General trends
Exploitation of the COVID-19 theme
In the second quarter of 2020, cybercriminals actively exploited the pandemic topic in social-engineering attacks (unexpected, right?). As a rule, the malicious e-mails imitated official mailings containing information about the coronavirus, which significantly increased the effectiveness of such attacks during a period of general panic and tension. Moreover, it was not only mass malware (ransomware, banking trojans, RATs and so on) that used this lure; there were also cases of APT groups exploiting the pandemic. They attacked customers of almost every industry and type, from SMBs to enterprises and state-owned companies.
Example of a phishing e-mail purporting to come from the US Centers for Disease Control and Prevention:
Dharma ransomware and RDP attacks
During the pandemic many companies organized remote work mainly over RDP, and who could blame them.
Moreover, at the end of March 2020 an announcement appeared on underground forums that the source code of the Dharma ransomware was for sale for $2,000. And already in April and May we were investigating incidents in which an attacker (judging by the results of the investigations, several different attackers) broke into the victim's infrastructure by brute-forcing the password of a local administrator account over RDP. He then chose a simple but effective way to bypass the antivirus: he launched dozens of copies of the ransomware in different wrappers. Most of the files were detected and removed by the antivirus, but a single undetected sample was enough for the encryption to succeed. The intruder's attempts to evade protection are visible in the antivirus log:
This suggests that someone bought the Dharma source code and is putting it to skilful use, covering the encryptor in a variety of wrappers.
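As an added illustration (not tooling from the report), the following Python checks Windows Security events for the RDP password brute force described above: a burst of failed RemoteInteractive logons (event 4625, logon type 10) from one source, followed by a success (event 4624) from the same source. The events are constructed samples; the threshold and the time window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (not data from the report).
# 4625 = failed logon, 4624 = successful logon; logon type 10 = RemoteInteractive (RDP).
# Fields: (timestamp, event_id, logon_type, account, source_ip)
SAMPLE_EVENTS = [
    ("2020-05-03 02:14:%02d" % s, 4625, 10, "Administrator", "203.0.113.7")
    for s in range(0, 60, 2)                                            # 30 failures in a minute
] + [
    ("2020-05-03 02:16:40", 4624, 10, "Administrator", "203.0.113.7"),  # ...then a success
    ("2020-05-03 09:00:00", 4625, 10, "j.smith", "10.0.0.5"),           # a single user typo
    ("2020-05-03 09:00:30", 4624, 10, "j.smith", "10.0.0.5"),
    ("2020-05-03 09:05:00", 4625, 3, "svc_backup", "10.0.0.9"),         # network logon, not RDP
]


def detect_rdp_bruteforce(events, threshold=20, window=timedelta(minutes=10)):
    """Return one alert per source IP with >= threshold failed RDP logons inside
    `window`, and note whether an RDP success from that IP followed the burst."""
    recent = defaultdict(deque)   # source_ip -> failure timestamps still inside the window
    alerts = {}                   # source_ip -> alert dict
    for ts_str, event_id, logon_type, account, ip in sorted(events):
        if logon_type != 10:      # only RemoteInteractive (RDP) logons are of interest here
            continue
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        if event_id == 4625:
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:          # slide the window forward
                q.popleft()
            if ip in alerts:
                alerts[ip]["failures"] += 1    # keep counting after the alert fired
            elif len(q) >= threshold:
                alerts[ip] = {"source_ip": ip, "account": account, "failures": len(q),
                              "first_failure": q[0], "followed_by_success": False}
        elif event_id == 4624 and ip in alerts:
            alerts[ip]["followed_by_success"] = True   # the brute force most likely succeeded
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```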
Use of legitimate services
The trend of using publicly available exploits to compromise unpatched web services continues. For example, the same old ShellShock is still frequently used in attacks on the public sector. Similar vectors are also seen in attacks on the energy and power-generation sectors. E-commerce and banks, on the other hand, are very good at building protection for their own web applications, so such problems rarely occur there.
In one investigation we came across the use of a combination of vulnerabilities in a JBoss Web Application Server. As a result of the exploitation, the attacker placed a shell (jcmd.war) on the server and then sent commands to this shell through an SSRF vulnerability in a WebLogic server.
The command was a PowerShell script that executed various actions on the system and sent the results over a DNS tunnel to the legitimate site ceye.io, a service set up by information-security specialists for testing enterprise applications!
On that site, in the attacker's account, we saw something like this:
In the end, by collecting the response fragments manually or with a script, he [obtained] the results of the command execution
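As an added example (not the script from the investigation), the following Python runs over constructed DNS query-log lines to flag the kind of DNS tunnel described above: many queries from one host whose labels are hex-encoded chunks under an out-of-band logging domain such as ceye.io, and, for incident response, it reassembles what was sent. The log format, the `<seq>.<hexchunk>.<token>.ceye.io` label layout and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed DNS query log (not from the investigation). Format: "<time> <client> <qname>".
# The tunnel hex-encodes each chunk of command output into one label, numbered by a
# sequence label, under a token subdomain of the out-of-band logging service.
SAMPLE_LOG = """\
10:01:02 10.20.30.40 www.example.com
10:01:05 10.20.30.40 0001.636f7270.abcd1234.ceye.io
10:01:05 10.20.30.40 0002.5c61646d.abcd1234.ceye.io
10:01:09 10.20.30.41 mail.example.com
10:01:12 10.20.30.40 0003.696e0d0a.abcd1234.ceye.io
"""
OOB_LOGGING_DOMAINS = {"ceye.io"}   # extend with other DNS-logging services you know of
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
HEX_RE = re.compile(r"^[0-9a-f]{8,}$", re.I)


def registered_domain(qname):
    """Crude 'last two labels' registered domain; fine for the sample, not for public suffixes."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def recover_payload(qnames):
    """Forensics: order the queries by their sequence label and decode the hex chunks."""
    chunks = []
    for q in qnames:
        labels = q.split(".")
        if len(labels) > 2 and labels[0].isdigit() and HEX_RE.match(labels[1]):
            chunks.append((int(labels[0]), labels[1]))
    return bytes.fromhex("".join(c for _, c in sorted(chunks))).decode("latin-1")


def find_dns_tunnels(log_text, min_queries=3, min_hex_ratio=0.5):
    """Group queries by (client, domain); flag known OOB domains or hex-heavy label sets."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _, client, qname = m.groups()
            groups[(client, registered_domain(qname))].append(qname)
    findings = []
    for (client, domain), qnames in groups.items():
        labels = [l for q in qnames for l in q.split(".")[:-2]]   # drop the registered domain
        hex_ratio = sum(bool(HEX_RE.match(l)) for l in labels) / max(len(labels), 1)
        if domain in OOB_LOGGING_DOMAINS or (len(qnames) >= min_queries and hex_ratio >= min_hex_ratio):
            findings.append({"client": client, "domain": domain, "queries": len(qnames),
                             "hex_ratio": round(hex_ratio, 2), "recovered": recover_payload(qnames)})
    return findings
```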
Basic attacks and typical attackers
Below:
Citrix vulnerability CVE-2019-19781
The RCE-class vulnerability found in Citrix NetScaler at the end of 2019 has become one of the largest and most easily exploited of recent years. After the news and a PoC were made public, the scale of the problem quickly became clear: tens of thousands of systems worldwide turned out to be vulnerable.
For our part, we recorded massive attacks on organizations in the credit and financial sector, the power-generation and energy complex, and the energy and industrial sectors. In particular, in one of our own investigations we found that this vulnerability served as the attacker's entry point into the infrastructure: by installing a web shell on the Citrix NetScaler system, he was able to maintain access for 7 months.
Traces of exploitation of CVE-2019-19781 look like this:
New RTM spam
Cybercriminals have begun sending the well-known banking trojan RTM in a new wrapper with a very simple structure that works in three stages. Below is the first wrapper layer, which decrypts the shellcode and passes control to it:
Next, shellcode with almost the same simple structure decrypts and launches an executable, which then decompresses RTM with the RtlDecompressBuffer function and launches it.
As you know, RTM has in recent years been the leader in the Russian segment by number of phishing mailings. The attacks aim to capture as much of the infrastructure as possible and entrench in it, after which monetization is attempted by withdrawing funds.
Emotet resumes activity
The Emotet downloader, which was hardly used in Russia last year, became active again in July 2020, this time distributing the QBot banking trojan. We recorded it at customers in a variety of industries: energy, the public sector, credit and finance, and others. At the same time, one of the QBot modules can steal e-mail messages, which the operators distributing Emotet then use in their phishing mailings. This greatly raises the recipient's level of trust and, with it, the likelihood of infection.
The malware was wrapped in a shell disguised as an MFC application:
One of the protection layers uses control-flow obfuscation:
MassLogger stealer mailings
Recently we registered the new MassLogger stealer at one of our foreign customers. Although it is not yet sent out frequently, it has already caught the attention of information-security specialists. Incidentally, it has not yet been seen in mailings to Russian companies.
The virus is a .NET executable protected by a wrapper with numerous virtual-environment checks, and it is obfuscated. Three main obfuscation methods are used: control-flow obfuscation, string encryption, and dynamic delegate initialization.
An example of the control-flow obfuscation is shown below:
At the start of execution one of the resources is decrypted. It contains a special dictionary: each key is the token of a field of some class, and the value is the token of the function whose delegate is used to initialize that field. Many functions are then called through these dynamically initialized fields.
Below is the code snippet where the dictionary is filled and the fields are initialized with delegates:
The MassLogger family can send the data collected from the victim's computer in three ways: to a control panel (HTTP), to an FTP server, or to a mailbox. The virus configuration contains the credentials needed for the FTP and mail servers (depending on the sending method in use). In this respect MassLogger resembles other .NET stealers (Hawkeye, Agent Tesla). Below is the code snippet where the configuration is filled in:
NetWire mailings in a Visual Basic wrapper
Across a range of industries we recorded mass mailings of the NetWire RAT in a wrapper written in Visual Basic; we have seen both native-code and p-code variants. The wrapper's job is to check for a virtual environment and then decode and load NetWire from a specific hard-coded address. Last year we saw many different stealer families in similar wrappers, but these samples contain more obfuscation and virtual-environment detection techniques.
A typical code snippet from this VB packer is shown below:
An example of detecting unwanted services by computed hashes of the service names ("VMwareTools", "VMwareSnapshotProvider" and so on):
Zloader mailings using Excel 4.0 macros
Some customers in the credit and financial sector registered mailings of the Zloader malware. The user received an Excel document; when it was opened, specific formulas in its cells were triggered that performed the required actions, such as anti-analysis checks and downloading the malware. The formulas themselves are scattered across a huge sheet, which makes them hard to find and analyze. It is worth noting that the Macro 4.0 technology is considered obsolete and is now hardly used.
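As an added example (not the report's own tooling), here is a Python scanner for the Excel 4.0 macro technique described above: it opens an .xlsm as the zip archive it is, reports hidden or veryHidden sheets, Excel 4.0 macro sheets (`xl/macrosheets/`), XLM functions used for execution and anti-analysis, and formulas placed far from the top of the sheet. The workbook it scans is built inline as a constructed sample; the function list and the "far from A1" row threshold are assumptions.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

# XLM (Excel 4.0) functions worth flagging: execution, DLL calls, anti-analysis
# (GET.WORKSPACE) and string assembly (CHAR). Assumed list; extend as needed.
SUSPICIOUS = ("EXEC(", "CALL(", "REGISTER(", "FORMULA", "GET.WORKSPACE(", "CHAR(")
MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"


def build_sample_xlsm():
    """Construct a minimal workbook with a veryHidden Excel 4.0 macro sheet (sample data)."""
    workbook = ('<workbook xmlns="%s"><sheets><sheet name="Invoice" sheetId="1"/>'
                '<sheet name="Macro1" sheetId="2" state="veryHidden"/></sheets></workbook>' % MAIN_NS)
    macro = ('<macrosheet xmlns="%s"><sheetData>'
             '<row r="1"><c r="A1"><f>GOTO(DF5017)</f></c></row>'
             '<row r="5017"><c r="DF5017"><f>IF(GET.WORKSPACE(19),,CLOSE(TRUE))</f></c></row>'
             '<row r="5018"><c r="DF5018"><f>EXEC("notepad.exe")</f></c></row>'
             '</sheetData></macrosheet>' % MAIN_NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/worksheets/sheet1.xml", '<worksheet xmlns="%s"/>' % MAIN_NS)
        z.writestr("xl/macrosheets/sheet1.xml", macro)
    return buf.getvalue()


def scan_excel4_macros(xlsm_bytes, far_row=1000):
    """Return human-readable findings for hidden sheets, macro sheets and suspicious formulas."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as z:
        for sheet in ET.fromstring(z.read("xl/workbook.xml")).iter():
            if sheet.tag.endswith("}sheet") and sheet.get("state") in ("hidden", "veryHidden"):
                findings.append("sheet %r is %s" % (sheet.get("name"), sheet.get("state")))
        for name in z.namelist():
            if not name.startswith("xl/macrosheets/"):
                continue
            findings.append("Excel 4.0 macro sheet present: " + name)
            for cell in ET.fromstring(z.read(name)).iter():
                if not cell.tag.endswith("}c"):
                    continue
                f = next((ch for ch in cell if ch.tag.endswith("}f") and ch.text), None)
                if f is None:
                    continue
                ref, formula = cell.get("r", ""), f.text.upper()
                for fn in SUSPICIOUS:
                    if fn in formula:
                        findings.append("%s uses %s at %s" % (name, fn.rstrip("("), ref))
                if int(re.sub(r"\D", "", ref) or 0) > far_row:   # formula hidden deep in the sheet
                    findings.append("%s has a formula far from A1 at %s" % (name, ref))
    return findings
```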
Advanced groups and sophisticated tools
For advanced cyber groups the important task is not just to penetrate an infrastructure but to stay unnoticed inside it for as long as possible, keeping long-term control and access to sensitive data (cyber espionage). During the reporting period they were active as follows.
Another way to hide from antivirus
In one of our investigations a cybercriminal with a fairly high technical level used an interesting technique to bypass the antivirus and launch Mimikatz. Mimikatz in encrypted form was placed in a wrapper that takes two parameters from the command line: a key and an initialization vector. Then, using the CryptoPP library, Mimikatz was decrypted and control was passed to it. Below is a fragment of the code that sets the key and vector and prepares the buffer for decrypting the data:
As a result, the antivirus protection stayed silent while the Mimikatz utility was launched and the attacker obtained credentials.
New hacker group TinyScouts
In the summer of 2020 we identified a new cybercriminal group attacking banks and energy companies. TinyScouts stands out for its high technical skill and the variety of its attack scenarios. Read more about TinyScouts here.
That's all for now. Until the next investigations!
Igor Zalevsky, JSOC CERT
Cyber Incident Investigation Department, and Asker Jamirze, JSOC CERT technical investigation expert