Center Announcements
2021/05/29
New hacker group launches a new wave of global phishing attacks
Description:
Security vendor FireEye has disclosed a new global phishing campaign, active since late 2020, that chains three different pieces of malware in its attacks; to date more than 50 public and private organizations worldwide have been compromised.
The phishing campaign was carried out in two waves: the first on December 2, 2020, and the second between December 11 and 18, 2020. According to FireEye's statistics, 74% of the targets in the first wave were located in the United States, spanning the services, financial, healthcare, retail, military aerospace, manufacturing, government, education and transportation sectors, with a further 13% each in the Europe/Africa region and the Asia-Pacific region, likewise across a range of industries. In the second wave, the share of targets in Europe/Africa rose to 22%, while the United States and Asia-Pacific accounted for 68% and 11% respectively, and the energy and telecommunications sectors were added to the industries targeted. FireEye named the group UNC2529, where UNC stands for "Uncategorized", indicating that it is an entirely new threat group.
Analysis shows that UNC2529 used more than 50 different domain names to send spear-phishing e-mails carrying a heavily obfuscated JavaScript downloader, "DOUBLEDRAG", which downloads a heavily obfuscated PowerShell script, "DOUBLEDROP", which in turn installs the backdoor "DOUBLEBACK".
Sources:
https://www.fireeye.com/blog/threat-research/2021/05/unc2529-triple-double-trifecta-phishing-campaign.html
https://threatpost.com/global-phishing-attacks-new-malware-strains/165857/
https://www.zdnet.com/article/researchers-find-three-new-malware-families-used-in-global-finance-phishing-campaign/
Compiled by the Technical Service Center
2021/04/19
Vulnerability Alert:
VMware vCenter contains security vulnerabilities (CVE-2021-21985 to CVE-2021-21986) that allow remote attackers to execute arbitrary code; please verify your version and update as soon as possible
Description:
Researchers have found that VMware vCenter contains security vulnerabilities (CVE-2021-21985 and CVE-2021-21986). A remote attacker can send specially crafted packets to port 443 via the vSphere Client (HTML5) and exploit these vulnerabilities to execute arbitrary code.
Affected platforms:
vCenter Server 7.0 up to (but not including) 7.0 U2b
vCenter Server 6.7 up to (but not including) 6.7 U3n
vCenter Server 6.5 up to (but not including) 6.5 U3p
Cloud Foundation (vCenter Server) 4.0 up to (but not including) 4.2.1
Cloud Foundation (vCenter Server) 3.0 up to (but not including) 3.10.2.1
Recommended actions:
VMware has released patched versions and a workaround; agencies should contact their equipment maintenance vendor or refer to the following URLs to update:
1. https://www.vmware.com/security/advisories/VMSA-2021-0010.html
2. https://kb.vmware.com/s/article/83829
References:
1. https://www.vmware.com/security/advisories/VMSA-2021-0010.html
2. https://kb.vmware.com/s/article/83829
2021/04/19
Vulnerability Alert:
Adobe Acrobat and Reader contain multiple security vulnerabilities that allow remote attackers to execute arbitrary code; please verify your version and update as soon as possible
Description:
In its security bulletin, Adobe reports that Acrobat and Reader contain the vulnerabilities listed below. An attacker can trick a user into opening a link or file containing malicious code and thereby exploit these vulnerabilities to execute arbitrary code.
1. Out-of-Bounds Write vulnerabilities: CVE-2021-28564, CVE-2021-21044, CVE-2021-21038 and CVE-2021-21086.
2. Out-of-Bounds Read vulnerabilities: CVE-2021-28555, CVE-2021-28557 and CVE-2021-28565.
3. Use After Free vulnerabilities: CVE-2021-28550, CVE-2021-28553 and CVE-2021-28562.
4. Heap-based Buffer Overflow vulnerabilities: CVE-2021-28558 and CVE-2021-28560.
5. Buffer Overflow vulnerability: CVE-2021-28561.
6. Exposure of Private Information vulnerability: CVE-2021-28559.
Affected platforms:
Windows and macOS versions of all of the following products:
1. Continuous track versions:
• Acrobat DC Continuous track
Windows: version 2021.001.20150 and earlier
macOS: version 2021.001.20149 and earlier
• Acrobat Reader DC Continuous track
Windows: version 2021.001.20150 and earlier
macOS: version 2021.001.20149 and earlier
2. Classic 2017 versions:
• Acrobat 2017 Classic 2017, version 2017.011.30194 and earlier
• Acrobat Reader 2017 Classic 2017, version 2017.011.30194 and earlier
3. Classic 2020 versions:
• Acrobat 2020 Classic 2020, version 2020.001.30020 and earlier
• Acrobat Reader 2020 Classic 2020, version 2020.001.30020 and earlier
Recommended actions:
1. Check the version currently installed on the computer; if it is one of the affected versions above, update to the versions listed below as soon as possible. To check: launch Acrobat or Reader, click "Help" → "About" to confirm the version, then click "Help" → "Check for Updates" to install the update.
2. The Windows and macOS versions can also be updated from the following URLs:
(1) Continuous track: update to version 2021.001.20155 or later:
Acrobat DC: https://www.adobe.com/devnet-docs/acrobatetk/tools/ReleaseNotesDC/index.html#continuous-track
Acrobat Reader DC: https://www.adobe.com/devnet-docs/acrobatetk/tools/ReleaseNotesDC/index.html#continuous-track
(2) Classic 2017: update to version 2017.011.30196 or later:
Acrobat 2017: https://www.adobe.com/devnet-docs/acrobatetk/tools/ReleaseNotesDC/index.html#id3
Acrobat Reader 2017: https://www.adobe.com/devnet-docs/acrobatetk/tools/ReleaseNotesDC/index.html#id3
(3) Classic 2020: update to version 2020.001.30025 or later:
Acrobat 2020: https://www.adobe.com/devnet-docs/acrobatetk/tools/ReleaseNotesDC/index.html#classic-track
Acrobat Reader 2020: https://www.adobe.com/devnet-docs/acrobatetk/tools/ReleaseNotesDC/index.html#classic-track
References:
1. https://helpx.adobe.com/security/products/acrobat/apsb21-29.html
2. https://thehackernews.com/2021/05/alert-hackers-exploit-adobe-reader-0.html
3. https://www.ithome.com.tw/news/144348
2021/04/19
Vulnerability Alert:
Microsoft Hyper-V, the HTTP Protocol Stack and Object Linking and Embedding (OLE) contain security vulnerabilities (CVE-2021-28476, CVE-2021-31166 and CVE-2021-31194) that allow remote attackers to execute arbitrary code; please verify your version and update as soon as possible
Description:
Microsoft Hyper-V, the HTTP Protocol Stack and Object Linking and Embedding (OLE) contain security vulnerabilities (CVE-2021-28476, CVE-2021-31166 and CVE-2021-31194). A remote attacker could send specially crafted packets, or trick a victim into visiting a specially crafted web page, to exploit these vulnerabilities and execute arbitrary code.
Affected platforms:
The affected versions are as follows:
CVE-2021-28476:
Windows 7 for x64-based Systems Service Pack 1
Windows 8.1 for x64-based systems
Windows 10 for x64-based Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 2004 for x64-based Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Windows Server, version 2004 (Server Core installation)
Windows Server, version 20H2 (Server Core Installation)
CVE-2021-31166:
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 2004 for 32-bit Systems
Windows 10 Version 2004 for x64-based Systems
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server, version 2004 (Server Core installation)
Windows Server, version 20H2 (Server Core Installation)
CVE-2021-31194:
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 2004 for 32-bit Systems
Windows 10 Version 2004 for x64-based Systems
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Windows Server, version 2004 (Server Core installation)
Windows Server, version 20H2 (Server Core Installation)
Recommended actions:
Microsoft has released updates for these vulnerabilities; agencies should contact their equipment maintenance vendor or refer to the following URLs to update:
1. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28476
2. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31166
3. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31194
References:
1. https://www.ithome.com.tw/news/144350
2. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28476
3. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31166
4. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31194
2021/04/25
Subject:
Vulnerability Alert:
Microsoft Exchange Server contains security vulnerabilities (CVE-2021-28480 to CVE-2021-28483) that allow remote attackers to execute arbitrary code; please verify your version and update as soon as possible
Description:
Researchers have found that Microsoft Exchange Server contains security vulnerabilities (CVE-2021-28480 to CVE-2021-28483) caused by improper input validation. A remote attacker can send specially crafted requests to exploit these vulnerabilities and execute arbitrary code.
Affected platforms:
Microsoft Exchange Server 2013
Microsoft Exchange Server 2016
Microsoft Exchange Server 2019
Recommended actions:
Microsoft has released updates for these vulnerabilities; agencies should contact their equipment maintenance vendor or refer to the following URLs to update:
1. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28480
2. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28481
3. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28482
4. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28483
References:
1. https://thehackernews.com/2021/04/nsa-discovers-new-vulnerabilities.html
2. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28480
3. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28481
4. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28482
5. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28483
6. https://www.cybersecurity-help.cz/vdb/SB2021041327