Cyber attacks aimed at Japan increase -What is the security measure to be done now?

Corona is forced to change in management style and working style

First, I would like to mention the content of the announcement in September 2021 entitled "Transformation into a new management style" (Figure 1).The announcement has given about 10 specific initiatives, such as promoting digital transformation, abolition of paper documents, and appointing women and foreign employees, as aiming for a sustainable society through the aftercona -looking transformation.It is noteworthy here is to use remote work in principle.He states that by distributing organizations in the region or expanding satellite offices, they will be able to select a place where employees will work, and eliminate relocation and relocation.

As you can see from these announcements, companies are being forced to change due to the catastrophe.Remote work has become a natural business style, and workplace communication is becoming online.Such changes in working styles and changes in social conditions related to new colon viruses are a great opportunity for cyber criminals, and has spurred such changes and confusion.

Increased attacks on the theme of new colon virus

An example of such an attack is the Blue Force attack on the RDP (remote desktop protocol).According to ESET (Eset), the trend of the Blue Force Attack Trying to RDP for a single client from December 2019 to May 2020 (Fig. 2) revealed that rock down began overseas.It can be seen that the attack has increased rapidly since the month.Many companies have to do remote work, and it can be presumed that the number of computers and servers that can be connected by RDP has increased, increasing the number of attacks aimed at them.

In addition, an attack based on the new colon virus is an example of an attack that takes place (Fig. 3). An email on the new Coronavirus, which tricked a real health center, was confirmed in January 2020, and patients were reported in a domestic prefecture. This is used to spread Emotet, and when the macro in the attached file is executed, it becomes infected with Emotet. There are also phishing sites, which disguise the information provision site called "Corona vaccine navigation", which are opened by the Ministry of Health, Labor and Welfare, and phishing emails to guide them. In addition to entering personal information such as name, address, and date of birth, such as accepting vaccination reservations, it also presses credit card information as a way to pay for vaccination costs and tries to fraud. 。

These new colonovirus -related attacks block more than 100 million phishing emails every day in Gmail, and in one week of April 2020, 1,800 malware and fishing emails related to the new colon virus are 1,800 a day.There was a lot.It is said that it accounted for 18 % of the entire phishing email.

In addition to this, it has been found that there were 240 million spam emails related to the new Coronavirus in a day, indicating that cyber criminals used to attack the Corona's turmoil every day.In recent years, information on the start of the third vaccination and the drug to prevent the growth of the new colon virus, and it is expected that a new cyber attack will occur.

About the latest threat trends

I would like to introduce the latest threat trends based on detected data by ESET.

The first is the Blue Force attack on the RDP mentioned earlier, indicating the detection of the Blue Force attack on the RDP service that has been published in the worldwide (Fig. 4).The number of detected detected from May to August 2021 has increased by 55 billion times, with an increase of 103.9 % year -on -year, and the Blue Force attack on RDP has been increasing over the past year.It has also been pointed out that RDP is used for many initial invasion of ransomware.

The red folding line indicates the number of cases per day of a single client that detected an attack on the RDP.It can be presumed that the attack target is already repeatedly attacked, rather than expanding the attack target because it has changed within a certain range.

How about in Japan?ESET, an end -point security product, has an IDS function as a network attack protection function, and can analyze network traffic and block threats.The top 10 in the first half of 2021, which was detected with the network attack protection function, shown in the table (Fig. 5).The color -painted part is an attack aimed at RDP, for example, "Incoming.attack.generic", which is the number one detected, is the default port number of RDP, 3389, and other than that.The attack is detecting.Given that the attack on RDP, which is unlikely to notice that it has been infringed, is the highest ranking, the endpoint can be an invasion, so appropriate measures are required in Japan.

The second is information theft malware.Includes malware, which is the main purpose of stealing data, such as banking malware that steals Internet banking login information and credit card information, as well as spyware and back doors.The information theforal malware has increased by 15.7 % from May to August 2021, and has been increasing over the past year.Uematsu analyzes the factors, saying, "There is a situation that is easy to monetize by selling stolen information on the dark web or selling ransomware attacks."

According to the number of detection by country in the information theforal malware, the first place was 9.2 % in Spain, the second place was 6.3 % in Turkey, and Japan was about 6 %, which was exposed to these malware threats.It is one of the high -ranking countries.

Malware, called Agent Tesla, accounted for 22 % and nearly one -quarter of the total number of information theforal malware (Figure 7). Agent Tesla has been active since 2014 (Remote Access Trojan Wood Horse), steals authentication information from multiple browsers, multiple software, and taking key logger and screenshot. Steal information. In addition to sending the acquired information to an email server managed by the attacker, transferring to an FTP server, posting it to the Telegram chat room, sent to the attacker. Then acquire information on the running computer, check for sandboxes and virtual environments in the security tools, or try to avoid security tool detection by strangers and packing. There are many functions to increase the rate. This Agent Tesla is traded in the underground as MaaS (Malware as a Service), and can be used easily at a price of about $ 15 with high functional and constantly upgrade tools, making it extremely popular with attackers. I'm proud.

In Japan, many Agent Tesla have been detected.If the number of detection of Agent Tesla in Japan in January 2020 was 100 %, the number of detection increased from around October and reached 1618 % in May 2021 (Figure 8).The information to steal, that is, the information owned by Japanese organizations is worthwhile, and the perception that buying and selling can be monetized.Once you get the authentication information, you can avoid security solutions with legitimate authority and use it for initial invasion of attacks.Given that situation, we need to be careful about the information theft malware in the future.

Next, I would like to mention the threat of an unauthorized email.This includes an attack that sends malware etc. by e -mail, that is, phishing email and fraudulent email.2021 The number of fraudulent mail detected from May to August has increased by 7.3 % year -on -year, but the configuration has changed, and the downward loder with downloaders that have been used for spreading EMOTET.It is decreasing.This is because EMOTET was taken down in January 2021.Along with that, phishing and fraudulent emails account for most of the miserable emails.

Fishing occupied most of this fraudulent email, but the top three brands that were abused by attacks during the period from May to August 2021 were "Microsoft", "DHL", and "Docusign" in order from the first place.rice field.There are many attacks trying to steal the login information of cloud services, but among them, there are so many credential fishing for Microsoft's services, such as the Microsoft 365, and rank first.The second -largest DHL is a global logistics company, but the number of attacks on logistics companies around the world is increasing, as Yamato Transport and Sagawa Express -flighting are rampant in Japan.The third place is a Docusign attack that provides electronic contracts and electronic signature cloud services used in more than 180 countries around the world.Here, we will explain the attacks of Microsoft and Docusign.

Many business people will find that the penetration of remote work has made it difficult to grasp the members of the members.In response to such issues, the number of cases in which task management tools and project management tools are used to visualize progress and manage.The attacker launches an attack aimed at this situation.

The Microsoft 365 service has a task management tool called Microsoft Planner.It is a tool that allows you to visualize the progress, as if sticking a sticky note with the work content on the board.The person in charge assigned the task will be notified from the tool that a new task has been assigned, and the link in the email can confirm the contents of the task assigned to himself.The Credential Fishing here is an email that pretends to assign these tasks (Fig. 10).

For example, since a new task called "September Tasks" was assigned, it is guided to check the link.When you click the link, it will transition to the login screen of the fake Microsoft account and try to enter your account information.If your account information is stolen, you will naturally be accessed by personal files linked to the linked personal files and important information stored in SharePoint.It is not a familiar tool that has been used for a long time, but such a new service tends to accept such a notification as "such a specification".Such a careless phishing is also born.

Another change is the review of Hanko culture.An electronic contract has been considerably introduced, and a survey on IT -utilization by the Japan Information Economic and Social Promotion Association, which was implemented in January 2021, said about 70 % of respondents "using electronic contracts.(Fig. 11).

With the spread of electronic contracts, attacks aimed at these are increasing.This is a Credential Fishing of Docusign (Fig. 12).If you upload the document that the client wants to sign an electronic signature on the docusign cloud service, the request source is notified to the request, and after confirming the contents of the document, on the browser or tablet.Electronic signature is possible.When the electronic signature is performed, the content is notified to the client, and the signed document is stored on the cloud.

A third party, Docusign, provides the original storage of the original and provides the original proof as a service.This Credit Fishing will deceive the email of the signature request.It has already occurred since 2016, but has been rejuvenated since April 2021 and has peaked worldwide in August.Most of these detections were Japan, Poland and the United States.

Attacks, information theft, and fraudulent emails mentioned earlier have led to the target ransomware attacks, which are reported on daily damage.The recent ransomware criminals do not complete their own attacks from the beginning to the end as before, but gather experts with know -how in each stage of the attack and create a team.It is characterized by trying to succeed.

First of all, from endpoint security measures

Criminals make various changes.And when Japan is the target, what we need to do with the highest priority is the security measures we use on a daily basis and have many endpoints.The ESET PROTECT solution is proposed as a countermeasure.Introducing a solution that realizes the best practices that ESET thinks, packaging various measures that are essential for endpoint security in order to comprehensively protect the endpoint threats.

Figure 13 shows the overview of the ESET PROTECT solution.Endpoint protection functions that are the center of external threats, as well as cloud sandbox functions that protect from advanced attacks such as targeted attacks and zero -day attacks.And a full -isk encryption function to prevent the loss and the stolen information leakage when taking out the terminal.In addition, security functions for cloud applications that are increasing in new work styles.It is a package that intensively manages these multiple measures with a security management tool in the center.

There are a total of eight ESET PROTECT solution lineups.Classified by company size (for more than 100 people) or for small and medium -sized enterprises (99 or less).And it is possible to select security management according to the needs of wanting to perform the cloud in the cloud or on -premises (Fig. 14).

Here, we introduce solutions for mid -sized and large companies (Fig. 15).There are four solutions for middle and large companies.The base is suitable for the threat surrounding the remote work environment, and if you want to manage security in the cloud and reduce the load on server construction and operation for management tools, the ESET Protect Advanced cloud is suitable.In addition, if you want to operate a management server on your own contract or manage strictly along your own security policy, the on -premises management ESET PROTECT Advanced on -premises are suitable.When using Microsoft 365, the top ESET Protect Complete cloud is suitable.

There are six elements that make up ESET PROTECT solutions for these middle and large companies (Fig. 16).The first is a cloud -type and on -premises security management tool, the second is the basic endpoint protection, and the third is the comprehensive endpoint protection.Comprehensive endpoint protection includes the functions of firewalls, spam, and web control.The fourth is a cloud sandbox, the fifth is full -isk encryption, and the sixth is a cloud application security.The four products are the endpoint protection functions and cloud sandbox functions surrounded by orange, which can be called core technology in ESET's strengths, which are the strengths of ESET.

"The strength of ESET's technology has been in multilayer defense for a long time. For files raccais, implement a multi -layered defense mechanism that specializes in specific threats, such as advanced memory scanners and ransomware protection. So, various third -party evaluation organizations have achieved high -detection power, but recently there are many threats that are difficult to judge, so a new layer that can protect such things is a cloud sandbox. Automatically transmit and analyze to the analysis environment to clarify black and white. If the analysis results are black, they will be blocked automatically. These automation points, there is no security expert, and there is not enough manual. Is solved. By implementing a huge amount of resources necessary for advanced analysis in the cloud, the endpoints do not require load on the endpoint. " Figure 17).

Here are some examples of attacks targeting Japan as an example of the cloud sand box working effectively (Figure 18).It was a downloader called "doc/Agent.dz", which was detected in Japan in Japan, which was clearly intended to aim for Japan.

Excel files will be sent by e -mail in the subject such as "Re: Sending invoice". When this file is executed, the next downloader is read and the following attack continues. The downloader had some obstruction measures to escape antimalewear detection. For example, he was trying to avoid being detected in other language environments, locking the code of VBA so that the code cannot be seen, or to stop execution unless it is in a Japanese environment. The crowd sand box was firmly protected against downloaders with such clever obstruction. Specifically, after the discovery, the file was immediately sent to the cloud analysis environment, and after that eight seconds, it was judged that it was malicious and blocked immediately. It is an example that was definitely effective even if it was an attack targeting Japan.

Next, I would like to explain the cloud application security as an element of the ESET PROTECT solution (Fig. 19).This cloud application security is a function that enhances the security of Microsoft 365, and can take malware measures, phishing mail, and spam emails in Exchange Online, Teams, Onedrive, and SharePoint Online.Detects malware and phishing emails that pass through the standard security of Microsoft 365 with the high detection power of ESET.As we have already explained, there are so many fraudulent emails in Japan, and in a situation where the number of credential fishing aimed at Japan is increasing, it is a very effective measure to protect users and important information.

There are three features of cloud application security (Fig. 20).The first is to protect users from Microsoft 365 standard security features with multi -layered technologies, specifically, malware, fishing, and spam emails.Second, it can be linked with Microsoft 365 with API, and can be used simply by linking the Microsoft 365 administrator account.Because it is a cloud service, it does not require complicated introduction tasks such as server construction and e -mail route change, making it easy to introduce.The third is that you can automatically get Microsoft 365 user information and group information, so you do not need to register this information.Since it is always upgraded to the latest state on the cloud, it can respond to new threats without the hassle of operation management.

One of the functions that constitutes the ESET PROTECT solution is a full -disc encryption (Fig. 21).This is an effective measure for information leaks caused by loss and theft due to the brought out of terminals increased by remote work.Normally, security of endpoints, measures against so -called external threats and encryption are often treated as separate things, but when remote work becomes a natural way of working, comprehensive endpoints are comprehensively protected.From the viewpoint of protecting it, it is desirable to be able to respond to encryption.

Finally, we introduce security management tools that can centrally manage each function and endpoints (Fig. 22).Here, we mention the cloud -type security management tools, but because it is a cloud type, it can be centrally managed regardless of the location, whether there is an end point inside or outside the company.The biggest feature is that it can always use the latest environment with automatic version upgrade.

Cloud security management tools have been launched in July 2021 and have been upgraded three times until today (Figure 23).In July, V2.3 was released immediately after the launch, and the management function of iOS terminals and the management function of full disk encryption was enhanced.In August V2.4, the management target endpoints have been extended to 25,000 units, and the global detection statistics of the cloud sand box can now be confirmed.In October, V3.0 was released, and the function of managing the automatic version of the endpoint protection program was enhanced.In the future, the functions will be enhanced and the functions will be improved in about 9 weeks cycles.

As explained at the beginning, the Corona's evil has changed the work environment and working style, and cyber criminals have considered it as a chance and have been launching various attacks.The necessity of using security solutions that can take comprehensive measures for these threats is even higher.With a view to the Wizkorona era, there is a demand for realizing new work styles, working environments, and work styles, and we should consider the use of ESET PROTECT solutions as such a new environment.

Seminar videos are being released!

Attacks aimed at Japan, what is the current security countermeasure https://youtu.be/nx7kpzd17b0 * Click and the video starts.

※本記事はキヤノンマーケティングジャパンのオウンドメディア「サイバーセキュリティ情報局」から提供を受けております。著作権は同社に帰属します。

Forefront of security

[PR] Provided by Canon Marketing Japan