4 Infrastructure Security

1. Infrastructure Security

OpenSSL Vulnerabilities

In this report, we discuss the discovery of a series of OpenSSL vulnerabilities that have had a significant impact, and examine Vawtrak, the malware that steals authentication information for online banking, etc. We also take a look at auditing systems for cloud computing security.

1.1 Introduction

This report summarizes incidents to which IIJ responded, based on general information obtained by IIJ itself related to the stable operation of the Internet, information from observations of incidents, information acquired through our services, and information obtained from companies and organizations with which IIJ has cooperative relationships. This volume covers the period of time from April 1 through June 30, 2014. Continuing on from the last survey period, a number of hacktivism-based attacks were made by Anonymous and other groups. New OpenSSL vulnerabilities that allowed encrypted communications to be intercepted through MITM attacks were also discovered, and had a widespread effect. There were also incidents in which users of a number of Web services in Japan were infected with malware through altered content located on the servers of CDN providers. In June, there were large-scale DDoS attacks on an e-voting system in Hong Kong and also on online games. These examples show that many security-related incidents continue to occur on the Internet.

1.2 Incident Summary

Here we discuss the IIJ handling and response to incidents that occurred between April 1 and June 30, 2014. Figure 1 shows the distribution of incidents handled during this period*1.

■ The Activities of Anonymous and Other Hacktivists

Attacks by hacktivists such as Anonymous continued during this period. DDoS attacks and information leaks occurred at government-related and corporate sites in a large number of countries, stemming from a variety of incidents and causes. In April, website defacements and information leaks affected a number of government-related websites in Israel (OpIsrael). Attacks were also made between India and Pakistan in the same month. In May, website defacements and DDoS attacks occurred in relation to territorial disputes between the Philippines and China. Attacks on the Chinese government and related agencies are still continuing (OpChina). Similarly, website defacements, information leaks, and DDoS attacks are occurring between China and Vietnam.

*1 Incidents discussed in this report are categorized as vulnerabilities, political and social situation, history, security incidents and other. Vulnerabilities: Responses to vulnerabilities associated with network equipment, server equipment or software commonly used over the Internet or in user environments. Political and Social Situations: Responses to incidents related to domestic and foreign circumstances and international events such as international conferences attended by VIPs and attacks originating in international disputes. History: Historically significant dates; warning/alarms, detection of incidents, measures taken in response, etc., related to attacks in connection with a past historical fact. Security Incidents: Unexpected incidents and related responses such as wide propagation of network worms and other malware; DDoS attacks against certain websites. Other: Security-related information, and incidents not directly associated with security problems, including highly concentrated traffic associated with a notable event.

Figure 1: Incident Ratio by Category (April 1 to June 30, 2014)
Vulnerabilities 14.3%, Political and Social Situation 0.6%, History 0.6%, Security Incidents 47.0%, Other 37.5%

In June there were attacks related to the FIFA World Cup soccer tournament held in Brazil. These targeted a number of websites, including Brazilian government agencies and TV stations. Attacks on companies sponsoring the World Cup were also planned, but in the end none were very large in scale. Other attacks by hacktivists such as Anonymous continued on government and government-related websites around the world. Unknown attackers claiming affiliation with the Syrian Electronic Army continued to hijack SNS accounts and deface websites, with affected accounts including those of media organizations such as The Wall Street Journal and Reuters.

■ Vulnerabilities and their Handling

During this period fixes were released for Microsoft products including Windows*2, Internet Explorer*3*4*5*6, and Office*7*8*9. Updates were also made to Adobe Systems' Adobe Flash Player, Adobe Reader, and Adobe Acrobat. A quarterly update was released for Oracle's Java SE, fixing many vulnerabilities. Several of these vulnerabilities were exploited in the wild before patches were released. Regarding server applications, a quarterly update was released for a number of Oracle products, including the Oracle database server, fixing many vulnerabilities. Vulnerabilities in BIND DNS servers that caused named to terminate abnormally when receiving specially crafted DNS requests were also discovered and fixed. Vulnerabilities in the OpenSSL cryptographic software library that could allow sensitive data such as private keys to leak, or that may facilitate MITM attacks*10, were also discovered and fixed. In particular, alerts were issued by a number of organizations including the IPA regarding the former vulnerability, known as Heartbleed. A number of attacks in which this flaw was actually exploited also occurred. See "1.4.1 OpenSSL Vulnerabilities" for more information. Several serious OpenSSL vulnerabilities have been discovered in the past, and when vulnerabilities are found in a widely used library like this, the impact is broad. As a result, a number of approaches are being taken to resolve issues, such as the establishment of the Core Infrastructure Initiative*11 for supporting key open source projects like OpenSSL, and the launch of the LibreSSL*12 project that aims to develop a more secure implementation. Another fix was also released for a vulnerability in the Apache Struts Web application framework that allowed ClassLoader to be manipulated, as a patch issued in March had been bypassed. After it was established that this vulnerability also affected Apache Struts 1, for which support had already ended in 2013, service was temporarily suspended on several websites to take measures such as the application of fixes. A number of attacks that actually exploited this vulnerability were also confirmed*13.

■ Unauthorized Login Through Identity Fraud

Since last year there have been many attempts to steal user IDs and passwords, and log in without authorization through identity fraud, presumably using lists of these IDs and passwords. These activities continued in the current survey period.

*2 "Microsoft Security Bulletin MS14-025 - Important: Vulnerability in Group Policy Preferences Could Allow Elevation of Privilege (2962486)" (https://technet.microsoft.com/library/security/ms14-025).
*3 "Microsoft Security Bulletin MS14-018 - Critical: Cumulative Security Update for Internet Explorer (2950467)" (https://technet.microsoft.com/library/security/ms14-018).
*4 "Microsoft Security Bulletin MS14-021 - Critical: Security Update for Internet Explorer (2965111)" (https://technet.microsoft.com/library/security/ms14-021).
*5 "Microsoft Security Bulletin MS14-029 - Critical: Security Update for Internet Explorer (2962482)" (https://technet.microsoft.com/library/security/ms14-029).
*6 "Microsoft Security Bulletin MS14-035 - Critical: Cumulative Security Update for Internet Explorer (2969262)" (https://technet.microsoft.com/library/security/ms14-035).
*7 "Microsoft Security Bulletin MS14-024 - Important: Vulnerability in a Microsoft Common Control Could Allow Security Feature Bypass (2961033)" (https://technet.microsoft.com/library/security/ms14-024).
*8 "Microsoft Security Bulletin MS14-017 - Critical: Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2949660)" (https://technet.microsoft.com/library/security/ms14-017).
*9 "Microsoft Security Bulletin MS14-034 - Important: Vulnerability in Microsoft Word Could Allow Remote Code Execution (2969261)" (https://technet.microsoft.com/library/security/ms14-034).
*10 See the following blog post by the discoverer, Mr. Kikuchi of Lepidum Co. Ltd., for more details. "CCS Injection Vulnerability" (http://ccsinjection.lepidum.co.jp).
*11 Linux Foundation, "Announcing Rapid Progress on Core Infrastructure Initiative" (http://www.linuxfoundation.org/news-media/blogs/browse/2014/06/announcing-rapid-progress-core-infrastructure-initiative).
*12 LibreSSL (http://www.libressl.org/).
*13 For example, see the following National Police Agency announcement. "Regarding the detection of communications targeting an Apache Struts 2 vulnerability" (http://www.npa.go.jp/cyberpolice/detect/pdf/20140427.pdf) (in Japanese).
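The OpenSSL Heartbeat flaw discussed above (the "former vulnerability, known as Heartbleed") came down to a missing consistency check between a heartbeat message's declared payload length and the number of bytes actually received: a responder that trusted the declared length answered with that many bytes copied from memory beyond the record. The following Python code is an added example, not code from the report or from OpenSSL. It parses an RFC 6520 HeartbeatMessage and applies that check, discarding any message whose declared length is not backed by the record, as the fix for CVE-2014-0160 does. The function names (parse_heartbeat, build_heartbeat, heartbeat_response) and the test vectors are this example's own, and the padding is zeroed for determinism where a real implementation uses random bytes.

```python
import struct

# HeartbeatMessage (RFC 6520 section 4):
#   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
HB_REQUEST = 1
HB_RESPONSE = 2
MIN_PADDING = 16
HEADER_LEN = 1 + 2


def build_heartbeat(hb_type: int, payload: bytes, padding_len: int = MIN_PADDING) -> bytes:
    """Serialize a well-formed HeartbeatMessage (zero padding, constructed for this example)."""
    if padding_len < MIN_PADDING:
        raise ValueError("RFC 6520 requires at least 16 bytes of padding")
    return struct.pack("!BH", hb_type, len(payload)) + payload + b"\x00" * padding_len


def parse_heartbeat(record: bytes):
    """Return (type, payload) if the message is consistent with the received record, else None.

    The decisive check is HEADER_LEN + payload_length + MIN_PADDING <= len(record):
    a declared payload length that the record cannot contain is discarded instead
    of being used as the number of bytes to echo back.
    """
    if len(record) < HEADER_LEN + MIN_PADDING:
        return None  # too short to hold even an empty payload plus padding
    hb_type, payload_length = struct.unpack("!BH", record[:HEADER_LEN])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return None
    if HEADER_LEN + payload_length + MIN_PADDING > len(record):
        return None  # declared length not backed by received bytes: silently discard
    payload = record[HEADER_LEN:HEADER_LEN + payload_length]
    return hb_type, payload


def heartbeat_response(request_record: bytes):
    """Build the response a patched responder sends, or None when the request is discarded.

    Only the bytes that were actually received are echoed, never payload_length
    bytes read past the end of the record.
    """
    parsed = parse_heartbeat(request_record)
    if parsed is None or parsed[0] != HB_REQUEST:
        return None
    return build_heartbeat(HB_RESPONSE, parsed[1])


# Constructed test vectors (not captured traffic).
GOOD_REQUEST = build_heartbeat(HB_REQUEST, b"ping")
# Declares 16384 payload bytes but carries only 4, followed by minimal padding.
INCONSISTENT_REQUEST = struct.pack("!BH", HB_REQUEST, 16384) + b"ping" + b"\x00" * MIN_PADDING
# Consistent length field but only 8 bytes of padding.
SHORT_PADDING_REQUEST = struct.pack("!BH", HB_REQUEST, 4) + b"ping" + b"\x00" * 8

if __name__ == "__main__":
    for name, rec in [("good", GOOD_REQUEST), ("inconsistent", INCONSISTENT_REQUEST),
                      ("short padding", SHORT_PADDING_REQUEST)]:
        resp = heartbeat_response(rec)
        print(f"{name:14s} -> {'discarded' if resp is None else resp.hex()}")
```

The check is deliberately applied before the payload is touched; in the unpatched code the copy happened first, which is why the flaw leaked memory rather than crashing.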

April Incidents
*Dates are in Japan Standard Time
[Legend] V: Vulnerabilities, S: Security Incidents, P: Political and Social Situation, H: History, O: Other

1st: The JPCERT Coordination Center announced they would transition from displaying their own metrics for the severity of vulnerabilities on the JVN vulnerability countermeasure information portal site to using the Common Vulnerability Scoring System (CVSS). "JVN adopts the Common Vulnerability Scoring System (CVSS) international standard for displaying vulnerability severity" (https://www.jpcert.or.jp/pr/2014/PR20140401-jvn.pdf) (in Japanese).

2nd: The Ministry of Internal Affairs and Communications announced their "Information Security Guidelines for Cloud Services," which describes security measures that cloud service providers should implement, and templates for terms of agreement to be established with users. "Announcement of Information Security Guidelines for Cloud Service" (http://www.soumu.go.jp/main_sosiki/joho_tsusin/eng/Releases/Telecommunications/140402_01.html).

8th: A vulnerability (CVE-2014-0160) in OpenSSL that could allow data in memory to leak to a third party due to a flaw in the TLS Heartbeat extension processing was discovered and fixed. See the following explanation for more details. "The Heartbleed Bug" (http://heartbleed.com/).

8th: Issues such as reboots or hang-ups were reported on routers with outdated firmware, caused by communications sent from unspecified hosts. For example, Yamaha Corporation issued the following announcement. "Regarding reboots and other issues on Yamaha routers caused by Internet-based attacks" (http://www.rtpro.yamaha.co.jp/RT/FAQ/Security/attack-from-internet-201404.html) (in Japanese).

9th: Microsoft published their Security Bulletin Summary for April 2014, and released two critical updates including MS14-017 and MS14-018, as well as two important updates. "Microsoft Security Bulletin Summary for April 2014" (https://technet.microsoft.com/library/security/ms14-apr).

9th: Microsoft ended support for Windows XP, Microsoft Office 2003, and Internet Explorer 6. "Windows XP support has ended" (http://windows.microsoft.com/en-us/windows/end-support-help).

13th: Google improved the Verify Apps feature in Android to offer a function that constantly monitors whether there are security issues in installed apps. See the following Google Android Official Blog post for more details. "Expanding Google's security services for Android" (http://officialandroid.blogspot.com/2014/04/expanding-googles-security-services-for.html).

14th: A vulnerability in the Android version of Adobe Reader Mobile that could allow remote arbitrary code execution was discovered and fixed. "APSB14-12: Security update available for Adobe Reader Mobile" (http://helpx.adobe.com/security/products/reader-mobile/apsb14-12.html).

15th: Oracle released their quarterly scheduled update for a number of products including Oracle, fixing a total of 104 vulnerabilities, including 37 in Java SE. "Oracle Critical Patch Update Advisory - April 2014" (http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html).

15th: JPRS issued an alert due to an increase in cache poisoning attacks targeting cache DNS servers without source port randomization enabled. "(Critical) Regarding the double checking of DNS server configurations in light of the increasing danger of cache poisoning attacks" (http://jprs.jp/tech/security/2014-04-15-portrandomization.html) (in Japanese).

15th: It was announced an attack that exploited an OpenSSL vulnerability (CVE-2014-0160) had been made on the website of Canada Revenue Agency, and the social security numbers of around 900 taxpayers had leaked. On April 17 a student was arrested on suspicion of carrying out the attack. See the following official announcement by the Canada Revenue Agency for more details. "Notice - Heartbleed bug vulnerability" (http://www.cra-arc.gc.ca/gncy/sttmnt2-eng.html).

16th: The National Institute of Infectious Diseases announced that email account usernames and passwords had been stolen through emails impersonating a webmail administrator, resulting in spam being sent. "Regarding the unauthorized use of National Institute of Infectious Diseases email accounts, and the sending of spam" (http://www.nih.go.jp/niid/ja/maintenance/4575-incidence140416.html) (in Japanese).

22nd: The U.S. National Institute of Standards and Technology (NIST) presented a draft of SP800-90/90A that omitted the Dual_EC_DRBG pseudorandom number generator algorithm for which security concerns had been raised. "NIST Removes Cryptography Algorithm from Random Number Generator Recommendations" (http://www.nist.gov/itl/csd/sp800-90-042114.cfm).

24th: A fix for an Apache Struts 2 vulnerability (CVE-2014-0094) was deemed inadequate, and vulnerabilities (CVE-2014-0112) (CVE-2014-0113) that allowed specific manipulations by third parties were discovered and fixed. Alerts were issued regarding CVE-2014-0094, for example by the IPA on April 17, and subsequently alerts were updated to include these vulnerabilities. See "Security Alert for Vulnerabilities in Apache Struts 2 (CVE-2014-0094) (CVE-2014-0112) (CVE-2014-0113)" (http://www.ipa.go.jp/security/ciadr/vul/20140417-struts.) (in Japanese) for more details.

28th: Microsoft announced there was a vulnerability with no fix available that could allow remote code execution in a number of versions of Internet Explorer. "Microsoft Security Advisory (2963983) Vulnerability in Internet Explorer Could Allow Remote Code Execution" (https://technet.microsoft.com/library/security/2963983).

29th: A number of vulnerabilities in Adobe Flash Player that could allow unauthorized termination and arbitrary code execution were discovered and fixed. "Security updates available for Adobe Flash Player" (http://helpx.adobe.com/security/products/flash-player/apsb14-13.html).

There were a large number of unauthorized login attempts, thought to use lists of IDs and passwords, on sites including mobile phone user support sites, e-commerce sites, game sites, and SNS. In a number of these incidents tangible damage was caused, such as the exchange of site points for gift points on other sites without authorization. Other incidents in which messaging app accounts were used without authorization involved techniques such as the sending of messages impersonating hijacked account owners to friends, suggesting they purchase digital currency. This demonstrates that unauthorized access attempts thought to use lists of IDs and passwords are ongoing, so continued care must be taken to review the management of the IDs and passwords you use, and stay abreast of the latest techniques.

■ An Increase in Web Alterations and Attacks Targeting Legitimate Software

During this survey period, there were many incidents in which websites were altered to redirect visitors to malicious software. A CDN service server was compromised in May, resulting in the alteration of a number of corporate sites. In addition to redirecting visitors to other sites to install malicious software, it was revealed these incidents also involved the alteration of legitimate content such as update files placed on the servers by companies using the service, in an attempt to get users to install files containing malware. Similar cases include reports of malware infections through altering the distribution point of legitimate software for industrial control systems*14. In June there were also incidents of redirection from an advertising provider to a malicious website masquerading as an Adobe Flash Player download site that prompted the download of a malicious program*15. This happened when the advertising provider in question received specific malicious advertisements mixed in with those received from another advertising provider in the U.S. for distribution in Japan. We believe this kind of malware activity that exploits trust in legitimate software will continue in the future.

■ Bitcoin

As the Bitcoin virtual currency becomes used in more and more transactions, a variety of incidents have occurred. During the current survey period, the Mt. Gox Bitcoin exchange that went bankrupt in February was issued with a provisional administration order by the Tokyo District Court after it abandoned its filing for rebuilding under the Civil Rehabilitation Act. Also, partly as a result of these events, the Consumer Affairs Agency issued an alert regarding the trading and use of Internet-based virtual currencies such as Bitcoin*16. In the United States, the U.S. Securities and Exchange Commission issued an alert regarding theft and investment fraud in relation to virtual currencies including Bitcoin*17. Meanwhile, there was lively debate around the world regarding Bitcoin transactions, such as the Federal Election Commission of the United States voting to allow Bitcoin donations during elections. A string of attacks on virtual currency exchanges and account management services also continued, including many DDoS attacks on their websites, and thefts of virtual currency through server compromises.

■ DDoS Attacks

A number of large-scale DDoS attacks occurred during this period. In May a DDoS attack was made on UltraDNS*18. The attack is said to have had a magnitude of 100 Gbps, and it affected the services of a number of companies including Salesforce. In June services such as Evernote and Feedly were also targeted in DDoS, and in some cases demands for money were made*19. In Hong Kong, a large-scale DDoS attack that reached a peak of 300 Gbps was made on the voting system site of an organization pushing for democratization. In May there was also a sharp increase in DNS queries at multiple ISPs in Japan, causing outages at a number of ISPs. In June there were large-scale DDoS attacks targeting the Web servers and game servers for an online game, causing service to be suspended for several days among other damages*20.
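The list-based login attempts described under "Unauthorized Login Through Identity Fraud" leave a characteristic trace in application logs: one source address trying many different user IDs, roughly once each, with a high failure rate, which is unlike a legitimate user retrying their own password. The following Python code is an added example, not from the report. It runs a sliding-window check over a constructed sample of login events (timestamp, source address, user ID, result; the log format and the addresses are invented for this example) and reports, per flagged source, the IDs for which a login succeeded, since those are the accounts an operator needs to lock and notify first.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of login events (not real logs): timestamp, source, user ID, result.
SAMPLE_LOG = """\
2014-04-10T09:00:01 203.0.113.5 alice FAIL
2014-04-10T09:00:02 203.0.113.5 bob FAIL
2014-04-10T09:00:02 203.0.113.5 carol FAIL
2014-04-10T09:00:03 203.0.113.5 dave FAIL
2014-04-10T09:00:04 203.0.113.5 erin OK
2014-04-10T09:00:05 203.0.113.5 frank FAIL
2014-04-10T09:00:06 203.0.113.5 grace FAIL
2014-04-10T09:01:00 198.51.100.7 alice FAIL
2014-04-10T09:01:10 198.51.100.7 alice FAIL
2014-04-10T09:01:20 198.51.100.7 alice OK
2014-04-10T09:05:00 192.0.2.9 heidi OK
"""


@dataclass
class LoginEvent:
    when: datetime
    src: str
    user: str
    ok: bool


def parse_log(text: str):
    """Parse the whitespace-separated sample format into LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts), src, user, result == "OK"))
    return events


def detect_list_based_logins(events, window=timedelta(minutes=5),
                             min_users=5, min_fail_ratio=0.5):
    """Flag sources that try at least min_users distinct IDs within one window, mostly failing.

    Returns {src: {"users": n, "attempts": n, "failures": n, "succeeded": [ids]}}.
    A single user retrying their own password (198.51.100.7 in the sample) has one
    distinct ID and is not flagged; a source walking a list (203.0.113.5) is.
    """
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.when):
        by_src[ev.src].append(ev)

    flagged = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so that evs[start:end+1] spans at most `window`.
            while evs[end].when - evs[start].when > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e.user for e in chunk}
            failures = sum(1 for e in chunk if not e.ok)
            if len(users) >= min_users and failures / len(chunk) >= min_fail_ratio:
                # Keep the latest qualifying window; it is the largest one for this burst.
                flagged[src] = {
                    "users": len(users),
                    "attempts": len(chunk),
                    "failures": failures,
                    "succeeded": sorted({e.user for e in chunk if e.ok}),
                }
    return flagged


if __name__ == "__main__":
    for src, info in detect_list_based_logins(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['users']} IDs, {info['failures']}/{info['attempts']} failed, "
              f"successful logins: {info['succeeded']}")
```

The thresholds are starting points rather than fixed rules: a large NAT gateway legitimately presents many users from one address, so a deployment would tune min_users and the window against its own traffic, and treat the "succeeded" list as the action item.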

*14 For example, the following F-Secure blog post explains the Havex malware that targets ICS/SCADA systems. It demonstrates that one infection technique involves compromising an ICS vendor site and using a software installer containing a Trojan. "Havex Hunts For ICS/SCADA Systems" (http://www.f-secure.com/weblog/archives/00002718.html).
*15 Symantec Security Response blog, "Nico Nico Users Redirected to Fake Flash Player" (http://www.symantec.com/connect/blogs/nico-nico-users-redirected-fake-flash-player).
*16 Consumer Affairs Agency, "Regarding the use of Internet-based virtual currency such as Bitcoin" (http://www.caa.go.jp/adjustments/pdf/140428adjustments_1.pdf) (in Japanese).
*17 U.S. Securities and Exchange Commission, "Investor Alert: Bitcoin and Other Virtual Currency-Related Investments" (http://investor.gov/news-alerts/investor-alerts/investor-alert-bitcoin-other-virtual-currency-related-investments#.U4RTq_l_v24).
*18 See the following InfoSec Handlers Diary Blog post for more details about this incident. "UltraDNS DDOS" (https://isc.sans.edu/diary/UltraDNS+DDOS/18051).
*19 See the following post on the blog of Feedly, one of the companies affected, for more details. "Denial of service attack [Neutralized]" (http://blog.feedly.com/2014/06/11/denial-of-service-attack/).
*20 For example, see the following announcement (http://pso2.jp/players/news/?id=3835) (in Japanese).

May Incidents
*Dates are in Japan Standard Time
[Legend] V: Vulnerabilities, S: Security Incidents, P: Political and Social Situation, H: History, O: Other

2nd: Microsoft released an update for a vulnerability published several days before that could allow remote code execution in a number of versions of Internet Explorer. "Microsoft Security Bulletin MS14-021 - Critical: Security Update for Internet Explorer (2965111)" (https://technet.microsoft.com/library/security/ms14-021).

8th: The U.S. Securities and Exchange Commission issued an alert regarding investment in virtual currencies such as Bitcoin due to the risk of being caught up in crimes such as investment fraud. "Investor Alert: Bitcoin and Other Virtual Currency-Related Investments" (http://investor.gov/news-alerts/investor-alerts/investor-alert-bitcoin-other-virtual-currency-related-investments).

9th: A vulnerability in BIND 9.10.0 that could allow DoS attacks from external sources due to implementation issues was discovered and fixed. "Critical: BIND 9.10.0 vulnerability (DNS service outage) (disclosed May 9, 2014)" (http://jprs.jp/tech/security/2014-05-09-bind9-vuln-prefetch.html) (in Japanese).

9th: The Federal Trade Commission (FTC) of the United States issued a complaint regarding the Snapchat photo sharing app, which provides a service that can be configured to remove photo data from other parties' devices. It alleged that false claims had been made because this data did not actually disappear, and pointed out problems with their management of personal information regarding the leak of 4.6 million pieces of personal information in January. "Snapchat Settles FTC Charges That Promises of Disappearing Messages Were False" (http://www.ftc.gov/news-events/press-releases/2014/05/snapchat-settles-ftc-charges-promises-disappearing-messages-were).

14th: Microsoft published their Security Bulletin Summary for May 2014, and released two critical updates including MS14-022 and MS14-029, as well as six important updates. "Microsoft Security Bulletin Summary for May 2014" (https://technet.microsoft.com/library/security/ms14-may).

14th: A number of vulnerabilities in Adobe Reader and Acrobat that could allow unauthorized termination and arbitrary code execution were discovered and fixed. "APSB14-15: Security Updates available for Adobe Reader and Acrobat" (http://helpx.adobe.com/security/products/reader/apsb14-15.html).

14th: A number of vulnerabilities in Adobe Flash Player that could allow unauthorized termination and arbitrary code execution were discovered and fixed. "APSB14-14: Security updates available for Adobe Flash Player" (http://helpx.adobe.com/security/products/flash-player/apsb14-14.html).

14th: The Bill on Cyber Security was passed by the Lower House of Japan's Diet. It was subsequently referred to the Upper House, but on June 20 it was marked for further examination. Upper House, "Bill on Cyber Security" (http://www.sangiin.go.jp/japanese/joho1/kousei/gian/186/meisai/m18605186035.htm) (in Japanese).

15th: The JPCERT Coordination Center issued an alert due to many confirmed incidents of attacks using known vulnerabilities in Movable Type to place malicious files on sites or embed iframes or obfuscated JavaScript that redirects to attack sites. "JPCERT/CC Alert 2014-05-15 Alert regarding the usage of old versions of Movable Type" (https://www.jpcert.or.jp/english/at/2014/at140024.html).

19th: A suspect arrested and charged with crimes such as the forcible obstruction of business in relation to a series of incidents linked to the Remote Control Virus had his bail revoked after it was found that emails he had sent during the trial identified the author as the perpetrator. The suspect later confessed he was behind the incidents, admitting responsibility for the crime.

20th: The FBI announced they had arrested over 100 people, including the suspected co-creators of the Blackshades RAT that steals files and account information. See the following FBI announcement for more information about this incident. "Manhattan U.S. Attorney And FBI Assistant Director-In-Charge Announce Charges In Connection With Blackshades Malicious Software That Enabled Users Around The World To Secretly And Remotely Control Victims' Computers" (http://www.justice.gov/usao/nys/pressreleases/May14/BlackshadesPR.).

20th: The Ministry of Economy, Trade and Industry amended the Standards for Handling Software Vulnerability Information and Others, including the addition of criteria for disclosing vulnerabilities when the product developer cannot be contacted. "Regarding amendments to the Standards for Handling Software Vulnerability Information and Others" (http://www.meti.go.jp/policy/netsecurity/default.htm) (in Japanese).

20th: The IPA announced it would put together a team for preparing a Cyber Rescue Squad (provisional) to support organizations affected by targeted attacks by limiting damages, deterring and reducing reoccurrence, and implementing swift countermeasures. "Press Release: Team for preparing a 'Cyber Rescue Squad' established on May 20" (https://www.ipa.go.jp/about/press/20140520.html) (in Japanese).

22nd: A vulnerability in Microsoft's Internet Explorer 8 with no fix available that could allow arbitrary code execution was discovered and disclosed. This vulnerability was fixed on June 11 in "Microsoft Security Bulletin MS14-035 - Critical: Cumulative Security Update for Internet Explorer (2969262)" (https://technet.microsoft.com/library/security/ms14-035).

22nd: The "USA Freedom Act" NSA surveillance reform bill passed in the U.S. House of Representatives. Librarian of Congress, "Bill Summary & Status 113th Congress (2013 - 2014) H.R.3361 All Information" (http://thomas.loc.gov/cgi-bin/bdquery/z?d113:HR03361:@@@L&summ2=m&).

27th: An incident occurred in which Apple devices such as iPhones were remotely locked and demands for money made in a number of countries including Australia. It is believed that the Find My iPhone feature that Apple provides was exploited in these incidents, but details of the technique used have not been revealed.

29th: Outages occurred at a number of providers due to a sudden increase in queries to their DNS servers.

■ Government Agency Initiatives

Government agency security countermeasure activities included the Ministry of Internal Affairs and Communications announcing their "Information Security Guidelines for Cloud Services" in April. The previous "Guidelines for Information Security Measures for ASP/SaaS"*21 put together in 2008 stipulated information security measures that cloud providers should implement. Recommendations for cloud providers regarding agreements with users and practices between providers have now also been incorporated. This was done due to the spread of usage covering multiple cloud services and providers, such as coordination between infrastructure-based cloud services such as PaaS and IaaS, and cloud services that provide applications such as ASP and SaaS. In June, the Amended Act Prohibiting Child Prostitution and Pornography was passed. These revisions banned the mere possession of photos or video of child pornography by individuals, and established new stipulations for the efforts of ISPs regarding Internet usage. Also in June, the Bill on Cyber Security that aims to improve the government response to cyber attacks passed the Lower House. This included initiatives focused on furnishing Japan and local governments with the ability to deal with cyber attacks. Some examples are the establishment of a "Cyber Security Strategic Headquarters" headed by the Chief Cabinet Secretary, and improvements to government response capability and functionality, such as enabling recommendations to be made to government agencies regarding countermeasures to implement. The bill also promoted initiatives that improve response capability for cyber attacks through public-private collaboration, such as having private sector critical infrastructure providers provide assistance with countermeasures. This bill was later deliberated in the Upper House, but was not passed in the current Diet session, so it has been carried over to the next session. Discussion of legal measures for resolving issues with promoting the use and application of personal data also took place at the "Investigative Commission on Personal Data." A "Policy Outline of the Institutional Revision for Utilization of Personal Data" was announced, covering the introduction of a framework for allowing information to be provided to third parties without a user's consent under certain conditions. The outline also detailed a fundamental system framework and the utilization of voluntary private sector initiatives to supplement this, as well as effective ways of enforcing the system through the development of an independent third-party authority. The Ministry of Economy, Trade and Industry announced amendments to the "Standards for Handling Software Vulnerability Information and Others." It was decided that when no agreement on disclosure can be made with the product developer, such as when they cannot be contacted for an extended period of time, a decision on whether or not the vulnerability information should be disclosed will be made based on the opinion of an independent panel of experts.

■ Attacks Targeting Online Banking

During the current survey period attacks that used phishing or malware to target online banking information attracted attention. In April there were incidents of unauthorized login believed to involve the use of lists at a regional bank. Additionally, phishing sites and phishing emails targeting a number of financial institutions have been uncovered*22. Malware that targets Japanese financial institutions was also identified*23, demonstrating that increasingly sophisticated methods are being used. See "1.4.2 The Vawtrak Malware That Steals Authentication Information for Japanese Financial Institutions" for more information about malware-based attacks. In April, it was reported that account information including around 13,000 Internet banking IDs and passwords had been illegally stored on a server in Japan. It is thought that the information uncovered in this incident was stolen through virus infections that display fraudulent sites when an Internet banking site is used. This demonstrates that attacks targeting details such as the credit card and online banking authentication information of users in Japan for monetary gain continue, and because the methods used are becoming more and more refined, ongoing vigilance is required.

card information in Japan” (http://blog.trendmicro.co.jp/archives/9192) (in Japanese). (in credit targets that tool fraud banking (http://blog.trendmicro.co.jp/archives/9192) online Japan” in ‘VAWTRAK’ the information of card detection the of reports campaigns. phishing “Increasing various post on blog Micro alerts Trend for following Japanese) the (in see example, For (http://www.antiphishing.jp/) site Japan Anti-Phishing of Council the See (http://www.soumu.go.jp/main_sosiki/ (in Japanese). ASP/SaaS” for Measures joho_tsusin/policyreports/chousa/asp_saas/) Security Information for “Guidelines Communications and Affairs Internal of Ministry 21 put together in 2008 stipulated information security measures that cloud providers providers cloud that measures security information stipulated 2008 in together put 23 , demonstrating that increasingly sophisticated methods are being being are methods sophisticated increasingly that , demonstrating 22 . Malware that targets targets that . Malware

June Incidents
*Dates are in Japan Standard Time
[Legend] V: Vulnerabilities, S: Security Incidents, P: Political and Social Situation, H: History, O: Other

3rd: The United States Department of Justice announced a takedown to disrupt the GameOver Zeus malware that steals online banking information, in a joint operation involving law enforcement agencies in over 10 countries. Related sites were seized and the alleged botnet administrator was arrested. The National Police Agency provided assistance in Japan. See Department of Justice, "U.S. Leads Multi-National Action Against 'Gameover Zeus' Botnet and 'Cryptolocker' Ransomware, Charges Botnet Administrator" (http://www.justice.gov/opa/pr/2014/June/14-crm-584.html). See "International Botnet Takedown Operation" (http://www.npa.go.jp/cyber/goz/index.html) (in Japanese) for a description of this operation.

3rd: It was established that incidents of unauthorized access and the alteration of content files affecting a number of sites from late May were due to the compromise of the CDN service provider they had been using.

6th: A vulnerability (CVE-2014-0224) in OpenSSL that could allow man-in-the-middle (MITM) attacks was discovered and fixed. "OpenSSL Security Advisory [05 Jun 2014] SSL/TLS MITM vulnerability (CVE-2014-0224)" (https://www.openssl.org/news/secadv_20140605.txt).

11th: Microsoft published their Security Bulletin Summary for June 2014, and released two critical updates including MS14-035 and MS14-036, as well as five important updates. "Microsoft Security Bulletin Summary for June 2014" (https://technet.microsoft.com/library/security/ms14-jun).

11th: A number of vulnerabilities in Adobe Flash Player that could allow arbitrary code execution were discovered and fixed. "APSB14-16: Security updates available for Adobe Flash Player" (http://helpx.adobe.com/security/products/flash-player/apsb14-16.html).

12th: A vulnerability (CVE-2014-3859) in BIND 9.10.x that could allow denial-of-service (DoS) attacks from outside was discovered and fixed. Internet Systems Consortium, "CVE-2014-3859: BIND named can crash due to a defect in EDNS printing processing" (https://kb.isc.org/article/AA-01166/).

12th: An alert was issued because approximately 80% of blog sites that use a Japan-oriented blog creation tool for which support had ended were being operated in a problematic configuration, causing them to be targeted by attackers. See the following Kaspersky Lab blog post for more information. "Japanese blog creation tools targeted by attackers!" (http://blog.kaspersky.co.jp/obsolete-japanese-cms-targeted-by-criminals/) (in Japanese).

13th: A large-scale DDoS attack was made on the e-voting system of an organization working towards the democratization of Hong Kong. See the following blog post of the Harvard University Berkman Center for Internet & Society Internet Monitor for more details. "DDoS Attacks in Hong Kong Target Pro-Democracy Websites" (https://blogs.law.harvard.edu/internetmonitor/2014/06/20/ddos-attacks-in-hong-kong-attack-silence-pro-democracy-websites/).

18th: The Amended Act Prohibiting Child Prostitution and Pornography was passed, adding items prohibiting mere possession. The revised act came into effect on July 15. See the following Ministry of Justice explanation for more details. "The bill for amending part of the Act on Punishment of Activities Relating to Child Prostitution and Child Pornography, and the Protection of Children" (http://www.moj.go.jp/keiji1/keiji11_00008.html) (in Japanese).

19th: An incident occurred in which an advertisement distribution server displayed advertisements that redirected visitors to a malicious site that presented itself as a notice prompting the update of Adobe Flash Player. See the following notice (http://www.microad.co.jp/news/detail.php?News_ID=252) (in Japanese).

19th: The 12th Investigative Commission on Personal Data was held, and a "Policy Outline of the Institutional Revision for Utilization of Personal Data (commission proposal)" was laid out. Office of the Prime Minister, "12th Investigative Commission on Personal Data - Agenda" (http://www.kantei.go.jp/jp/singi/it2/pd/dai12/gijisidai.html) (in Japanese).

27th: The U.S. government published their 2013 Transparency Report. See the following report for more details (http://icontherecord.tumblr.com/transparency/odni_transparencyreport_cy2013).

29th: A published research paper revealed that Facebook had carried out psychological experiments involving the manipulation of the news feeds of approximately 700,000 users. It raised ethical concerns, attracting a lot of interest. See the paper in question, "Experimental evidence of massive-scale emotional contagion through social networks" (http://www.pnas.org/content/111/24/8788.full).

30th: Microsoft announced it had initiated a takedown of the 23 domains of the NO-IP dynamic DNS service, which had been used by the Bladabindi (NJrat) and Jenxcus (NJw0rm) malware families. The Official Microsoft Blog, "Microsoft takes on global cybercrime epidemic in tenth malware disruption" (http://blogs.microsoft.com/blog/2014/06/30/microsoft-takes-on-global-cybercrime-epidemic-in-tenth-malware-disruption/). A statement was also issued by Vitalwerks Internet Solutions, LLC, which operates NO-IP. "No-IP's Formal Statement on Microsoft Takedown" (https://www.noip.com/blog/2014/06/30/ips-formal-statement-microsoft-takedown/).

■ Other
In April, JPRS issued an alert regarding the Kaminsky-type attack method*24, which was thought to have been behind an increase in cache DNS server access*25. Additionally, many new gTLD are currently being approved. As a result, JPNIC issued an alert regarding information leaks and service outages that may occur when the domain names used in internal networks, such as those of companies, collide with newly added domain names*26.

In April, South Korea's Financial Supervisory Service announced that the credit card information of about 200,000 users of multiple credit card companies had leaked. This came to light through an investigation into a server compromise at a POS terminal management company that occurred in December 2013. Other incidents involving business systems such as POS terminals include an information leak that occurred at a major U.S. retailer in November of last year. The incident in the United States involved the use of malware that targeted POS terminals, so US-CERT issued an alert in January*27. As a result of this incident, the Retail Cyber Intelligence Sharing Center (R-CISC) was established in May, serving as a retail-oriented organization for sharing and analyzing security information*28. There have also been reports of POS malware infections in Japan, so care will need to be taken with business systems such as these in the future.

In May, a suspect arrested and charged with the forcible obstruction of business in relation to a series of incidents involving the Remote Control Virus, which garnered a lot of attention the year before last, had his bail revoked after he was linked to emails from someone claiming to be the true culprit that were sent during the trial. He later confessed he was behind the crimes.

In May there were a number of incidents in regions such as Australia in which Apple devices such as iPhones and iPads were locked and ransom demands made. It is believed this involved an unknown entity illegally using accounts for a management service used when a device is lost.

Also in May, the Court of Justice of the European Union ruled that Google Spain and Google Inc. were responsible for deleting links to sites containing personal information in search results when requested by users*29. Regarding the handling of data containing personal information, with the requirement for administrators of personal information to delete said data when requested by the relevant individuals (the so-called "Right to be Forgotten") currently under debate in Europe as part of the EU General Data Protection Regulation*30, we believe a range of initiatives aimed at improving the protection of personal information will continue to emerge.

*24 Japan Registry Services, "(Critical) Regarding the double checking of DNS server configurations in light of the increasing danger of cache poisoning attacks" (http://jprs.jp/tech/security/2014-04-15-portrandomization.html) (in Japanese).
*25 See "1.4.1 DNS Cache Poisoning" in IIR Vol.2 (http://www.iij.ad.jp/development/iir/pdf/iir_vol02.pdf) (in Japanese) for more information.
*26 Japan Network Information Center (JPNIC), "Name collision issues resulting from the adoption of large numbers of new gTLD, and their countermeasures" (https://www.nic.ad.jp/ja/dom/new-gtld/name-collision/name-collision-report.pdf) (in Japanese).
*27 US-CERT, "Alert (TA14-002A) Malware Targeting Point of Sale Systems" (http://www.us-cert.gov/ncas/alerts/TA14-002A).
*28 Retail Cyber Intelligence Sharing Center (R-CISC), "Retailers Launch Comprehensive Cyber Intelligence Sharing Center" (http://www.rila.org/rcisc/home/Pages/default.aspx).
*29 Court of Justice of the European Union, "An internet search engine operator is responsible for the processing that it carries out of personal data which appear on web pages published by third parties" (http://curia.europa.eu/jcms/upload/docs/application/pdf/2014-05/cp140070en.pdf).
*30 For more information about the EU General Data Protection Regulation (proposed) that is currently being worked on, see the following Japan Electronics and Information Technology Industries Association "Survey and analysis report regarding revision of EU data protection directives" (http://home.jeita.or.jp/page_file/20120427161714_ljwGedIUnB.pdf) (in Japanese).

1.3 Incident Survey

1.3.1 DDoS Attacks
Today, DDoS attacks on corporate servers are almost a daily occurrence, and the methods involved vary widely. However, most of these attacks are not the type that utilizes advanced knowledge such as that of vulnerabilities, but rather cause large volumes of unnecessary traffic to overwhelm network bandwidth or server processes for the purpose of hindering services.

■ Direct Observations
Figure 2 shows the circumstances of DDoS attacks handled by the IIJ DDoS Defense Service between April 1 and June 30, 2014. This information shows traffic anomalies judged to be attacks based on IIJ DDoS Defense Service standards. IIJ also responds to other DDoS attacks, but these incidents are excluded from the figure due to the difficulty in accurately ascertaining the facts of each situation. There are many methods that can be used to carry out a DDoS attack, and the capacity of the environment attacked (bandwidth and server performance) will largely determine the degree of impact. Figure 2 categorizes DDoS attacks into three types: attacks on bandwidth capacity*31, attacks on servers*32, and compound attacks (several types of attacks on a single target conducted at the same time).

During the three months under study, IIJ dealt with 388 DDoS attacks. This averages to 4.3 attacks per day, indicating a decrease in the average daily number of attacks compared to our prior report. Server attacks accounted for 78.6% of all incidents, while compound attacks accounted for 16.2%, and bandwidth capacity attacks 5.2%. The largest attack observed during the period under study was classified as a compound attack, and resulted in 72.9 Mbps of bandwidth using up to 9,000 pps of packets. Of all attacks, 94.8% ended within 30 minutes of commencement, 5.2% lasted between 30 minutes and 24 hours, and none lasted over 24 hours. The longest sustained attack was a server attack that lasted for 15 hours and 57 minutes. This shows there was a dramatic decrease in the number and bandwidth of attacks compared to the previous survey period. However, sporadic incidents of DrDoS attacks exploiting DNS and NTP are currently in the international spotlight, so continued vigilance is necessary. In most cases, we observed an extremely large number of IP addresses, whether domestic or foreign. We believe this is accounted for by the use of IP spoofing*33 and botnet*34 usage as the method for conducting DDoS attacks.

Figure 2: Trends in DDoS Attacks (No. of Attacks by date, April 1 to June 30, 2014; Compound Attacks, Bandwidth Capacity Attacks, Server Attacks)

*31 Attack that overwhelms the network bandwidth capacity of a target by sending massive volumes of larger-than-necessary IP packets and fragments. The use of UDP packets is called a UDP flood, while the use of ICMP packets is called an ICMP flood.
*32 TCP SYN flood, TCP connection flood, and HTTP GET flood attacks. TCP SYN flood attacks send mass volumes of SYN packets that signal the start of TCP connections, forcing the target to prepare for major incoming connections, causing the wastage of processing capacity and memory. TCP connection flood attacks establish mass volumes of actual TCP connections. HTTP GET flood attacks establish TCP connections on a Web server, and then send mass volumes of HTTP GET protocol commands, wasting processing capacity and memory.
*33 Misrepresentation of a sender's IP address. Creates and sends an attack packet that has been given an address other than the actual IP address of the attacker to make it appear as if the attack is coming from a different location, or from a large number of individuals.
*34 A "bot" is a type of malware that institutes an attack after receiving a command from an external C&C server. A network constructed of a large number of bots acting in concert is called a botnet.

■ Backscatter Observations
Next we present our observations of DDoS attack backscatter using the honeypots*35 set up by the MITF, a malware activity observation project operated by IIJ*36. By monitoring backscatter it is possible to detect some of the DDoS attacks occurring on external networks as a third party without any interposition.

For the backscatter observed between April 1 and June 30, 2014, Figure 3 shows the sender's IP addresses classified by country, and Figure 4 shows trends in packet numbers by port. The port most commonly targeted by the DDoS attacks observed was the 80/TCP port used for Web services, accounting for 22.6% of the total during the target period. Attacks were also observed on 53/UDP and 53/TCP used for DNS, and 22/TCP for SSH, as well as 3477/TCP and 5000/TCP, which are not normally used. The DNS (53/UDP) backscatter observed in the last report continued, fluctuating while hovering at a daily average of around 1,500 packets. Care must be taken with regard to DDoS attacks and DNS cache poisoning attacks in the future.

Looking at the origin of backscatter thought to indicate IP addresses targeted by DDoS by country in Figure 3, the United States accounted for the largest ratio at 17.3%. Canada and China followed at 9.0% and 8.3%, respectively. Looking particularly at large numbers of backscatter packets observed by port, there were attacks on Web servers (80/TCP) targeting a hosting provider in the U.S. that mainly provided services to Japan on April 15, and a hosting provider in Russia on April 16. Attacks on the servers of a CDN provider in the U.S. were also observed on June 30. Between April 6 and April 8 attacks on 3477/TCP were observed, but the attack target was not identified because the source IP address of the backscatter was a private address. On April 23 there were DNS (53/TCP) attacks on a Canadian hosting provider, and attacks on the same provider targeting 5000/TCP, 5001/TCP, and 6005/TCP occurred on June 21. Attacks on SSH (22/TCP) were also observed on June 23. On May 15 attacks on a range of TCP ports targeting a specific server in Russia were observed.

Notable DDoS attacks during the current survey period that were detected via IIJ's observations of backscatter included attacks on an online testing site in the U.S. state of Kansas that were reported by a number of news sites in early April. These attacks continued to be observed intermittently after they were reported. Other attacks were also detected on UltraDNS in the U.S. on May 1, a major Canadian SNS site on May 21, and Evernote on June 11.

Figure 3: DDoS Attack Targets by Country According to Backscatter Observations (US 17.3%, CA 9.0%, CN 8.3%, RU 7.6%, KR 6.1%, FR 5.2%, TR 4.9%, TW 2.5%, NL 2.4%, IN 2.0%, Other 34.7%)
Figure 4: Observations of Backscatter Caused by DDoS Attacks (Observed Packets, Trends by Port; No. of Packets by date, April 1 to June 30, 2014; 80/TCP, 53/TCP, 3477/TCP, 53/UDP, 5000/TCP, 5001/TCP, 22/TCP, 6005/TCP, 25565/TCP, 2272/TCP, other)

*35 Honeypots established by the MITF, a malware activity observation project operated by IIJ. See also "1.3.2 Malware Activities."
*36 The mechanism and limitations of this observation method, as well as some of the results of IIJ's observations, are presented in IIR Vol.8 (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol08_EN.pdf) under "1.4.2 Observations on Backscatter Caused by DDoS Attacks."

1.3.2 Malware Activities
Here, we will discuss the results of the observations of the MITF*37, a malware activity observation project operated by IIJ. The MITF uses honeypots*38 connected to the Internet in a manner similar to general users in order to observe communications arriving over the Internet. Most appear to be communications by malware selecting a target at random, or scans attempting to locate a target for attack.

■ Status of Random Communications
Figure 5 shows the distribution of sender's IP addresses by country for communications coming into the honeypots between April 1 and June 30, 2014. Figure 6 shows trends in the total volumes (incoming packets). The MITF has set up numerous honeypots for the purpose of observation. We have taken the average per honeypot, showing the trends for incoming packet types (top ten) over the entire period subject to study. Additionally, in these observations we corrected data to count multiple TCP connections as a single attack when the attack involved multiple connections to a specific port, such as attacks on MSRPC.

Much of the communications arriving at the honeypots demonstrated scanning behavior targeting TCP ports utilized by Microsoft operating systems. We also observed scanning behavior targeting 1433/TCP used by Microsoft's SQL Server, 3389/TCP used by the RDP remote login function for Windows, ICMP echo requests, 22/TCP used for SSH, 53/UDP used for DNS, and 23/TCP used for telnet.
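The backscatter observation method described above, as an added example that is not IIJ's or the MITF's own code: a passive honeypot treats every TCP reply it never solicited as a victim's answer to a spoofed source, attributes it to the attacked host and service port, applies a packet-count threshold, and sets aside replies whose source is an RFC 1918 address, the case in which the report could not identify the 3477/TCP target. The honeypot address, the sample packets and the threshold are constructed assumptions.

```python
"""Inferring third-party DDoS victims from TCP backscatter at a honeypot.

Added example, not IIJ/MITF code. When a SYN flood uses spoofed source
addresses, the victim answers every spoofed address with SYN/ACK (or RST/ACK).
A honeypot whose address appears among the spoofed sources therefore receives
replies to connections it never opened: the source of such a packet is the
attacked host and its source port is the attacked service. Honeypot address,
sample packets and threshold below are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HONEYPOT = "198.51.100.7"              # assumption: honeypot address (RFC 5737 range)
BACKSCATTER_FLAGS = {"SA", "RA", "R"}  # replies a passive host never solicits

# The report's "private address" caveat: backscatter from these ranges cannot be
# attributed to a target, because the address is not routable on the Internet.
RFC1918 = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16"))


@dataclass(frozen=True)
class Packet:
    day: str      # observation date, "YYYY-MM-DD"
    src: str      # sender address (for backscatter: the attacked host)
    sport: int    # sender port (for backscatter: the attacked service)
    dst: str
    dport: int
    flags: str    # TCP flags as tcpdump letters, e.g. "S", "SA", "RA"


def is_backscatter(pkt, honeypot=HONEYPOT):
    """True for a reply-type TCP packet addressed to the passive honeypot."""
    return pkt.dst == honeypot and pkt.flags in BACKSCATTER_FLAGS


def is_rfc1918(addr):
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


def summarize(packets, honeypot=HONEYPOT, min_packets=3):
    """Group backscatter by (victim, service port, day); groups reaching
    min_packets are reported as probable DDoS victims.

    Returns (victims, unidentified): victims maps (src, sport, day) -> count;
    unidentified maps (sport, day) -> count for backscatter whose source is an
    RFC 1918 address, where an attack is evident but the target is unknown.
    """
    by_target, unidentified = Counter(), Counter()
    for pkt in packets:
        if not is_backscatter(pkt, honeypot):
            continue  # scans of the honeypot and other hosts' traffic are not backscatter
        if is_rfc1918(pkt.src):
            unidentified[(pkt.sport, pkt.day)] += 1
        else:
            by_target[(pkt.src, pkt.sport, pkt.day)] += 1
    victims = {key: n for key, n in by_target.items() if n >= min_packets}
    return victims, dict(unidentified)


def port_share(packets, honeypot=HONEYPOT):
    """Percentage of backscatter packets per attacked service port (the view
    taken in Figure 4)."""
    counts = Counter(p.sport for p in packets if is_backscatter(p, honeypot))
    total = sum(counts.values())
    return {port: round(100.0 * n / total, 1) for port, n in counts.items()} if total else {}


def sample_packets():
    """Constructed observations; addresses come from RFC 5737 and RFC 1918 ranges."""
    pkts = []
    # Five SYN/ACKs from a web server we never contacted: a flood on 203.0.113.10:80.
    pkts += [Packet("2014-04-15", "203.0.113.10", 80, HONEYPOT, 40000 + i, "SA") for i in range(5)]
    # Three replies from port 53/TCP of another host: a DNS-over-TCP target.
    pkts += [Packet("2014-04-23", "203.0.113.20", 53, HONEYPOT, 41000 + i, "SA") for i in range(3)]
    # Four RST/ACKs whose source is a private address: attack seen, target unknown.
    pkts += [Packet("2014-04-06", "10.0.0.5", 3477, HONEYPOT, 42000 + i, "RA") for i in range(4)]
    # A single SYN/ACK from 22/TCP: below the threshold, so not reported as a victim.
    pkts.append(Packet("2014-06-23", "203.0.113.30", 22, HONEYPOT, 43000, "SA"))
    # An inbound SYN to 445/TCP is a scan of the honeypot, not backscatter.
    pkts.append(Packet("2014-05-01", "203.0.113.40", 51234, HONEYPOT, 445, "S"))
    # A reply addressed to some other host is not ours to count.
    pkts.append(Packet("2014-05-01", "203.0.113.10", 80, "203.0.113.99", 44000, "SA"))
    return pkts


if __name__ == "__main__":
    victims, unknown = summarize(sample_packets())
    for (src, port, day), n in sorted(victims.items()):
        print(f"{day} probable victim {src}:{port} ({n} backscatter packets)")
    for (port, day), n in sorted(unknown.items()):
        print(f"{day} attack on port {port} seen, target unidentified (private source)")
    print("share by attacked port:", port_share(sample_packets()))
```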

*37 An abbreviation of Malware Investigation Task Force. The Malware Investigation Task Force (MITF) began activity in May 2007, observing malware network activity through the use of honeypots in an attempt to understand the state of malware activities, to gather technical information for countermeasures, and to link these findings to actual countermeasures.
*38 A system designed to simulate damages from attacks by emulating vulnerabilities, recording the behavior of attackers, and the activities of malware.

Figure 5: Sender Distribution (by Country, Entire Period under Study): Outside Japan 97.0% (CN 45.6%, US 12.8%, IR 5.4%, TW 4.1%, NL 2.8%, RU 2.3%, KR 1.8%, IN 1.6%, FR 1.4%, BR 1.4%, Other 17.8%); Within Japan 3.0% (ISP A 1.2%, ISP B 0.3%, ISP C 0.2%, ISP E 0.1%, ISP F 0.1%, ISP G 0.1%, ISP H 0.1%, ISP I 0.1%, IIJ 0.1%, Company S 0.1%, Other 0.6%)
Figure 6: Communications Arriving at Honeypots (by Date, by Target Port, per Honeypot; No. of Packets, April 1 to June 30, 2014; ICMP Echo request, 22/TCP, 445/TCP, 1433/TCP, 3395/UDP, 3389/TCP, 23/TCP, 139/TCP, 135/TCP, 53/UDP, other)

Communications thought to be SSH dictionary attacks also occurred sporadically during the current survey period. For example, such communications were made from IP addresses allocated to China on April 12, Thailand on May 4, and China on June 1. ICMP echo requests detected on April 3 and April 4 involved a group of over 500 IP addresses allocated to China communicating with a single IP address. On April 17 and May 12, communications targeting 3395/UDP were made to the IP address of a specific honeypot from IP addresses allocated to Iran. Upon investigating these communications, we found that random data from several dozen to several hundred bytes in length had been sent.

■ Malware Network Activity
Figure 7 shows the distribution of the specimen acquisition source for malware during the period under study, while Figure 8 shows trends in the total number of malware specimens acquired. Figure 9 shows trends in the number of unique specimens. In Figure 8 and Figure 9, the number of acquired specimens shows the total number of specimens acquired per day*39, while the number of unique specimens is the number of specimen variants categorized according to their digest of a hash function*40. Specimens are also identified using anti-virus software, and a breakdown of the top 10 variants is displayed color coded by malware name. As with our previous report, for Figure 8 and Figure 9 we have detected Conficker using multiple anti-virus software packages, and removed any Conficker results when totaling data.

On average, 121 specimens were acquired per day during the period under study, representing 22 different malware. After investigating the undetected specimens more closely, worms*41 were observed from IP addresses allocated to a number of countries, including the United States, China, and India. Additionally, about 54% of undetected specimens were in text format. Because many of these text format specimens were HTML 404 or 403 error responses from Web servers, we believe this was due to infection behavior of malware such as old worms continuing despite the closure of download sites that newly-infected PCs access to download malware. Under the MITF's independent analysis, during the current period under observation 94.8% of malware specimens acquired were worms, 1.0% were bots, and 4.2% were downloaders. In addition, the MITF confirmed the presence of 7 botnet C&C servers*42 and 123 malware distribution sites. Although the number of malware distribution sites rose, this is because one of the specimens used DGA.

■ Conficker Activity
Including Conficker, an average of 31,955 specimens were acquired per day during the period covered by this report, representing 718 different malware. While figures rise and fall over short periods, Conficker accounts for 99.6% of the total number of specimens acquired, and 96.9% of unique specimens. This demonstrates that Conficker remains the most prevalent malware by far, so we have omitted it from figures in this report. The total number of specimens acquired during the period covered by this report decreased by approximately 11% compared to the previous survey period. Unique specimens were also down by about 9%. According to the observations of the Conficker Working Group*43, as of June 30, 2014, a total of 1,020,045 unique IP addresses are infected. This indicates a drop to about 32% of the 3.2 million PCs observed in November 2011, but it demonstrates that infections are still widespread.

Figure 7: Distribution of Acquired Specimens by Source (by Country, Entire Period under Study, Excluding Conficker): Outside Japan 99.1% (TW 22.6%, BR 9.4%, US 8.8%, IN 5.2%, RO 4.9%, CN 4.7%, HK 3.7%, RU 3.7%, PL 2.0%, VE 1.9%, Other 32.2%); Within Japan 0.9% (ISP A 0.5%, ISP B 0.3%, Other 0.1%)
Figure 8: Trends in the Total Number of Malware Specimens Acquired (Excluding Conficker) (Total No. of Specimens Acquired by date, April 1 to June 30, 2014; NotDetected, Trojan.Dropper-18535, Worm.Allaple-2, Win.Trojan.Agent-171842, Trojan.Spy-78857, Trojan.Agent-71049, Worm.Allaple-306, Trojan.Agent-71228, Worm.Agent-194, Trojan.Downloader-73594, other)
Figure 9: Trends in the Number of Unique Specimens (Excluding Conficker) (No. of Unique Specimens by date, April 1 to June 30, 2014; Empty file, Trojan.Dropper-18535, NotDetected, Trojan.Dropper-20380, Trojan.Agent-230163, Trojan.Agent-71049, Trojan.Spy-78857, Trojan.Agent-173287, Worm.Allaple-2, Worm.Agent-194, other)

*39 This indicates the malware acquired by honeypots.
*40 This figure is derived by utilizing a one-way function (hash function) that outputs a fixed-length value for various input. The hash function is designed to produce as many different outputs as possible for different inputs. While we cannot guarantee the uniqueness of specimens by hash value, given that obfuscation and padding may result in specimens of the same malware having different hash values, the MITF has expended its best efforts to take this fact into consideration when using this methodology as a measurement index.
*41 WORM_ATAK (http://about-threats.trendmicro.com/archiveMalware.aspx?language=jp&name=WORM_ATAK.D).
*42 An abbreviation of Command & Control Server. A server that provides commands to a botnet consisting of a large number of bots.
*43 Conficker Working Group Observations (http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionTracking).
*44 Attacks accessing a Web server to send SQL commands, thereby manipulating an underlying database. Attackers access or alter the database content without proper authorization, and steal sensitive information or rewrite Web content.

1.3.3 SQL Injection Attacks
Of the types of different Web server attacks, IIJ conducts ongoing surveys related to SQL injection attacks*44. SQL injection attacks have flared up in frequency numerous times in the past, and remain a major topic in Internet security. SQL injections are known to occur in one of three attack patterns: those that attempt to steal data, those that attempt to overload database servers, and those that attempt to rewrite Web content.

Figure 10 shows the distribution of SQL injection attacks against Web servers detected between April 1 and June 30, 2014. Figure 11 shows trends in the numbers of attacks. These are a summary of attacks detected by signatures on the IIJ Managed IPS Service. The United States was the source for 35.3% of attacks observed, while China and Japan accounted for 24.6% and 13.1%, respectively, with other countries following in order. There was a slight drop in the number of SQL injection attacks made against Web servers compared to the previous report.

During this period, attacks from multiple attack sources in Europe directed at specific targets took place on May 7. On May 12, attacks from a number of attack sources in China directed at specific targets also took place. On May 25, attacks were made from a number of sources in Europe and China directed at specific targets. On May 30, attacks were observed from multiple sources in Europe and the United States directed at specific targets, along with attacks from specific sources in China on other specific targets. On June 27, a large-scale attack on specific targets from specific attack sources in China and South Korea was observed. These attacks are thought to have been attempts to find vulnerabilities on a Web server. As previously shown, attacks of various types were properly detected and dealt with in the course of service. However, attack attempts continue, requiring ongoing attention.

Figure 10: Distribution of SQL Injection Attacks by Source (US 35.3%, CN 24.6%, JP 13.1%, KR 4.3%, FR 3.1%, NL 2.4%, DE 2.2%, RU 1.9%, IN 1.5%, EU 1.3%, Other 10.3%)
Figure 11: Trends in SQL Injection Attacks (by Day, by Attack Type) (No. Detected, April 1 to June 30, 2014)

1.3.4 Website Alterations
Here we show the status of website alterations as surveyed through the MITF Web crawler (client honeypot)*45. The crawler accesses tens of thousands of websites on a daily basis, with a focus on well-known and popular sites in Japan. We also add new target sites on a regular basis. In addition to this, we temporarily monitor websites that have seen short-term increases in access numbers. By surveying websites thought to be viewed frequently by typical users in Japan, it is easier to speculate on trends regarding fluctuations in the number of altered sites, as well as the vulnerabilities exploited and malware distributed.

Angler or Nuclear were behind many of the drive-by download attacks observed between April and June 2014 (Figure 12). Both feature functions for exploiting vulnerabilities in plug-ins such as Java and Flash, but one distinctive feature of Angler is that it also targets Silverlight vulnerabilities (CVE-2013-0074/CVE-2013-3896).

Figure 12: Rate of Drive-By Download Incidence When Viewing Websites (%) (by Exploit Kit; April 1 to June 30, 2014)
*Covers several tens of thousands of sites in Japan. In recent years, drive-by downloads have been configured to change attack details and whether or not attacks are made based on the client system environment or session information, source address attributes, and the quota achievement status of factors such as number of attacks. This means that results can vary wildly at times depending on the test environment and circumstances.
*Because the Web crawler was not operating between June 26 and June 30, no attacks were detected during that period.

0 See “1.4.3 Website Defacement Surveys Using Web Crawlers” in IIR Vol.22 (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol22_EN.pdf) for for methods. observation crawler Web of explanation an (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol22_EN.pdf) Vol.22 IIR in Crawlers” Web Using Surveys Defacement Website “1.4.3 See
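As an added example of the kind of per-signature, per-day view that Figure 11 summarizes, the following Python is my own and is not IIJ's IPS logic: it scans constructed Web server access-log lines for approximations of the signature families named in the figure legend and buckets each hit into one of the three attack patterns described in 1.3.3. The regexes, the pattern mapping, and the sample log lines are all assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed approximations of the Figure 11 signature families, each mapped to one
# of the three attack patterns named in 1.3.3 (the mapping is my reading, not IIJ's).
SIGNATURES = [
    ("HTTP_GET_SQL_UnionAllSelect", r"union\s+all\s+select",                    "steal data"),
    ("HTTP_GET_SQL_UnionSelect",    r"union\s+select",                          "steal data"),
    ("HTTP_GET_SQL_Select_Top_1",   r"select\s+top\s+1\b",                      "steal data"),
    ("HTTP_GET_SQL_Convert_Int",    r"convert\s*\(\s*int\s*,",                  "steal data"),
    ("HTTP_POST_SQL_WaitForDelay",  r"waitfor\s+delay",                         "overload database server"),
    ("SQL_Injection",               r"\b(?:update\s+\w+\s+set|insert\s+into)\b", "rewrite Web content"),
    ("URL_Data_SQL_char_CI",        r"\bchar\s*\(\s*\d+\s*\)",                  "rewrite Web content"),
    ("URL_Data_SQL_1equal1",        r"\b(?:or|and)\s+1\s*=\s*1\b",              "steal data"),
]
COMPILED = [(name, re.compile(rx, re.I), pattern) for name, rx, pattern in SIGNATURES]

# Combined-log request line: client address, timestamp, method and request target.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4})[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+)'
)

def parse_line(line):
    """Split one access-log line into its fields, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode percent-encoding and '+' so the SQL keywords are visible to the regexes.
    rec["decoded"] = unquote_plus(rec["target"])
    return rec

def classify(decoded_target):
    """Return (signature, attack pattern) for the first matching family, else None."""
    for name, rx, pattern in COMPILED:
        if rx.search(decoded_target):
            return name, pattern
    return None

def detect(log_text):
    """Run every parseable line through the signature list and keep the hits."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec["decoded"])
        if verdict:
            rec["signature"], rec["pattern"] = verdict
            hits.append(rec)
    return hits

def daily_counts(hits):
    """Figure 11 style aggregation: number detected per (day, signature)."""
    return Counter((h["day"], h["signature"]) for h in hits)

def source_distribution(hits):
    """Figure 10 style aggregation: percentage of detections per source address."""
    by_ip = Counter(h["ip"] for h in hits)
    total = sum(by_ip.values())
    return {ip: round(100.0 * n / total, 1) for ip, n in by_ip.items()}

# Constructed sample log lines (documentation addresses only; no real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [02/Apr/2014:10:12:01 +0900] "GET /items.php?id=1%20UNION%20ALL%20SELECT%20user,pass%20FROM%20admin HTTP/1.1" 200 512
203.0.113.5 - - [02/Apr/2014:10:12:09 +0900] "GET /items.php?id=1%20or%201=1 HTTP/1.1" 200 7010
198.51.100.7 - - [02/Apr/2014:10:13:44 +0900] "GET /login.php?user=a';WAITFOR+DELAY+'0:0:10'-- HTTP/1.1" 200 88
192.0.2.9 - - [03/Apr/2014:01:02:03 +0900] "GET /news.php?id=1;UPDATE+articles+SET+body=CHAR(60)%2BCHAR(115) HTTP/1.1" 500 0
192.0.2.9 - - [03/Apr/2014:01:05:03 +0900] "GET /news.php?id=3 HTTP/1.1" 200 1024
"""

if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for h in hits:
        print(h["day"], h["ip"], h["signature"], "->", h["pattern"])
    print(dict(daily_counts(hits)))
    print(source_distribution(hits))
```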

1.3.4 Website Alterations
Here we show the status of website alterations as surveyed through the MITF Web crawler (client honeypot)*45. This Web crawler accesses tens of thousands of websites on a daily basis, with a focus on well-known and popular sites in Japan. We also add new target sites on a regular basis. In addition to this, we temporarily monitor websites that have seen short-term increases in access numbers. By surveying websites thought to be viewed frequently by typical users in Japan, it is easier to speculate on trends regarding fluctuations in the number of altered sites, as well as the vulnerabilities exploited and malware distributed.

Angler or Nuclear were behind many of the drive-by download attacks observed between April and June 2014 (Figure 12). Both feature functions for exploiting vulnerabilities in plug-ins such as Java and Flash, but one distinctive feature of Angler is that it also targets Silverlight vulnerabilities (CVE-2013-0074/CVE-2013-3896). Small-scale attacks observed included a number of attempts to directly execute malware (exe) in the JavaScript redirector via the Location property without using an exploit kit. Because browsers display a dialog box prompting users to confirm whether or not to execute for this kind of redirection, it is technically not a drive-by download. However, if a user carelessly permits execution, the malware will be executed. We also identified a number of websites altered and used for redirection that had remained in the same state intermittently for over six weeks after their alteration was first observed.

Overall, it is estimated that the incidence rate for drive-by downloads is still on the decline. However, this trend may change abruptly based on the intentions of attackers, so website operators and visitors must continue to be careful.

Figure 12: Rate of Drive-By Download Incidence When Viewing Websites (%) (by Exploit Kit: Angler, GongDa, Infinity, Nuclear, Other). Horizontal axis: Date (2014.4.1 to 2014.6.30).
*Covers several tens of thousands of sites in Japan. In recent years, drive-by downloads have been configured to change attack details and whether or not attacks are made based on the client system environment or session information, source address attributes, and the quota achievement status of factors such as number of attacks. This means that results can vary wildly at times depending on the test environment and circumstances.
*Because the Web crawler was not operating between June 26 and June 30, no attacks were detected during that period.

1.4 Focused Research
Incidents occurring over the Internet change in type and scope from one minute to the next. Accordingly, IIJ works toward implementing countermeasures by continuing to perform independent surveys and analyses of prevalent incidents. Here, we present information on three topics based on research we have undertaken, including a look at OpenSSL vulnerabilities, and discussion of the “Vawtrak” malware that steals authentication information for financial institutions in Japan. We also examine systems for auditing and confirming the safety of cloud services.

1.4.1 OpenSSL Vulnerabilities
OpenSSL*46 is an open source cryptographic software library implementation that is widely used in Unix environments. There are other implementations with similar functions, for example, GnuTLS*47 and Network Security Services (NSS)*48. For Windows environments, Cryptographic API (CryptoAPI) and Cryptography API Next Generation (CNG) are built in as standard OS functions. These libraries perform the encryption of Web-based and other communications, as well as the processing of server certificates, so they handle highly confidential data. Their most common use is in protecting the confidentiality of Web services. They are utilized in user authentication, as well as during the input of payment information such as credit card details when shopping online.

A number of vulnerabilities in the OpenSSL library and efficient attacks on specific cryptographic algorithms that can be used on SSL/TLS have been disclosed in the past. However, for most of these vulnerabilities a variety of prerequisites had to be met before an attack could be made, and only fragments of information could be gained through a successful attack, so there was hardly any immediate serious impact. Meanwhile, the recently discovered Heartbleed and CCS Injection vulnerabilities have had a critical impact, with the former allowing private keys and data saved on servers to leak, and the latter allowing encrypted communications to be decrypted. As a result they have drawn significant attention. Both vulnerabilities stem from issues with OpenSSL implementations, rather than problems with specific cryptographic algorithms or the SSL/TLS specifications, so other implementations were not affected by them.

■ About Heartbleed
This vulnerability was disclosed in an OpenSSL security advisory (CVE-2014-0160)*49 released on April 7, 2014. Table 1 shows how it affects each implementation. Only OpenSSL versions 1.0.1 and later were affected in this case. All corresponding versions were affected by the vulnerability, regardless of the combination of client and server implementations involved. An OpenSSL version of 1.0.1 or later is required to use the TLS v1.1 and TLS v1.2 protocol versions. TLS v1.1 and TLS v1.2 are protocol versions with a range of enhanced security functions, including fixes for previously discovered problems in the specifications, and the addition of strong cryptographic algorithms. This version of OpenSSL was the only one vulnerable, and ironically only the servers that supported new protocol versions for enhanced security were affected. Specifically, an issue with the implementation of heartbeat processing caused parts of the process memory space, which is normally unreadable, to be included in responses when requests containing specially crafted data were sent.

Table 1: List of Implementations Affected by Heartbleed
Implementation          Affected?
OpenSSL 1.0.1 family    Affected
OpenSSL 1.0.0 family    Not affected
OpenSSL 0.9.8 family    Not affected
Other implementations   Not affected

Many vulnerabilities like this that allow the reading of data in memory that cannot usually be accessed have been discovered in the past, in the form of kernel or driver vulnerabilities that only make local attacks possible. However, because the Heartbleed vulnerability is exploitable over networks, allows large amounts of data to be read, and results in no logs being left behind after an attack, it became a serious issue. The data in memory obtained through an attack depends on the OS, memory allocator, application implementation, and process state, so the target data is not always procured. However, this attack uses non-destructive methods, so it can be attempted any number of times. It has been pointed out that the information obtained could include data not normally disclosed externally, such as private keys stored on the server, or the authentication information of other users. After this vulnerability was disclosed, CloudFlare held the Heartbleed Challenge*50, which involved using the vulnerability to steal a private key stored on a server. Soon after it began there were a number of reports that the key had been successfully stolen, indicating that the leak of private keys was a realistic threat. It has also been pointed out that even when the private key information is not stolen in its entirety, it could be recovered from partial information*51. An upgrade to a fixed version is required to deal with this vulnerability, and considering the leak of private keys, it will also be necessary to create new key pairs, reissue certificates using them, and revoke existing certificates. This is because it is difficult to disprove that servers have been attacked in the past, so countermeasures must take into account scenarios in which private keys have already leaked.

■ About CCS Injection
This vulnerability was disclosed in an OpenSSL security advisory (CVE-2014-0224)*52 released on June 5, 2014. Versions 0.9.8 and later of OpenSSL are affected, which at the time of disclosure covered all supported versions. Table 2 shows the implementation combinations affected by this vulnerability. The vulnerability only affected combinations of client version 0.9.8 or later and server version 1.0.1 or later. This vulnerability allowed MITM attacks that could fully decrypt encrypted communications or alter content due to a problem with the processing of Change Cipher Spec messages, which are sent when switching to encrypted communications after SSL/TLS negotiation is complete. One example of past vulnerabilities that have allowed full decryption in the same way was the issues with SSL v2. Because communications were not protected during negotiation in SSL v2, they could be altered easily. Consequently, it was possible for attackers to forcibly downgrade the cryptographic algorithm used in communications to a weaker one that could be decrypted. This problem was resolved by introducing a system for detecting the alteration of communications during negotiation in SSL v3 and later. However, the Change Cipher Spec messages used in the new vulnerability were not subject to this alteration detection, allowing injections via MITM attacks on OpenSSL implementations.

Table 2: List of Implementations Affected by CCS Injection (rows: client implementation; columns: server implementation)
Client \ Server          OpenSSL 1.0.1 family   OpenSSL 1.0.0 family   OpenSSL 0.9.8 family   Other implementations
OpenSSL 1.0.1 family     Affected               Not affected           Not affected           Not affected
OpenSSL 1.0.0 family     Affected               Not affected           Not affected           Not affected
OpenSSL 0.9.8 family*53  Affected               Not affected           Not affected           Not affected
Other implementations    Not affected           Not affected           Not affected           Not affected

The processing of Change Cipher Spec messages in OpenSSL differs between servers and clients, even when the same version of OpenSSL is used. This difference is why the affected versions vary depending on where they are used. Because an attack must be made on both the server and client due to the characteristics of the vulnerability, cases in which either of these uses a version that is not vulnerable, or an implementation other than OpenSSL, are not affected. There are other details that determine whether a configuration is affected, and these are also discussed on the IIJ Security Diary site*54. Unlike Heartbleed, this vulnerability does not cause the leak of private keys saved on a server, etc., so it only requires an upgrade to a fixed version.

■ Summary
When vulnerabilities are discovered in a widely used library like OpenSSL, they have far-reaching effects. Also, because communication that requires encryption often involves important information, the impact is naturally significant. After the Heartbleed bug became a major problem, the Linux Foundation teamed up with major IT companies to establish the Core Infrastructure Initiative*55, which supports infrastructure-oriented open source projects. The OpenSSL project is an example of a candidate for this support. The OpenBSD project has also launched the LibreSSL project*56. LibreSSL is a fork of the OpenSSL code aimed at refactoring it and removing unnecessary functions and code to create an implementation focused on security. Similarly, Google also established the BoringSSL project*57. This is a derivative project tailored for their own software, and is not intended to replace OpenSSL. They will first apply the results to Chromium, on which Chrome is based, with an eye toward expanding use to Android and other areas in the future. Although these use different approaches, they are all designed to prevent critical issues such as Heartbleed affecting the underlying software again. This demonstrates that software creators are also implementing a variety of countermeasures, but the fact remains that it is difficult to completely eliminate bugs and vulnerabilities. As a result, software users must also stay abreast of vulnerability information that is published, and take appropriate measures when a vulnerability that affects them is disclosed.

*46 OpenSSL: The Open Source toolkit for SSL/TLS (http://www.openssl.org/).
*47 The GnuTLS Transport Layer Security Library (http://www.gnutls.org/).
*48 Network Security Services (https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS).
*49 “OpenSSL Security Advisory [07 Apr 2014] TLS heartbeat read overrun (CVE-2014-0160)” (http://www.openssl.org/news/secadv_20140407.txt).
*50 The Heartbleed Challenge (https://www.cloudflarechallenge.com/heartbleed).
*51 We have also examined the recovery of private keys from partial information on the IIJ-SECT blog. IIJ-SECT blog, “The reality of private keys leaking through the Heartbleed bug” (https://sect.iij.ad.jp/d/2014/04/159520.html) (in Japanese).
*52 “OpenSSL Security Advisory [05 Jun 2014] SSL/TLS MITM vulnerability (CVE-2014-0224)” (http://www.openssl.org/news/secadv_20140605.txt).
*53 For more information on this vulnerability and how it was discovered, see the blog of the discoverer, Lepidum Co. Ltd., “CCS Injection Vulnerability” (http://ccsinjection.lepidum.co.jp/) and “How the CCS Injection vulnerability (CVE-2014-0224) was discovered” (https://lepidum.co.jp/blog/2014-06-05/CCS-Injection/) (in Japanese).
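To make the Heartbleed mechanism described in 1.4.1 concrete, the following added Python is my own and is not OpenSSL's code: it simulates heartbeat handling over a constructed byte buffer that stands in for the adjacent process memory, with one function trusting the request's payload_length field and the other applying the bounds check that the fixed version enforces. The message layout (a type byte, a 16-bit length, the payload and 16 bytes of padding), the buffer contents and all names are assumptions made for illustration.

```python
import os
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING_LEN = 16   # at least 16 bytes of random padding are required
HEADER_LEN = 3     # 1-byte type + 2-byte payload_length

def build_heartbeat(payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Encode heartbeat_request: type | payload_length | payload | padding.
    declared_len lets the caller state a length that differs from the real one,
    which is what the specially crafted requests in the text did."""
    if declared_len is None:
        declared_len = len(payload)
    return struct.pack("!BH", HB_REQUEST, declared_len) + payload + os.urandom(PADDING_LEN)

def respond_unchecked(record: bytes, adjacent_memory: bytes) -> bytes:
    """Pre-fix behaviour (simulated): copy payload_length bytes starting at the
    payload, regardless of how many bytes the record actually contained."""
    _, declared_len = struct.unpack("!BH", record[:HEADER_LEN])
    # The record sits in a buffer followed by whatever else the process had
    # allocated nearby; a copy that runs past the record reads that memory.
    memory = record + adjacent_memory
    payload = memory[HEADER_LEN:HEADER_LEN + declared_len]
    return struct.pack("!BH", HB_RESPONSE, declared_len) + payload + os.urandom(PADDING_LEN)

def respond_checked(record: bytes) -> Optional[bytes]:
    """Post-fix behaviour: drop the record unless header, declared payload and
    the mandatory padding all fit inside the bytes actually received."""
    if len(record) < HEADER_LEN + PADDING_LEN:
        return None   # too short to carry even an empty payload
    hb_type, declared_len = struct.unpack("!BH", record[:HEADER_LEN])
    if hb_type != HB_REQUEST:
        return None
    if HEADER_LEN + declared_len + PADDING_LEN > len(record):
        return None   # silently discarded, as the corrected processing does
    payload = record[HEADER_LEN:HEADER_LEN + declared_len]
    return struct.pack("!BH", HB_RESPONSE, declared_len) + payload + os.urandom(PADDING_LEN)

def extra_bytes(response: bytes, honest_payload_len: int) -> bytes:
    """Bytes in a response beyond the payload the client really sent."""
    _, declared_len = struct.unpack("!BH", response[:HEADER_LEN])
    return response[HEADER_LEN + honest_payload_len:HEADER_LEN + declared_len]

# Constructed stand-in for memory adjacent to the record; no real key material.
ADJACENT_MEMORY = b"\x00" * 40 + b"-----BEGIN CONSTRUCTED KEY-----" + b"\x00" * 40

def demo():
    """Return (bytes leaked by the unchecked path, result of the checked path for
    the crafted record, result of the checked path for an honest record)."""
    honest = build_heartbeat(b"ping")                         # length field 4, 23 bytes on the wire
    crafted = build_heartbeat(b"ping", declared_len=4 + 100)  # claims 104, still 23 bytes
    leaked = extra_bytes(respond_unchecked(crafted, ADJACENT_MEMORY), len(b"ping"))
    rejected = respond_checked(crafted)
    echoed = respond_checked(honest)
    return leaked, rejected, echoed

if __name__ == "__main__":
    leaked, rejected, echoed = demo()
    print("unchecked: %d extra bytes returned, key marker present: %s"
          % (len(leaked), b"CONSTRUCTED KEY" in leaked))
    print("checked: crafted -> %r, honest payload -> %r"
          % (rejected, echoed[HEADER_LEN:HEADER_LEN + 4]))
```

Note that the unchecked path leaves no trace in the server's own logs, which is the property the text singles out; the checked path could additionally log the discarded record.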

*54 IIJ-SECT blog, “The impact of the OpenSSL vulnerability that allows man-in-the-middle attacks” (https://sect.iij.ad.jp/d/2014/06/069806.html).
*55 Core Infrastructure Initiative (http://www.linuxfoundation.org/programs/core-infrastructure-initiative).
*56 LibreSSL (http://www.libressl.org/).
*57 BoringSSL (https://boringssl.googlesource.com/).
*58 It was first detected by Microsoft’s “Malware Protection Center (http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Backdoor:Win32/vawtrak.A)” in May 2013.
*59 In addition to IIJ’s observations, a TrendMicro blog post “’VAWTRAK’ and ‘AIBATOOK’: two Internet-based attacks that struck Japan in the last week of May (http://blog.trendmicro.co.jp/archives/9236)” reported a sharp rise in the detection of Vawtrak in Japan, peaking in late May 2014.
*60 See “1.3.4 Website Alterations” in this report for more information about the MITF Web crawler.

1.4.2 The Vawtrak Malware That Steals Authentication Information, etc. for Japanese Financial Institutions
Vawtrak (also known as Neverquest, Snifula, and ZeuS Based Pony, etc.) is malware that is reported to have caused infections overseas since around 2013*58. However, between April and June 2014, it also began to be observed in Japan*59. It features functions for stealing authentication information saved on infected computers or used in online banking, as well as functions for directly manipulating computers from an external source using the VNC protocol. It spread through websites in Japan that had been altered, and IIJ has extracted and analyzed Vawtrak specimens collected through the MITF Web crawler*60. In this section, we present the results of our analysis and discuss countermeasures. The hashes of the specimens in question are shown below.

(Dropper) MD5: 8e8d2a1eafb5c685a02a9adf0890f3bc / SHA-1: 3174ee12fad4422a50655727b0d00222e09239ea
(after unpacking the 32-bit DLL) MD5: aa8422fb8eee6f677cc044212cdd96b9 / SHA-1: 7bf386bbf56fbcd16f35e5010f559bbd5cb14634

■ Main Functions and Characteristics
One of the key characteristics of Vawtrak is that it features functions that closely resemble ZeuS (a.k.a. Zbot)*61 and Pony (a.k.a. Fareit)*62. Specifically, it is equipped with most of the distinguishing features of ZeuS, such as WebInject*63, DynamicConfig, reporting, a VNC server, and a SOCKS proxy. It also has a function for collecting account information from configuration files saved on the computer for applications such as Web browsers, email clients, FTP clients, and SSH clients. The types of applications targeted by this function are an almost perfect match for those targeted by Pony. The rate of concordance (via BinDiff) between the execution code of the Vawtrak specimen we obtained and ZeuS and Pony was 8% and 20%, respectively. However, because the source code of both ZeuS and Pony has been leaked to the Internet in the past, we think it is likely that many functions have been implemented based on this source code.

Below we explain each function of the specimen in line with the behavioral flow of Vawtrak. Upon infection, the exe format dropper is the first file executed. Based on the environment it is executed in, this drops a 32-bit or 64-bit dll file with a random file name and the .dat extension into CSIDL_COMMON_APPDATA (C:\ProgramData in the case of Windows Vista, 7, and 8), and modifies the registry to automatically execute it upon startup (Figure 13). It then performs a code injection of the main body of Vawtrak equivalent to the abovementioned dll file into explorer.exe, and deletes itself to finish with. Although the dropper is deleted, the dropped dll file and the autorun registry entry can be found comparatively easily, so they can be used as indicators of infection with this specimen*64. The code injected into explorer.exe is also injected into all but a few processes, such as svchost.exe and wininit.exe. When a computer user later launches a browser such as Internet Explorer or Firefox and begins Internet communications, Vawtrak connects to a previously-determined C&C server via HTTP, and downloads the DynamicConfig file containing additional settings, etc. The DynamicConfig is compressed using aPLib*65 and encrypted via a unique method. It is decrypted after download, and also saved to the registry in case of a reboot. The C&C servers that this specimen connected to are shown below.

Figure 13: Registry Modified by Vawtrak

Upon obtaining and analyzing the DynamicConfig, we found it contained URLs for services related to online banking and credit cards, including major financial institutions in Japan, as WebInject targets (Figure 14)*66. Additionally, URLs for well-known SNS and cloud services, video sharing services, and file-sharing services in Japan and abroad were listed as targets for the theft of information when viewed. Aside from the DynamicConfig mentioned above, Vawtrak also receives the next command for it to carry out from the C&C server. During our analysis, we confirmed the receipt of commands for Vawtrak to upgrade its own version and steal digital certificates saved on the computer. Digital certificate theft is a function for extracting all certificates provided in the certificate store on Windows OSes and sending them to a C&C server. The digital certificates stored on computers have multiple purposes, and when certificates leak there is a risk of impersonation by a third party with regard to each of these. Vawtrak also features functions not found in ZeuS or Pony, such as those for blocking anti-malware software by abusing Windows OSes’ software restriction policies, and those for attempting to disable Rapport*67. Table 3 shows how the features of Vawtrak compare to ZeuS and Pony.

Figure 14: Part of the DynamicConfig for Vawtrak Obtained (decrypted / red boxes indicate URLs for services such as financial institutions in Japan)
*After decryption, a check of the 4 byte “ECFG” string at the beginning (blue box) was performed, so we think this is used as a magic word indicating the beginning of DynamicConfig. Incidentally, ECFG is believed to be an abbreviation of Extended Config or Encrypted Config. Information in this figure specific to each of the targeted financial institutions has been blacked out.

Table 3: Characteristic Vawtrak Functions and Comparison with Zeus and Pony (columns compared: Vawtrak, Zeus (2.0.8.9), Pony (1.9), Notes)
- Acquisition of authentication information saved on PCs. Notes: The client applications targeted by Vawtrak and Pony 1.9 (about 100 in total) are almost identical. ZeuS targets around 20, and the types are also different. There are no matches with Pony 2.0.
- Acquisition of digital certificate information saved on PCs
- DynamicConfig. Notes: Different configuration formats.
- WebInject
- Obfuscation of internal strings
- Report function
- SOCKS proxy
- VNC server
- 32-bit / 64-bit support
- Blocks anti-malware software using restriction policies
- Attempted disabling of Rapport

■ Infection Vectors
MITF’s Web crawler obtained Vawtrak specimens from multiple websites targeted at Japanese users. The HTML file for the top page of each of the websites in question had been altered, and iframe tags had been inserted without authorization. Website visitors are redirected to an external Web server via these iframe tags, ultimately leading to infection with malware such as Vawtrak through drive-by-download using the Nuclear Exploit Kit or Angler Exploit Kit. Overseas there have been reports of Vawtrak being distributed via email and other methods*68. In Japan, it is estimated that it spreads mainly through drive-by-downloads via altered websites. One of the altered websites was for the group company of a well-known content provider in Japan, which was observed in an altered state intermittently from late April to mid-June, and again from mid- to late July. We have been observing a number of websites, including prominent ones such as this, remaining in an altered state for extended periods of time.

■ Countermeasures
To prevent malware infections through drive-by-downloads, it is important to always keep the OS, browser, and related plug-ins on a client PC up-to-date, and free of vulnerabilities. When the client OS is Windows, it is also effective to use software restriction policies to limit the executable area for programs, and install EMET to mitigate the effect of vulnerabilities*69. In the event that a Vawtrak infection occurs, it will be necessary to restore the computer by performing a clean install, revoke digital certificates that were used, and change the passwords used through client applications on the computer. Additionally, if Web services such as online banking or SNS were used on the computer in question, the account information and details exchanged over those services may have leaked, so appropriate measures such as changing or deleting this information must be taken.

Meanwhile, website operators and administrators should bear in mind that they have a responsibility to do their utmost to prevent sites from being altered and used as exploit kit redirection sources. It is necessary to have a comprehensive understanding of the systems used, including Web servers, content management systems and their plug-ins, or frameworks these depend on. They must also be managed in a way that prevents them from being affected by attacks on vulnerabilities. There have also been cases in which website visitors have been exposed to the threat of malware infections due to security breaches at external resources such as CDN, advertisement services, and access analysis services, which are involved with the company’s website*70. Threats that stem from external systems such as these cannot be eliminated by merely performing repeated diagnosis of your system and improving its protection. Although it depends on the nature of the service provided, with regard to external resources whose integrity cannot be assured, we recommend you consider moving them in-house or discontinuing them according to their importance. When continuing to use external resources after evaluating this, we encourage you to regularly view your website from an external client and check the content actually downloaded to the client PC, to detect any problems directly as soon as possible.

*61 See “1.4.3 ZeuS and its Variants” in IIR Vol.16 (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol16_EN.pdf) for more information on ZeuS.
*62 See the IIJ Security Diary “Follow-Up on Alteration Incidents in Japan Exploiting BHEK2” (https://sect.iij.ad.jp/d/2013/03/225209.html) (in Japanese) for a detailed explanation of Pony.
*63 WebInject is a function for altering Web content in browser memory by setting hooks for the Web browser’s communication API. Most banking Trojan malware such as ZeuS and SpyEye have functions like this to deceive a user into entering additional authentication information, such as a password for two-factor authentication, when the user logs in to a financial institution. The stolen authentication information is used to attempt to misappropriate funds. A detailed explanation of WebInject can be found in IIR Vol.18 (http://www.iij.ad.jp/en/company/development/iir/018.html) under “1.4.2 The Citadel Variant of ZeuS,” or IIR Vol.13 (http://www.iij.ad.jp/en/company/development/iir/013.html) under “1.4.2 SpyEye.”
*64 Because these values and paths can be changed easily, they may not be usable as indicators for other Vawtrak variants with different configurations, etc.
*65 An open source compression library published by Ibsen Software (http://ibsensoftware.com/products_aPLib.html).
*66 The DynamicConfig files collected at the time of writing this report (August 1, 2014) also included additional URLs for a number of regional banks and credit card companies.
*67 Rapport is anti-malware software developed by Trusteer (http://www.trusteer.com/ja/products/trusteer-rapport-for-online-banking-ja) (in Japanese) that is tailored to countering threats to online banking, such as Web injections and phishing. Trusteer stated in a blog post titled “Carberp’s Attempt to Bypass Trusteer Rapport is Effectively Resisted (http://www.trusteer.com/blog/carberps-attempt-to-bypass-trusteer-rapport-is-effectively-resisted)” that Rapport was not affected as intended by a mechanism in malware known as Carberp that attempts to bypass it like Vawtrak.
*68 For example, a post on the Kaspersky Lab blog titled “Online Banking Faces a New Threat” (http://securelist.com/blog/57881/online-banking-faces-a-new-threat/) states that infections were being spread through spam.
*69 See IIR Vol.21 (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol21_EN.pdf) for more information about malware infection countermeasures in client environments at the end of “1.4.1 The PlugX RAT Used in Targeted Attacks”.
*70 For example, the following Symantec Security Response blog post gives a detailed explanation of incidents in which legitimate websites and services used for CDN were compromised and exploited. “Recent Exploit for Adobe Flash Vulnerability Targeting Users in Japan for Financial Information” (http://www.symantec.com/connect/blogs/recent-exploit-adobe-flash-vulnerability-targeting-users-japan-financial-information).

1.4.3 Cloud Security Confirmation and Audit Systems
Here we take a look at the use of the various guides published to enable users to utilize cloud services safely. We also discuss the “Cloud Information Security Audit System” being evaluated by the Cloud Information Security Promotion Alliance.

■ Cloud Security Guides
Eight years have already passed since the concept of cloud computing was introduced in 2006. Since then, a range of services using cloud computing technology (henceforth “cloud services”) have been introduced, and are now widely used by the public. However, since the inception of cloud services various doubts have been cast regarding their safety, and security concerns have been the top obstacle to adopting them. In fact, large-scale information security incidents both in Japan and abroad are still fresh in our minds. Subsequently, through various discussions, information including guides for safely providing and using cloud services has now been published by a number of organizations. Table 4 lists examples of these guides, and provides an overview of them. As mentioned above, guides regarding cloud security have been issued by a range of organizations and groups. Although the large number of guides makes it harder to select the best guide for your purposes, we should welcome the fact that information is now much easier to obtain than in the past.

■ Points to Note When Using Guides
These guides contain many useful pieces of information regarding security issues that should be considered when using or providing cloud services, and they are also commonly used as checklists. However, the guides can be interpreted in a number

Table 4: Sample Guides for Providing/Using Cloud Services Safely (Title)
- Information Security Guidelines for Cloud Services*71
- Guide for Protecting Cloud Service Users and Ensuring Compliance*72
- System for Certifying the Disclosure of Information Pertaining to IaaS/PaaS Security/Reliability*73
- Information Security Management Guidelines for the Use of Cloud Services*74
- Security Measure Standards/Handbook for Computer Systems at Financial Institutions (Supplement to Eighth Revision)*75
- CSA Cloud Control Matrix (CCM)*76
- ISO/IEC CD 27017 Information technology -- Security techniques -- Code of practice for information security controls for cloud computing services based on ISO/IEC 27002*77

*72 ASP-SaaS-Cloud Consortium, “Guide for Protecting Cloud Service Users and Ensuring Compliance” (http://aspicjapan.org/information/guideline/pdf/ (in Japanese).
*73 Foundation for MultiMedia Communications, “System for Certifying the Disclosure of Information Pertaining to IaaS/PaaS” (http://www.fmmc.or.jp/ip-nintei/) (in Japanese).
*74 Ministry of Economy, Trade and Industry, “Information Security Management Guidelines for the Use of Cloud Services” First Edition (http://www.meti.go.jp/press/2011/04/20110401001/20110401001.html) (in Japanese). March 2014 Revised Edition (http://www.meti.go.jp/press/2013/03/20140314004/20140314004.html) (in Japanese).
*75 Center for Financial Industry Information Systems, “Security Measure Standards/Handbook for Computer Systems at Financial Institutions (Supplement to Eighth Revision)” (https://www.fisc.or.jp/publication/disp_target_detail.php?pid=266) (in Japanese).
*76 Cloud Security Alliance, “CSA CCM” (https://cloudsecurityalliance.org/research/ccm/). The Japanese version is (http://www.cloudsecurityalliance.jp/ccm_wg.html).
*77 International Organization for Standardization, “ISO/IEC CD 27017 Information technology -- Security techniques -- Code of practice for information security controls for cloud computing services based on ISO/IEC 27002” (http://www.iso.org/iso/catalogue_detail.htm?csnumber=43757).
(in Compliance” jp_ver1.0.pdf) Ensuring and Users Service Cloud Protecting for “Guide Consortium, ASP-SaaS-Cloud Ministry of Internal Affairs and Communications, “Information Security Guidelines for Cloud Services” (http://www.soumu.go.jp/main_sosiki/joho_ Services” Cloud for tsusin/eng/Releases/Telecommunications/140402_01.html). Guidelines Security “Information Communications, and Affairs Internal of Ministry 74 75 71 73 72 77 76

Communications Ministry ofInternal Affairs and Cloud Security Alliance Cloud Industry InformationSystems The CenterforFinancial Industry Ministry ofEconomy, Trade and Communications Foundation forMultiMedia ASP-SaaS-Cloud Consortium Standardization (ISO) International Organization for Issuing Organization July 2014July V3.0.1 March 2013 revised March 2014 2011,Published April August 2012 July 2011 April 2014 for October2015 Publication planned Date ofIssue information shouldbedisclosedfromapracticalperspective. measures shouldbeimplementedandwhatkindof summarizes pointssuch ashowinformationsecurity that A guidemainlytargetingcloudserviceproviders to variousotherstandards. implementation. The controlslistedinCCMarealsomapped Guidance" issuedbyCSA, aswellpoliciesfortheir Summarizes thecontrolslistedin"CloudSecurity assessment whenfinancialinstitutionsusecloudservices. financial institutions.Itcontainsinformationaboutrisk when usingcloudservicesintoprevioussecurityguidelinesfor A documentthatincorporatespointsshouldbeconsidered user requests. topicssuchalso covers should respondto ashowproviders butit Itismainlytargetedatusers, based onISO/IEC27002. Prescribes standardsforcloudservicesecuritymanagement Data CenterInformationisanothersimilarsystem. The System forCertifying theDisclosureof ASP/SaaS and appropriately disclosinginformationaboutsecurity/reliability. A systemforcertifying thatIaaS/PaaS are providers cloud services. management whencompaniesinparticular usepublic Explains pointstoconsiderforconductingappropriaterisk Overview for implementingcloudsecurity. andproviders with theadditionofcontrolsrequiredbyusers being underdiscussion. They arebasedonISO/IEC27002, Internationalstandards for cloudsecurity that are currently for cloud security that are currently under discussion. 
under currently are that security cloud for standards international ISO27036-4 and ISO27017 the for proposals making actively also is J-CISPA activities these through gained knowledge the on based and first, aworld is trial This standards. these in rooted are that services cloud to tailored audits system performing by management risk appropriate out carrying for information with users provide to intend They computing. cloud to applied systems audit security information conventional on based are which Standards,” Management Security Information “Cloud its published 2012 JASA September In “J-CISPA).” (henceforth Alliance Promotion Security “JASA Information the -Cloud “JASA”) founded and 2013, April in (henceforth Association Audit Security Information Japan the of leadership the under together came services cloud with involved providers including companies 25 this, of light In services. to cloud to apply difficult are systems corporate on-premise conventional on based concepts assessment risk and security why reason one is That unavoidable. is box” a“black as services cloud of use The users. to system their of entirety the reveal not will providers audit, an out carrying on spent is money if Even workings. inner their at guessing to point no is there change dynamically, environments service cloud because Also, known. made not are structures operational and configurations of details the and user, the for built not is environment system adedicated integration, system unlike Consequently, manner. aset in resources of use joint the for provider service the by prepared systems utilizing users of numbers large involve services Cloud Audit System Security n Cloud Information We out. will this initiative discuss next. carried be to assessment risk proper enabling issues, various these resolves method This information. trustworthy disclose and standards common on based security evaluate to providers cloud enables that started has initiative An broadly. 
services cloud to it apply to difficult is it fees), service higher to leading (eventually cost ahigher paying up ends provider the and knowledge, IT of level high extremely an have must auditor external the because but providers, and users both for benefits has method This party. athird from organization aprovider’s of evaluation atrustworthy obtain to able are users and auditors, external to information disclose only Providers SSAE16. as such reports use to is method Another responses. of reliability the confirm to difficult be may it for, and looking were you information the get to possible be not may it so vary, granularity its and can disclose providers that information the difficult, or time-consuming not is it while However, services. cloud typical in seen often is method This maintained. be can require they security of level the whether themselves for decide to information published this use can users taken, measures security the and provided features security of kind the regarding information of form some releases provider each Because as-is. it use and providers by disclosed information for search to is method Another like this. queries individual to respond to able be will providers all not so services, cloud of afeature is that automation the hinders this hand, other the On assumptions. false and gaps perception reduces this but required, are effort and time user, and provider the between place takes communication Because page. same the on is everyone that so used, service the maintaining for accounts are accounts” “privileged that provider) or user either (from clarifying example, For understanding. acommon have users and providers that so subject and audience target the clarify to is assessment risk proper performing for method One possible. be not will use service or assessment risk proper that arisk is there interpretations, different on based vary questions checklist of implications the Because (1) (2). 
or indicate would this providers targeting guides in while (4), or (3) to refer would accounts” “privileged users, at aimed is referenced guide the If (4).” SaaS via users of deletion or registration the as such maintenance conducting for “accounts or (3),” IaaS via using is auser machine virt 25 Infrastructure Security 26 Infrastructure Security Figure 15: Individual Roles During a Cloud Security Audit Security aCloud During Roles Individual 15: Figure services. cloud of use safe the facilitate to rules international and domestic of creation the and this as such systems new promote actively to continue will IIJ results. earlier the on based audits actual conduct to underway are preparations enthusiastic year fiscal This system. this trial to audits” “pilot conducted alliance the in providers service cloud the 2013, fiscal In results. these verified has auditor external an when mark agold and audit, an out carried has auditor internal an which of assertion an for mark asilver with results, the on based marks issues J-CISPA system. this support can services cloud costs more keeping down, By cost. possible lowest the at procedures, auditing accurate with along services, cloud to related information technical of assessment accurate an enable to attempt an in structure two-step the incorporates system audit This correctly. out carried was audit internal the not or whether audit to needs only audit external the produced, is and format procedures uniform with report audit sound atechnically produces audit internal the Because audit. internal the through obtained documents other and report” audit “internal the on based procedures correct the to according out carried was audit internal the whether verifies auditor external an specifically, More auditor. internal the by produced results the of use effective makes that audit external an incorporates system audit the this, To remedy self-assertion. 
a mere to amounts still this perspective user’s the from procedures, set using auditor internal acertified by out carried is audit the when even However, lessened. is them on burden the service, their about information confidential release to need don’t providers cloud because Additionally, quality. audit of level acertain ensure helps also this and service, the of knowledge accurate their on based decisions make to able is provider a service of auditor internal The correct. is data audit the whether determine to technology IT of knowledge seasoned with specialist a than other anyone for difficult is it moment, to moment from change and developing, still are systems service cloud Because audit. the out carry to auditor internal an requires system This differs. service or provider the when even with, dealt is risk how compare to easier it makes also standards audit common Using used. is auditor different a when even affected not is quality audit the detail, in defined are audit the for procedures and content the Because group. working JASA’s by expert together put procedures standard auditing internal cloud the in specified procedures auditing using audit the conducts auditor internal The results. the records and assertion the of content the audits by JASA determined qualifications auditor with auditor internal an Next, later). (detailed audit apilot for together put IIJ assertion asample 16 shows Figure “assertion.” an called is This risks. these of each handle they how documents and clarifies provider acloud First, 5). (Table services cloud to regard with concern of risks typical the determined has J-CISPA J-CISPA. 
by envisaged is 15, that Figure in shown system, audit the explain will we Here Users JASA granted CS mark Confirmation Credentials Credentials granted granted External auditor Internal auditor Assertion Audit Assessment Declaration Creation administrator Audit report Silver mark Gold mark Cloud Table 5:  5: Table Severity Risk Medium High Low (taken from J-CISPA materials) J-CISPA from (taken Services Cloud Regarding Concern of Risks Number M11 M10 M09 M08 M07 H06 H05 H04 H03 H02 H01 L21 L20 L19 L18 L17 L16 L15 L14 L13 L12 Licensing risks Data protectionrisks Risk fromchangesofjurisdiction Subpoena ande-discovery Undertaking maliciousprobesorscans Loss ofencryptionkeys Economic denialofservice(EDoS) Supply chainfailure Loss ofgovernance Lock-in DDoS/DoS attacksoncloud Insecure orineffectivedeletionofdata up/download, intra-cloud Intercepting dataintransitorleakageon availability ofinfrastructure) Management interfacecompromise(manipulation, privilege access Cloud providermaliciousinsider-abuseofhigh Compromise ofserviceengine Isolation failure Resource exhaustion(underoroverprovisioning) Loss ofbusinessreputationduetoco-tenantactivities design andoperationphase Mismatches betweenvirtualandphysicalsystemsin resources andinfrastructures Impacts increasedduetohighlyaggregatedcomputing Risk Identifier Figure 16: Sample Assertion for Pilot Audit Pilot for Assertion Sample 16: Figure of use the Internet. secure and safe the allow to countermeasures necessary the provide to striving continue will IIJ this. as such in reports responses associated and incidents publicizing and identifying by usage Internet of dangers the about public the inform to effort every makes IIJ systems. audit and security cloud of confirmation the examined We also Japan. in institutions financial for etc. information, authentication steals that malware “Vawtrak” the at looked and vulnerabilities, OpenSSL of asummary provided we report, this In responded. 
has IIJ which to incidents security of asummary provided has report This 1.5 Office of Emergency Response and Clearinghouse for Security Information, Service Operation Division, IIJ Division, Operation Service Information, Security for Clearinghouse and Response Emergency of Office Masafumi Negishi, Yuji Suga, Takahiro Haruyama, Minoru Kobayashi, Yasunari Momoi Contributors: IIJ Division, Operation Service Information, Security for Clearinghouse and Response Emergency of Office Masahiko Kato Hisao Nashiwa, Hiroshi Suzuki Tadashi Survey) Kobayashi Incident (1.3 Nashiwa Hisao Suzuki, Hiroshi Nagao, Tadaaki Tsuchiya, Hirohide Hirohide Tsuchiya Authors: Conclusion several industry groups, including Telecom-ISAC Japan, Nippon CSIRT Association, Information Security Operation providers Group Group providers Operation Security others. Information and Japan, Association, CSIRT Nippon Japan, Telecom-ISAC of member including groups, committee industry asteering as several serves Mr. Saito CSIRTs. of group response international an emergency FIRST, in Group IIJ the of participating 2001, in representative IIJ-SECT the team, became Mr. Saito working customers, After IIJ. enterprise for Division, development Operation Service services security in Information, Security for Clearinghouse and Response Emergency of Office the of Manager Mamoru Saito (1.4.3 Cloud Confirmation Security and Audit Systems) (1.2 Incident Summary) Incident (1.2 (1.4.1 OpenSSL Vulnerabilities) (1.4.2 The Vawtrak Malware That Steals Authentication Information, etc. for Japanese Financial Institutions) Financial for Japanese etc. Information, (1.4.2 Authentication Steals MalwareThat TheVawtrak 27 Infrastructure Security