Nowadays, many people probably recognize exploit of vulnerabilities in publicly exposed assets such as VPN and firewalls as the attack vector. In fact, many security incidents reported to JPCERT/CC also involve such devices. This is because vulnerabilities in VPN devices are exploited not only by APT groups but also by many other groups such as ransomware actors and cyber crime actors, and the number of incidents is high accordingly. As...
List of “Incident”
-
-
JPCERT/CC has confirmed an attack against an organization in Japan in ...
-
JPCERT/CC has been observing attack activities by MirrorFace LODEINFO ...
-
In early July 2023, JPCERT/CC confirmed a case of domain hijacking in which a domain used in Japan was unauthorizedly transferred to another registrar. This blog post describes the attack case. Attack overview Figure 1 shows the attack flow. The attacker first prepared a phishing site, which pretended to be a registrar on search site advertisements. Figure 1: the attack flow An attacker can steal account information and password (hereafter...
-
Around May 2022, JPCERT/CC confirmed an attack activity against Japanese organizations that exploited F5 BIG-IP vulnerability (CVE-2022-1388). The targeted organizations have confirmed that data in BIG-IP has been compromised. We consider that this attack is related to the activities by BlackTech attack group. This blog article describes the attack activities that exploit this BIG-IP vulnerability. Attack code that exploits the BIG-IP vulnerability Below is a part of the attack code...
-
JPCERT/CC releases a URL dataset of phishing sites confirmed from January 2019 to June 2022, as we received many requests for more specific information after publishing a blog article on trends of phishing sites and compromised domains in 2021. The list is available in the following GitHub repository. Phishing URL dataset from JPCERT/CC https://github.com/JPCERTCC/phishurl-list/ Each column contains the following: date: Date confirmed by JPCERT/CC URL: Entire URL of a phishing...
-
JPCERT/CC received 44,242 incident reports in 2021 and of that 23,104 ...
-
On 28 April 2021, Trend Micro reported the details of attacks exploiti...
-
JPCERT/CC continues to observe cases of website being compromised and embedded with a malicious page. Visitors are redirected to a scam site or suspicious shopping site by malicious PHP script (hereafter, “PHP malware”). This article explains the details of PHP malware which is often found in websites in Japan. Cases observed On PHP malware-embedded websites, there are many malicious webpages that redirect visitors to a scam site or suspicious shopping...
-
Publicly-accessible servers have been often targeted for attacks. In recent years, there are cases where these servers are compromised and embedded with a cryptocurrency mining tool. JPCERT/CC confirmed cases with XMRig [1] in February 2021. This article introduces the details of the cases and the tools used.Initial access/Lateral movementIn one of the recent cases, the attacker made several attempts to access the server with SSH protocol, and eventually logged in...
.png)
