Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Japan. Show all posts
Ransomware
Data Breach Data Theft eCommerce Japan MFA Ransomware

Askul Discloses Scope of Customer Data Theft Following October Ransomware Incident

 



Japanese e-commerce firm Askul Corporation has officially confirmed that a ransomware attack earlier this year led to the unauthorized access and theft of data belonging to nearly 740,000 individuals. The company made the disclosure after completing a detailed investigation into the cyber incident that occurred in October.

Askul operates a large-scale online platform that provides office supplies and logistics services to both corporate clients and individual consumers. The company is part of the Yahoo! Japan corporate group and plays a significant role in Japan’s business-to-business supply chain.

The cyberattack caused serious disruptions to Askul’s internal systems, resulting in an operational shutdown that forced the company to suspend product shipments. This disruption affected a wide range of customers, including major retail partners such as Muji.

Following the conclusion of its internal review, Askul clarified the categories of data that were compromised. According to the company, service-related records of approximately 590,000 business customers were accessed. Data connected to around 132,000 individual customers was also involved. In addition, information related to roughly 15,000 business partners, including outsourcing firms, agents, and suppliers, was exposed. The incident further affected personal data linked to about 2,700 executives and employees, including those from group companies.

Askul stated that it is deliberately limiting the disclosure of specific details related to the stolen data to reduce the risk of further exploitation. The company confirmed that affected customers and business partners will be informed directly through individual notifications.

Regulatory authorities have also been notified. Askul reported the data exposure to Japan’s Personal Information Protection Commission and has implemented long-term monitoring measures to identify and prevent any potential misuse of the compromised information.

System recovery remains ongoing. As of December 15, shipping operations had not fully returned to normal, and the company continues to work toward restoring all affected services.

Responsibility for the attack has been claimed by the ransomware group known as RansomHouse. The group publicly disclosed the breach at the end of October and later released portions of the stolen data in two separate leaks in November and December.

Askul shared limited technical findings regarding how the attackers gained access. The company believes the intrusion began through stolen login credentials associated with an administrator account belonging to an outsourced partner. This account did not have multi-factor authentication enabled, making it easier for attackers to exploit.

After entering the network, the attackers conducted internal reconnaissance, collected additional authentication information, and expanded their access to multiple servers. Askul reported that security defenses, including endpoint detection and response tools, were disabled during the attack. The company also noted that several ransomware variants were deployed, some of which bypassed existing detection mechanisms despite recent updates.

The attack resulted in both data encryption and widespread system failures. The ransomware was executed simultaneously across multiple servers, and backup files were deliberately erased to prevent rapid system recovery.

In response, Askul disconnected affected networks, restricted communication between data centers and logistics facilities, isolated compromised devices, and strengthened endpoint security controls. Multi-factor authentication has since been enforced across critical systems, and all administrator account passwords have been reset.

The financial consequences of the incident have not yet been determined. Askul has postponed its earnings report to allow additional time for a comprehensive assessment of the impact.



Read more »
RaaS
Cloud Cyber Attacks Cyber Attacks. Ransomware Extortion Japan RaaS

Firms in Japan at Risk of Ransomware Threats, Government Measures Insufficient


There is no indication that ransomware assaults against Japanese businesses will stop. Major online retailer Askul Corp. experienced a cyberattack in October that resulted in system interruptions, following an attack on Asahi Group Holdings Ltd. Government authorities are finding it difficult to keep up with the situation.

The ransomware profit 

According to some estimates, a complete system recovery could take several months. Asahi is thought to have been employing a large-scale operations system that linked ordering, shipping, human resources, and accounting administration. 

A hacker collective known as Qilin claimed responsibility for this most recent attack in a statement released on a dark web website on October 27. The group claimed to have stolen approximately 9,300 files totaling at least 27 gigabytes, and they shared 29 photos that they felt showed Asahi's internal documents and employee personal information.

About Quilin

Qilin is thought to be a hacker collective with ties to Russia that was established around 2022. The gang reportedly released over 700 statements claiming responsibility for ransomware attacks in 2025 alone, when it started to become more active. 

Additionally, Qilin uses a business model called "Ransomware as a Service" (RaaS), whereby it offers third parties ransomware programs and attack techniques as a service. Even anyone without a high level of technological competence can conduct assaults utilizing RaaS. 

The creation of ransomware and the implementation of the attacks have been split between many players who split ransom payments, whereas in the past, virus writers frequently carried out the operations individually. These company strategies seem to have gained popularity in recent years.

Attack tactics

Hackers typically breach a company's networks to prevent access to data and threaten to release it. This is referred regarded as a double extortion strategy. 

To make businesses pay, some hackers even go so far as to use triple or quadruple extortion. These include direct threats to the targeted company's clients and business partners or frequent distributed denial-of-service (DDoS) attacks that flood servers with data.  

According to reports, these techniques are become more malevolent. The majority of specialists concur that payments should not be made in principle, and even if a business pays the ransom, there is no assurance that the data would be released.




Read more »
Pop-ups
Call Center Call Center Scam CBI Cyber Fraud Cyber Scam Fake Calls Fake IT Support Financial Fraud Japan Pop-ups

CBI Uncovers Tech Support Scam Targeting Japanese Nationals in Multi-State Operation

 

The Central Bureau of Investigation (CBI) has uncovered a major international scam targeting Japanese citizens through fake tech support schemes. As part of its nationwide anti-cybercrime initiative, Operation Chakra V, the CBI arrested six individuals and shut down two fraudulent call centres operating across Delhi, Haryana, and Uttar Pradesh. 

According to officials, the suspects posed as representatives from Microsoft and Apple to deceive victims into believing their electronic devices were compromised. These cybercriminals manipulated their targets—mainly Japanese nationals—into transferring over ₹1.2 crore (approximately 20.3 million Japanese Yen) under the pretense of resolving non-existent technical issues. 

The investigation, carried out in collaboration with Japan’s National Police Agency and Microsoft, played a key role in tracing the culprits and dismantling their infrastructure. The CBI emphasized that international cooperation was vital in identifying the criminal network and its operations. 

Among those arrested were Ashu Singh from Delhi, Kapil Ghakhar from Panipat, Rohit Maurya from Ayodhya, and three Varanasi residents—Shubham Jaiswal, Vivek Raj, and Adarsh Kumar. These individuals operated two fake customer support centres that mirrored legitimate ones in appearance but were in fact used to run scams. 

The fraud typically began when victims received pop-up messages on their computers claiming a security threat. They were prompted to call a number, which connected them to scammers based in India pretending to be technical support staff. Once in contact, the scammers gained remote access to the victims’ systems, stole sensitive information, and urged them to make payments through bank transfers or by purchasing gift cards. In one severe case, a resident of Hyogo Prefecture lost over JPY 20 million after the attackers converted stolen funds into cryptocurrency. 

Language discrepancies during calls, such as awkward Japanese and audible Hindi in the background, helped authorities trace the origin of the calls. Investigators identified Manmeet Singh Basra of RK Puram and Jiten Harchand of Chhatarpur Enclave as key figures responsible for managing lead generation, financial transfers, and the technical setup behind the fraud. Harchand has reportedly operated numerous Skype accounts used in the scam. 

Between July and December 2024, the operation used 94 malicious Japanese-language URLs, traced to Indian IP addresses, to lure victims with fake alerts. The scheme relied heavily on social engineering tactics and tech deception, making it a highly sophisticated cyber fraud campaign with international implications.
Read more »
Ransomware
Cyber Attacks Japan KWE Ransomware

Japanese Logistics Firm KWE Faces Ransomware Attack, Causing Service Delays

 



Kintetsu World Express (KWE), a large logistics and freight company based in Japan, recently experienced a ransomware attack that caused trouble with some of its systems. As a result, certain customers are facing interruptions in service.

The company has not shared many details yet. The name of the group responsible for the attack remains unknown. However, KWE said that work is ongoing to bring systems back to normal and to find out if any data was accessed without permission.

This incident has raised concerns because it follows a similar case that happened about a year ago. In that earlier situation, a hacker group called “888” claimed to have stolen data from many of KWE’s clients. It is not clear if the two events are connected.


A Growing Pattern of Cyberattacks in Japan

KWE is not the only major business in Japan facing cyberattacks. Over the past year, several well-known Japanese companies have also been targeted. According to reports from cybersecurity experts, at least 46 organizations in Japan were hit by such attacks since late 2024.

Some of the most well-known victims include NTT Docomo, which is a leading mobile network operator, and Kadokawa, a large media company. Other businesses hit include Casio, which is known for its watches, and major banks such as Mizuho Bank, Resona Bank, and Mitsubishi UFJ Bank.

These attacks are part of a larger problem where cybercriminals try to gain control over systems or steal private data. In many ransomware cases, hackers lock important files and ask the company to pay money to get access back. These attacks can cause serious damage, disrupt operations, and lead to loss of trust.


What’s Next for KWE

KWE is continuing to fix the affected systems and investigate what happened. The company said it will keep its customers informed as it works on solutions.

Cybersecurity professionals are warning all companies, not just in Japan but around the world, to take steps to improve their digital security. Setting up strong defenses and preparing for emergencies can help reduce the damage caused by such attacks.

For now, it’s unclear how long the recovery will take, but this event shows how no company is completely safe from online threats.

Read more »
MirrorFace
Cyber Defence Cyber Security DDoS Hacker attack Hacker group Japan Japan Cyber Security MirrorFace

Japan’s New Active Cyber Defence Strategy to Counter Growing Threats

 

Japan is taking decisive steps to enhance its cybersecurity through a new strategy of “active cyber defence.” This approach enables authorized hackers working for the police or Self-Defence Forces (SDF) to infiltrate servers and neutralize cyber-attack sources before they cause significant damage. The ruling Liberal Democratic Party (LDP), led by Prime Minister Shigeru Ishiba, plans to introduce relevant legislation during the current parliamentary session. The urgency for stronger cybersecurity measures has escalated due to recent attacks. 

The National Police Agency (NPA) revealed that the Chinese state-linked hacking group MirrorFace was responsible for over 200 cyberattacks targeting Japan’s foreign ministries and semiconductor industry between 2019 and 2024. Additionally, cyber incursions since late December 2024 disrupted financial services, delayed flights, and exposed vulnerabilities in Japan’s critical infrastructure. Japan’s revised 2022 National Security Strategy identifies cyberattacks as a growing threat, likening cross-border hacks of civilian infrastructure to intimidation tactics that stop short of war. 

This has prompted Japan to expand its SDF cyber unit from 620 members in March 2024 to about 2,400 today, with plans to reach 4,000 personnel by 2028. However, this remains small compared to China’s estimated 30,000-member cyber-attack force. The proposed active defence strategy aims to bolster cooperation between public and private sectors, focusing on safeguarding critical infrastructure, such as energy, transportation, finance, and telecommunications. Japan also plans to establish a National Cyber Security Office in 2025 to coordinate cybersecurity policy, identify vulnerabilities, and advise private sector organizations. 

To prevent misuse, strict safeguards will accompany the strategy. Hackers will need prior approval to break into servers unless immediate action is required during active attacks. Penalties will address excessive monitoring or personal data leaks, ensuring transparency and public trust. Trend Micro’s recent findings underscore the importance of these measures. The security firm attributed recent cyberattacks to distributed denial-of-service (DDoS) campaigns launched by botnets. These attacks overwhelmed network servers with data, causing widespread disruptions to services like Japan Airlines and major banks. 

While Japan’s proactive approach is a significant step forward, experts like Professor Kazuto Suzuki caution that it may not deter all attackers. He notes that cyber deterrence is challenging due to the unpredictability of attackers’ methods. However, this strategy is expected to instill some fear of retaliation among hackers and strengthen Japan’s cybersecurity posture. As cyber threats evolve, Japan’s active defence initiative represents a critical effort to protect its infrastructure, economy, and national security from escalating digital risks.
Read more »
Threat Landscape
Chinese Hackers Cyber Attacks Japan MirrorFace Threat Landscape

Japan Attributes Ongoing Cyberattacks to China-Linked MirrorFace Group

 


Japan's National Police Agency (NPA) and the National Centre of Incident Readiness and Strategy for Cybersecurity (NISC) have officially attributed a prolonged cyberattack campaign targeting Japanese organizations and individuals since 2019 to the China-linked threat actor MirrorFace, also known as Earth Kasha.

The cyberattacks were designed to steal sensitive information related to Japan's national security and emerging technologies. MirrorFace is reportedly a subgroup of the Chinese state-sponsored hacking collective APT10, notorious for deploying malware tools such as ANEL, LODEINFO, and NOOPDOOR.

Authorities have identified three distinct phases in MirrorFace's attack operations:
  • December 2019 – July 2023: Spear-phishing emails carrying malware like LODEINFO, LilimRAT, and NOOPDOOR targeted government agencies, think tanks, politicians, and media outlets.
  • February – October 2023: Malware such as Cobalt Strike Beacon, LODEINFO, and NOOPDOOR was deployed through vulnerabilities in network devices to infiltrate sectors like semiconductors, aerospace, and academic institutions.
  • June 2024 – Present: Phishing emails loaded with ANEL malware were sent to think tanks, political figures, and media organizations.

Sophisticated Cyberattack Techniques

MirrorFace utilized advanced methods to evade detection and maintain persistence, including:
  • Windows Sandbox Deployment: Malware was executed within the Windows Sandbox, a virtualized environment that limits malware persistence by erasing data upon system reset.
  • Evasion of Security Tools: This technique allowed malware to operate undetected by antivirus software.

Scale and Impact of the Cyberattacks

The NPA has connected MirrorFace to over 200 cyber incidents spanning five years. The affected sectors include:
  • Government Agencies
  • Defense Organizations
  • Space Research Centers
  • Private Enterprises in Advanced Technologies

Phishing emails often used compelling subjects like "Japan-US alliance" and "Taiwan Strait" to deceive recipients into downloading malicious attachments. Notable attacks linked to similar tactics include:
  • Japan Aerospace Exploration Agency (JAXA): Targeted in a sophisticated cyberattack.
  • Port of Nagoya (2023): Disrupted by a ransomware incident.

In response to these threats, the NPA issued a public warning:

“This alert aims to raise awareness among targeted organizations, businesses, and individuals about the threats they face in cyberspace by publicly disclosing the methods used in the cyber-attacks by ‘MirrorFace.’ It also seeks to encourage the implementation of appropriate security measures to prevent the expansion of damage from cyber-attacks and to avert potential harm.”

The warning underscores the need for heightened cybersecurity practices across sectors to mitigate risks from increasingly sophisticated cyber threats.
Read more »
MirrorFace
CISA cyber espionage Cyber Security Japan MirrorFace

CISA Urges Immediate Fix for Critical Array Networks Flaw

 


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding a critical security flaw in Array Networks AG and vxAG secure access gateways. The flaw, identified as CVE-2023-28461, has been under active exploitation by attackers. CISA has advised the federal agencies to install patches before December 16, 2024, in order to protect their systems. 


Understanding the Vulnerability

The flaw, rated with a critical severity score of 9.8, is caused by missing authentication in the software, enabling attackers to remotely execute harmful commands or access sensitive files without proper authorization. According to Array Networks, the vulnerability can be triggered by sending specific HTTP headers to vulnerable URLs.

A patch for this weakness was issued in March 2023 (version 9.4.0.484), but follow-up attacks indicate many systems have not been patched yet. Organizations using this application should update now to ensure the integrity of their network.


Who is attacking this flaw?

A cyber espionage group known as Earth Kasha, or MirrorFace, has been identified as actively exploiting this flaw. Tied to China, the group usually targets entities in Japan, but its activities have also been seen in Taiwan, India, and Europe.

In one attack, Earth Kasha used the weakness to spearhead a campaign of compromise against a European diplomatic body. The attackers were phishing emails referencing the future World Expo 2025 to be held in Japan that would lure victims to download a backdoor called ANEL. 


Vulnerability of Systems 

The cyber security firm VulnCheck stated that more than 440,000 devices with internet access may be prone to attack because of this type of vulnerability. Also, it was indicated in the report that in 2023 alone, 15 Chinese-linked hacking groups targeted at least one of the top 15 commonly exploited flaws. 


How Can Organizations Protect Themselves 

To minimize such threats, organizations must:

  1. Ensure all systems that implement Array Networks software are maintained on the latest patched version. 
  2. Reduce your exposure to sensitive devices on the internet whenever possible.
  3. Use robust patch management and monitoring systems to augment your defenses.
  4. Educate yourself through threat intelligence reports to understand emerging risks.


CISA Message to Agencies

Such direction has been given to agencies of the federal government for immediate action. By the utilization of these patches, they are capable of avoiding possible security breaches and further strengthening themselves against more complex cyber attacks. This reminder underscores a very critical point in proactive cybersecurity.


Read more »
ransomware attacks
Conti Ransomware Cyber Security Cyberattack Japan Japan Cyber attack Logs Malware Detection ransomware attacks

JPCERT Shares Tips for Detecting Ransomware Attacks Using Windows Event Logs

 

Japan’s Computer Emergency Response Center (JPCERT/CC) recently revealed strategies to detect ransomware attacks by analyzing Windows Event Logs, offering vital early detection before the attack spreads. JPCERT’s insights focus on identifying digital traces left behind by ransomware within four key types of event logs: Application, Security, System, and Setup logs. These logs reveal valuable clues about the entry points used by attackers and can assist in quicker mitigation. Ransomware attacks often target system vulnerabilities and attempt to encrypt files, delete backups, or modify network settings, leaving detectable traces within the event logs. 

For example, the notorious Conti ransomware can be recognized by multiple event logs connected to the Windows Restart Manager, showing event IDs 10000 and 10001. Other ransomware variants like Akira, Lockbit3.0, and HelloKitty, which share similar encryptor technology, leave comparable logs. Additionally, ransomware such as Phobos records when system backups are deleted, a key indicator of malicious activity. Detecting these logs promptly allows administrators to intervene before damage escalates. Midas ransomware, known for spreading infection via network changes, logs event ID 7040. Similarly, BadRabbit leaves event ID 7045 when installing its encryption component, while Bisamware logs events during the beginning and end of a Windows Installer transaction (event IDs 1040 and 1042). 

Other ransomware strains, like Shade, GandCrab, and Vice Society, create errors related to accessing COM applications and deleting Volume Shadow Copies, which are pivotal for restoring encrypted data. JPCERT’s findings illustrate that monitoring for these specific event IDs in combination with a broader security framework could be a game-changer in ransomware defense. Though older ransomware variants like WannaCry and Petya left no such traces in Windows logs, modern ransomware often does. As a result, tracking these logs offers an effective layer of protection against new threats, helping to prevent encryption and data loss. 

It is important to note that no single method of detection is foolproof. A multi-layered approach that combines monitoring event logs with other security tools and protocols remains crucial for protecting systems from ransomware attacks. By using this event log analysis strategy, organizations can significantly reduce the chances of ransomware spreading undetected, giving them the edge in stopping an attack before it cripples their network.
Read more »
Subscribe to: Comments (Atom)