List of “2021”

  • Malware Gh0stTimes Used by BlackTech (Malware)
    The attack group BlackTech has been actively conducting attacks against Japanese organisations since 2018. Although it is not as prominent as before, JPCERT/CC is still seeing some cases as of now. This article introduces the details of the malware Gh0stTimes, which is used by this group. Gh0stTimes overview: Gh0stTimes is customised based on Gh0st RAT and has been used in some attack cases since 2020. Figure 1 shows the comparison...

  • TSUBAME Report Overflow (Apr-Jun 2021) (Other)
    Hello, I am Keisuke from Cyber Metrics Group. This blog article shows findings and news not covered in our Internet Threat Monitoring Quarterly Report for Apr-Jun 2021, such as differences in TSUBAME monitoring results in Japan and overseas. Number of packets compared between Japan and overseas: Figures 1 and 2 show the daily average of packets sent to TSUBAME sensors each month. Overseas sensors received more packets than those...

  • How to Use Volatility 3 Offline (Forensic)
    Volatility 3 had long been a beta version, but finally its v.1.0.0 was released in February 2021. Since Volatility 2 is no longer supported [1], analysts who used Volatility 2 for memory image forensics should be using Volatility 3 already. In this blog post, I introduce a tip for Volatility 3: how to use Volatility 3 offline. This instruction focuses on analyzing a Windows OS memory image. What is the problem...

  • Attack Exploiting XSS Vulnerability in E-commerce Websites (Incident)
    On 28 April 2021, Trend Micro reported the details of attacks exploiting cross-site scripting (hereafter “XSS”) vulnerability on e-commerce websites [1]. JPCERT/CC has also confirmed similar cases, which originate in XSS vulnerability in websites developed with EC-CUBE products (an open source CMS for e-commerce websites). This attack does not target vulnerabilities which are specific to EC-CUBE products but affects any e-commerce websites which have XSS vulnerability on their administrator page....

  • CSIRT Training to VNCERT/CC with JICA (Event)
    Hello, I am Takumi from the Global Coordination Division. I believe many of you have been working from home for a long time due to the COVID-19 pandemic, and so have we. Many conferences, forums, seminars, and trainings went online in the past year and a half. Today, I would like to report on our international online CSIRT training delivered to VNCERT/CC in Vietnam recently. This 4-day-long online CSIRT training program was conducted from...

  • PHP Malware Used in Lucky Visitor Scam (Incident)
    JPCERT/CC continues to observe cases of websites being compromised and embedded with a malicious page. Visitors are redirected to a scam site or suspicious shopping site by a malicious PHP script (hereafter, “PHP malware”). This article explains the details of PHP malware which is often found in websites in Japan. Cases observed: On PHP malware-embedded websites, there are many malicious webpages that redirect visitors to a scam site or suspicious shopping...

  • Attacks Embedding XMRig on Compromised Servers (Incident)
    Publicly accessible servers have often been targeted for attacks. In recent years, there are cases where these servers are compromised and embedded with a cryptocurrency mining tool. JPCERT/CC confirmed cases with XMRig [1] in February 2021. This article introduces the details of the cases and the tools used. Initial access/Lateral movement: In one of the recent cases, the attacker made several attempts to access the server with the SSH protocol, and eventually logged in...

  • JPCERT/CC participated in the Locked Shields 2021 (Event)
    JPCERT/CC participated in the cyber exercise “Locked Shields” organized by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) during 13 – 16 April 2021. We joined as a member of Japan's Blue Team. This article describes how JPCERT/CC and other members participated in Locked Shields, its objectives, the value of the exercise, and challenges. What is “Locked Shields”? Locked Shields is the largest and most complex international live-fire cyber...

  • ICS Security Conference 2021 (Event)
    JPCERT/CC held the ICS Security Conference on 12 February (Japanese website). This annual conference started in 2009 in the hope of developing security measures and the best practices for ICS. Since then, the conference has been facilitating the exchange of up-to-date knowledge on both domestic and worldwide threats against ICS and the latest security practices in the related industries. In its 12 years of history, this year was the first...

  • Lazarus Attack Activities Targeting Japan (VSingle/ValeforBeta) (Incident)
    The attack group Lazarus (also known as Hidden Cobra) conducts various attack operations. This article introduces malware (VSingle and ValeforBeta) and tools used in attacks against Japanese organisations. VSingle overview: VSingle is an HTTP bot which executes arbitrary code from a remote network. It also downloads and executes plugins. Once launched, this malware runs Explorer and executes its main code through DLL injection. (Some samples do not perform DLL injection.)...