Dec 28, 2020

Memo, malware: GoldenSpy/GoldenHelper embedded in the Golden Tax Invoicing Software

Data theft through China-approved software? German intelligence agency sounds the alarm; foreign companies face information-leak risk (12/10)

https://www.nikkei.com/article/DGKKZO67178650Q0A211C2EA1000


Spyware in the tax software that companies operating in China are required to use; relations with Germany also deteriorating (12/11)

https://security.srad.jp/story/20/12/11/0041219/

"China's officially approved tax software is supplied by two companies, 航天信息 and 百望雲, and both reportedly have a function that installs GoldenSpy. The spyware is installed automatically two hours after the tax software is installed, which makes it hard to detect."

"The Nikkei's wording is also poor, but according to Trustwave's SpiderLabs blog [trustwave.com], these are two pieces of malware with entirely different functionality but very similar distribution methods, and one of them has been named GoldenHelper.

航天信息→GoldenSpy

百望雲→GoldenHelper"


The primary source is here (↓)

GoldenSpy Chapter 4: GoldenHelper Malware Embedded in Official Golden Tax Software (07/14)

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-4-goldenhelper-malware-embedded-in-official-golden-tax-software/


Apart from those, the two major Chinese accounting packages, 用友 (yonyou) and 金蝶 (Kingdee), are well known. I googled each of them with "+malware", but there seem to be no articles flagging them as suspicious (↓)

360 anti-virus software accidentally killed Kingdee K3

https://titanwolf.org/Network/Articles/Article?AID=bd76878e-45e8-49e7-a3d0-78338d30db34


Incident Response Case Study for the Manufacturing Industry (06/16)

https://www.sangfor.com/source/blog-network-security/1582.html

It seems 金蝶 (Kingdee) just happened to be installed on the hacked PC as well.


Other articles that caught my attention (↓)

Points to note on China's draft Export Control Law (CISTEC Journal 2017.11 No.172)

https://www.cistec.or.jp/service/china_law/cistec-03_journal1711.pdf

"Regardless of whether the goods are of Chinese origin, re-exporting controlled items imported from China requires permission from the Chinese government

 ...

The export restrictions have been pointed out to the United States by the Japanese and European governments and industry as problematic under international law too (Japan has done so in its Unfair Trade Report and elsewhere), and CISTEC has also been requesting their abolition (i.e. leaving control to the country concerned where that country has an established export control system)."

 


Dec 6, 2020

Cybersecurity Tool Kit, warning about US election systems, cloud vulnerabilities, Baidu apps collecting data without consent

Cybersecurity Tool Kit (10/01)

https://securityboulevard.com/2020/10/cybersecurity-tool-kit/

  • Educate About Cybersecurity
  • Test Your Defenses
  • Adopt Proactive Cybersecurity
  • Prioritize, Remediate, Report

Couldn't play the video on my machine.


Election Systems Under Attack via Microsoft Zerologon Exploits (10/13)

https://threatpost.com/election-systems-attack-microsoft-zerologon/160021/

『While the CISA and FBI’s advisory did not detail what type of elections systems were targeted, it did note that there is no evidence to support that the “integrity of elections data has been compromised.”』

An easy-to-follow article that also touches on the 2020 edition of compromise scenarios for systems other than election systems.


Palo Alto Networks Report Finds Poor Security Hygiene Leads to Escalating Cloud Vulnerabilities (02/05)

https://www.prnewswire.com/news-releases/palo-alto-networks-report-finds-poor-security-hygiene-leads-to-escalating-cloud-vulnerabilities-300999159.html

  • 199,000+ insecure templates in use: .. 65% of cloud incidents were due to simple misconfigurations ..
  • 43% of cloud databases not encrypted: .. it is a requirement of compliance standards, such as HIPAA
  • 60% of cloud storage services have logging disabled:
  • Cybercrime groups are using the cloud for cryptojacking:


Baidu apps in Google Play Store left users vulnerable to tracking, Palo Alto finds (11/24-25)

https://www.cyberscoop.com/baidu-maps-search-app-data-google/

『both the Baidu Search Box and Baidu Maps applications used a software development kit (SDK) that would collect users’ MAC address, carrier information and international mobile subscriber identity (IMSI) number.

  ..

IMSI numbers, for instance, could allow cybercriminals or state-linked actors to track someone, even if they switch to a new device, as IMSI numbers can be used to uniquely identify a user.』


Dec 5, 2020

China's AutoX fifth-generation vehicles in Shenzhen, assorted Fortinet items, virtual patching

China's AutoX launches a ride-hailing service in Shenzhen using fully driverless autonomous vehicles! (12/04)

https://techable.jp/archives/143725

『Fifth-generation autonomous driving system

  Yielding to pedestrians, changing lanes to avoid cars stopped on the shoulder: the steering wheel in the empty driver's seat turns by itself』


Here is what that looks like (↓)

AutoX puts fully driverless RoboTaxis on the roads in China (12/02)

https://www.youtube.com/watch?v=7GVL9Na1_9Q


On CVE-2018-13379,

I covered this here before (1, 2), but a number of follow-up reports have come out since last week.


6.7 GB worth of sensitive details citing Fortinet SSL VPNs vulnerability have been leaked on a prominent hacker forum. (11/25)

https://www.hackread.com/hacker-leaks-vulnerable-fortinet-ssl-vpns-login-credentials/


Hacker publishes credentials stolen from Fortinet’s FortiGate VPNs (11/25)

https://siliconangle.com/2020/11/25/hacker-publishes-credentials-stolen-fortinet-fortigate-vpns/

『Sridhara added that about 50,000 records belonging to banks, telecoms and government organizations were exposed by this data leak, including session-related information and plain-text usernames and passwords of Fortinet VPN users. “What’s most concerning is that even if the vulnerability is patched, the credentials are still at risk for credential stuffing attacks,” he said.』


Any site that applied the patch after the 2018 advisory, or is about to, should have every user change their password.

Also, anyone who uses the same ID on other sites should change the passwords there too.


FortiGate VPN Default Config Allows MitM Attacks (09/25)

https://threatpost.com/fortigate-vpn-default-config-mitm-attacks/159586/

『more than 230,000 vulnerable FortiGate appliances using the VPN functionality, researchers found. Out of those, a full 88 percent, or more than 200,000 businesses, are using the default configuration and can be easily breached in an MitM attack.』


The fix is to 『manually replace the certificate in order to secure their connections appropriately』.


Also worth noting: 『Fortinet strongly recommends adhering to its provided installation documentation and process, paying close attention to warnings throughout that process to avoid exposing the organization to risk.』


Fortinet VPN with Default Settings Leave 200,000 Businesses Open to Hackers (09/25)

https://thehackernews.com/2020/09/fortigate-vpn-security.html

『"The Fortigate issue is only an example of the current issues with security for the small-medium businesses, especially during the epidemic work-from-home routine," Hertz and Tashimov noted.

"These types of businesses require near enterprise grade security these days, but do not have the resources and expertise to maintain enterprise security systems. Smaller businesses require leaner, seamless, easy-to-use security products that may be less flexible, but provide much better basic security."』

It would be good if something like an IT cooperative could be organized, with many small and medium-sized businesses as members, shared infrastructure and shared support staff, so that they could compete on the business itself.


How to better defend your organization against remote access threats (03/08)

https://www.techrepublic.com/article/how-to-better-defend-your-organization-against-remote-access-threats/

Introduces countermeasures against the following threats

  • DDoS attacks
  • VPNs : updates and the like for Palo Alto Networks, Fortinet and Pulse Secure respectively
  • Bluekeep exploits
  • Remote Desktop Protocol Attacks : proposes monitoring instead of simply calling for RDP to be shut off
  • Phishing


Why Virtual Patching is Essential for Vulnerability Mitigation (06/26)

https://www.fortinet.com/blog/business-and-technology/why-virtual-patching-essential-for-vulnerability-mitigation

『 A virtual patching is similar to a patch released by a vendor because it provides protection against a specific exploit. But in this case, the difference is that this patch is deployed at the network level using a IPS rule rather than on the device itself. It is sometimes also referred to as a proximity control as it stops a threat before it reaches its intended target.

  ..

In today’s dynamically changing environments, the traditional patch cycle simply cannot scale to keep pace with the sophistication and frequency of attacks, and the rate at which new vulnerabilities are being discovered and exploited as a result of the expansion of the digital attack surface.

Virtual patching should be considered an integral component of every organization’s patch management strategy. 』



Dec 1, 2020

memo .. Responder videos

Notes on some interesting YouTube videos.

・LLMNR and NBT-NS Poisoning Using Responder (2016/06/06)
 https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/
 It's a good idea to read this (↑) first.

・RedTeam Security Live Hacking Demonstration (2020/08/11)
 https://www.youtube.com/watch?v=k6EOhO3JKCQ
 This (↑) is a long one, about 1.5 hours. Will watch it when I have time.

・Capture Password Hashes with Responder (2016/08/28)
 https://www.youtube.com/watch?v=sAr4PBR7EUE

 Explained carefully for beginners; easy to follow.

 Whether it is LLMNR (Link-Local Multicast Name Resolution) or NBT-NS (NetBIOS Name Service), a design that relies solely on the result of name resolution (or trusts that result too readily) and hands out password hashes, just to resolve a name, leaves a lot to be desired.

 It also makes very clear how bad it is to leave WPAD enabled.
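Added example (my own code, not from the page, the 4ARMED post or the videos): a defender-side canary probe for LLMNR poisoning, which sends a query for a random name that cannot exist and treats any answer as a poisoner, since a healthy segment stays silent. It assumes the DNS-style packet layout of RFC 4795 and the standard multicast group 224.0.0.252:5355, needs a multicast-capable interface for the live probe, and the sample response at the end is constructed rather than captured.

```python
import random, socket, struct
LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # RFC 4795 IPv4 multicast group and port
def build_llmnr_query(name, txid):
    # DNS-style header (flags=0, QDCOUNT=1) + QNAME labels + QTYPE A, QCLASS IN
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)
def _skip_name(data, off):
    # advance past a label sequence, or past a 2-byte compression pointer
    while data[off] != 0:
        if data[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + data[off]
    return off + 1
def parse_llmnr_response(data, txid):
    # IPv4 answers in a response to our txid, or None if the packet is not one
    if len(data) < 12:
        return None
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:  # QR bit set means "response"
        return None
    off, addrs = 12, []
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return addrs
def probe_for_poisoner(timeout=2.0):
    # ask for a random name that cannot exist on the segment; only a poisoner answers
    name, txid = "canary-%06x" % random.randrange(1 << 24), random.randrange(1 << 16)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
    try:
        data, (src, _) = sock.recvfrom(512)
    except socket.timeout:
        return None  # silence is the healthy result
    return src, parse_llmnr_response(data, txid)
# Constructed sample (not captured traffic): the forged reply a poisoner would send for
# "canary-zqxv", steering the victim to 192.0.2.10 (an RFC 5737 documentation address).
SAMPLE_TXID = 0x1234
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", SAMPLE_TXID, 0x8000, 1, 1, 0, 0)
                   + build_llmnr_query("canary-zqxv", SAMPLE_TXID)[12:]  # echoed question
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton("192.0.2.10"))
```

Run probe_for_poisoner() from a host on the segment: None is the expected result, while a (source IP, addresses) tuple means something answered a name nobody should know.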