We continue to introduce the talks at JSAC2024. This third issue covers workshops and lightning talks. Workshop Introduction to Investigation of Unauthorised Access to Cloud Speakers: Hayate Hazuru and Takahiro Yamamoto (ITOCHU Cyber & Intelligence Inc.), Norihide Saito (Flatt Security Inc.), Daisuke Miyashita (Sterra Security Co.,Ltd.) Hayate, Takahiro, Norihide, and Daisuke explained how the cloud works and the attack methods targeting cloud in their workshop, followed by a log investigation demonstration based on a real security incident. First, they explained the resource manipulation ..read more

This TSUBAME Report Overflow series discuss monitoring trends of overseas TSUBAME sensors and other activities which the Internet Threat Monitoring Quarterly Reports does not include. This article covers the monitoring results for the period of October to December 2023. The scan trends observed with TSUBAME sensors in Japan are presented in graphs here . Packets observed from products under development JPCERT/CC analyzes the data collected by TSUBAME on a daily basis. In this article, I will focus on a product developed by a Japanese developer that we found while analyzing the data and investi ..read more

JPCERT/CC held JSAC2024 on January 25 and 26, 2024. The purpose of this conference is to raise the knowledge and technical level of security analysts, and we aimed to bring them together in one place where they can share technical knowledge related to incident analysis and response. The conference was held for the seventh time and, unlike last year, returned to a completely offline format. 17 presentations, 3 workshops, and 6 lightning talks were presented in the 2-day programme, and most of the presentation slides are available on JSAC Website. JPCERT/CC Eyes introduces the conference in thre ..read more

JPCERT/CC has confirmed that Lazarus has released malicious Python packages to PyPI, the official Python package repository (Figure 1). The Python packages confirmed this time are as follows: pycryptoenv pycryptoconf quasarlib swapmempool The package names pycryptoenv and pycryptoconf are similar to pycrypto, which is a Python package used for encryption algorithms in Python. Therefore, the attacker probably prepared the malware-containing malicious packages to target users' typos in installing Python packages. This article provides details on these malicious Python packages. Figure 1: Pytho ..read more

This TSUBAME Report Overflow series discuss monitoring trends of overseas TSUBAME sensors and other activities which the Internet Threat Monitoring Quarterly Reports does not include. This article covers the monitoring results for the period of July to September 2023. The scan trends observed with TSUBAME sensors in Japan are presented in graphs here . Suspicious packets sent from routers sold by a Japanese manufacturer Focus on routers sold by a Japanese manufacturer that I found while investigating the source IP addresses of the scans. Routers are used for a variety of purposes all over the ..read more

In early July 2023, JPCERT/CC confirmed a case of domain hijacking in which a domain used in Japan was unauthorizedly transferred to another registrar. This blog post describes the attack case. Attack overview Figure 1 shows the attack flow. The attacker first prepared a phishing site, which pretended to be a registrar on search site advertisements. Figure 1: the attack flow An attacker can steal account information and password (hereafter referred to as "credential") when a domain administrator accesses a phishing site and enters the credential. After the victim enters their credential on th ..read more

This TSUBAME Report Overflow series discuss monitoring trends of overseas TSUBAME sensors and other activities which the Internet Threat Monitoring Quarterly Reports does not include. This article covers the monitoring results for the period of April to June 2023. The scan trends observed with TSUBAME sensors in Japan are presented in graphs here. Difference of observed packets in Japan and overseas sent from Japan Along with the renewal of the TSUBAME system, we have also updated our sensors. In particular, the number of overseas sensors has increased. We have installed sensors at overseas ho ..read more

JPCERT/CC has confirmed that a new technique was used in an attack that occurred in July, which bypasses detection by embedding a malicious Word file into a PDF file. This blog article calls the technique “MalDoc in PDF” hereafter and explains the details of and countermeasures against it. Overview of MalDoc in PDF A file created with MalDoc in PDF can be opened in Word even though it has magic numbers and file structure of PDF. If the file has configured macro, by opening it in Word, VBS runs and performs malicious behaviors. In the attack confirmed by JPCERT/CC, the file extension was .doc ..read more

As attacks become more fileless and malware gets more obfuscated, it is getting more difficult to determine whether there is a malicious intent from a file by itself. For this reason, malware detection methods that utilize sandboxes and AI, as well as technologies that detect suspicious behavior after malware infection, such as EDR, have now become common. Even so, malware that antivirus software cannot detect is often found during actual incident responses. When such unknown malware is found, an exhaustive analysis to find the same type of malware, which may be hiding in the network, is requi ..read more

At the end of May 2023, JPCERT/CC confirmed an attack targeting developers of cryptocurrency exchange businesses, and it is considered to be related to the targeted attack group DangerousPassword [1], [2] (a.k.a. CryptoMimic or SnatchCrypto), which has been continuously attacking since June 2019. This attack targeted Windows, macOS, and Linux environments with Python and Node.js installed on the machine. This article explains the attack that JPCERT/CC has confirmed and the malware used. Attacks in the Windows environment starting from Python malware The attacker inserts malicious code into a f ..read more