
Japan’s New Active Cyber Defence Strategy to Counter Growing Threats

Japan is taking decisive steps to enhance its cybersecurity through a new strategy of “active cyber defence.” This approach enables authorized hackers working for the police or Self-Defence Forces (SDF) to infiltrate servers and neutralize cyber-attack sources before they cause significant damage. The ruling Liberal Democratic Party (LDP), led by Prime Minister Shigeru Ishiba, plans to introduce relevant legislation during the current parliamentary session. The urgency for stronger cybersecurity measures has escalated due to recent attacks. 

The National Police Agency (NPA) revealed that the Chinese state-linked hacking group MirrorFace was responsible for over 200 cyberattacks targeting Japan’s foreign ministries and semiconductor industry between 2019 and 2024. Additionally, cyber incursions since late December 2024 disrupted financial services, delayed flights, and exposed vulnerabilities in Japan’s critical infrastructure. Japan’s revised 2022 National Security Strategy identifies cyberattacks as a growing threat, likening cross-border hacks of civilian infrastructure to intimidation tactics that stop short of war. 

This has prompted Japan to expand its SDF cyber unit from 620 members in March 2024 to about 2,400 today, with plans to reach 4,000 personnel by 2028. However, this remains small compared to China’s estimated 30,000-member cyber-attack force. The proposed active defence strategy aims to bolster cooperation between public and private sectors, focusing on safeguarding critical infrastructure, such as energy, transportation, finance, and telecommunications. Japan also plans to establish a National Cyber Security Office in 2025 to coordinate cybersecurity policy, identify vulnerabilities, and advise private sector organizations. 

To prevent misuse, strict safeguards will accompany the strategy. Hackers will need prior approval to break into servers unless immediate action is required during active attacks. Penalties will address excessive monitoring or personal data leaks, ensuring transparency and public trust. Trend Micro’s recent findings underscore the importance of these measures. The security firm attributed recent cyberattacks to distributed denial-of-service (DDoS) campaigns launched by botnets. These attacks overwhelmed network servers with data, causing widespread disruptions to services like Japan Airlines and major banks. 

While Japan’s proactive approach is a significant step forward, experts like Professor Kazuto Suzuki caution that it may not deter all attackers. He notes that cyber deterrence is challenging due to the unpredictability of attackers’ methods. However, this strategy is expected to instill some fear of retaliation among hackers and strengthen Japan’s cybersecurity posture. As cyber threats evolve, Japan’s active defence initiative represents a critical effort to protect its infrastructure, economy, and national security from escalating digital risks.

Japan Attributes Ongoing Cyberattacks to China-Linked MirrorFace Group

Japan's National Police Agency (NPA) and the National Centre of Incident Readiness and Strategy for Cybersecurity (NISC) have officially attributed a prolonged cyberattack campaign targeting Japanese organizations and individuals since 2019 to the China-linked threat actor MirrorFace, also known as Earth Kasha.

The cyberattacks were designed to steal sensitive information related to Japan's national security and emerging technologies. MirrorFace is reportedly a subgroup of the Chinese state-sponsored hacking collective APT10, notorious for deploying malware tools such as ANEL, LODEINFO, and NOOPDOOR.

Authorities have identified three distinct phases in MirrorFace's attack operations:
  • December 2019 – July 2023: Spear-phishing emails carrying malware like LODEINFO, LilimRAT, and NOOPDOOR targeted government agencies, think tanks, politicians, and media outlets.
  • February – October 2023: Malware such as Cobalt Strike Beacon, LODEINFO, and NOOPDOOR was deployed through vulnerabilities in network devices to infiltrate sectors like semiconductors, aerospace, and academic institutions.
  • June 2024 – Present: Phishing emails loaded with ANEL malware were sent to think tanks, political figures, and media organizations.

Sophisticated Cyberattack Techniques

MirrorFace utilized advanced methods to evade detection and maintain persistence, including:
  • Windows Sandbox Deployment: Malware was executed within the Windows Sandbox, a virtualized environment that limits malware persistence by erasing its data when the system resets.
  • Evasion of Security Tools: Running inside the sandbox kept the malware out of reach of the host's antivirus software, allowing it to operate undetected.

Scale and Impact of the Cyberattacks

The NPA has connected MirrorFace to over 200 cyber incidents spanning five years. The affected sectors include:
  • Government Agencies
  • Defense Organizations
  • Space Research Centers
  • Private Enterprises in Advanced Technologies

Phishing emails often used compelling subjects like "Japan-US alliance" and "Taiwan Strait" to deceive recipients into downloading malicious attachments. Notable attacks linked to similar tactics include:
  • Japan Aerospace Exploration Agency (JAXA): Targeted in a sophisticated cyberattack.
  • Port of Nagoya (2023): Disrupted by a ransomware incident.

In response to these threats, the NPA issued a public warning:

“This alert aims to raise awareness among targeted organizations, businesses, and individuals about the threats they face in cyberspace by publicly disclosing the methods used in the cyber-attacks by ‘MirrorFace.’ It also seeks to encourage the implementation of appropriate security measures to prevent the expansion of damage from cyber-attacks and to avert potential harm.”

The warning underscores the need for heightened cybersecurity practices across sectors to mitigate risks from increasingly sophisticated cyber threats.

CISA Urges Immediate Fix for Critical Array Networks Flaw

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a critical security flaw in Array Networks AG and vxAG secure access gateways. The flaw, tracked as CVE-2023-28461, is under active exploitation by attackers. CISA has directed federal agencies to install patches by December 16, 2024, to protect their systems.


Understanding the Vulnerability

The flaw, rated with a critical severity score of 9.8, is caused by missing authentication in the software, enabling attackers to remotely execute harmful commands or access sensitive files without proper authorization. According to Array Networks, the vulnerability can be triggered by sending specific HTTP headers to vulnerable URLs.

A patch for this weakness was issued in March 2023 (version 9.4.0.484), but the follow-up attacks indicate that many systems have still not been patched. Organizations running this software should update now to preserve the integrity of their networks.


Who is attacking this flaw?

A cyber espionage group known as Earth Kasha, or MirrorFace, has been identified as actively exploiting this flaw. Tied to China, the group usually targets entities in Japan, but its activities have also been seen in Taiwan, India, and Europe.

In one attack, Earth Kasha used the flaw to open a compromise campaign against a European diplomatic body. The attackers sent phishing emails referencing the upcoming World Expo 2025 in Japan to lure victims into downloading a backdoor called ANEL.


Vulnerability of Systems 

The cybersecurity firm VulnCheck reported that more than 440,000 internet-exposed devices may be susceptible to attack through this kind of vulnerability. The same report noted that in 2023 alone, 15 China-linked hacking groups targeted at least one of the 15 most commonly exploited flaws.


How Can Organizations Protect Themselves 

To minimize such threats, organizations must:

  1. Keep every system running Array Networks software on the latest patched version.
  2. Reduce the exposure of sensitive devices to the internet wherever possible.
  3. Use robust patch management and monitoring to augment existing defenses.
  4. Follow threat intelligence reports to understand emerging risks.


CISA Message to Agencies

Federal agencies have been directed to act immediately. Applying these patches lets them avoid likely security breaches and harden themselves against more sophisticated attacks. The directive underscores a critical point about proactive cybersecurity.


JPCERT Shares Tips for Detecting Ransomware Attacks Using Windows Event Logs

Japan’s Computer Emergency Response Center (JPCERT/CC) recently revealed strategies to detect ransomware attacks by analyzing Windows Event Logs, offering vital early detection before the attack spreads. JPCERT’s insights focus on identifying digital traces left behind by ransomware within four key types of event logs: Application, Security, System, and Setup logs. These logs reveal valuable clues about the entry points used by attackers and can assist in quicker mitigation. Ransomware attacks often target system vulnerabilities and attempt to encrypt files, delete backups, or modify network settings, leaving detectable traces within the event logs. 

For example, the notorious Conti ransomware can be recognized by multiple event logs connected to the Windows Restart Manager, showing event IDs 10000 and 10001. Other ransomware variants like Akira, LockBit 3.0, and HelloKitty, which share similar encryptor technology, leave comparable logs. Additionally, ransomware such as Phobos records when system backups are deleted, a key indicator of malicious activity. Detecting these logs promptly allows administrators to intervene before damage escalates. Midas ransomware, known for spreading infection via network changes, logs event ID 7040. Similarly, BadRabbit leaves event ID 7045 when installing its encryption component, while Bisamware logs events at the beginning and end of a Windows Installer transaction (event IDs 1040 and 1042). 

Other ransomware strains, like Shade, GandCrab, and Vice Society, create errors related to accessing COM applications and deleting Volume Shadow Copies, which are pivotal for restoring encrypted data. JPCERT’s findings illustrate that monitoring for these specific event IDs in combination with a broader security framework could be a game-changer in ransomware defense. Though older ransomware variants like WannaCry and Petya left no such traces in Windows logs, modern ransomware often does. As a result, tracking these logs offers an effective layer of protection against new threats, helping to prevent encryption and data loss. 

It is important to note that no single method of detection is foolproof. A multi-layered approach that combines monitoring event logs with other security tools and protocols remains crucial for protecting systems from ransomware attacks. By using this event log analysis strategy, organizations can significantly reduce the chances of ransomware spreading undetected, giving them the edge in stopping an attack before it cripples their network.
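As an added example (not JPCERT/CC's own tooling), the following Python script applies the event-ID indicators summarised above to a constructed JSON-lines export of Windows events. The export format, the channel and provider names paired with each ID, and the burst threshold used to separate a Conti-style Restart Manager burst from a single benign session are all assumptions, not details from the JPCERT report.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Single-event indicators from the JPCERT/CC summary; the channel/provider
# paired with each ID is an assumption, not taken from the report.
SINGLE_EVENT_RULES = {
    ("System", "Service Control Manager", 7040): "Midas: service start type changed",
    ("System", "Service Control Manager", 7045): "BadRabbit: encryptor installed as a service",
    ("Application", "MsiInstaller", 1040): "Bisamware: Windows Installer transaction begins",
    ("Application", "MsiInstaller", 1042): "Bisamware: Windows Installer transaction ends",
}

# Conti-style encryptors (Akira, LockBit 3.0 and HelloKitty share the behaviour) leave
# a burst of Restart Manager session events (10000 start / 10001 end) while forcing
# open files closed. One session is normal (an installer), so only bursts are flagged.
RESTART_MANAGER = ("Application", "Microsoft-Windows-RestartManager")
RESTART_MANAGER_IDS = {10000, 10001}
BURST_THRESHOLD = 6                 # assumed tuning values, not from JPCERT
BURST_WINDOW = timedelta(minutes=2)

# Constructed sample export, one JSON record per line as a log forwarder might emit.
SAMPLE_LOG = """
{"TimeCreated": "2024-10-01T09:00:00", "Computer": "WS01", "Channel": "Application", "Provider": "Microsoft-Windows-RestartManager", "EventID": 10000}
{"TimeCreated": "2024-10-01T09:00:01", "Computer": "WS01", "Channel": "Application", "Provider": "Microsoft-Windows-RestartManager", "EventID": 10001}
{"TimeCreated": "2024-10-01T09:00:02", "Computer": "WS01", "Channel": "Application", "Provider": "Microsoft-Windows-RestartManager", "EventID": 10000}
{"TimeCreated": "2024-10-01T09:00:03", "Computer": "WS01", "Channel": "Application", "Provider": "Microsoft-Windows-RestartManager", "EventID": 10001}
{"TimeCreated": "2024-10-01T09:00:04", "Computer": "WS01", "Channel": "Application", "Provider": "Microsoft-Windows-RestartManager", "EventID": 10000}
{"TimeCreated": "2024-10-01T09:00:05", "Computer": "WS01", "Channel": "Application", "Provider": "Microsoft-Windows-RestartManager", "EventID": 10001}
{"TimeCreated": "2024-10-01T09:05:00", "Computer": "DC01", "Channel": "Application", "Provider": "Microsoft-Windows-RestartManager", "EventID": 10000}
{"TimeCreated": "2024-10-01T09:10:00", "Computer": "FS02", "Channel": "System", "Provider": "Service Control Manager", "EventID": 7045}
{"TimeCreated": "2024-10-01T09:10:01", "Computer": "FS02", "Channel": "System", "Provider": "Service Control Manager", "EventID": 7036}
"""

def parse_records(text):
    """Parse the JSON-lines export into dicts with a datetime TimeCreated."""
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["TimeCreated"] = datetime.fromisoformat(rec["TimeCreated"])
            records.append(rec)
    return records

def triage(records):
    """Return (host, indicator) pairs for records matching the JPCERT indicators."""
    findings = []
    rm_times = defaultdict(list)   # host -> Restart Manager timestamps, in time order
    for rec in sorted(records, key=lambda r: r["TimeCreated"]):
        key = (rec["Channel"], rec["Provider"], int(rec["EventID"]))
        if key in SINGLE_EVENT_RULES:
            findings.append((rec["Computer"], SINGLE_EVENT_RULES[key]))
        elif key[:2] == RESTART_MANAGER and key[2] in RESTART_MANAGER_IDS:
            rm_times[rec["Computer"]].append(rec["TimeCreated"])
    for host, times in rm_times.items():
        start = 0
        for end, t in enumerate(times):        # sliding window over the session events
            while t - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                findings.append((host, "Conti-family encryptor: Restart Manager session burst"))
                break
    return findings

if __name__ == "__main__":
    for host, indicator in triage(parse_records(SAMPLE_LOG)):
        print(f"{host}: {indicator}")
```

The single Restart Manager event on DC01 is deliberately left unflagged: the report's point is that Conti-family encryptors produce many such events, so the burst rule is what separates them from an ordinary software installation.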

Kadokawa Group Hit by Major Ransomware Attack

Kadokawa Group, the parent company of renowned game developer FromSoftware, has fallen victim to a serious ransomware attack. The Japanese conglomerate, known for its diverse involvement in book publishing, the video-sharing service Niconico, and various other media enterprises, revealed the breach on Thursday. While the extent of the damage is still being assessed, the company is actively investigating potential information leaks and their impact on its business operations for the upcoming year.

The cyberattack, which occurred on Saturday, June 8, targeted the servers located in Kadokawa Group’s data centre. Niconico and its related services were the primary targets of this attack. Kadokawa Group stated that they are working on solutions and workarounds on a company-wide basis to restore normalcy to their systems and business activities. Despite the attack, Kadokawa assured that they do not store credit card information in their systems, which provides some relief regarding financial data security.

FromSoftware, the acclaimed studio behind hits like Dark Souls and Elden Ring, has not been specifically mentioned in Kadokawa’s disclosure about the affected businesses. This leaves some uncertainty about whether FromSoftware’s data and systems were compromised. However, Kadokawa’s broad approach to addressing the issue suggests a company-wide effort to mitigate any potential damage.

This incident is not an isolated one in the gaming industry. FromSoftware’s publishing partner, Bandai Namco, experienced a ransomware attack in 2022. Other prominent gaming companies, including Capcom, CD Projekt Red, and Insomniac Games, have also faced similar breaches. Notably, Rockstar Games suffered a major data breach in 2022, which resulted in the leak of an in-development build of Grand Theft Auto VI. In response, Rockstar took measures to enhance security, including limiting remote work.

Kadokawa Group is expected to provide further updates on the ransomware attack and the status of their systems in July. The company’s ongoing efforts to investigate and resolve the issue are crucial in determining the full impact of the breach.

While FromSoftware’s next project remains a mystery, fans eagerly anticipate the possibility of a Bloodborne sequel. Despite the current uncertainties surrounding the ransomware attack, the gaming community continues to look forward to future announcements from the esteemed game studio.

Kadokawa Group’s handling of this cyberattack will be closely watched as it unfolds, with implications for both their media operations and the wider industry’s approach to cybersecurity.


Is Your Data Safe? Fujitsu Discovers Breach, Customers Warned

Fujitsu, a leading Japanese technology company, recently faced a grave cybersecurity breach when it discovered malware on some of its computer systems, potentially leading to the theft of customer data. This incident raises concerns about the security of sensitive information stored by the company.

With a workforce of over 124,000 and an annual revenue of $23.9 billion, Fujitsu operates globally, providing a wide range of IT services and products, including servers, software, and telecommunications equipment. The company has a strong presence in over 100 countries and maintains crucial ties with the Japanese government, participating in various public sector projects and national security initiatives.

The cybersecurity incident was disclosed in a recent announcement on Fujitsu's news portal, revealing that the malware infection compromised several business computers, possibly allowing hackers to access and extract personal and customer-related information. In response, Fujitsu promptly isolated the affected systems and intensified monitoring of its other computers while continuing to investigate the source and extent of the breach.

Although Fujitsu has not received reports of customer data misuse, it has taken proactive measures by informing the Personal Information Protection Commission and preparing individual notifications for affected customers. The company's transparency and swift action aim to mitigate potential risks and restore trust among stakeholders.

This is not the first time Fujitsu has faced cybersecurity challenges. In May 2021, the company's ProjectWEB tool was exploited, resulting in the theft of email addresses and proprietary data from multiple Japanese government agencies. Subsequent investigations revealed vulnerabilities in ProjectWEB, leading to its discontinuation and replacement with a more secure information-sharing tool.

Fujitsu's response to the recent breach highlights the urgency of safeguarding sensitive data in these circumstances. The company's commitment to addressing the issue and protecting customer information is crucial in maintaining trust and credibility in the digital age.

As Fujitsu continues to investigate the incident, it remains essential for customers and stakeholders to remain careful and implement necessary precautions to mitigate potential risks. The company's efforts to enhance security measures and improve transparency are essential steps towards preventing future breaches and ensuring the integrity of its services and systems.


Japan Blames Lazarus for PyPi Supply Chain Attack

Japanese cybersecurity officials issued a warning that North Korea's infamous Lazarus Group recently launched a supply chain attack on PyPI, the software repository for Python packages. 

Threat actors distributed poisoned packages named "pycryptoenv" and "pycryptoconf", which resemble the genuine "pycrypto" encryption library for Python. Developers duped into installing the malicious packages on their Windows workstations are infected with a potent Trojan called "Comebacker." 

"The malicious Python packages confirmed this time have been downloaded approximately 300 to 1,200 times," Japan CERT noted in a warning issued late last month. "Attackers may be targeting users' typos to have the malware downloaded." 

Comebacker is a general-purpose Trojan that can be used to deliver ransomware, steal passwords, and infiltrate the development pipeline, according to analyst and senior director at Gartner Dale Gardner. 

The Trojan has been used in multiple attacks linked to North Korea, including one against an npm software development repository. 

Impacting Asian Developers

Since PyPI is a centralised service with a global reach, developers worldwide should be aware of the most recent Lazarus Group campaign. 

"This attack isn't something that would affect only developers in Japan and nearby regions," Gardner explains. "It's something for which developers everywhere should be on guard." 

Several experts believe non-native English speakers may be more vulnerable to the Lazarus Group's most recent attack. Due to communication issues and limited access to security information, the attack "may disproportionately impact developers in Asia," stated Taimur Ijlal, a tech specialist and information security leader at Netify. 

According to Academic Influence's research director, Jed Macosko, app development groups in East Asia "tend to be more tightly integrated than in other parts of the world due to shared technologies, platforms, and linguistic commonalities." He believes intruders may be looking to take advantage of regional ties and "trusted relationships." 

Small and startup software businesses in Asia often have lower security budgets than their Western counterparts, according to Macosko. "This means weaker processes, tools, and incident response capabilities — making infiltration and persistence more attainable goals for sophisticated threat actors." 

Cyber Defence

Protecting application developers from software supply chain threats is "difficult and generally requires a number of strategies and tactics," Gartner's Gardner explained. 

Developers should use extra caution and care while downloading open source dependencies. Given the amount of open source used today and the pressures of fast-paced development environments, it's easy for even a well-trained and vigilant developer to make a mistake, Gardner added. 

Gardner recommends using software composition analysis (SCA) tools to evaluate dependencies and detect fakes or legitimate packages that have been compromised. He also suggests "proactively testing packages for the presence of malicious code" and validating packages using package managers to minimise risk.
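One concrete check a team can run before a dependency is installed, as an added example that is neither JPCERT/CC's nor any SCA vendor's code: screen a requirements file for names that extend or sit within a couple of keystrokes of a well-known package, the pattern behind "pycryptoenv" and "pycryptoconf" mimicking "pycrypto". The reference list of known names, the edit-distance threshold and the sample requirements file are constructed assumptions.

```python
import re

# Constructed reference list of well-known names; in practice use the organisation's
# approved-dependency inventory or the most-downloaded PyPI projects.
KNOWN_PACKAGES = sorted({"pycrypto", "pycryptodome", "cryptography", "requests", "numpy"})
MAX_EDIT_DISTANCE = 2   # assumed tuning value

def normalize(name):
    """PEP 503 name normalisation: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-keystroke typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def suspicious_reason(name, known=KNOWN_PACKAGES):
    """Return why a name looks like a look-alike of a known package, or None."""
    n = normalize(name)
    if n in known:
        return None
    for k in known:
        # "pycryptoenv" / "pycryptoconf" style: a known name with a bolted-on affix
        if n.startswith(k) or n.endswith(k):
            return f"extends known name {k!r}"
        if edit_distance(n, k) <= MAX_EDIT_DISTANCE:
            return f"within {MAX_EDIT_DISTANCE} edits of {k!r}"
    return None

def screen_requirements(text):
    """Map each suspicious requirement name to the reason it was flagged."""
    findings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blanks
        if not line or line.startswith("-"):          # skip pip options such as -r / -e
            continue
        pkg = re.split(r"[\s\[<>=!~;@]", line, 1)[0]  # name before any version spec
        reason = suspicious_reason(pkg)
        if reason:
            findings[pkg] = reason
    return findings

# Constructed requirements file mixing genuine names with the two names from the
# advisory and a plain typo.
SAMPLE_REQUIREMENTS = """
requests>=2.31        # genuine
numpy
pycryptoenv==1.0      # Lazarus look-alike named in the advisory
pycryptoconf          # Lazarus look-alike named in the advisory
requets               # simple typo of requests
pycryptodome>=3.19    # genuine
"""

if __name__ == "__main__":
    for pkg, reason in screen_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{pkg}: {reason}")
```

The affix rule will also flag legitimate extensions of a known name, so treat the output as a review queue for a human or an SCA tool rather than an automatic block.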

Ransomware Attack Forces Major Japanese Port to Halt its Operation

A ransomware attack was launched against Japan's biggest and busiest trading port by a cybercriminal outfit believed to be based in Russia. 

Following the incident, the Port of Nagoya paused all cargo operations, including the loading and unloading of containers onto trailers. The Port of Nagoya handles some vehicle exports for businesses like Toyota and represents 10% of Japan's total trade volume. The Nagoya port authority told multiple Japanese media outlets that it intended to restore operations quickly. 

The attack was attributed by the Nagoya Harbour Transportation Association to the LockBit ransomware group, which is thought to be the most active ransomware gang at the moment. According to the FBI and the U.S. Cybersecurity and Infrastructure Security Agency, LockBit was the cause of one out of every six ransomware incidents in 2022. The organisation has not made a formal admission of guilt for the Nagoya attack.

The event affected the computer system serving the port's five cargo terminals. According to the Japanese television network FNN, citing the port's administration, some terminals are currently operating manually without the system, but if it is not repaired, ships may be barred from entering the port.

Toyota told Japanese media that the cyber attack has made it impossible to load or unload auto parts, but that car manufacturing has not been affected.

The incident was discovered early on Tuesday, according to the port authority, when a port employee couldn't start a computer. According to reports, hackers remotely delivered an English-language ransom letter to a printer, demanding payment in exchange for the system's restoration. 

Series of attacks

This is not the Port of Nagoya's first cyber attack; in September, a distributed denial-of-service (DDoS) attack by the Russian group Killnet temporarily took down the port's website.

And the attack on the Port of Nagoya is only the most recent incident to have an impact on the shipping industry. A major ship software supplier was the target of a ransomware attack in January that affected around 1,000 vessels. In 2022, LockBit targeted the Port of Lisbon, and throughout the year, ports throughout Europe were the victim of several ransomware attacks. 

Alejandro Mayorkas, secretary of the U.S. Department of Homeland Security, stated to Congress in November that cyber attacks pose the greatest threat to U.S. ports.