• JSAC2024 -Workshop & Lightning talk- Event
    JSAC2024 -Workshop & Lightning talk-
    We continue to introduce the talks at JSAC2024. This third issue covers workshops and lightning talks. Workshop Introduction to Investigation of Unauthorised Access to Cloud Speakers: Hayate Hazuru and Takahiro Yamamoto (ITOCHU Cyber Intelligence Inc.), Norihide Saito (Flatt Security Inc.), Daisuke Miyashita (Sterra Security Co.,Ltd.) Hayate, Takahiro, Norihide, and Daisuke explained how the cloud works and the attack methods targeting cloud in their workshop, followed by a log investigation demonstration...

    Read more

  • JSAC2024 -Day 2- Event
    JSAC2024 -Day 2-
    This second blog post features the Main Track talks on the Day 2 of JSAC. XFiles: Large-Scale Analysis of Malicious MSIX/APPX Speakers: Kazuya Nomura, Teruki Yoshikawa, Masaya Motoda (NTT Security Japan) Slides (Japanese) The speakers discussed Microsoft’s new packaged files, MSIX and APPX, which have been exploited in recent years in attack campaigns. They explained the points to focus on when analyzing the structure, operation mechanisms, and characteristics of the...

    Read more

  • TSUBAME Report Overflow (Oct-Dec 2023) Tags
    TSUBAME Report Overflow (Oct-Dec 2023)
    This TSUBAME Report Overflow series discuss monitoring trends of overseas TSUBAME sensors and other activities which the Internet Threat Monitoring Quarterly Reports does not include. This article covers the monitoring results for the period of October to December 2023. The scan trends observed with TSUBAME sensors in Japan are presented in graphs here . Packets observed from products under development JPCERT/CC analyzes the data collected by TSUBAME on a daily...

    Read more

  • JSAC2024 -Day 1- Event
    JSAC2024 -Day 1-
    JPCERT/CC held JSAC2024 on January 25 and 26, 2024. The purpose of this conference is to raise the knowledge and technical level of security analysts, and we aimed to bring them together in one place where they can share technical knowledge related to incident analysis and response. The conference was held for the seventh time and, unlike last year, returned to a completely offline format. 17 presentations, 3 workshops, and...

    Read more

  • New Malicious PyPI Packages used by Lazarus Malware
    New Malicious PyPI Packages used by Lazarus
    JPCERT/CC has confirmed that Lazarus has released malicious Python packages to PyPI, the official Python package repository (Figure 1). The Python packages confirmed this time are as follows: pycryptoenv pycryptoconf quasarlib swapmempool The package names pycryptoenv and pycryptoconf are similar to pycrypto, which is a Python package used for encryption algorithms in Python. Therefore, the attacker probably prepared the malware-containing malicious packages to target users' typos in installing Python packages....

    Read more

  • TSUBAME Report Overflow (Jul-Sep 2023) TSUBAME
    TSUBAME Report Overflow (Jul-Sep 2023)
    This TSUBAME Report Overflow series discuss monitoring trends of overseas TSUBAME sensors and other activities which the Internet Threat Monitoring Quarterly Reports does not include. This article covers the monitoring results for the period of July to September 2023. The scan trends observed with TSUBAME sensors in Japan are presented in graphs here . Suspicious packets sent from routers sold by a Japanese manufacturer Focus on routers sold by a...

    Read more

  • Credential Theft and Domain Name Hijacking through Phishing Sites Incident
    Credential Theft and Domain Name Hijacking through Phishing Sites
    In early July 2023, JPCERT/CC confirmed a case of domain hijacking in which a domain used in Japan was unauthorizedly transferred to another registrar. This blog post describes the attack case. Attack overview Figure 1 shows the attack flow. The attacker first prepared a phishing site, which pretended to be a registrar on search site advertisements. Figure 1: the attack flow An attacker can steal account information and password (hereafter...

    Read more

  • TSUBAME Report Overflow (Apr-Jun 2023) TSUBAME
    TSUBAME Report Overflow (Apr-Jun 2023)
    This TSUBAME Report Overflow series discuss monitoring trends of overseas TSUBAME sensors and other activities which the Internet Threat Monitoring Quarterly Reports does not include. This article covers the monitoring results for the period of April to June 2023. The scan trends observed with TSUBAME sensors in Japan are presented in graphs here. Difference of observed packets in Japan and overseas sent from Japan Along with the renewal of the...

    Read more

  • MalDoc in PDF - Detection bypass by embedding a malicious Word file into a PDF file – Malware
    MalDoc in PDF - Detection bypass by embedding a malicious Word file into a PDF file –
    JPCERT/CC has confirmed that a new technique was used in an attack that occurred in July, which bypasses detection by embedding a malicious Word file into a PDF file. This blog article calls the technique “MalDoc in PDF” hereafter and explains the details of and countermeasures against it. Overview of MalDoc in PDF A file created with MalDoc in PDF can be opened in Word even though it has magic...

    Read more

  • YAMA-Yet Another Memory Analyzer for malware detection Malware
    YAMA-Yet Another Memory Analyzer for malware detection
    As attacks become more fileless and malware gets more obfuscated, it is getting more difficult to determine whether there is a malicious intent from a file by itself. For this reason, malware detection methods that utilize sandboxes and AI, as well as technologies that detect suspicious behavior after malware infection, such as EDR, have now become common. Even so, malware that antivirus software cannot detect is often found during actual...

    Read more