About this report

Macnica has prepared this report to raise awareness of the attack campaigns observed in the first half of 2018 (April to September) that attempted to steal confidential information (personal information, policy-related information, manufacturing data, etc.) from Japanese organizations.

It describes new attack methods and how their threats can be detected, focusing on incidents involving highly stealthy remote-access trojans (RATs). It closes with the indicators observed in the attack campaigns introduced in the text.

Publicly available blogs and research papers offer many perspectives on malware reverse engineering, cryptanalysis, and attacker attribution, and are a great help to analysts performing sample analysis and research. Information security staff who plan countermeasures for their own organization and respond to detected alerts every day, however, may find this material hard to apply. This report therefore presents a table of the observed attack groups, their TTPs, the industries they targeted, and considerations for detecting them, so that the people responsible for the security of organizational information systems receive an alert they can act on. It was written in the hope of freeing organizations from endless investment in countermeasure technology for its own sake, and of supporting effective countermeasures focused on the attack groups that target their own industry.

Industries in which attacks were observed

In the first half of 2018 we observed an increase in attempts to steal intellectual property, including manufacturing data, from internationally competitive companies such as chemical and fuel companies, high-tech manufacturers, and maritime-related companies. Our analysis is that particular attention is needed in advanced fields where international technological competition is fierce. Attacks targeting telecommunications carriers also occurred; as the CloudHopper campaign showed, a foothold in such a provider can lead to large-scale campaigns against the large networks under its management, and we are watching for that possibility. Our analysis is also that attack campaigns against government offices, think tanks, and the media continue at a steady level, targeting information that could inform diplomatic and political decisions ahead of meetings between high-ranking government officials.

  • Figure 1. Targeted organizations (pie chart)

Attack timeline

Below is a timeline chart of the targeted attack campaigns using RATs that we identified and observed. Because targeted attacks on intellectual property are highly stealthy and we cannot claim to cover every targeted attack against Japan, we believe the incidents shown here are only the tip of the iceberg. As for trends, attacks using PLEAD and Taidoor, which were often observed against Taiwan in the past, are increasingly observed in Japan. Many of the e-mail attachments used to attempt new infections are Office files, and macros are frequently used. Some Office files exploited old vulnerabilities such as CVE-2017-8759 (a .NET Framework vulnerability exploited through Office documents); we observed no newly disclosed vulnerabilities exploited in these attacks.
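A triage step for the macro-laden Office attachments described above, as an added example that is not from the Macnica report: inspect the OOXML container for a VBA project part (a `vbaProject.bin` entry, or the `application/vnd.ms-office.vbaProject` content type in `[Content_Types].xml`) rather than trusting the file extension. The sample documents are constructed in memory and are not real attachments; legacy binary Office files (.doc/.xls) are only recognised by their OLE magic, not parsed, since their macros live in OLE streams and need a dedicated parser such as oletools' olevba.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Magic bytes of the legacy binary Office container (OLE2/CFB) and of a zip (OOXML).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
# Content type that OOXML packages declare for a VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"

# Constructed [Content_Types].xml for a macro-free document.
CONTENT_TYPES_CLEAN = """<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="xml" ContentType="application/xml"/>
  <Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
</Types>"""

# Constructed [Content_Types].xml for a macro-enabled document.
CONTENT_TYPES_MACRO = """<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="xml" ContentType="application/xml"/>
  <Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>
  <Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>
</Types>"""


def build_ooxml(parts: dict) -> bytes:
    """Pack {entry name: content} into a zip, i.e. a minimal OOXML package (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a clean .docx, a .docm carrying a VBA project, and a legacy .doc stub.
CLEAN_DOCX = build_ooxml({
    "[Content_Types].xml": CONTENT_TYPES_CLEAN,
    "word/document.xml": "<w:document/>",
})
MACRO_DOCM = build_ooxml({
    "[Content_Types].xml": CONTENT_TYPES_MACRO,
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": OLE_MAGIC + b"\x00" * 8,   # placeholder for a real VBA project stream
})
LEGACY_DOC = OLE_MAGIC + b"\x00" * 512


def classify_attachment(data: bytes) -> dict:
    """Triage one attachment: which container it is and whether it carries a VBA project."""
    if data.startswith(OLE_MAGIC):
        # Legacy .doc/.xls/.ppt: macros sit in OLE streams; this example does not parse them.
        return {"format": "ole", "has_vba": None,
                "detail": "legacy binary container; inspect streams with an OLE/VBA parser"}
    if not data.startswith(ZIP_MAGIC):
        return {"format": "other", "has_vba": False, "detail": "not an Office container"}

    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # A VBA project part is named vbaProject.bin regardless of its folder (word/, xl/, ppt/).
        vba_parts = [n for n in names if n.rsplit("/", 1)[-1].lower() == "vbaproject.bin"]
        declared = False
        if "[Content_Types].xml" in names:
            root = ET.fromstring(z.read("[Content_Types].xml"))
            declared = any(el.get("ContentType") == VBA_CONTENT_TYPE for el in root.iter())

    has_vba = bool(vba_parts) or declared
    if vba_parts:
        detail = "VBA project part(s): " + ", ".join(vba_parts)
    elif declared:
        detail = "content types declare a VBA project but no part was found"
    else:
        detail = "no VBA project"
    return {"format": "ooxml", "has_vba": has_vba, "detail": detail}


if __name__ == "__main__":
    for label, sample in (("clean.docx", CLEAN_DOCX), ("invoice.docm", MACRO_DOCM), ("old.doc", LEGACY_DOC)):
        print(label, classify_attachment(sample))
```

Both signals are checked because either alone can be stripped or forged: a package can contain `vbaProject.bin` without declaring its content type, or declare the content type under a different part name, and the extension on the e-mail attachment says nothing about what is inside.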

In addition, our analysis is that Winnti group attacks on public servers with global IP addresses have continued covertly for a long time, with detection coming late: the implant accepts remote control on a listening port instead of connecting out to a C&C server, so monitoring of outbound traffic alone does not catch it.
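The passive-listener behaviour described above suggests a hunt a practitioner can run on public-facing hosts. The following is an added example and not part of the Macnica report: it compares the host's own socket table (`ss -lntp` output) with a baseline of expected (port, process) pairs, and separately compares an external port scan (`nmap -oG` grepable output) against what the host reports, so that both an unexpected externally reachable bind and a port that answers from outside but is missing from the host's view (a listener hidden from the OS, or a device in front of the host) are surfaced. The `ss` and nmap outputs, the host address 203.0.113.10, and the baseline are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed `ss -lntp` output from a hypothetical public-facing Linux host (sample data, not real).
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1420,fd=6))
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1501,fd=20))
LISTEN 0      10     0.0.0.0:53211       0.0.0.0:*         users:(("httpd",pid=2213,fd=4))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
"""

# Constructed `nmap -p- -oG -` output for the same host, scanned from outside the network.
NMAP_GREPABLE = """\
Host: 203.0.113.10 ()  Status: Up
Host: 203.0.113.10 ()  Ports: 22/open/tcp//ssh///, 443/open/tcp//https///, 53211/open/tcp//unknown///, 61000/open/tcp//unknown///
"""

# Baseline of (port, process) pairs this host is supposed to expose (assumed for the example).
BASELINE = {(22, "sshd"), (443, "nginx")}

# One LISTEN row of `ss -lntp`: state, queues, local addr:port, peer, owning process.
SS_LISTEN = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)
# Open TCP ports in nmap grepable output look like "22/open/tcp//ssh///".
NMAP_OPEN = re.compile(r'(\d+)/open/tcp')


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    proc: str
    pid: int

    @property
    def reachable_externally(self) -> bool:
        # A loopback-only bind cannot serve as a remotely reachable backdoor.
        return not (self.addr.startswith("127.") or self.addr == "[::1]")


def parse_ss(text: str) -> list[Listener]:
    """Parse `ss -lntp` output into Listener records; header and non-LISTEN rows are skipped."""
    out = []
    for line in text.splitlines():
        m = SS_LISTEN.match(line)
        if m:
            out.append(Listener(m["addr"], int(m["port"]), m["proc"], int(m["pid"])))
    return out


def parse_nmap_open_ports(text: str) -> set[int]:
    """Collect open TCP ports from nmap grepable (-oG) output."""
    return {int(p) for p in NMAP_OPEN.findall(text)}


def hunt(ss_text: str, nmap_text: str, baseline: set) -> dict:
    """Two checks. 'unexpected': externally reachable (port, process) pairs not in the baseline.
    'hidden': ports that answer from outside but are absent from the host's own socket table."""
    listeners = parse_ss(ss_text)
    external = [l for l in listeners if l.reachable_externally]
    unexpected = sorted({(l.port, l.proc) for l in external if (l.port, l.proc) not in baseline})
    hidden = sorted(parse_nmap_open_ports(nmap_text) - {l.port for l in external})
    return {"unexpected": unexpected, "hidden": hidden}


if __name__ == "__main__":
    result = hunt(SS_OUTPUT, NMAP_GREPABLE, BASELINE)
    for port, proc in result["unexpected"]:
        print(f"[!] unexpected external listener tcp/{port} owned by {proc}")
    for port in result["hidden"]:
        print(f"[!] tcp/{port} answers externally but is absent from the host socket table")
```

The baseline is keyed on the process name as well as the port, so a legitimate port re-bound by the wrong process is still flagged. The external scan is the control for the host-side view: a listener that a rootkit hides from `ss` still has to answer a SYN, so any port in the "hidden" list deserves a forensic look at the host rather than a second run of `ss`.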

  • Table 1. Timeline chart

Efforts against targeted attacks on Japan

As described in "Trends in cyber espionage (targeted attacks) targeting Japan, first half of 2018," attacks targeting Japan have been observed. Cyber attacks targeting Japan do not necessarily share the characteristics of attacks targeting Western countries.
Macnica believes that attacks targeting Japanese companies need to be analyzed in Japan, and has established a security research center that analyzes such attacks on a daily basis.

We provide the Mpression Cyber Security Service™, which draws on threat intelligence about these attackers to support countermeasures against attacks targeting Japan.

What is Mpression Cyber Security Service™?

It is a cyber security service unique to Macnica that uses threat intelligence on attacks targeting Japan to solve the cyber security issues our customers face.

We offer the following three types of services.

  • Threat Hunting & Incident Response Service
  • Threat matching portal
  • Incident response service

What is Threat Hunting & Incident Response Service?

The service combines endpoint investigation tools, monitoring during normal operations, investigation when an incident occurs, and reporting of findings and countermeasures. It improves the ability to detect advanced attacks in the detection phase and supports proper, rapid execution of the investigation, analysis, and response phases.

Features

  1. Leverages industry-leading threat intelligence specific to attacks targeting Japanese organizations
  2. Threat detection by experienced security hunters