新たに公開されたゼロデイ脆弱性により、物理的なアクセス権を持つ攻撃者がWindows 11デバイスのBitLocker暗号化を数秒で回避できることが判明した。「YellowKey」と名付けられたこの攻撃は、デフォルトのTPMのみを使用する構成を標的としており、シンプルなUSBベースの手法で暗号化ドライブへのフルアクセスを可能にする。
この脆弱性は、今週初めにNightmare-Eclipseというハンドルネームの研究者によって公開された。この攻撃は、NTFSまたはFATでフォーマットされたUSBドライブ上にカスタムのFsTxフォルダーを配置することで機能する。ドライブを接続してWindows回復環境を強制的に起動すると、システムはコマンドプロンプトを開き、通常のBitLocker回復キーの入力を要求されることなく、ドライブの内容に制限なくアクセスできるようになる。
AIによるレポート AIによって生成された画像
A critical Linux vulnerability known as CopyFail, tracked as CVE-2026-31431, allows attackers to gain root access on systems running kernels since 2017. Publicly released exploit code has heightened risks for data centers and personal devices. Ubuntu's infrastructure has been offline for over a day due to a DDoS attack, hampering security communications.
Daemon Tools, a popular disk image mounting app, was compromised in a supply-chain attack starting April 8, delivering malware through official updates. Security firm Kaspersky reported infections on thousands of machines across over 100 countries. Users are urged to scan their systems immediately.
AIによるレポート
New research from ETH Zurich and USI Lugano reveals vulnerabilities in popular password managers, challenging their assurances that servers cannot access user vaults. The study analyzed Bitwarden, Dashlane, and LastPass, identifying ways attackers with server control could steal or modify data, particularly when features like account recovery or sharing are enabled. Companies have begun patching the issues while defending their overall security practices.
The Hacker News has released its latest ThreatsDay Bulletin, focusing on various cybersecurity issues. The bulletin covers topics such as Kali Linux combined with Claude, Chrome crash traps, WinRAR flaws, and activities related to LockBit. It also includes over 15 additional stories on emerging threats.
AIによるレポート
Developers of the gacha RPG Duet Night Abyss have apologized for a cybersecurity incident that distributed malware to players' PCs via a launcher update on March 18. The malware, identified as Trojan:MSIL/UmbralStealer.DG!MTB, targets passwords and cryptocurrency. Players receive in-game compensation as the team implements security enhancements.