-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

$B3F0L(B

                                                   JPCERT-AT-2024-0013
                                                             JPCERT/CC
                                                            2024-06-25

                  <<< JPCERT/CC Alert 2024-06-25 >>>

         Operation Blotless$B967b%-%c%s%Z!<%s$K4X$9$kCm0U4-5/(B

           https://www.jpcert.or.jp/at/2024/at240013.html


$BK\Cm0U4-5/$N8x3+D>A0$K!"9qFbAH?%$N%5%$%P!<967bHo32$K4X$9$kJsF;$,=P$F$$(B
$B$^$9$,!"K\Cm0U4-5/$H$N4X78$O$"$j$^$;$s!#(B  

I. $B35MW(B
2023$BG/(B5$B7n$K=EMW%$%s%U%i$J$I$rA@$&!V(BVolt Typhoon$B!W$N967b3hF0$,8xI=$5$l$F(B
$B0JMh!"(BLiving off the Land$B@o=Q$rMQ$$$FD94|4V!&CGB3E*$K967b%-%c%s%Z!<%s(B
$B$r9T$&(BAPT$B%"%/%?!<$N3hF0$KBP$7$F7Y2|$,9b$^$C$F$$$^$9!#(BJPCERT/CC$B$G$O(B2023
$BG/$+$iF|K\$NAH?%$bA@$&F1MM$N967b3hF0!J(BOperation Blotless$B!K$rCm;k$7$F$*(B
$B$j!"F1967b%-%c%s%Z!<%s$N<B9T<T$O%^%$%/%m%=%U%H<R$J$I$,<($9(BVolt Typhoon
$B$HB?$/$N6&DLE@$,$"$k$H9M$($F$$$^$9$,!"(BVolt Typhoon$B$K$h$k967b3hF0$@$1$J(B
$B$N$+!"$3$l0J30$KF1MM$N@o=Q$rMQ$$$kJL$N%"%/%?!<$K$h$k3hF0$b4^$^$l$F$$$k(B
$B$N$+!"8=;~E@$G$O@:::$7$-$l$F$$$^$;$s!#(B

$B$3$&$7$?967b3hF0$G$O!"(BLiving off the Land$B@o=Q$rMQ$$$k967b$NFCD'$+$i!"(B
$BBP:v$d8!CN$NFq$7$5$,%U%)!<%+%9$5$l$,$A$G$"$j!"6qBNE*$K$I$N$h$&$JBP:v$r(B
$B$H$k$Y$-$+:$OG$7$F$$$kAH?%$bB?$$$+$H;W$$$^$9!#(BLiving off the Land$B@o=Q(B
$B$O!":G6a$N%H%l%s%I$H$7$FJ#?t$N(BAPT$B%"%/%?!<$,;HMQ$9$k@o=Q$G!"%i%s%5%`%&%'(B
$B%"967b$N%"%/%?!<$bB?MQ$7$F$$$^$9!#FCDj$N(BAPT$B%"%/%?!<$K8B$i$:!"$5$^$6$^(B
$B$J6<0R$X$NBP:v$K$b$J$k$3$H$+$i!"967b$N<jK!$d<j=g!J(BTTP$B!K$K$D$$$FB?$/$N(B
$B8x3+>pJs$,=P$F$$$k!V(BVolt Typhoon$B!W$N(BTTP$B>pJs$r%Y!<%9$K!"(BJPCERT/CC$B$,$3$l(B
$B$^$G$KBP1~$7$?4XO";v0F$r4^$a!"%5%$%P!<%;%-%e%j%F%#6(5D2q$N3hF0$J$I$rDL(B
$B$8$FGD0.$7$F$$$kF1967b3hF0$X$NBP1~J}K!$K$D$$$F2r@b$7$^$9!#(B

** $BK\Cm0U4-5/$r$4Mw$$$?$@$/$K$"$?$C$F(B *********************************
$B0J2<!"<+AH?%$N>u67$dL\E*$K1~$8$F!"8e=R$N>pJs$d;29M>pJs$r$43NG'$/$@$5$$!#(B

$B!J(BA$B!K967bHo32$r$9$G$K<u$1$F$$$k2DG=@-$,9b$$!?Ho32$r<($9>pJs$rF@$F$$$k(B
$B>l9g!'(B  
$B!&!V(BIII. $B967b3hF0$N;vNc!W$K<($9F1%0%k!<%W$N967b3hF0;~4|$rF'$^$(!"$9$G$K(B
$B8xI=$5$l$F$$$k%;%-%e%j%F%#%Y%s%@!<$J$I$N%l%]!<%H$K7G:\$5$l$F$$$k>pJs$J$I(B
$B$r$b$H$K!"?/32M-L5$ND4::$r9T$C$F$/$@$5$$!#(B  
 ---------------------------------------------------------------------  
$B!J(BB$B!K?/32$5$l$?$+ITL@$G$"$k$,!"?/32M-L5$rD4::$7$?$$$H9M$($F$$$k>l9g!'(B  
$B!&!V(BIV. $B?d>)D4::9`L\!W$K<($9!"4pK\E*$JD4::%]%$%s%H$K$D$$$FD4::$r9T$C$F(B
$B$/$@$5$$!#(B  
 ---------------------------------------------------------------------  
$B!J(BC$B!K?/32$r<u$1$F$$$k2DG=@-$O$3$l$^$G$K$J$$$,!":#8e$N967b$KHw$($FBP:v$r(B
$B<h$j$?$$>l9g!'(B  
$B!&!V(BV. $B?d>)BP:v!W$K<($9!"CfD94|E*$JBP:v$NF3F~$r$48!F$$/$@$5$$!#(B  
***********************************************************************


II. $B967b35MW$H4pK\E*$JBP=h%3%s%;%W%H(B
$BA0=R$N$H$*$j!"K\Cm0U4-5/$G$O(BOperation Blotless$B967b%-%c%s%Z!<%s$N$&$A!"(B
$B8x3+>pJs$,B?$/=P$F$$$k!"(BVolt Typhoon$B$N967b3hF0$rCf?4$K<h$j>e$2$^$9!#:#(B
$B8e!"(BVolt Typhoon$B0J30$N%"%/%?!<$K4X$9$k>pJs$,3NG'$5$l$?>l9g!">pJs$r99?7(B
$B$9$k2DG=@-$,$"$j$^$9!#(B

 ---------------------------------------------------------------------  
$B!J(B1$B!K(BVolt Typhoon$B$N967b3hF0$NFCD'(B  
 ---------------------------------------------------------------------  
Volt Typhoon$B$K$h$k967b3hF0$K$D$$$F!"8=;~E@$G9qFb30$N@lLgAH?%$,GD0.$7$F(B
$B$$$kHO0O$G$O!"$=$N3hF0L\E*$O!"@/I\5!4X$d=EMW%$%s%U%i4k6H$X$N>-Mh$N:F?/(B
$BF~$KHw$($F!"!V?/F~J}K!$r3+Bs!W$9$k$3$H$G$"$j!"4pK\E*$K$OG'>Z>pJs$N@`<h(B
$B!J(BNTDS$B%U%!%$%k$N@`<h$J$I!K$,$3$3$^$G$N3hF0$NCf?4$G$9!#0lIt$NHo32$K$D$$(B
$B$F$O!"G'>Z>pJs0J30$N5!Hy>pJs$N@`<h$,5?$o$l$F$$$k$b$N$N!"D94|4V$K$o$?$k(B
$B@xIz!&>pJs<}=8$O$[$H$s$I9T$o$l$F$$$^$;$s!#(B  
$B!V?/F~J}K!$r3+Bs!W$9$kL\E*$H$7$F!"(B2024$BG/(B2$B7n$K%"%a%j%+!&%$%.%j%9!&%+%J%@!&(B
$B%*!<%9%H%i%j%"!&%K%e!<%8!<%i%s%I$N3FEv6I$+$i9gF1$GH/I=$5$l$?%"%I%P%$%6(B
$B%j$K$h$l$P!"!V=EBg$J4m5!$^$?$OJ6Ah$,H/@8$7$?>l9g$K!"=EMW%$%s%U%i$KBP$9(B
$B$kGK2uE*$J%5%$%P!<967b$N$?$a!W$G$"$k$H$5$l$F$$$^$9!#(B

$B4pK\E*$K8GM-$N%^%k%&%'%"$r%P%C%/%I%"$H$7$FD94|4V46@w$5$;B3$1$k$H$$$&@o(B
$B=Q$O$H$i$l$F$*$i$:!"8e=R$N$H$*$jG'>Z>pJs$r@`<h$9$k$3$H$G!">-Mh!"I,MW$J%?(B
$B%$%_%s%0$G:F$SHo32AH?%!JI8E*AH?%!K$X!J:F!K?/F~$9$k$3$H$r4k?^$7$F$$$k$H(B
$BA[Dj$5$l$^$9!#(B  
$BB>J}$G!"$3$3$^$G$N967b3hF0$O?/322U=j$,8BDjE*$G$"$j!"$^$?!"8GM-$N%^%k%&%'(B
$B%"$J$I$rMQ$$$J$$$3$H$+$i!"!V<+AH?%$,?/32$5$l$?$+$I$&$+!W$K$D$$$F!"(BIoC
$B>pJs$rCf?4$H$7$?DL>o$N(BAPT$B;v0FBP1~$N$h$&$JD4::$,Fq$7$/$J$k$3$H$,A[Dj$5(B
$B$l$^$9!#(B

https://www.jpcert.or.jp/at/2024/at240013_001.png
$B!N?^(B1$B!'(BVolt Typhoon$B$N967b3hF0$N%$%a!<%8?^!O(B

 ---------------------------------------------------------------------  
$B!J(B2$B!K(BVolt Typhoon$B$N967b$X$NBP=h$N4pK\%3%s%;%W%H(B  
 ---------------------------------------------------------------------  
$B"#(B $B?/32M-L5D4::$,Fq$7$$GX7J(B  
 ------------------------------------  
$BK\967b3hF0$O(BLiving off the Land$B@o=QG!2?$K4X$o$i$:!"0J2<$N$h$&$J!"K\967b(B
$B3hF0$NFCD'$d!"I8E*$H$J$k%"%;%C%H$N1?MQ;v>p$+$i!"$3$l$^$G$N3hF0$KBP$9$k(B
$B?/32M-L5$ND4::$,Fq$7$/$J$C$F$$$^$9!#(B

$B!J(Ba$B!K(BActive Directory$B$N3F<o%m%0$N>/$J$5(B  
$B8e=R$N!V(BIII. $B967b3hF0$N;vNc!W$K5-:\$N$H$*$j!"(BVolt Typhoon$B$K$h$k2a5n$N(B
$B967b3hF0$G$O!"(BActive Directory$B%G!<%?%Y!<%9%U%!%$%k!J(BNTDS$B%U%!%$%k!K$N<h(B
$BF@$K$h$jBgNL$NG'>Z>pJs$r@`<h$7$F$*$j!"(BActive Directory$B$rCf?4$H$7$?D4::(B
$B$,I,MW$K$J$j$^$9!#$7$+$7$J$,$i!"(BActive Directory$B$N3F<o%m%0$K$D$$$F$O!"(B
$BAH?%5,LO!J%"%+%&%s%H?t!K$,B?$1$l$PB?$$$[$I!"D94|4V$N%m%0J]B8$,$G$-$J$$(B
$B$?$a!"2>$K?/32$5$l$F$$$?$H$7$F$b?/32Ev;~$NA`:n%m%0$,;D$C$F$$$J$$%1!<%9(B
$B$,BgH>$G$9!#(B

$B!J(Bb$B!K=i4|?/F~7PO)$H$J$C$?5!4o$N3F<o%m%0$N>/$J$5(B  
$B8e=R$N!V(BIII. $B967b3hF0$N;vNc!W$K5-:\$N$H$*$j!"(BVolt Typhoon$B$K$h$k2a5n$N96(B
$B7b3hF0$G$O!"$3$l$^$G$N967b$G$O!"=i4|?/F~7PO)$H$7$F(BSSL-VPN$B@=IJ$N@H<e@-$r(B
$B0-MQ$7$?967b$rB?MQ$7$F$$$^$9!#$7$+$7$J$,$i!"$3$&$7$?@=IJ$N1?MQ$G$O3F<o(B
$B%m%0$r5!4oFb0J30$NJL%7%9%F%`$KJ]B8$7$F$$$J$$$3$H$,B?$$$?$a!"2>$K?/32$5(B
$B$l$F$$$?$H$7$F$b?/32Ev;~$NA`:n%m%0$,;D$C$F$$$J$$%1!<%9$,BgH>$G$9!#(B

$B!J(Bc$B!K?/322U=j$,8BDjE*$G$"$k$3$H(B  
$B4pK\E*$K$O%$%s%?!<%M%C%H$KLL$7$?%"%W%i%$%"%s%97PM3$G?/F~$7!"(BNTDS$B%U%!%$(B
$B%k$r@`<h$9$k3hF0$,3NG'$5$l$F$$$^$9!#$3$N$[$+2#E83+$NF0$-$J$I$H$7$F$O!"(B
Web$B%5!<%P!<$r?/32$7$F(BWebshell$B$r@_CV$7$F$$$k%1!<%9$,3NG'$5$l$F$$$^$9!#(B
$BB>$NI8E*7?%5%$%P!<967b$N;vNc$N$h$&$K!"B??t$NC<Kv!?%5!<%P!<$X$N2#E83+(B
$B$d(BAD$B%5!<%P!<$=$N$b$N$X$N?/32$J$I$,$J$/!"!V:/@W$,;D$k2U=j$,>/$J$$!W$?(B
$B$a$KD4::$G$-$k2U=j$,>/$J$$$H$$$&FCD'$,$"$j$^$9!#(B

$B"#(B $BBP=h$N4pK\%3%s%;%W%H(B  
 ------------------------------------  
$B0J>e$N$H$*$j!"(BVolt Typhoon$B$K$h$k2a5n$N967b3hF0$KBP$9$k?/32M-L5$ND4::$O!"(B
$BDL>o$N(BAPT$B;v0FBP1~$h$j$b:$Fq$G$"$k$3$H$,A[Dj$5$l$^$9!#$3$&$7$?!"!V2a5n(B
$B$K?/32$5$l$?$+$I$&$+!W$rD4::$9$k$3$H$N8B3&$rG'<1$7$?>e$G!"K\967b3hF0$N(B
$BA[Dj$5$l$kL\E*$rF'$^$(!"!V2>$K2a5n$K?/32$5$l$F$$$?$H$7$F$b!">-Mh$NGK2u(B
$BE*3hF0$K$*$1$k:F?/F~$r$5$l$J$$$3$H!W$rL\;X$9$3$H$,?d>)$5$l$^$9!#(B


III. $B967b3hF0$N;vNc(B
$B$3$l$^$G$K%;%-%e%j%F%#%Y%s%@!<$,8xI=$7$?3F%l%]!<%H$rF'$^$($k$H!"967b3h(B
$BF0;~4|$O?^(B2$B$K5-:\$N(B3$B$D$N%U%'!<%:$KBgJL$G$-$^$9!#$^$?!"3F%U%'!<%:$N967b(B
$B%-%c%s%Z!<%s$G<g$K4QB,$5$l$F$$$kFCD'E*$J967bJ}K!$r?^(B2$B$K<($7$F$$$^$9!#(B
$B>\:Y$O8e=R$9$k!V(BVI. $B;29M>pJs!WFb$N%j%s%/$N>pJs$r$4;2>H$/$@$5$$!#(B

https://www.jpcert.or.jp/at/2024/at240013_002.png
$B!N?^(B2$B!'(BVolt Typhoon$B$N967b3hF0;~4|$dFCD'E*$J967bJ}K!!O(B


IV. $B?d>)D4::9`L\!JC;4|E*$JBP1~!K(B
$B!V(BIII. $B967b3hF0$N;vNc!W$G>R2p$N$H$*$j!"$3$l$^$G$K%;%-%e%j%F%#%Y%s%@!<$,(B
$B4QB,$7$F$$$k967b;vNc$d(BJPCERT/CC$B$,BP1~$7$?;vNc$rF'$^$($F!"C;4|E*$JBP1~(B
$B$H$7$F?/32M-L5D4::$r9T$&>l9g!"0J2<$N$h$&$J9`L\$ND4::$,?d>)$5$l$^$9!#(B
$B$?$@$7!"!V(BII. $B967b$N35MW$H4pK\E*$JBP=h%3%s%;%W%H!W$G2r@b$N$H$*$j!"BP>]$H(B
$B$J$k%5!<%S%9!?5!4o$N%m%0$NITB-Ey$K$h$j!"L@3N$K?/32M-L5$rH=CG$G$-$J$$%1!<(B
$B%9$,A[Dj$5$l$^$9$N$G!"!V(BV. $B?d>)BP:v!JCfD94|E*$JBP:v!K!W$r$"$o$;$F$48!(B
$BF$$/$@$5$$!#(B

 ---------------------------------------------------------------------  
$B!J(B1$B!K%I%a%$%s%3%s%H%m!<%i!<$G$N%m%0$J$I$ND4::(B  
 ---------------------------------------------------------------------  
$B"#(B Active Directory$B%G!<%?%Y!<%9%U%!%$%k!J(BNTDS$B%U%!%$%k!K$N;}$A=P$7;n9T$N3NG'(B  

  - $BFCDj%W%m%0%i%`$N<B9T3NG'!'(Bntdsutil.exe$B!"(Bvssadmin.exe
  $B"(;q;:4IM}%=%U%H$d(BEDR$B!"(BPrefetch$B$r<hF@$9$k@_Dj$r$7$F$$$k>l9g$J$I$K3NG'2DG=(B

  - Event Log$B!J(BSecurity$B!K$N3NG'!'%$%Y%s%H(BID 8222$B!J%7%c%I%&%3%T!<$N:n@.!K(B
  - Event Log$B!J(BSystem$B!K$N3NG'!'%$%Y%s%H(BID 7036$B!J(BVolume Shadow Copy$B%5!<%S%9$,BP>]$N>l9g!K(B
  $B"(967b<T$,(Bntdsutil$B0J30$r;H$C$F$$$?>l9g!":/@W$O;D$j$^$;$s(B

  - Event Log$B!J(BApplication$B!K$N3NG'!'%$%Y%s%H(BID 216$B!J(BVolume Shadow Copy$B$+$i(Bntds.dit$B$N<hF@$r9T$C$F$$$k>l9g!K(B

$B"#(B Windows$B%$%Y%s%H%m%0$N:o=|;n9T$N3NG'(B  
  - Event Log$B!J(BSystem/Security/Application$B!K$N3NG'!'%$%Y%s%H(BID 104
  $B"(>C5n$5$l$?%$%Y%s%H%m%0L>$+$i!"0U?^$7$?$b$N$+$r3NG'$9$k(B

$B"#(B Powershell$B$N<B9TFbMF$ND4::!J%I%a%$%s%3%s%H%m!<%i!<!K(B
  - Event Log$B!J%"%W%j%1!<%7%g%s$H%5!<%S%9%m%0!'(BMicrosoft - Windows - Powershell - Operational$B!K$N3NG'(B
  $B"(<B9TFbMF$N%m%0$+$i!"0U?^$7$?$b$N$+$r3NG'$9$k(B

    $B;29M>pJs!'(BJPCERT/CC $B%D!<%kJ,@O7k2L%7!<%H(B ntdsutil / wevtutil
    https://jpcertcc.github.io/ToolAnalysisResultSheet_jp/details/ntdsutil.htm
    https://jpcertcc.github.io/ToolAnalysisResultSheet_jp/details/wevtutil.htm

 ---------------------------------------------------------------------  
$B!J(B2$B!K(BWeb$B%5!<%P!<$d%M%C%H%o!<%/5!4o$J$I$X$N(BWebshell$B@_CVM-L5D4::(B  
 ---------------------------------------------------------------------  
$B%&%$%k%9BP:v%=%U%H$J$I$r;HMQ$7$F$$$k>l9g!"(BWeb$B%5!<%P!<$K@_CV$5$l$?$3$l(B
$B$^$G$N967b3hF0$G;H$o$l$?(BWebshell$B$r8!=P$9$k$3$H$,$G$-$k>l9g$,$"$j$^$9!#(B
$B$^$?!"8e=R$N%M%C%H%o!<%/%"%W%i%$%"%s%9$N@H<e@-0-MQ;v0F$K4X$9$k%a!<%+!<(B
$B$d%;%-%e%j%F%#%Y%s%@!<$+$i$N%l%]!<%H$G$O!"Ev3:(BWebshell$B$ND4::$N;29M$H$J(B
$B$k>pJs$,7G:\$5$l$F$$$k>l9g$,$"$j$^$9$N$G!"$4;2>H$/$@$5$$!#(B

 ---------------------------------------------------------------------  
$B!J(B3$B!K%j%P!<%9%W%m%-%7%D!<%k$ND4::(B  
 ---------------------------------------------------------------------  
$BJF(BCISA$B$J$I$,8x3+$7$?6&F1%"%I%P%$%6%j$K$h$k$H!"(BVolt Typhoon$B$N?/32;v0F$K(B
$B$*$$$F!"Ho32AH?%$H967b<T$N(BC2$B%5!<%P!<$N4V$NDL?.$rCf7Q$9$k%j%P!<%9%W%m%-(B
$B%7%D!<%k!J(BFRP$B%D!<%k!K$N;HMQ$,3NG'$5$l$F$*$j!"(BIoC$B>pJs$,8x3+$5$l$F$$$^$9!#(B
$BHo32AH?%$4$H$KF1%O%C%7%eCM$N%D!<%k$,8+$D$+$k$H$O8B$j$^$;$s$,!"D4::;~$N(B
$B;29M$H$7$F$/$@$5$$!#(B

    $B;29M>pJs!'JF(BCISA$B8x3+$N(BIoC$B>pJs(B
    https://www.cisa.gov/news-events/analysis-reports/ar24-038a
    $B"(F1%D!<%k$r;H$C$?967b<jK!$d;H$o$l$?2U=j$J$I$N>\:Y$K$D$$$F$O6&F1%"%I%P%$%6%j$N>pJs$r$4;2>H$/$@$5$$!#(B

    $B;29M>pJs!'(BFRP$B$r;H$C$?967b$N:/@W3NG'Nc!J"(I,$:$7$b(BVolt Typhoon$B$N967b;vNc$G$O$"$j$^$;$s!K(B
    $B3t<02q<R%i%C%/!V%*!<%W%s%=!<%9$N%]!<%HE>Aw!?%H%s%M%j%s%0%D!<%k$r0-MQ$9$kI8E*7?967b$KCm0U!W(B
    https://www.lac.co.jp/lacwatch/people/20200212_002127.html

 ---------------------------------------------------------------------  
$B!J(B4$B!K(BSSL-VPN$B5!4o$J$I$K$*$1$k%m%0D4::$d4IM}<T8"8B%"%+%&%s%H$ND4::(B  
 ---------------------------------------------------------------------  
$B%m%0$ND4::$N$[$+!"3F5!4o$K(BDomain admin$B$J$I$N4IM}<T%"%+%&%s%H$,ITE,@Z$K(B
$BJ]B8$5$l$F$$$J$$$+$r$43NG'$/$@$5$$!#$^$?Ev3:%"%+%&%s%H$,IT@5$K;HMQ$5$l(B
$B$?:/@W$,$J$$$+$43NG'$/$@$5$$!#>\:Y$J3NG'J}K!$O$4;HMQ$N@=IJ5!4o$N3+H/85(B
$B$N>pJs$r$43NG'$/$@$5$$!#2<5-!"0lIt$N@=IJ5!4o$ND4::;~$NCm0UE@$r<($7$^$9!#(B

$B$J$*!":#8e!"0-MQ$5$l$?2DG=@-$N$"$k@=IJ$N@H<e@->pJs$J$I$K$D$$$F>pJs$r(B
$B99?7$9$k2DG=@-$,$"$j$^$9!#>pJs$r3NG'<!Bh!"=g<!99?7$7$^$9!#(B

$B"#!J(Ba$B!K(BFortigate$B!'%/%i%C%7%e%m%0M-L53NG'(B  
 ------------------------------------  
Fortigate$B$K$D$$$F!"JF(BCISA$B$O(BCVE-2022-42475$B$,=i4|?/F~$K0-MQ$5$l$F$$$k$H(B
$B;XE&$7$F$$$^$9!#!J"(967b;~4|$OITL@!K(B  
$B$^$?!"(BLumen$B<R$O(B2023$BG/2F:"$N;v0F$K$D$$$F!"(BVolt Typhoon$B4XO"$G$O$J$$$H?d(B
$BB,$7$F$$$^$9!#!J"((BFortinet$B<R$,(BCVE-2023-27997$B$H(BVolt Typhoon$B$K$h$k0-MQ$N(B
$B2DG=@-$K$D$$$F8@5Z$7$?%l%]!<%H$r0zMQ$7$F$$$k$b$N$N!"Ev3:;v0F$G(B
CVE-2023-27997$B$,0-MQ$5$l$F$$$?$+$K$D$$$F$OITL@!K(B  
$B?/32$,5?$o$l$k;~4|$K$*$1$k(BFortigate$B$N(BOS$B$N%P!<%8%g%s>u67$+$i!"(B
CVE-2022-42475$B$b$7$/$O!"(BCVE-2023-27997$B0-MQ$N2DG=@-$,9b$$$H$$$&$3$H$G$"(B
$B$l$P!"(Bsslvpnd$B$N%/%i%C%7%e%m%0$r$43NG'$/$@$5$$!#(B

    JPCERT/CC$B!'(BFortiOS$B$N%R!<%W%Y!<%9$N%P%C%U%!!<%*!<%P!<%U%m!<$N@H<e@-!J(BCVE-2022-42475$B!K$K4X$9$kCm0U4-5/(B
    https://www.jpcert.or.jp/at/2022/at220032.html
    Lumen Black Labs$B!'(BRouters Roasting on an Open Firewall: the KV-botnet Investigation
    https://blog.lumen.com/routers-roasting-on-an-open-firewall-the-kv-botnet-investigation/

$B"#!J(Bb$B!K(BIvanti Connect Secure$B!'(BIntegrity Checker Tool$B$N;HMQ$J$I(B  
 ------------------------------------  
$B$3$l$^$G$K$bJ#?t$NCm0U4-5/$G<($7$F$$$k$H$*$j!"(BIvanti$B<R$,FbIt%A%'%C%/(B
$B%D!<%k$H30It%A%'%C%/%D!<%k$rDs6!$7$F$$$^$9!#%m%0$NJ]B8$@$1$G$J$/!"$=$b(B
$B$=$b%m%0$N=PNO@_Dj$,E,@Z$K$J$5$l$F$$$J$$>l9g!"==J,$JD4::$,$G$-$J$$2DG=(B
$B@-$,$"$k$?$a!"$4Cm0U$/$@$5$$!#(B

    JPCERT/CC$B!'(BIvanti Connect Secure$B$*$h$S(BIvanti Policy Secure$B$N@H<e@-!J(BCVE-2023-46805$B$*$h$S(BCVE-2024-21887$B!K$K4X$9$kCm0U4-5/(B
    https://www.jpcert.or.jp/at/2024/at240002.html

$B"#!J(Bc$B!K(BCitrix Netscaler ADC$B!'%m%0$N=PNO@_Dj$N8+D>$7(B  
 ------------------------------------  
Citrix NetScaler$B@=IJ$K$D$$$F$b!"DL?.85(BIP$B%"%I%l%9$,%m%0$K=PNO$5$l$k$+$I(B
$B$&$+$K$D$$$F$O=PNO@_Dj$N3NG'$,I,MW$G$9!#@_Dj$KITHw$,$"$k>l9g$OI,MW$JD4(B
$B::$r9T$($J$$2DG=@-$,$"$j$^$9!#$J$*!"D>6a$G(BJPCERT/CC$B$+$i$O(B2023$BG/(B7$B7n$K%j(B
$B%b!<%H%3!<%I<B9T$N@H<e@-!J(BCVE-2023-3519$B!K$K4X$9$kCm0U4-5/$r8xI=$7$F$$(B
$B$^$9$,!"K\967b3hF0$G=i4|?/F~$K0-MQ$5$l$?%1!<%9$,Ev3:@H<e@-$N0-MQ$K$h$k(B
$B$b$N$@$1$G$"$k$HH=CG$O$G$-$F$$$^$;$s!#(B

    Citrix$B!'(BNs.log File in /var/log Directory Does Not Log the SOURCE IP Address of Any Client Request Going Through the NetScaler Appliance
    https://support.citrix.com/article/CTX134939/nslog-file-in-varlog-directory-does-not-log-the-source-ip-address-of-any-client-request-going-through-the-netscaler-appliance
    JPCERT/CC$B!'(BCitrix ADC$B$*$h$S(BCitrix Gateway$B$N@H<e@-!J(BCVE-2023-3519$B!K$K4X$9$kCm0U4-5/(B
    https://www.jpcert.or.jp/at/2023/at230013.html

$B"#!J(Bd$B!K(BManageEngine ADSelfSerivice Plus$B!'?/328!=P%D!<%k$N<B9T(B  
 ------------------------------------  
$BJF(BZoho Corporation$B$O!"G'>Z%P%$%Q%9$N@H<e@-!J(BCVE-2021-40539$B!K$r0-MQ$9$k(B
$B967b$d?/32$r8!=P$9$k%D!<%k$r8x3+$7$F$$$^$9!#>\:Y$OF1<R$,Ds6!$9$k>pJs$r(B
$B$43NG'$/$@$5$$!#(B

    ADSelfService Plus $B%J%l%C%8%Y!<%9!Z=EMW![4{CN$N@H<e@-(B CVE-2021-40539 $B$K$D$$$F(B
    https://www.manageengine.jp/support/kb/ADSelfService_Plus/?p=4222


V. $B?d>)BP:v!JCfD94|E*$JBP:v!K(B
$B:#8e$N967b$KHw$($F!"2<5-$N$h$&$JBP:v6/2=$r$48!F$$$$?$@$/$3$H$r?d>)$7$^$9!#(B

 ---------------------------------------------------------------------  
$B!J(B1$B!K967b$N?/F~7PO)$K$J$jF@$k%$%s%?!<%M%C%H$K@\B3$5$l$?%"%W%i%$%"%s%9!J(BSSL-VPN$BEy!K$N@_Dj$d1?MQ$NE@8!(B  
 ---------------------------------------------------------------------  
$B"#!J(Ba$B!K2TF/>u67$d@_Dj$N3NG'(B  
$B!V(BIV. $B?d>)D4::9`L\!JC;4|E*$JBP1~!K!W$G2r@b$N$H$*$j!"$=$b$=$b%m%0$N=PNO@_(B
$BDj$,$J$5$l$F$$$J$$$^$^1?MQ$7$F$$$k%1!<%9$,B?$/3NG'$5$l$F$$$^$9!#$5$i$K$O(B
$B%i%$%;%s%9$,<:8z$7$?$^$^2TF/$5$;$F$*$j!"@H<e@-BP1~$d%$%s%7%G%s%HBP1~$K(B
$B$*$$$F%a!<%+!<$+$i$N%5%]!<%H$,<u$1$i$l$J$$%1!<%9$b$"$j$^$9!#(B
$B<+AH?%$d%0%k!<%WFb$G$I$N$h$&$J%"%W%i%$%"%s%9$r;HMQ$7$F$$$k$N$+GD0.$G$-(B
$B$F$$$J$$AH?%$b8+<u$1$i$l$k$3$H$+$i!"(BASM$B!J(BAttack Surface Management$B!K$J(B
$B$I$r3hMQ$7$?@Q6KE*$J%"%;%C%H$NGD0.$b?d>)$5$l$^$9!#(B

    $B;29M>pJs!'7P:Q;:6H>J!V(BASM$B!J(BAttack Surface Management$B!KF3F~%,%$%@%s%9!W(B
    https://www.meti.go.jp/press/2023/05/20230529001/20230529001.html

$B"#!J(Bb$B!K%m%0J]B8$*$h$S3NG'$N1?MQ8!F$(B  
$B:#8e$N967b$KHw$($F!"4pK\E*$K$O3F<o%m%0$NJ]B89`L\$dJ]B84|4V$NDj4|E*$J8+(B
$BD>$7$d3NG'$,?d>)$5$l$^$9$,!"J]B8$G$-$k%5%$%:$K$O8BEY$,$"$j$^$9!#$=$N$?(B
$B$a!"Nc$($P!V(B3$B%+7nJ,$7$+J]B8$G$-$J$$!W>l9g!"Dj4|E*$J%m%0%A%'%C%/$r(B3$B%+7n(B
$B$K0lEY9T$&$3$H$G!"J]B84|4V$NITB-$rJd$&$3$H$,$G$-$^$9!#$^$?!"G/4V$rDL$8(B
$B$F!"2DG=$J8B$j%m%0%A%'%C%/$NIQEY$r9b$/$9$k$3$H$G!"3NG'O3$l$rKI$0$3$H$b(B
$B$G$-$^$9!#(B

https://www.jpcert.or.jp/at/2024/at240013_003.png
$B!N?^(B3$B!'%m%0$NJ]4I4|4V$K1~$8$?%m%0%A%'%C%/$N1?MQ%$%a!<%8?^!O(B

$B"#!J(Bc$B!K@H<e@->pJs$NF~<j7PO)$N3NG'(B  
$B%$%s%?!<%M%C%H$+$iD>@\@\B3$G$-$k(BSSL-VPN$B5!4o$d%M%C%H%o!<%/5!4o$J$I$N%"%W(B
$B%i%$%"%s%9$K$D$$$F!"@H<e@->pJs$NF~<jJ}K!$dBP1~BN@)$N3NN)$r?d>)$7$^$9!#(B
$B$3$&$7$?5!4o$K$D$$$F$O!"%a!<%+!<$+$i$N@H<e@->pJs$,D>@\%(%s%I%f!<%6!<$K(B
$BFO$+$J$$%1!<%9$d!"BeM}E9$J$I$r7PM3$7$FEAC#$,CY1d$9$k%1!<%9$b$"$k$?$a!"(B
$B2DG=$J8B$jB.$d$+$K=EMW$J@H<e@->pJs$rF~<j$G$-$k$h$&!"EAC#7PO)$d3NG'J}K!(B
$B$N8+D>$7$r9T$C$F$/$@$5$$!#$^$?!"@H<e@->pJs$rF~<j$7$?8e!"B.$d$+$KBP:v$d(B
$B2sHr:v$NE,MQ$J$I$NH=CG$dBP1~$,$G$-$k$h$&!"1?MQJ]<i$rC4Ev$9$kAH?%$d%0%k!<(B
$B%W$NCf$G$NBP1~BN@)$N3NG'$r?d>)$7$^$9!#(B

 ---------------------------------------------------------------------  
$B!J(B2$B!K(BActive Directory$B$N3F<o%m%0J]B8@_Dj$N8+D>$7!"?/32C{8u$K4X$9$k%"%i!<%H@_DjEy$NF3F~(B  
 ---------------------------------------------------------------------  
Active Directory$B$N3F<o%m%0$NJ]B8@_Dj$r8+D>$7!"?/32C{8u$G$"$k2DG=@-$,$"(B
$B$k%$%Y%s%H$rAa4|8!CN$9$k;EAH$_$J$I$NF3F~$N8!F$$r?d>)$7$^$9!#(B

    $B;29M>pJs!'(BMicrosoft Active Directory $B$N%;%-%e%j%F%#J]8n$K4X$9$k%Y%9%H(B $B%W%i%/%F%#%9(B
    https://learn.microsoft.com/ja-jp/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory

    $B;29M>pJs!'(BJPCERT/CC
    $B%m%0$r3hMQ$7$?(BActive Directory$B$KBP$9$k967b$N8!CN$HBP:v(B
    https://www.jpcert.or.jp/research/AD.html
    $B9bEY%5%$%P!<967b$X$NBP=h$K$*$1$k%m%0$N3hMQ$HJ,@OJ}K!(B
    https://www.jpcert.or.jp/research/apt-loganalysis.html
    $B%D!<%kJ,@O7k2L%7!<%H(B
    https://jpcertcc.github.io/ToolAnalysisResultSheet_jp/

 ---------------------------------------------------------------------  
$B!J(B3$B!K4IM}<T8"8B$NC*27$7(B  
 ---------------------------------------------------------------------  
$B%$%s%?!<%M%C%H$+$iD>@\@\B3$G$-$k(BSSL-VPN$B5!4o$d%M%C%H%o!<%/5!4o$J$I$N%"%W(B
$B%i%$%"%s%9$K$D$$$F!"ITMW$J4IM}<T%"%+%&%s%H$d4IM}<T8"8B$rM-$9$k%f!<%6!<$,(B
$B;DN1$7$F$$$J$$$+$43NG'$/$@$5$$!#$^$?!"ITMW$J4IM}<T%"%+%&%s%H$d8"8B$,B8:_(B
$B$7$F$$$k>l9g!"%"%+%&%s%H$d8"8B$N:o=|$r9T$$!"4IM}<T8"8B$O:G>.8B$G1?MQ$9$k(B
$B$h$&$48!F$$/$@$5$$!#(B


VI. $B;29M>pJs(B
    SecureWorks$B!J(B2023$BG/(B5$B7n(B24$BF|8x3+!K(B
    Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations
    https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations

    Microsoft$B!J(B2023$BG/(B5$B7n(B24$BF|8x3+!K(B
    Volt Typhoon targets US critical infrastructure with living-off-the-land techniques
    https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/

    CISA$B!J(B2024$BG/(B2$B7n8x3+!K(B
    AA24-038A:PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
    https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a

    Palo Alto Networks Unit 42$B!J(B2024$BG/(B2$B7n8x3+!K(B
    Threat Brief: Attacks on Critical Infrastructure Attributed to Insidious Taurus (Volt Typhoon)
    https://unit42.paloaltonetworks.com/volt-typhoon-threat-brief/


$B:#2s$N7o$K$D$-$^$7$FDs6!$$$?$@$1$k>pJs$,$4$6$$$^$7$?$i!"(BJPCERT/CC$B$^$G(B
$B$4O"Mm$/$@$5$$!#(B

======================================================================
$B0lHL<RCDK!?M(BJPCERT$B%3!<%G%#%M!<%7%g%s%;%s%?!<!J(BJPCERT/CC$B!K(B
$BAa4|7Y2|%0%k!<%W(B
Email$B!'(Bew-info@jpcert.or.jp
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCAAGBQJmel94AAoJEDoQgdvpn3qqtUsQAKIXlx75Luoy/CoExtvBb0sF
48j2EeaP80qsG5WoTDv4R6gQ7fls3CdMiNBRI8fWY8I34MD9XeupZYcjnPtL8F1C
nejJXpgQWEI+4/O/mzbaMEtKhqX7qMgZVkty8+w4x1aeHjPV+DnMqAuKzI55pOCn
Jo63mmYWB8xkP1lfjkGe0lUMkJPUwXPFDkXMwjyHA0pw9tQ0ufURGvil4+ZfEAL9
Gg3K9+a6/q+IMkdWnVQbOCPcHvjpaYwIiBHplDHdZLt66PIxOWvBHIQX3qNsTBLz
aaNq0gNaL2iZLPD50ZwBE7FPNeX8E+fdPXOUszqwjuusPvhrxFsixOLUTiC8Z61d
c5uvwOS3MEU3j5qU1CowgA7xlY46FFTzFZJ3VSsUNY8pG73ZXG4Od6fPyCh0h/Qp
L15sajFxkEUONePnvUUwOFf3yo3HaR+DirI2J9myNjq2L4drUOU+vqrXkKDvlxPc
6Icpv5KtvQixrcyps5CKjVPsIp75MHWD3u9a3caVT6xd9JE4h+aJxs+m/3KYMmsc
BKhL1GFYzV6TjSykvV2q6qs4TEeMTw9ipQDh4hqSjEqoRdrnTsopzO1pEET8Hctt
+jDQB9stLyNAXLKWI8fqxgLEnlcXOPM+QJ6u/h/LOA49E2blbiQhDnizbYaf9CSx
YRJiIjkmmx2YJkUCtRGq
=dPAK
-----END PGP SIGNATURE-----