Macnica, together with Kanagawa Prefectural Police, provides information on vulnerability risks to companies in Kanagawa Prefecture - Contributing to preventing security incidents caused by poorly managed VPN devices -

Macnica (Headquarters: Yokohama City, Kanagawa Prefecture, President: Kazumasa Hara, hereinafter Macnica) conducted a joint effort with the Kanagawa Prefectural Police to prevent security incidents targeting externally disclosed assets at companies in Kanagawa Prefecture. We would like to announce this today.

■ Background
In recent years, there has been a series of ransomware attacks that not only encrypt the data held by companies, but also steal the data and demand money, such as "if you don't pay the price, the data will be made public." Behind this is the fact that companies' poorly managed external assets (network devices and servers) are being exploited as the fourth intrusion route following conventional USB, WEB, and email. In particular, damage triggered by intrusion from VPN devices accounts for more than half of the total damage, and poses a major threat to companies.

Source: Created by processing charts 1 and 6 of the National Police Agency website “About threats surrounding cyberspace in 2022”
(https://www.npa.go.jp/publications/statistics/cybersecurity/data/R04_cyber_jousei.pdf)

Macnica and the Kanagawa Prefectural Police have previously conducted educational activities on cybersecurity measures for companies in Kanagawa Prefecture. This time, Macnica will investigate specific VPN products with urgent vulnerabilities that have been disclosed externally as a new initiative to address the threats that have become a big problem these days. We provided information and alerted companies.

■Activities
Specifically, Macnica and the Kanagawa Prefectural Police implemented the following joint initiatives:

① Survey by Macnica
Our company provides the "Attack Surface Management" service. ^*1”, we conducted a survey of companies using specific VPN products in Japan. After that, identify the version of each VPN device and determine whether it has vulnerabilities. ^*2 We conducted a survey to identify companies and organizations in Kanagawa Prefecture that own the target products.

*1: Click here for details (https://www.macnica.co.jp/business/security/manufacturers/mpressioncss/asm.html)
*2: This survey did not perform vulnerability scans, but used a method of identifying vulnerabilities from public information.

② Contact from Kanagawa Prefectural Police to companies
Based on the results of Macnica 's investigation, the Kanagawa Prefectural Police contacted each company that had vulnerable VPN products. At that time, they provided information and issued warnings, and checked the status of countermeasures as much as possible.

■Activity results summary
Macnica conducted a target product survey between February and March 2023, and identified more than 100 target companies/organizations and device information. Thereafter, we provided information and alerted the target companies through the Kanagawa Prefectural Police between March and July 2023.

The status of each company obtained through this initiative is as follows.

At the time of this alert, 12% of companies were unaware of the necessity of version upgrades to address vulnerabilities, but 58% of companies recognized the need and had already taken action. It was being handled sequentially.
Also, some companies were behind in version upgrades for some reason, but the main reasons were as follows.

・I was aware that I had a maintenance contract with the management vendor that included device upgrades, but when I checked again, I found that upgrade work was not covered by the contract.
・Due to the influence of COVID-19, distant vendors were unable to respond.
・Both vendors and internal staff forgot to respond.
・Although we were responding to the instructions of the relevant ministries and agencies in order, due to our busy schedules, updates were delayed.
・There was a maintenance contract, but it was not renewed even once after the introduction.
・As a result of an internal investigation, it was found that the device was used by an affiliated company, so we instructed to take action. When we conducted further investigations after receiving this alert, we found other devices that were not well managed.
・Because it costs money to upgrade, it is used as it is. Other companies were also aware of such a response.

Through this effort, we were able to understand the actual situation where measures were not progressing for various reasons for the surveyed VPN devices. In particular, it is okay to re-inspect whether there are any devices that are not compatible with version upgrades, including affiliated companies, and whether version upgrades are within the scope of your company's response, and whether it is included in the scope of maintenance contracts with contractors. I realized once again that it is important to actually check, not just assume that it is.

Macnica will continue to cooperate with the Kanagawa Prefectural Police in quickly implementing activities against new threats in cyberspace, and will contribute to improving the security level of companies in Kanagawa Prefecture. In addition, we are considering collaborating with police departments in other prefectures in the future.
Cybersecurity attacks that exploit publicly available assets are expected to continue in the future. Macnica will continue to conduct awareness-raising activities to reduce the probability of incidents caused by publicly available assets by even 1%.

*Company names and product names mentioned in this text are trademarks or registered trademarks of Macnica and each company.
*The information published in the news release (including product price, specifications, etc.) is current as of the date of announcement. Please note that the information may be subject to change without prior notice.