[Security Weekly] Japanese Government Agencies Breached Due to Cyberattack at Fujitsu
4th Week of May 2021
1. Japanese government bodies suffer data breaches from cyberattack at Fujitsu
A number of government agencies and public infrastructure operators in Japan had their data stolen after attackers gained access to Fujitsu’s ProjectWEB platform, a cloud-based project collaboration and file sharing tool used by various organizations in the public sector.
Fujitsu said that it first discovered the intrusion on May 24, and immediately suspended ProjectWEB and its online portal the following day, while notifying all government agencies to protect their project data. ProjectWEB hosts thousands of work projects.
Among the victims were the Ministry of Land, Infrastructure, Transport, and Tourism (MLIT), the Cabinet Secretariat, and Narita Airport. Later in the week, MLIT, with the help of Japan’s cybersecurity agency NISC, confirmed that attackers had accessed projects and obtained confidential information, which included 76,000 email addresses of its employees and business partners. The Cabinet Secretariat also confirmed that data relating to the agency was stolen in the attack.
The NISC is currently investigating the attack. As of now, it is unclear whether the attack was opportunistic exploitation of a vulnerability found by scanning or a coordinated supply chain attack against the government.
2. Bose reveals ransomware attack exposing sensitive employee information
High-end audio equipment manufacturer Bose disclosed a ransomware attack incident in a letter to the New Hampshire Attorney General. The attack took place on March 7, only to be discovered on April 29, when the company noticed unauthorized access to its HR database.
Bose revealed that IT systems across its network were infected with ransomware, but did not specify which ransomware variant it was. After forensic analysis, the company was able to confirm that the attackers had gained access to several HR files, which included the names, addresses, social security numbers (SSN), and compensation information of six current and former employees.
A spokesperson from Bose later stated that the company refused the attackers’ ransom demand and was able to regain control of its IT systems on its own. Bose is currently working with the FBI to search the dark web for potential leaks of the exposed data.
3. Iranian hacker group Agrius uses wiper disguised as ransomware to hide motive
Cybersecurity researchers at SentinelOne recently discovered that Agrius, an Iranian hacker group and APT, has been using custom-made wipers disguised as ransomware to deceive its victims. The group pretends to encrypt files for a ransom, but destroys them instead.
A newly emerged APT, Agrius originally attacked targets using a destructive wiper dubbed Deadwood. It then gradually developed its own wiper named Apostle, which was customized with ransomware functionality. In many attacks, Agrius appeared to have encrypted data in exchange for a ransom, but the data was in fact destroyed.
Apostle was first seen in Agrius’ attacks against Israeli targets in 2020. In a typical attack, Agrius exploits web vulnerabilities using techniques such as SQL injection to gain access to a victim’s network, then installs a custom .NET backdoor called IPsec Helper, which connects the compromised systems to its command and control (C2) server, after which Apostle is deployed.
Agrius is suspected to be a state-sponsored hacker group focused on espionage and destruction. This explains why it disguises itself as a financially motivated ransomware group: the ruse keeps victims from discovering its true goals.
Agrius’ entry point of exploiting web vulnerabilities can be sealed off with an AI-based web application firewall (WAF) like WAPPLES. Using detection rules based on machine learning, WAPPLES protects against exploitation of both known and zero-day web vulnerabilities.
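The entry point described above, SQL injection, comes down to user-controlled input being pasted into a query as SQL text. The Python snippet below is an added illustration written for this page, not code from the original article, from SentinelOne’s report, or from the WAPPLES product. It builds a constructed in-memory sqlite3 table, shows a lookup that concatenates the username into the query beside the parameterized form that fixes it, and adds a small, assumed signature heuristic of the kind a WAF might apply in front of the application (the regular expression is illustrative and is not a WAPPLES rule).

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: a minimal users table standing in for a web app's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "constructed-hash-1", "admin"),
            ("bob", "constructed-hash-2", "user"),
        ],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    """Vulnerable form: string concatenation lets input change the SQL structure."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, username):
    """Hardened form: the driver binds the value, so it can never become SQL syntax."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Assumed, illustrative signature of the kind a WAF rule might use: a quote followed by
# a boolean operator and another quote, comment markers, statement separators, or UNION.
# Signature matching is a perimeter layer; parameterized queries are the code-level fix.
SUSPICIOUS_SQL = re.compile(r"('\s*(or|and)\s*'|--|;|/\*|\bunion\b)", re.IGNORECASE)


def looks_like_sql_injection(value):
    """Return True when the input matches the illustrative signature above."""
    return SUSPICIOUS_SQL.search(value) is not None


if __name__ == "__main__":
    conn = make_db()
    normal = "alice"
    # Constructed malicious input: a closing quote followed by an always-true condition.
    injected = "x' OR '1'='1"
    print("vulnerable, normal input :", lookup_user_vulnerable(conn, normal))
    print("vulnerable, injected     :", lookup_user_vulnerable(conn, injected))
    print("parameterized, injected  :", lookup_user_safe(conn, injected))
    print("signature flags injected :", looks_like_sql_injection(injected))
    print("signature flags O'Brien  :", looks_like_sql_injection("O'Brien"))
```

With the concatenated query the constructed input returns every row in the table, while the parameterized query returns nothing because the whole string is treated as a literal username. The heuristic flags the constructed input but not a legitimate name containing an apostrophe, which is the balance a WAF rule set has to strike; it does not remove the need to fix the query itself.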
4. Canada Post confirms data breach due to cyberattack at supplier firm
Canada Post, a Crown corporation and the largest postal service of Canada, disclosed on May 26 that it had suffered a data breach as a result of a cyberattack at its supplier Commport Communications. Commport, a digital data solutions provider, was in charge of managing the shipping data for Canada Post.
After gaining access to Commport’s IT systems, the attackers accessed the shipping manifests of 44 commercial senders. A manifest contains sender and recipient names, shipping addresses, and contact information. As a result, the information of over 950,000 recipients was exposed. The leaked data covered records from July 2016 through March 2019.
Check out Penta Security’s product lines:
Web Application Firewall: WAPPLES
Database Encryption: D’Amo
Identity and Access Management: ISign+
Car, Energy, Factory, City Solutions: Penta IoT Security