Windows zero‑day CVE‑2019‑1132 exploited in targeted attacks | WeLiveSecurity
ESET research discovers a zero-day exploit that takes advantage of a local privilege escalation vulnerability in Windows In June 2019, ESET researchers identified a zero-day exploit being used in a highly targeted attack in Eastern Europe. The exploit abuses a local privilege escalation vulnerability in Microsoft Windows, specifically a NULL pointer dereference in the win32k.sys component. Once th
US-CERTã®ã€ŒPublicly Available Tools Seen in Cyber Incidents Worldwideã€ã‚’翻訳ã—ã¦ã¿ãŸï¼ï¼ - ã‚»ã‚ュリティコンサルタントã®æ—¥èªŒã‹ã‚‰
先日ã€US-CERTã‹ã‚‰ã‚µã‚¤ãƒãƒ¼çŠ¯ç½ªã«åˆ©ç”¨ã•ã‚Œã‚‹å…¬é–‹ãƒ„ールã«é–¢ã™ã‚‹ã‚¢ãƒŠã‚¦ãƒ³ã‚¹ãŒå‡ºã•ã‚Œã¾ã—ãŸã€‚ Publicly Available Tools Seen in Cyber Incidents Worldwide | US-CERT ITMediaã«ã‚‚å–り上ã’られã¦ã„ã¾ã™ãŒã€æ¯”較的é¢ç™½ã„記事ã ã£ãŸã®ã§å‹æ‰‹ã«ç¿»è¨³ã—ã¦ã¿ã¾ã—ãŸã€‚(アメリカåˆè¡†å›½æ”¿åºœæ©Ÿé–¢ã®è‘—作物ã¯ãƒ‘ブリックドメインã¨ã—ã¦æ‰±ã‚れるã®ã§ç¿»è¨³ã—ã¦å…¬é–‹ã—ã¦ã‚‚å•é¡Œãªã„ã¨åˆ¤æ–ã—ã¦ã„ã¾ã™ã€‚é–“é•ã£ã¦ã„ãŸã‚‰æ•™ãˆã¦ãã ã•ã„。) www.itmedia.co.jp 利用ã«éš›ã™ã‚‹æ³¨æ„äº‹é …ã¯ä»¥ä¸‹ã®é€šã‚Šã§ã™ã€‚ 翻訳上ã®èª¤ã‚Šã¯å¤šã€…ã‚ã‚‹ã¨æ€ã„ã¾ã™ãŒã€è‡ªå·±è²¬ä»»ã§ã”活用ãã ã•ã„。 記事ã®æ„図をåæ˜ ã™ã‚‹ãŸã‚ã€æ„訳をã—ã¦ã„るケースãŒå¤šã€…ã‚ã‚Šã¾ã™ã—ã€çœç•¥ã—ãŸã‚Šè¿½åŠ ã§è¨€è‘‰ã‚’æ·»ãˆã¦ã„ã‚‹å ´åˆãŒã‚ã‚Šã¾ã™ã€‚ ã„ã¾ã„ã¡æ„図ãŒã‚ã‹ã‚‰ãªã„æ–‡ç« ã‚‚ã‚ã£ãŸã®ã§ã€ãã®å ´åˆã¯æŽ¨æ¸¬ã§è¨³ã‚’ã—ã¦ã„ã‚‹å ´åˆ
ä¸å›½ã®ã€ŒAPT10ã€ãŒæœ€æ–°ã®TTP(戦術ã€æŠ€è¡“ã€ãŠã‚ˆã³æ‰‹é †ï¼‰ã‚’用ã„ã€æ—¥æœ¬ä¼æ¥ã‚’標的ã«
ファイア・アイã¯ä»Šå¹´7月ã€ã€ŒAPT10ã€ï¼ˆåˆ¥å:MenuPass)ã¨æ€ã‚れるグループã«ã‚ˆã‚‹ã€æ—¥æœ¬ã®ãƒ¡ãƒ‡ã‚£ã‚¢æ¥ç•Œã‚’標的ã«ã—ãŸã‚¢ã‚¯ãƒ†ã‚£ãƒ“ティを検知・阻æ¢ã—ã¾ã—ãŸã€‚APT10ã¯ã€ãƒ•ã‚¡ã‚¤ã‚¢ãƒ»ã‚¢ã‚¤ãŒ2009年より追跡ã—ã¦ã„ã‚‹ä¸å›½ã®ã‚µã‚¤ãƒãƒ¼ãƒ»ã‚¹ãƒ‘イ・グループã§ã€ã“ã‚Œã¾ã§ã‚‚日本ã®ä¼æ¥ãƒ»çµ„織を標的ã¨ã—ã¦ãã¾ã—ãŸã€‚今回ã®æ”»æ’ƒã‚ャンペーンã§ã¯ã€UPPERCUTãƒãƒƒã‚¯ãƒ‰ã‚¢ã‚’インストールã™ã‚‹ã€æ‚ªæ„ã‚る文書を添付ã—ãŸã‚¹ãƒ”アフィッシング・メールãŒã€æ—¥æœ¬ã®ãƒ¡ãƒ‡ã‚£ã‚¢æ¥ç•Œã«ãŠã‘ã‚‹ã•ã¾ã–ã¾ãªä¼æ¥ãƒ»å›£ä½“ã«é€ä»˜ã•ã‚Œã¾ã—ãŸã€‚ã“ã®ãƒãƒƒã‚¯ãƒ‰ã‚¢ã¯ã€ã‚³ãƒŸãƒ¥ãƒ‹ãƒ†ã‚£ã§ã¯ANEL ã®åã§çŸ¥ã‚‰ã‚Œã¦ãŠã‚Šã€æœ€æ–°ãƒãƒ¼ã‚¸ãƒ§ãƒ³ãŒç™ºè¡¨ã•ã‚Œã‚‹ã¾ã§ã¯ã€ãƒ™ãƒ¼ã‚¿ç‰ˆã¾ãŸã¯RC(リリース候補版)ã®å½¢ã§æä¾›ã•ã‚Œã¦ã„ã¾ã—ãŸã€‚本ブãƒã‚°ã§ã¯ã€ãƒãƒ¼ã‚¸ãƒ§ãƒ³é–“ã®æ›´æ–°å†…容や差異ã«ã¤ã„ã¦åˆ†æžã—ã¦ã„ã¾ã™ã€‚ 攻撃ã®æ¦‚è¦ æœ€åˆã®æ”»æ’ƒãƒ™ã‚¯ãƒˆãƒ«ã§ã¯ã€æ‚ªæ„ã‚ã‚‹VBAマクãƒã‚’æ ¼ç´ã—ãŸMicrosoft
プラグインをダウンãƒãƒ¼ãƒ‰ã—ã¦å®Ÿè¡Œã™ã‚‹ãƒžãƒ«ã‚¦ã‚¨ã‚¢TSCookie (2018-03-01) | JPCERTコーディãƒãƒ¼ã‚·ãƒ§ãƒ³ã‚»ãƒ³ã‚¿ãƒ¼ï¼ˆJPCERT/CC)
2018å¹´1月17æ—¥é ƒã€æ–‡éƒ¨ç§‘å¦çœã«å½è£…ã—ãŸä¸æ£ãªãƒ¡ãƒ¼ãƒ«ãŒé€ä¿¡ã•ã‚Œã¦ã„ãŸã“ã¨ãŒä¸€éƒ¨ã§ç¢ºèªã•ã‚Œã¦ã„ã¾ã™[1]。ã“ã®ãƒ¡ãƒ¼ãƒ«ã«ã¯URLãŒè¨˜è¼‰ã•ã‚Œã¦ãŠã‚Šã€ã‚¢ã‚¯ã‚»ã‚¹ã™ã‚‹ã¨ãƒžãƒ«ã‚¦ã‚¨ã‚¢TSCookieãŒãƒ€ã‚¦ãƒ³ãƒãƒ¼ãƒ‰ã•ã‚Œã¾ã—ãŸã€‚(トレンドマイクãƒç¤¾ã¯ã“ã®ãƒžãƒ«ã‚¦ã‚¨ã‚¢ã‚’PLEADã¨å‘¼ã‚“ã§ã„ã¾ã™[2]。PLEADã¯ã€æ”»æ’ƒã‚ャンペーンåã¨ã—ã¦ä½¿ã‚れるã“ã¨ã‚‚ã‚ã‚‹ãŸã‚ã€ã“ã“ã§ã¯ã“ã®ãƒžãƒ«ã‚¦ã‚¨ã‚¢ã‚’TSCookieã¨è¨˜è¼‰ã—ã¾ã™ã€‚)TSCookieã¯ã€2015å¹´é ƒã‹ã‚‰ç¢ºèªã•ã‚Œã¦ãŠã‚Šã€BlackTech[3]ã¨å‘¼ã°ã‚Œã‚‹æ”»æ’ƒã‚°ãƒ«ãƒ¼ãƒ—ã¨ã®é–¢é€£ãŒç–‘ã‚ã‚Œã¦ã„ã¾ã™ã€‚JPCERT/CCã§ã¯ã“ã®ãƒžãƒ«ã‚¦ã‚¨ã‚¢ã‚’使用ã—ãŸæ”»æ’ƒã‚°ãƒ«ãƒ¼ãƒ—ãŒã€éŽåŽ»ã«æ—¥æœ¬ã®çµ„織をターゲットã«æ¨™çš„型攻撃を行ã£ã¦ã„ã‚‹ã“ã¨ã‚’確èªã—ã¦ã„ã¾ã™ã€‚ 今回ã¯ã€TSCookieã®è©³ç´°ã«ã¤ã„ã¦ç´¹ä»‹ã—ã¾ã™ã€‚ TSCookieã®æ¦‚è¦ å›³1ã¯ã€TSCookie実行時ã®å‹•ä½œã®æµã‚Œã‚’示ã—ã¦ã„ã¾ã™ã€‚ 図
攻撃グループBlackTechãŒä½¿ã†ãƒžãƒ«ã‚¦ã‚¨ã‚¢PLEADダウンãƒãƒ¼ãƒ€ (2018-05-28) - JPCERTコーディãƒãƒ¼ã‚·ãƒ§ãƒ³ã‚»ãƒ³ã‚¿ãƒ¼ï¼ˆJPCERT/CC)
å‰å›žã®åˆ†æžã‚»ãƒ³ã‚¿ãƒ¼ã より ã§ã¯æ”»æ’ƒã‚°ãƒ«ãƒ¼ãƒ—BlackTech[1]ãŒä½¿ç”¨ã—ã¦ã„ã‚‹ã¨è€ƒãˆã‚‰ã‚Œã‚‹ãƒžãƒ«ã‚¦ã‚¨ã‚¢TSCookie ã«ã¤ã„ã¦ç´¹ä»‹ã—ã¾ã—ãŸã€‚ã“ã®æ”»æ’ƒã‚°ãƒ«ãƒ¼ãƒ—ã¯ãã®ä»–ã«ã‚‚PLEADã¨å‘¼ã°ã‚Œã‚‹ãƒžãƒ«ã‚¦ã‚¨ã‚¢ã‚’使用ã™ã‚‹ã“ã¨ãŒåˆ†ã‹ã£ã¦ã„ã¾ã™ã€‚(PLEADã¯è¤‡æ•°ã®ãƒžãƒ«ã‚¦ã‚¨ã‚¢ç¨®åˆ¥å(TSCookieã‚’å«ã‚€ï¼‰ã¨ãã®ãƒžãƒ«ã‚¦ã‚¨ã‚¢ã‚’使用ã—ãŸæ”»æ’ƒã‚ャンペーンåã¨ã—ã¦ä½¿ç”¨ã•ã‚Œã¦ã„ã¾ã™[2]。ã“ã“ã§ã¯PLEADã‚’TSCookieã¨ã¯ç•°ãªã‚‹ãƒžãƒ«ã‚¦ã‚¨ã‚¢ç¨®åˆ¥åã¨ã—ã¦ä½¿ç”¨ã—ã¾ã™ã€‚)PLEADã«ã¯RATタイプã¨ã€ãƒ€ã‚¦ãƒ³ãƒãƒ¼ãƒ€ã‚¿ã‚¤ãƒ—(以é™ã€PLEADダウンãƒãƒ¼ãƒ€ã¨è¨˜è¼‰ã™ã‚‹ï¼‰ãŒå˜åœ¨ã—ã¾ã™ã€‚RATタイプã¯è¤‡æ•°ã®ã‚³ãƒžãƒ³ãƒ‰ã‚’æŒã¡ã€å‘½ä»¤ã‚’å—ä¿¡ã™ã‚‹ã“ã¨ã«ã‚ˆã£ã¦å‹•ä½œã—ã¾ã™ã€‚(詳ã—ãã¯ã€LAC社ãŒå…¬é–‹ã—ã¦ã„るブãƒã‚°[3]ã®ã€Œæ”»æ’ƒæ‰‹å£3ã€ã‚’ã”覧ãã ã•ã„。)PLEADダウンãƒãƒ¼ãƒ€ã¯ã€TSCookieã¨åŒã˜ãモジュールをダウンãƒãƒ¼ãƒ‰ã—ã€ãƒ¡ãƒ¢ãƒªä¸Šã§å®Ÿè¡Œ
Linuxã¨Windowsã‚’ç‹™ã†ãƒžãƒ«ã‚¦ã‚¨ã‚¢WellMess(2018-06-28) | JPCERTコーディãƒãƒ¼ã‚·ãƒ§ãƒ³ã‚»ãƒ³ã‚¿ãƒ¼ï¼ˆJPCERT/CC)
マルウエアã®ä¸ã«ã¯ãƒžãƒ«ãƒãƒ—ラットフォームã§å‹•ä½œã™ã‚‹ã“ã¨ã‚’æ„図ã—ã¦ä½œæˆã•ã‚ŒãŸã‚‚ã®ãŒå˜åœ¨ã—ã€ãã®éš›ã«ä½¿ç”¨ã•ã‚Œã‚‹ãƒ—ãƒã‚°ãƒ©ãƒŸãƒ³ã‚°è¨€èªžã¨ã—ã¦ä»£è¡¨çš„ãªã‚‚ã®ãŒJavaã§ã™ã€‚ãŸã¨ãˆã°ã€ä»¥å‰åˆ†æžã‚»ãƒ³ã‚¿ãƒ¼ã よりã§ç´¹ä»‹ã—ãŸAdwindã¯Javaã§ä½œæˆã•ã‚ŒãŸãƒžãƒ«ã‚¦ã‚¨ã‚¢ã§ã€Windows以外ã®OSã§ã‚‚動作ã—ã¾ã™ã€‚ã”å˜çŸ¥ã®é€šã‚Šã€Java以外ã«ã‚‚マルãƒãƒ—ラットフォームã§å‹•ä½œã™ã‚‹ã“ã¨ã‚’想定ã—ãŸãƒ—ãƒã‚°ãƒ©ãƒŸãƒ³ã‚°è¨€èªžã¯å˜åœ¨ã—ã€Golangã‚‚ãã®ï¼‘ã¤ã§ã™ã€‚Javaã§ä½œæˆã•ã‚ŒãŸãƒžãƒ«ã‚¦ã‚¨ã‚¢ã«æ¯”ã¹ã‚‹ã¨å°‘ãªã„ã§ã™ãŒã€Golangã§ä½œæˆã•ã‚ŒãŸã‚‚ã®ã‚‚確èªã•ã‚Œã¦ã„ã¾ã™ã€‚ãŸã¨ãˆã°ã€Linuxã«æ„ŸæŸ“ã™ã‚‹ãƒžãƒ«ã‚¦ã‚¨ã‚¢ã¨ã—ã¦æœ‰åãªMiraiもコントãƒãƒ¼ãƒ©ãƒ¼ã«ã¯GolangãŒä½¿ç”¨ã•ã‚Œã¦ã„ã¾ã™ã€‚ 今回ã¯ã€JPCERT/CC ã§ç¢ºèªã—ãŸãƒžãƒ«ã‚¦ã‚¨ã‚¢WellMessã«ã¤ã„ã¦ç´¹ä»‹ã—ã¾ã™ã€‚WellMessã¯ã€Golangã§ä½œæˆã•ã‚Œã€ã‚¯ãƒã‚¹ã‚³ãƒ³ãƒ‘イルã«ã‚ˆã£ã¦Linux
SynAck targeted ransomware uses the Doppelgänging technique
The Process Doppelgänging technique was first presented in December 2017 at the BlackHat conference. Since the presentation several threat actors have started using this sophisticated technique in an attempt to bypass modern security solutions. In April 2018, we spotted the first ransomware employing this bypass technique – SynAck ransomware. It should be noted that SynAck is not new – it has been
BadRabbit: a closer look at the new version of Petya/NotPetya | Malwarebytes Labs
Petya/NotPetya (aka EternalPetya), made headlines in June, due to it’s massive attack on Ukraine. Today, we noted an outbreak of a similar-looking malware, called BadRabbit, probably prepared by the same authors. Just like the previous edition, BadRabbit has an infector allowing for lateral movements, using SMB to propagate laterally. Unlike NotPetya, it doesn’t use EternalBlue and is more widely
韓国ã§ç¢ºèªã•ã‚ŒãŸã‚µã‚¤ãƒãƒ¼æ”»æ’ƒã€ŒOnionDog 作戦ã€ã‚’綿密調査 | トレンドマイクムセã‚ュリティブãƒã‚°
本記事ã§ã¯ã€æ¯”較的å°è¦æ¨¡ã®æ¨™çš„型サイãƒãƒ¼æ”»æ’ƒã€ŒOnionDog(オニオンドッグ)作戦ã€ã«ã¤ã„ã¦è§£èª¬ã—ã¾ã™ã€‚ã“ã®æ”»æ’ƒã‚ャンペーンã¯ã€éŸ“国ã®é›»åŠ›ãŠã‚ˆã³è¼¸é€æ¥ç•Œã®é‡è¦äººç‰©ã‚’標的ã¨ã—ã¦3 年以上ã«ã‚ãŸã£ã¦æ¯Žå¹´å®Ÿè¡Œã•ã‚ŒãŸã¨ã•ã‚Œã¦ãŠã‚Šã€å ±é“æ©Ÿé–¢ã‹ã‚‰ã‚‚ã‚る程度ã®æ³¨ç›®ã‚’集ã‚ã¾ã—ãŸã€‚ è¿‘å¹´ã€ãƒ¡ãƒ‡ã‚£ã‚¢ã‚„ã‚»ã‚ュリティæ¥ç•Œã§æ³¨ç›®ã‚’集ã‚るワード㮠1 ã¤ã«ã€ŒåŒ—æœé®®ã€ãŒã‚ã‚Šã¾ã™ã€‚最近ã§ã¯ã€å„国ã®éŠ€è¡Œã‹ã‚‰å¤šé¡ã®è³‡é‡‘を窃å–ã—ãŸã‚µã‚¤ãƒãƒ¼çŠ¯ç½ªè€…集団「Lazarusã€ã¨åŒ—æœé®®ã¨ã®é–¢é€£ãŒå™‚ã•ã‚Œã€å¤šãã®é–¢å¿ƒã‚’集ã‚ã¦ã„ã¾ã™ãŒã€ã“ã® OnionDog 作戦ã«ã¤ã„ã¦ã‚‚北æœé®®ã¨é–¢é€£ä»˜ã‘ã‚‹å ±é“ãŒè¦‹ã‚‰ã‚Œã¦ã„ã¾ã™ã€‚ã—ã‹ã—ã€OnionDog 作戦ã®æ”»æ’ƒæ‰‹æ³•ã«ã¤ã„ã¦ãƒˆãƒ¬ãƒ³ãƒ‰ãƒžã‚¤ã‚¯ãƒãŒç¶¿å¯†ã«èª¿æŸ»ã—ãŸçµæžœã€æ¨™çš„型サイãƒãƒ¼æ”»æ’ƒã ã¨è€ƒãˆã‚‰ã‚Œã¦ã„㟠OnionDog 作戦ãŒã€å®Ÿã¯ã‚µã‚¤ãƒãƒ¼æ”»æ’ƒæ¼”ç¿’ã ã£ãŸã¨ã„ã†èˆˆå‘³æ·±ã„事実ã«åˆ°é”ã—ã¾ã—ãŸã€‚ â– OnionDog 作
「BlackTechã€ã«ã‚ˆã‚‹ã‚µã‚¤ãƒãƒ¼è«œå ±æ´»å‹•ã®è¶³è·¡ã‚’追ㆠ|
サイãƒãƒ¼æ”»æ’ƒè€…集団「BlackTech(ブラックテック)ã€ã¯ã€å°æ¹¾ã‚’ä¸å¿ƒã¨ã—ãŸæ±ã‚¢ã‚¸ã‚¢åœ°åŸŸã§ã‚µã‚¤ãƒãƒ¼è«œå ±æ´»å‹•ã™ã‚‹æ”»æ’ƒè€…集団ã§ã€æ—¥æœ¬ã‚„香港ã§ã®æ´»å‹•ã‚‚確èªã•ã‚Œã¦ã„ã¾ã™ã€‚彼らãŒåˆ©ç”¨ã™ã‚‹ã‚³ãƒžãƒ³ãƒ‰&コントãƒãƒ¼ãƒ«ï¼ˆC&C)サーãƒã® Mutex やドメインåã‹ã‚‰ã€BlackTech ã®ç›®çš„ã¯æ¨™çš„者ãŒæ‰€æœ‰ã™ã‚‹æŠ€è¡“ã®çªƒå–ã«ã‚ã‚‹ã¨æŽ¨æ¸¬ã•ã‚Œã¦ã„ã¾ã™ã€‚ BlackTech ãŒåˆ©ç”¨ã™ã‚‹æ‰‹æ³•ãªã©ã®å¤‰åŒ–を追跡ã—ãŸã¨ã“ã‚ã€åˆ¥ã€…ã®ã‚µã‚¤ãƒãƒ¼è«œå ±æ´»å‹•ã ã¨æ€ã‚ã‚Œã¦ã„ãŸã€ã€ŒPLEAD(プリード)ã€ã€ã€ŒShrouded Crossbow(シュラウディッド・クãƒã‚¹ãƒœã‚¦ï¼‰ã€ã€ã€ŒWaterbear(ウォーターベア)ã€ã®é–“ã«ã€ã‚る共通点ãŒæµ®ã‹ã³ä¸ŠãŒã£ã¦ãã¾ã—ãŸã€‚ 本記事ã§ã¯ã€å„攻撃ã‚ャンペーンã®æ‰‹å£ã‚’比較ã—ã€åˆ©ç”¨ã•ã‚ŒãŸãƒ„ールを解æžã—ãŸçµæžœåˆ¤æ˜Žã—ãŸ3ã¤ã®æ”»æ’ƒã‚ャンペーンãŒåŒä¸€ã®æ”»æ’ƒé›†å›£ã«ã‚ˆã£ã¦å®Ÿè¡Œã•ã‚ŒãŸã“ã¨ã‚’示ã™å…±é€šç‚¹ã«ã¤ã„ã¦è§£èª¬ã—ã¾ã™ã€‚ â–
OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group
OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group Unit 42 has discovered activity involving threat actors responsible for the OilRig campaign with a potential link to a threat group known as GreenBug. Symantec first reported on this group back in January 2017, detailing their operations and using a custom information stealing Trojan called ISMDoor. In July 2017, we observed an
Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY) « Threat Research Blog | FireEye Inc
Dissecting One of APT29's Fileless WMI and PowerShell Backdoors (POSHSPY) Written by: Matthew Dunwoody Mandiant has observed APT29 using a stealthy backdoor that we call POSHSPY. POSHSPY leverages two of the tools the group frequently uses: PowerShell and Windows Management Instrumentation (WMI). In the investigations Mandiant has conducted, it appeared that APT29 deployed POSHSPY as a secondary b
リリースã€éšœå®³æƒ…å ±ãªã©ã®ã‚µãƒ¼ãƒ“スã®ãŠçŸ¥ã‚‰ã›
最新ã®äººæ°—エントリーã®é…ä¿¡
j次ã®ãƒ–ックマーク
kå‰ã®ãƒ–ックマーク
lã‚ã¨ã§èªã‚€
eコメント一覧を開ã
oページを開ã
https://www.lac.co.jp/lacwatch/pdf/20180614_cecreport_vol3.pdf
Ammyy Admin hit by malware again with World Cup used as camouflage
Malware Analysis – PlugX
Redirecting...
“Fileless†UAC Bypass Using eventvwr.exe and Registry Hijacking
Evading Microsoft ATA for Active Directory Domination
[PDF] ISFB Still Live and Kicking
GitHub - gentilkiwi/mimikatz: A little tool to play with Windows security
{{#tags}}- {{label}}
{{/tags}}