hundun began using the latest version of Waterbear — also known as Deuterbear — which has several changes, including anti-memory scanning and decryption routines, that make us consider it a different malware entity from the original Waterbear.
  • Our blog entry provides an in-depth analysis of these two malware types in Earth Hundun’s bag of tools.

Command injection and backdoor account in D-Link NAS devices (CVE-2024-3272 / CVE-2024-3273); exploitation in the wild

(3/26) Command Injection and Backdoor Account in D-Link NAS Devices

The described vulnerability affects multiple D-Link NAS devices, including models DNS-340L, DNS-320L, DNS-327L, and DNS-325, among others. The vulnerability lies within the nas_sharing.cgi URI, which is vulnerable due to two main issues: a backdoor facilitated by hardcoded credentials, and a command injection vulnerability via the system parameter. This exploitation could lead to arbitrary command execution on the affected D-Link NAS devices, granting attackers potential access to sensitive information, system configuration alteration, or denial of service, by specifying a command, affecting over 92,000 devices on the Internet.

(4/4) D-Link Technical Support

(4/8) CVE-2024-3273: D-Link NAS RCE Exploited in the Wild | GreyNoise Blog

(4/8) Critical RCE bug in 92,000 D-Link NAS devices now exploited in attacks

Microsoft releases its April 2024 monthly security updates, including a fix for a vulnerability already being exploited.

(4/9) April 2024 Security Updates (monthly) | MSRC Blog | Microsoft Security Response Center

Among the vulnerabilities fixed in this month's security updates, we have confirmed that the following vulnerability was exploited, or had its details publicly disclosed, before the update was released. Customers should apply the update as soon as possible. See the page for each CVE for details.

  • CVE-2024-26234 Proxy Driver Spoofing Vulnerability

(4/9) Smoke and (screen) mirrors: A strange signed backdoor – Sophos News

(4/9) Zero Day Initiative — The April 2024 Security Updates Review

CISA adds 2+1 vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog

(4/11) CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA

  • CVE-2024-3272 D-Link Multiple NAS Devices Use of Hard-Coded Credentials Vulnerability
  • CVE-2024-3273 D-Link Multiple NAS Devices Command Injection Vulnerability

(4/12) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

  • CVE-2024-3400 Palo Alto Networks PAN-OS Command Injection Vulnerability

Remote code execution vulnerability in Palo Alto Networks PAN-OS; exploitation already confirmed.

(4/12) CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect Gateway

Palo Alto Networks is aware of a limited number of attacks that leverage the exploitation of this vulnerability.

(4/12) Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400) | Volexity

(4/12) Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400

(4/13) Alert regarding the OS command injection vulnerability (CVE-2024-3400) in Palo Alto Networks PAN-OS GlobalProtect


X (formerly Twitter) adds passkey login support for iOS users worldwide

CISA releases Malware Next-Gen, its malware analysis system

(4/10) CISA Announces Malware Next-Gen Analysis | CISA

The Cybersecurity and Infrastructure Security Agency (CISA) announces today a new release of our malware analysis system, called Malware Next-Gen, which allows any organization to submit malware samples and other suspicious artifacts for analysis. Malware Next-Gen allows CISA to more effectively support our partners by automating analysis of newly identified malware and enhancing the cyber defense efforts.

DuckDuckGo launches Privacy Pro, a subscription bundling three services including a VPN

(4/11) Privacy Pro: DuckDuckGo's New 3-in-1 Subscription Service

This Week's Notable Security News - Issue #165



Network outage at Naha City Hall, attributed to human error

(4/1) On the network outage at Naha City Hall | Naha City official website

(4/1) Human error affects users; system outage at Naha City Hall - QAB NEWS Headline

System outage at driver's license centers in 19 prefectures including Tokyo and Osaka; National Police Agency investigating the cause

(4/1) System outage at driver's license centers mostly restored in 19 prefectures including Tokyo and Osaka; National Police Agency investigating the cause | NHK | IT & Internet

System outage at HOYA Group affects lens shipments and other operations

(4/1) On the system outage at our group - HOYA Corporation

(4/4) On the system outage at our group

In the early hours of March 30, 2024, suspicious behavior was noticed in systems at an overseas office; on investigation, we confirmed that a system outage was occurring at our group's offices in Japan and abroad. We immediately took measures such as isolating the affected servers and reported to the relevant authorities. According to the results of an investigation involving outside experts, the incident is highly likely to have been caused by unauthorized access to our servers by a third party.

(Reference) Summary of the HOYA system outage - piyolog

National Consumer Affairs Center warns of tech-support scams, with a sharp increase among people aged 70 and over

(3/27) Beware of tech-support scams when a warning appears on your PC! - Sharp increase among those aged 70 and over (press release) - National Consumer Affairs Center of Japan



The U.S. Department of Homeland Security publishes the report on last year's Microsoft Exchange Online intrusion

(4/2) Cyber Safety Review Board Releases Report on Microsoft Online Exchange Incident from Summer 2023 | Homeland Security

Today, the U.S. Department of Homeland Security (DHS) released the Cyber Safety Review Board’s (CSRB) findings and recommendations following its independent review of the Summer 2023 Microsoft Exchange Online intrusion. The review detailed operational and strategic decisions that led to the intrusion and recommended specific practices for industry and government to implement to ensure an intrusion of this magnitude does not happen again. Secretary of Homeland Security Alejandro N. Mayorkas received the CSRB report from the Board and delivered it to President Biden. This is the third review completed by the CSRB since the Board was announced in February 2022.


Multiple zero-day vulnerabilities in Pixel

(4/2) Pixel Update Bulletin—April 2024 | Android Open Source Project

Multiple vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure

(4/2) New CVE-2024-21894 (Heap Overflow), CVE-2024-22052 (Null Pointer Dereference), CVE-2024-22053 (Heap Overflow) and CVE-2024-22023 (XML entity expansion or XXE) for Ivanti Connect Secure and Ivanti Policy Secure Gateways

(4/5) New Ivanti RCE flaw may impact 16,000 exposed VPN gateways

Vulnerabilities in multiple HTTP/2 protocol implementations

(4/3) HTTP/2 CONTINUATION Flood - nowotarski.info

tl;dr: The CONTINUATION Flood is a class of vulnerabilities within numerous HTTP/2 protocol implementations. In many cases, it poses a more severe threat compared to the Rapid Reset: a single machine (and in certain instances, a mere single TCP connection or a handful of frames) has the potential to disrupt server availability, with consequences ranging from server crashes to substantial performance degradation. Remarkably, requests that constitute an attack are not visible in HTTP access logs.
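The post above describes the attack at the protocol level. The Python below is an added example written for this page (not code from nowotarski.info or from any affected implementation) that builds a CONTINUATION flood out of raw HTTP/2 frames and shows the server-side budget that stops it: a cap on the bytes and the number of frames one header block may span, checked before END_HEADERS is ever honored. The frame layout follows RFC 9113; the byte and frame limits, the stream id, and the HPACK payload bytes are constructed for the example, and the PADDED and PRIORITY flags on HEADERS are assumed unset.

```python
from dataclasses import dataclass, field
from typing import List, Optional

HEADERS, CONTINUATION = 0x1, 0x9
FLAG_END_HEADERS = 0x4


def encode_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialize one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    assert len(payload) < (1 << 24)
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def iter_frames(buf: bytes):
    """Yield (type, flags, stream_id, payload) for each complete frame in buf."""
    off = 0
    while off + 9 <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        sid = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = buf[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # trailing partial frame; a real server would wait for more bytes
        yield ftype, flags, sid, payload
        off += 9 + length


@dataclass
class AssembleResult:
    blocks: List[bytes] = field(default_factory=list)  # completed header blocks (raw HPACK)
    frames_seen: int = 0
    rejected: Optional[str] = None                     # why the connection was torn down


def assemble_header_blocks(buf: bytes, max_block_bytes: int = 16384,
                           max_frames: int = 8) -> AssembleResult:
    """Reassemble HEADERS + CONTINUATION sequences under a per-block budget.

    Without such a budget a peer can send CONTINUATION frames forever: the
    request never completes, so no access-log line is ever written, while the
    server keeps buffering and HPACK-decoding.  The budget is checked before
    END_HEADERS is honored, so an oversized block is rejected even when its
    final frame is well-formed.
    """
    res = AssembleResult()
    cur_stream, cur_block, cur_frames = None, bytearray(), 0
    for ftype, flags, sid, payload in iter_frames(buf):
        res.frames_seen += 1
        if ftype == HEADERS:
            if cur_stream is not None:
                res.rejected = "HEADERS while a header block is still open (PROTOCOL_ERROR)"
                return res
            cur_stream, cur_block, cur_frames = sid, bytearray(payload), 1
        elif ftype == CONTINUATION:
            if cur_stream is None or sid != cur_stream:
                res.rejected = "unexpected CONTINUATION (PROTOCOL_ERROR)"
                return res
            cur_block += payload
            cur_frames += 1
        else:
            if cur_stream is not None:
                res.rejected = "non-CONTINUATION frame inside a header block (PROTOCOL_ERROR)"
                return res
            continue  # other frame types are outside this example's scope
        if len(cur_block) > max_block_bytes or cur_frames > max_frames:
            res.rejected = (f"header block on stream {cur_stream} exceeded budget "
                            f"({len(cur_block)} bytes, {cur_frames} frames)")
            return res
        if flags & FLAG_END_HEADERS:
            res.blocks.append(bytes(cur_block))
            cur_stream, cur_block, cur_frames = None, bytearray(), 0
    return res


def benign_request() -> bytes:
    """Constructed: one HEADERS frame whose HPACK bytes are ':method GET' and ':path /'
    (static-table indices 2 and 4)."""
    return encode_frame(HEADERS, FLAG_END_HEADERS, 1, b"\x82\x84")


def continuation_flood(frames: int = 1000, chunk: int = 1024) -> bytes:
    """Constructed attack stream: HEADERS without END_HEADERS, then a run of
    CONTINUATION frames that never sets END_HEADERS."""
    out = encode_frame(HEADERS, 0, 1, b"\x82\x84")
    filler = b"\x00" * chunk  # arbitrary bytes; the decoder never gets to finish
    for _ in range(frames):
        out += encode_frame(CONTINUATION, 0, 1, filler)
    return out


if __name__ == "__main__":
    print(assemble_header_blocks(benign_request()))
    print(assemble_header_blocks(continuation_flood()))
```

The flood is cut off at the ninth frame regardless of how many follow, and the attacker's bytes are bounded by the budget rather than by their patience. Because the request never reaches the access log, the only evidence is at this layer: count rejected header blocks per client, and alert on them as you would on a Rapid Reset burst.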

CISA adds 2 vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog

(4/4) CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA


This Week's Notable Security News - Issue #164



Personal Information Protection Commission takes administrative action against MK System Co., Ltd.

(3/25) Administrative action under the Act on the Protection of Personal Information against MK System Co., Ltd. (March 25, 2024) | Personal Information Protection Commission

(3/26) On the guidance and other actions from the Personal Information Protection Commission toward our company | MK System Co., Ltd.

U.S. Treasury sanctions Russian companies supporting sanctions evasion through virtual-asset services and technology procurement

(3/25) Treasury Designates Russian Companies Supporting Sanctions Evasion Through Virtual Asset Services and Technology Procurement | U.S. Department of the Treasury

Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned thirteen entities and two individuals for operating in the financial services and technology sectors of the Russian Federation economy including persons developing or offering services in virtual assets that enable the evasion of U.S. sanctions. Five entities were designated for being owned or controlled by OFAC-designated persons.

U.S. Department of Justice indicts cryptocurrency exchange KuCoin and two of its founders

(3/26) Southern District of New York | Prominent Global Cryptocurrency Exchange KuCoin And Two Of Its Founders Criminally Charged With Bank Secrecy Act And Unlicensed Money Transmission Offenses | United States Department of Justice

Damian Williams, the United States Attorney for the Southern District of New York, and Darren McCormack, the Acting Special Agent in Charge of the New York Field Office of Homeland Security Investigations (“HSI”), announced today the unsealing of an Indictment against global cryptocurrency exchange KuCoin and two of its founders, CHUN GAN, a/k/a “Michael,” and KE TANG, a/k/a “Eric,” for conspiring to operate an unlicensed money transmitting business and conspiring to violate the Bank Secrecy Act by willfully failing to maintain an adequate anti-money laundering (“AML”) program designed to prevent KuCoin from being used for money laundering and terrorist financing, failing to maintain reasonable procedures for verifying the identity of customers, and failing to file any suspicious activity reports. KuCoin was also charged with operating an unlicensed money transmitting business and a substantive violation of the Bank Secrecy Act. GAN and TANG remain at large.


U.S. Department of Justice indicts seven Chinese nationals for involvement in the activities of Chinese threat group APT31

(3/25) Office of Public Affairs | Seven Hackers Associated with Chinese Government Charged with Computer Intrusions Targeting Perceived Critics of China and U.S. Businesses and Politicians | United States Department of Justice

An indictment was unsealed today charging seven nationals of the People’s Republic of China (PRC) with conspiracy to commit computer intrusions and conspiracy to commit wire fraud for their involvement in a PRC-based hacking group that spent approximately 14 years targeting U.S. and foreign critics, businesses, and political officials in furtherance of the PRC’s economic espionage and foreign intelligence objectives.

(3/25) Treasury Sanctions China-Linked Hackers for Targeting U.S. Critical Infrastructure | U.S. Department of the Treasury

(3/25) UK holds China state-affiliated organisations and individuals responsible for malicious cyber activity - GOV.UK

The United Kingdom, supported by allies globally, has today identified that Chinese state-affiliated organisations and individuals were responsible for 2 malicious cyber campaigns targeting democratic institutions and parliamentarians. Partners across the Indo-Pacific and Europe also express solidarity with the UK's efforts to call out malicious cyber activities targeting democratic institutions and electoral processes.

National Police Agency warns companies about North Korean IT workers

(3/26) Alert to companies and other organizations regarding North Korean IT workers | National Police Agency website

Black Lotus Labs reports on the activity of the TheMoon malware

(3/26) The Darkside of TheMoon - Lumen

The Black Lotus Labs team at Lumen Technologies has identified a multi-year campaign targeting end-of-life (EoL) small home/small office (SOHO) routers and IoT devices, associated with an updated version of "TheMoon" malware. TheMoon, which emerged in 2014, has been operating quietly while growing to over 40,000 bots from 88 countries in January and February of 2024. As our team has discovered, the majority of these bots are used as the foundation of a notorious, cybercriminal-focused proxy service, known as Faceless. While Lumen has previously documented this malware family, our latest tracking has shown TheMoon appears to enable Faceless' growth at a rate of nearly 7,000 new users per week.

Cisco issues an alert on password-spray attacks against VPN devices, including Cisco products

(3/26) Password Spray Attacks Impacting Remote Access VPN Services - Cisco

Cisco was made aware of multiple reports related to password spraying attacks aimed at RAVPN services. It has been noted by Talos that these attacks are not limited to Cisco products but also third-party VPN concentrators.

Depending on your environment, the attacks can cause accounts to be locked, resulting in Denial of Service (DoS)-like conditions.

This activity appears to be related to reconnaissance efforts.
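As an added example (not Cisco's or Talos's detection logic), the Python below separates a password spray from a single-account brute force in VPN authentication logs and lists the accounts a lockout policy would already have disabled, which is the DoS side effect the advisory warns about. The spray signature is one source touching many distinct accounts with very few attempts per account inside a window, the opposite shape of a brute force, so a per-account failure threshold alone never fires on it. The log format, field names, thresholds and every log line are constructed for this example; map the fields to your own RAVPN syslog.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple


def parse_auth_line(line: str) -> dict:
    """Parse one constructed 'ts src=... user=... result=...' line; ts becomes epoch seconds."""
    ts_str, *kv = line.split()
    ev = dict(item.split("=", 1) for item in kv)
    ev["ts"] = datetime.fromisoformat(ts_str.replace("Z", "+00:00")).timestamp()
    return ev


def detect_password_spray(events, window_s: int = 600, min_users: int = 10,
                          max_per_user: int = 3) -> Dict[str, Set[str]]:
    """Sources that fail against many distinct accounts with few attempts each
    inside one fixed window.  Returns source -> accounts it touched."""
    fails = defaultdict(lambda: defaultdict(int))  # (src, window) -> user -> fail count
    for ev in events:
        if ev["result"] != "FAIL":
            continue
        fails[(ev["src"], int(ev["ts"] // window_s))][ev["user"]] += 1
    flagged: Dict[str, Set[str]] = {}
    for (src, _), per_user in fails.items():
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            flagged.setdefault(src, set()).update(per_user)
    return flagged


def detect_brute_force(events, window_s: int = 600, min_fails: int = 10) -> Set[Tuple[str, str]]:
    """(src, user) pairs with many failures against a single account in a window."""
    fails = defaultdict(int)
    for ev in events:
        if ev["result"] == "FAIL":
            fails[(ev["src"], ev["user"], int(ev["ts"] // window_s))] += 1
    return {(src, user) for (src, user, _), n in fails.items() if n >= min_fails}


def lockout_exposure(events, threshold: int = 5) -> Set[str]:
    """Accounts whose total failures reach a lockout threshold, regardless of source.
    A spray that cycles several passwords per account over hours drives this list
    up across the whole directory; that is the DoS-like condition to watch."""
    per_user = defaultdict(int)
    for ev in events:
        if ev["result"] == "FAIL":
            per_user[ev["user"]] += 1
    return {u for u, n in per_user.items() if n >= threshold}


def constructed_sample() -> List[str]:
    """Constructed log lines (not real data): one spraying source, one brute-forcing
    source, and one legitimate user who mistypes a password twice."""
    base = datetime(2024, 3, 26, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(25):  # spray: 25 accounts, one attempt each, 10 s apart
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()} src=203.0.113.7 user=user{i:02d} result=FAIL")
    for i in range(30):  # brute force: one account, 30 attempts, 5 s apart
        t = base + timedelta(seconds=60 + 5 * i)
        lines.append(f"{t.isoformat()} src=198.51.100.9 user=bob result=FAIL")
    for i, r in enumerate(["FAIL", "FAIL", "OK"]):  # normal: two typos, then success
        t = base + timedelta(seconds=120 + 5 * i)
        lines.append(f"{t.isoformat()} src=192.0.2.5 user=carol result={r}")
    return lines


if __name__ == "__main__":
    events = [parse_auth_line(line) for line in constructed_sample()]
    print("spray sources:", {s: len(u) for s, u in detect_password_spray(events).items()})
    print("brute force:  ", detect_brute_force(events))
    print("locked out:   ", lockout_exposure(events))
```

Fixed windows keep the example short; a production rule should use a sliding window and key on the source after NAT or proxy unwrapping, since sprays from residential-proxy pools will spread one campaign across many source addresses and drop below the per-source threshold.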

Backdoor found in XZ Utils 5.6.0 / 5.6.1

(3/29) oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise

(3/29) Urgent security alert for Fedora 41 and Fedora Rawhide users

(3/29) Everything I know about the XZ backdoor

(3/29) Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094 | CISA


CISA adds 3+1 vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog

(3/25) CISA Adds Three Known Exploited Vulnerabilities to Catalog | CISA

  • CVE-2023-48788 Fortinet FortiClient EMS SQL Injection Vulnerability
  • CVE-2021-44529 Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability
  • CVE-2019-7256 Nice Linear eMerge E3-Series OS Command Injection Vulnerability

(3/26) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

Google publishes its report on zero-day vulnerabilities exploited in the wild in 2023

(3/27) A review of zero-day in-the-wild exploits in 2023

In 2023, Google observed 97 zero-day vulnerabilities exploited in-the-wild. That’s over 50 percent more than in 2022, but still shy of 2021’s record of 106. Today, Google published its fifth annual review of zero-days exploited in-the-wild, marking the first time Google’s Threat Analysis Group (TAG) and Mandiant teamed up on the report.

Hatena adds passkey and multi-factor authentication support to its login

(3/25) Hatena login now supports passkeys and multi-factor authentication, making it more secure - Hatena announcements

NICT announces the launch of a new NOTICE

(3/29) Launch of a new "NOTICE" to promote the security of IoT devices | 2024 | NICT - National Institute of Information and Communications Technology

Given that cyberattacks abusing IoT devices continue to occur amid environmental changes such as the emergence of new threats from increasingly sophisticated attack methods, we are launching a new "NOTICE (National Operation Towards IoT Clean Environment)" as a project to promote the security of IoT devices.

This Week's Notable Security News - Issue #163




German law enforcement takes down "Nemesis Market"

(3/21) BKA - Notices - Illegal darknet marketplace "Nemesis Market" shut down

(3/22) Darknet marketplace Nemesis Market seized by German police

The German police have seized infrastructure for the darknet Nemesis Market cybercrime marketplace in Germany and Lithuania, disrupting the site's operation.

The Federal Criminal Police Office in Germany (BKA) and the Frankfurt cybercrime combating unit (ZIT) conducted the action on Wednesday, March 20, 2024, with law enforcement taking down the website and confiscating approximately $100,000 in cash.

U.S. Department of Justice sues Apple for monopolizing smartphone markets

(3/21) Office of Public Affairs | Justice Department Sues Apple for Monopolizing Smartphone Markets | United States Department of Justice

Outages at multiple small Ukrainian ISPs since 3/13; a Russian threat group claims responsibility.

(3/21) Russian military intelligence may have deployed wiper against multiple Ukrainian ISPs | CyberScoop

(3/21) AcidPour | New Embedded Wiper Variant of AcidRain Appears in Ukraine - SentinelOne

On March 16th, 2024, we identified a suspicious Linux binary uploaded from Ukraine. Initial analysis showed surface similarities with the infamous AcidRain wiper used to disable KA-SAT modems across Europe at the start of the Russian invasion of Ukraine (commonly identified by the ‘Viasat hack’ misnomer). Since our initial finding, no similar samples or variants have been detected or publicly reported until now. This new sample is a confirmed variant we refer to as ‘AcidPour’, a wiper with similar and expanded capabilities.

(3/22) Sandworm-linked group likely knocked down Ukrainian internet providers


CISA and partner agencies jointly update their guidance on responding to DDoS attacks

(3/21) Understanding and Responding to Distributed Denial-Of-Service Attacks | CISA

Mandiant reports on a threat group exploiting F5 BIG-IP and ConnectWise ScreenConnect vulnerabilities

(3/22) Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect | Mandiant

During the course of an intrusion investigation in late October 2023, Mandiant observed novel N-day exploitation of CVE-2023-46747 affecting F5 BIG-IP Traffic Management User Interface. Additionally, in February 2024, we observed exploitation of Connectwise ScreenConnect CVE-2024-1709 by the same actor. This mix of custom tooling and the SUPERSHELL framework leveraged in these incidents is assessed with moderate confidence to be unique to a People's Republic of China (PRC) threat actor, UNC5174.

Mandiant reports on attack activity by Russian threat group APT29

(3/22) APT29 Uses WINELOADER to Target German Political Parties | Mandiant

In late February, APT29 used a new backdoor variant publicly tracked as WINELOADER to target German political parties with a CDU-themed lure.


Apple releases iOS 16.7.7 / iPadOS 16.7.7, iOS 17.4.1 / iPadOS 17.4.1, and visionOS 1.1.1

(3/21) Apple security releases - Apple Support

Horizon3.ai publishes a PoC for the FortiClientEMS vulnerability CVE-2023-48788

(3/21) CVE-2023-48788: Fortinet FortiClient EMS SQL Injection Deep Dive – Horizon3.ai


Japan Consumer Credit Association publishes the "Credit Card Security Guidelines [Version 5.0]"

(3/15) Credit Card Security Guidelines [Version 5.0]

METI publishes the final report of its study group on establishing a security conformity assessment scheme for IoT products

(3/15) Final report of the study group on establishing a security conformity assessment scheme for IoT products published; public comment opened on the proposed scheme design (METI)

Six more countries, including Japan, join the international effort to counter the proliferation and misuse of commercial spyware

(3/18) Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware | The White House

At the third Summit for Democracy on March 18, 2024, Finland, Germany, Ireland, Japan, Poland, and Republic of Korea joined this first-of-its-kind international commitment to work collectively to counter the proliferation and misuse of commercial spyware. This joint statement, which was originally announced at the second Summit for Democracy on March 30, 2023, has been updated to reflect these additional countries.

GitHub introduces code scanning autofix, powered by Copilot and CodeQL, in public beta

(3/20) Found means fixed: Introducing code scanning autofix, powered by GitHub Copilot and CodeQL - The GitHub Blog

Starting today, code scanning autofix will be available in public beta for all GitHub Advanced Security customers. Powered by GitHub Copilot and CodeQL, code scanning autofix covers more than 90% of alert types in JavaScript, TypeScript, Java, and Python, and delivers code suggestions shown to remediate more than two-thirds of found vulnerabilities with little or no editing.

This Week's Notable Security News - Issue #162



Undersea cable failures disrupt Internet connectivity in multiple African countries

(3/14) Undersea cable failures cause Internet disruptions for multiple African countries

Internet connectivity in several African countries was disrupted today, March 14, 2024. Beginning at approximately 05:00 UTC, west and central African countries were most impacted, as was South Africa. Based on published reports and social media posts from impacted network providers, the disruption is believed to be due to multiple undersea cable failures in the region. From The Gambia to Côte d'Ivoire, including a major network in South Africa (Vodacom), a total of 11 African countries were impacted, based on our observations.

McDonald's suffers a global system outage caused by a third-party provider's configuration change

(3/15) Update on Global Technology System Outage

At approximately midnight CDT on Friday, McDonald’s experienced a global technology system outage, which was quickly identified and corrected. Many markets are back online, and the rest are in the process of coming back online. We are closely working with those markets that are still experiencing issues. Notably, this issue was not directly caused by a cybersecurity event; rather, it was caused by a third-party provider during a configuration change.

(3/15) McDonald's: Global outage was caused by "configuration change"

(3/15) McDonald's: some stores that suspended business due to the system outage resume operations | NHK | IT & Internet

(3/16) McDonald's outage shuts some restaurants globally | AP News

Annual report on the threat situation in cyberspace for 2023 (Reiwa 5) published

(3/14) On the threat situation in cyberspace in 2023 (Reiwa 5)

Sekoia and Orange Cyberdefense jointly report their findings on Residential Proxy (RESIP) services

(3/14) Unveiling the depths of Residential Proxies providers - Sekoia.io Blog


Microsoft releases its March 2024 monthly security updates

(3/12) March 2024 Security Updates (monthly) | MSRC Blog | Microsoft Security Response Center

Among the vulnerabilities fixed in this month's security updates, CVE-2024-21334 Open Management Infrastructure Remote Code Execution Vulnerability has a high CVSS base score of 9.8 and can be exploited without authentication or user interaction. For the products affected by these vulnerabilities and the conditions under which exploitation is possible, see the "Frequently Asked Questions" on each CVE page. There was no public disclosure of vulnerability details or exploitation before the security updates were released, but given the nature of the vulnerability, we recommend that organizations promptly assess their risk and apply the security updates.

(3/12) Zero Day Initiative — The March 2024 Security Update Review

Multiple vulnerabilities in Arcserve UDP

(3/12) P00003059 | Arcserve UDP 8.1 | Console & Agent Vulnerabilities: CVE-2024-0801, CVE-2024-0800, CVE-2024-0799

(3/12) P00003050 | Arcserve UDP 9.2 | Console Vulnerabilities: CVE-2024-0801, CVE-2024-0800, CVE-2024-0799

(3/13) Arcserve Unified Data Protection 9.2 Multiple Vulnerabilities - Research Advisory | Tenable®


KeePassXC 2.7.7 released, with passkey support and import of data from 1Password and Bitwarden.

(3/10) KeePassXC 2.7.7 released – KeePassXC

Tor Project releases WebTunnel, a new type of bridge

(3/12) Hiding in plain sight: Introducing WebTunnel | The Tor Project

Today, March 12th, on the World Day Against Cyber Censorship, the Tor Project's Anti-Censorship Team is excited to officially announce the release of WebTunnel, a new type of Tor bridge designed to assist users in heavily censored regions to connect to the Tor network. Available now in the stable version of Tor Browser, WebTunnel joined our collection of censorship circumvention tech developed and maintained by The Tor Project.

This Week's Notable Security News - Issue #161



MIC issues administrative guidance to LY Corporation (LINE Yahoo)

(3/5) MIC | Press release | Measures regarding protection of the secrecy of communications and ensuring cybersecurity at LY Corporation (administrative guidance)

U.S. Department of Justice arrests and indicts a former Google employee, a Chinese national, for stealing AI-related trade secrets

(3/6) Office of Public Affairs | Chinese National Residing in California Arrested for Theft of Artificial Intelligence-Related Trade Secrets from Google | United States Department of Justice

According to the indictment, returned on March 5 and unsealed earlier today, Ding, 38, a national of the People’s Republic of China and resident of Newark, California, transferred sensitive Google trade secrets and other confidential information from Google’s network to his personal account while secretly affiliating himself with PRC-based companies in the AI industry. Ding was arrested earlier this morning in Newark.


FBI publishes the Internet Crime Report 2023

(3/) Internet Crime Report 2023

Microsoft provides an update on the attack by Russian threat group Midnight Blizzard

(3/8) Update on Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard | MSRC Blog | Microsoft Security Response Center

In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access. This has included access to some of the company’s source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised.


Multiple vulnerabilities in JetBrains TeamCity

(3/4) TeamCity 2023.11.4 Is Out | The TeamCity Blog

(3/4) Additional Critical Security Issues Affecting TeamCity On-Premises (CVE-2024-27198 and CVE-2024-27199) – Update to 2023.11.4 Now | The TeamCity Blog

(3/6) Insights and Timeline: Our Approach to Addressing the Recently Discovered Vulnerabilities in TeamCity On-Premises | The TeamCity Blog

(3/4) CVE-2024-27198 and CVE-2024-27199: JetBrains TeamCity Multiple Authentication Bypass Vulnerabilities (FIXED) | Rapid7 Blog

(3/6) Critical TeamCity flaw now widely exploited to create admin accounts

CISA adds 1+2+2 vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog

(3/4) CISA Adds One Known Exploited Vulnerability to Catalog | CISA

(3/5) CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA

  • CVE-2023-21237 Android Pixel Information Disclosure Vulnerability
  • CVE-2021-36380 Sunhillo SureLine OS Command Injection Vulnerability

(3/6) CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA

Apple releases macOS Monterey 12.7.4, macOS Ventura 13.6.5, macOS Sonoma 14.4, iOS 15.8.2 / iPadOS 15.8.2, iOS 16.7.6 / iPadOS 16.7.6, iOS 17.4 / iPadOS 17.4, tvOS 17.4, watchOS 10.4, visionOS 1.1, and Safari 17.4, including fixes for vulnerabilities already being exploited.

(3/5) Apple security releases - Apple Support

Multiple vulnerabilities in VMware ESXi and other products

(3/5) VMSA-2024-0006.1

Multiple vulnerabilities in SKYSEA Client View

(3/7) Insufficient access restriction on a specific folder (CVE-2024-21805) / Insufficient access restriction on the resident process (CVE-2024-24964) | Security and vulnerabilities | Sky Co., Ltd.

Thank you for using our site. The following two vulnerabilities have been confirmed in our product "SKYSEA Client View".

(1) Insufficient access restriction on a specific folder (CVE-2024-21805)

A vulnerability that allows an arbitrary DLL to be loaded into the service process when the SKYSEA Client View service starts, resulting in arbitrary code execution.

(2) Insufficient access restriction on the resident process (CVE-2024-24964)

A vulnerability that allows a process with administrator privileges to be launched from a user-privileged process by abusing the SKYSEA Client View resident process.


(3/7) JVN#54451757: Multiple vulnerabilities in SKYSEA Client View


Audio and video calls on X become available to all users and are enabled by default.

(3/2) The Twitter Settings You Should Change Now To Block Unwanted Calls

(3/5) Elon Musk switched on X calling by default: Here’s how to switch it off | TechCrunch

(Reference) Audio and Video Calls