6 posts categorized "#Tsubame"

Nov 16, 2016

APCERT Annual General Meeting & Conference 2016 in Tokyo and JPCERT/CC’s 20th Anniversary

Hi all, this is Yuka from Global Coordination Division and also serving as APCERT Secretariat.

We are happy to announce that we have just finished one of the big tasks for this year – hosting the APCERT Annual General Meeting & Conference 2016, which was held on 24-27 October at Royal Park Hotel in Tokyo. Since the official establishment of APCERT in 2003, its annual conference had never been held in Tokyo. There was, though, a meeting in 2002 of the Asia Pacific Security Incident Response Coordination Conference (APSIRC; the predecessor of APCERT) where forming a community for CSIRTs in the Asia Pacific region was discussed. Strangely enough, the 2002 conference was also held in the same hotel – we actually booked the venue without knowing that. We were thrilled to learn of the coincidence.

The Conference was run for four days:

24 Oct: Working Group Meetings, Team Building, Welcome Cocktail

25 Oct: TSUBAME Workshop, CyberGreen Workshop, Steering Committee Meeting

26 Oct: Closed Conference, Annual General Meeting, Gala Dinner

27 Oct: Open Conference

(Photo taken during TSUBAME Workshop – trainees working on some hands-on exercise)

From Day 1 through to Day 3, sessions for APCERT members and invited guests were conducted, and Day 4 was an open session that included the general public. Altogether we had APCERT Operational Members from 23 teams of 18 economies in Asia Pacific, Supporting Members, global partners, sponsors and some local guests – approximately 200 people in total. The Conference was themed “Borderless Cooperation, Seamless Action – Towards a Cleaner, Greener Cyber Space –”, which indeed reflects the aim of this community. The Conference program on the 27th was arranged based on a Call For Papers, with presentations covering a wide range of recent technical trends, and concluded with a panel discussion on CSIRT operations, as listed below.

- IoT Threat and IoT Botnet

- Protecting CNII against Malware Threats: A Coherent Response through Cooperation Amongst OIC Countries

- APT Campaign Targets Japanese Critical Infrastructure

- Ransomware Tracking and AP Region Footprint

- Who’s That Knocking on My Back Door: A Jboss Case

- Sophisticated Financial Fraud Malware (Mobile) in Korea

- Collaborative Research for Development of CSIRTs in Vietnam

- Best Practices and Common Missteps in Responding to Major Incidents

- Engaging the ISPs in Effective National Network Abuse Handling

(Programs available here: https://www.apcert.org/apcert2016/program.html)

(Team JPCERT/CC after the event – Photo by our colleague)

What made this event special was not only the fact that it was hosted in Tokyo for the first time as APCERT, but also that it coincided with the 20th anniversary for JPCERT/CC.

Established in October 1996 as one of the oldest CSIRTs in the world, JPCERT/CC has been contributing to creating a safer cyber security environment both in Japan and across the globe. To look back over its activities from internal and external perspectives, a symposium was held on 28 October, inviting local partners. The symposium contained presentations from JPCERT/CC staff and partners covering the history of our activities and ideas for future plans, and was followed by a social cocktail.

What these two events brought home to us is the fact that JPCERT/CC has been supported by various partners locally and globally. For the anniversary event, some of our foreign counterpart organisations kindly sent us video messages with words of celebration. From local communities, we received feedback about our activities, some positive evaluations and also encouragement. Indeed, since JPCERT/CC is a “Coordination Center”, our activities require coordination with various entities, and creating a safer cyber space cannot be accomplished without the support of such local and global partners. We hope that both events were good opportunities to show our gratitude for the special partnership over the past 20 years, and we look forward to continuing and developing the relationship for the next 10 years and more.

Thanks for reading.

- Yukako Uchida

Oct 13, 2015

APCERT Annual General Meeting and Conference 2015 in Kuala Lumpur

Hi again, it’s Yuka from Global Coordination Division and also serving as APCERT Secretariat. It’s been a while since I wrote here last time.

My entry this time is about the biggest event of APCERT, which we recently attended: the Annual General Meeting (AGM) and Conference 2015 in Kuala Lumpur, Malaysia on 6-10 September. This event, hosted by CyberSecurity Malaysia (MyCERT), marked the 12th annual conference for APCERT. What made the event special was that it was held concurrently with the AGM & Conference for OIC-CERT (Organisation of the Islamic Cooperation – Computer Emergency Response Team) and also Malaysia’s local cyber security exhibition. This was the first conference where APCERT and OIC-CERT collaborated, and members of both organisations had a great opportunity to interact with each other through a series of sessions during the week.

The event was conducted as follows:

6 September

AM: Workshops including Cyber Green

PM: APCERT Closed Session (Working Groups)

7 September

AM: APCERT Steering Committee Meeting

PM: APCERT Annual General Meeting (AGM)

8 September

AM: TSUBAME Workshop

PM: APCERT & OIC-CERT Desktop Exercise

9 September

AM: APCERT Closed Conference

PM: APCERT & OIC-CERT Steering Committee Discussion

10 September

All: APCERT & OIC-CERT Open Conference

For the APCERT AGM on 7 September, 26 Operational Members were present to discuss APCERT business matters and share information on the previous year’s activities of APCERT. As Secretariat, I would like to take this opportunity to thank Microsoft for providing the fellowship for our event, which significantly supported the participation of APCERT members.

JPCERT/CC completed our 4th consecutive term as Chair at this AGM, and CERT Australia was elected for this position. Also, MyCERT was elected as the new Deputy Chair, following KrCERT/CC’s completion of a 4-year term in this position. JPCERT/CC was re-elected as Steering Committee member and Secretariat for the next 2-year term and will keep contributing to the community by providing initiatives and administrative support. Also, we are happy to announce that we have been chosen to host the next APCERT AGM & Conference 2016 in Tokyo. It is also the year of JPCERT/CC’s 20th anniversary since its establishment, and we hope to celebrate such a milestone together with our domestic partners and APCERT members.

A token of appreciation for completing 4 years as Chair was presented from APCERT Steering Committee, and another token for contribution as a Steering Committee member was presented from the conference host (these were surprise gifts!).

JPCERT/CC colleagues with the tokens (Photo by Shikapon)

JPCERT/CC conducted the TSUBAME Workshop and Cyber Green Workshop during the week. This year, the TSUBAME workshop focused more on hands-on sessions rather than lectures, so the participants were more involved and able to familiarise themselves with the system. Our hope is that each member shares what was presented during the session and utilises it in their day-to-day incident handling activities. It was also our pleasure to invite OIC-CERT members to the TSUBAME Workshop for the first time.

For details on the Cyber Green Workshop, which was also a success, our colleague Taki wrote an article which is available on the Cyber Green website:

http://www.cybergreen.net/blog/apcert-oic-cert-annual-conference

Yurie and Taki at the Cyber Green Workshop (Photo by Shikapon)

After all, it was an intense week full of events – but indeed it was great to see some old and familiar colleagues of APCERT, and some new faces as well. I recall it really was a huge event, involving both APCERT and OIC-CERT. We would like to take this opportunity to thank MyCERT, the host team, for their hospitality and congratulate them on the success of the event.

Cheers,

- Yukako Uchida

Dec 25, 2014

Increase in Possible Scan Activity from NAS Devices

Happy holidays to all, this is Tetsuya from Watch and Warning Group. Today, I would like to share a recent, remarkable trend discovered through TSUBAME sensors.


In TSUBAME, we have observed a significant increase in packets destined for 8080/TCP since December 5th, 2014. When accessing the source IP addresses with a web browser, the admin login screen of NAS devices provided by QNAP was seen in many cases for IP addresses from certain regions.


[Figure 1: Scan count per hour observed at 8080/TCP from December 2nd, 2014 onwards (Source: TSUBAME)]


Below are some characteristics that we noticed from TSUBAME data:

  - Increase in packets to Port 8080/TCP since December 5th, 2014

  - The TTL value for most of the packets was between 30 and 59

  - A scan attempt sends 1 - 2 packets (the second packet is a re-send)

  - A source IP does not continuously scan a particular destination IP (the majority scan only once)

Also we were able to verify the following after checking some of the source IP addresses:

  - When accessing Port 80/TCP of the source address, a redirect to Port 8080/TCP occurs and the admin login screen of QNAP NAS is shown

  - The QNAP firmware looks to be version 4.1.0 or earlier (Information taken from the screen that is shown. 4.1.0 and earlier are affected by Shellshock) (*1)
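The scan profile listed above (hourly volume to 8080/TCP, TTL between 30 and 59, one or two packets per source/destination pair) can be checked mechanically against sensor records. The following is an added example written for this post, not TSUBAME code; it assumes a constructed, space-separated record format and RFC 5737 test addresses.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sensor-style records (RFC 5737 addresses), not real TSUBAME data.
# Fields: timestamp, source IP, destination IP, destination port, protocol, IP TTL
SAMPLE_RECORDS = """\
2014-12-05T10:00:01 203.0.113.10 192.0.2.5 8080 tcp 45
2014-12-05T10:00:02 203.0.113.10 192.0.2.5 8080 tcp 45
2014-12-05T10:03:10 203.0.113.11 192.0.2.5 8080 tcp 52
2014-12-05T10:20:00 198.51.100.7 192.0.2.6 8080 tcp 38
2014-12-05T11:05:00 198.51.100.9 192.0.2.5 8080 tcp 120
2014-12-05T11:06:00 198.51.100.9 192.0.2.5 8080 tcp 120
2014-12-05T11:07:00 198.51.100.9 192.0.2.5 8080 tcp 120
2014-12-05T11:30:00 203.0.113.12 192.0.2.5 22 tcp 50
"""

def parse_records(text):
    rows = []
    for line in text.splitlines():
        ts, src, dst, dport, proto, ttl = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                     "dport": int(dport), "proto": proto, "ttl": int(ttl)})
    return rows

def hourly_counts(rows, dport=8080):
    """Packets per hour to one TCP port: the series that Figure 1 plots."""
    counts = Counter()
    for r in rows:
        if r["proto"] == "tcp" and r["dport"] == dport:
            counts[r["ts"].strftime("%Y-%m-%dT%H")] += 1
    return dict(sorted(counts.items()))

def profile_sources(rows, dport=8080, ttl_range=(30, 59), max_pkts=2):
    """Per source: does its traffic match the profile described in the post
    (TTL 30-59, at most one or two packets per destination)?"""
    per_src = defaultdict(lambda: defaultdict(list))
    for r in rows:
        if r["proto"] == "tcp" and r["dport"] == dport:
            per_src[r["src"]][r["dst"]].append(r["ttl"])
    verdicts = {}
    for src, dsts in per_src.items():
        ttls = [t for lst in dsts.values() for t in lst]
        ttl_ok = all(ttl_range[0] <= t <= ttl_range[1] for t in ttls)
        one_shot = all(len(lst) <= max_pkts for lst in dsts.values())
        verdicts[src] = {"packets": len(ttls), "ttl_in_range": ttl_ok,
                         "one_shot": one_shot,
                         "matches_profile": ttl_ok and one_shot}
    return verdicts

if __name__ == "__main__":
    rows = parse_records(SAMPLE_RECORDS)
    print(hourly_counts(rows))
    for src, verdict in profile_sources(rows).items():
        print(src, verdict)
```

Sources that match the profile are candidates for the follow-up check described below (port 80 redirecting to the QNAP login page), not confirmed infections.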


Using an environment separate from TSUBAME to check the packets sent by an infected QNAP device, we saw the following request (there are several types of requests).


[Figure 2: Sample request from infected device (Source: JPCERT/CC)]


When a QNAP NAS device running a vulnerable firmware version receives this request, the Shellshock vulnerability is leveraged to download a malicious program over the Internet, and the device becomes infected with malware (*2, *3). Once infected, it begins to search for other vulnerable NAS devices. As a result of this activity, a large number of NAS devices were infected, and we believe this is the reason for the sudden increase in packets to 8080/TCP.


The vendor has released firmware to address the Shellshock vulnerability. If you have yet to apply the update, we recommend that you first check (*2) whether you have been infected or not.

  JVN#55667175 QNAP QTS vulnerable to OS command injection (*1)
  https://jvn.jp/en/jp/JVN55667175/

  The Shellshock Aftershock for NAS Administrators (*2)
  https://www.fireeye.com/blog/threat-research/2014/10/the-shellshock-aftershock-for-nas-administrators.html

  Worm Backdoors and Secures QNAP Network Storage Devices (*3)
  https://isc.sans.edu/forums/diary/Worm+Backdoors+and+Secures+QNAP+Network+Storage+Devices/19061

  An Urgent Fix on the Reported Infection of a Variant of GNU Bash Environment Variable Command Injection Vulnerability (*4)
  http://www.qnap.com/i/en/support/con_show.php?cid=74

Thank you for reading, and we wish you all the best for the coming year.


- Tetsuya Mizuno

Oct 30, 2014

TSUBAME Training and Annual National Conference on Cyber Security in Sri Lanka

Hello, this is Taki and today I would like to write about my trip to Colombo, Sri Lanka from September 30th through October 2nd.

I went with Tetsuya to conduct TSUBAME trainings at Sri Lanka CERT|CC and TechCERT, and to give a presentation at Cyber Security Week 2014 - 7th Annual National Conference on Cyber Security.

TSUBAME Training for Sri Lanka CERT|CC and TechCERT

Unlike our previous TSUBAME trainings in Jakarta and Vientiane, this time the trainees were only from the respective organizations.

The number of trainees for both sessions was relatively small, which allowed us to facilitate more discussion during the sessions. However, unlike the previous trainings we only had about a day of training for each, so we focused mainly on the analysis of TSUBAME data, while incorporating how to access data through the portal, etc.


Tetsuya at the training at Sri Lanka CERT|CC


Training at TechCERT

It is our hope at JPCERT/CC that the trainings helped in enhancing the trainees’ data analysis skills. Discussions on how to collect data and how to analyze large amounts of data were very fruitful and gave us a lot to think about as we move forward as well. We hope to continue dialog with our colleagues in Sri Lanka about these topics.

7th Annual National Conference on Cyber Security in Sri Lanka

Also, Tetsuya and I attended the 7th Annual National Conference on Cyber Security, which was part of Cyber Security Week 2014, on October 1st. There were a little over 200 people in attendance, of whom about 20 or so were from outside Sri Lanka. From what I gathered, most of the people in attendance were IT professionals, IT managers, CEOs, lawyers etc. from vendors and service providers in Sri Lanka.

The conference started with a celebration with music and a ceremonial oil lamp lighting followed by the national anthem of Sri Lanka. The traditional oil lamp lighting ceremony was something I had never seen before.


Traditional oil lamp lighting

I also presented during the conference and spoke about JPCERT/CC activities focusing on activities where we collaborate globally, including the TSUBAME project, overseas CSIRT development, vulnerability handling among others.

I had some people come up to me with some questions during the social event, held directly after the conference. Some of the questions included TSUBAME and network monitoring / data analysis and others related to vulnerabilities, but more on the disclosure side.


Taki talking at the Conference

All in all, my first trip to Colombo was very nice, but all too short. I do hope that I get to visit in the future and spend some time taking in the sites as well as the history of Sri Lanka.

Lastly I would like to thank our colleagues from Sri Lanka CERT|CC and TechCERT for their wonderful hospitality. I can definitely say that I would not have enjoyed this trip as much as I did without them taking such good care of us.

That is it for today. I hope to write again sometime soon.

- Taki Uchiyama

Jun 26, 2014

TSUBAME Training in Indonesia and Laos

Hi there! This is Tetsuya Mizuno from Watch and Warning group.


Today, I would like to introduce one of our activities: technical training through the TSUBAME project. TSUBAME, headed by JPCERT/CC, is a project using a packet monitoring system which deploys sensors in multiple countries to detect wide-ranging malicious activities on the Internet (without collecting any sensitive data). The project is operated as one of the working groups of APCERT, and the members consist of 24 teams from 21 economies, mainly National CSIRTs in the Asia Pacific region (as of June 2014). In order to boost members’ capability in internet-based threat analysis, we have provided some on-site technical training. Its objective is to give participants sufficient knowledge to investigate global threats, in order to promote data sharing as well as enhance analysis competence among the members.


This article will cover how we are implementing this activity by introducing our two recent on-site trainings in Indonesia and Laos conducted by my colleague Takayuki (Taki) Uchiyama and myself.


Training in Indonesia

We organized training in Jakarta, Indonesia on 5-7 March 2014 for approximately 40 participants from ID-SIRTII/CC and their partner organization, ACAD-CSIRT. The training was based on hands-on exercise consisting of four phases: (1) TSUBAME sensor setup and management, (2) TSUBAME web functions, (3) analysis combining TSUBAME data and other obtained data and (4) analysis on case studies by examining various network protocols.


The main purpose of this training was to enhance trainees’ practical skills in analyzing network traffic and managing sensors. Building on their basic knowledge of TSUBAME, we focused on advanced training in how to analyze various internet protocols and identify the online behavior of network threats.


I was glad to hear a lot of positive feedback from the participants – they felt that their skills had improved and wanted to put them into practice in their daily jobs.


Photo taken by ID-SIRTII/CC


Photo taken by Tetsuya


Training in Laos

Following the training in Indonesia, we conducted another session at LaoCERT, in collaboration with ThaiCERT, on 21-22 May 2014 for approximately 20 participants. Along with the training, we installed our first sensor in Laos, which made LaoCERT the 24th member team of the TSUBAME project. Since packet monitoring was a new challenge for some participants, we supported the hands-on exercises with lectures on general network knowledge. The training consisted of five phases: (1) basic knowledge of networks, (2) overview of TSUBAME, (3) TSUBAME sensor setup and management, (4) TSUBAME web functions and (5) tips for TSUBAME data analysis based on case studies.


During this training, we could see that the trainees were highly motivated – and we were assured that the knowledge they acquired would definitely help improve their packet monitoring operations.


Photo taken by LaoCERT


Photo taken by Tetsuya


We look forward to continuing to contribute to enhancing packet monitoring capability, in order to promote collaboration among TSUBAME members and confront internet threats as a whole.


If you have any inquiries on this topic or TSUBAME, please contact me at tsubame-sec(at)jpcert.or.jp.

- Tetsuya Mizuno

May 08, 2014

APCERT Annual General Meeting and TSUBAME Workshop by JPCERT/CC

Hello everyone! This is Yuka from the Global Coordination Division and APCERT Secretariat.


Today I would like to tell you about the biggest event of APCERT, the 11th Annual General Meeting (AGM) and Conference 2014, which was held from 18th to 21st March in Taipei. 21 Operational Member teams participated in this reunion, as well as some delegates from invited parties. TWNCERT was the host of this event, and JPCERT/CC assisted them as the Chair and Secretariat team.


ABOUT APCERT AGM & CONFERENCE 2014

<Event Schedule>

18 March: Steering Committee Meeting and Working Group Meetings/Workshop

19 March: Closed Conference and Team Building Event

20 March: AGM & Closed Conference

21 March: Public Conference


At the Conference (photo by Yuka)


The event consisted of three main parts: meetings, conference and workshop. In the Steering Committee Meeting and the Annual General Meeting (Members only), APCERT members’ activities in 2013 (e.g. participation in international conferences) were reviewed, and various topics about APCERT business and policies were presented for discussion. At the AGM, JPCERT/CC was elected as Chair team of APCERT for the 4th consecutive year – we feel honoured to continue our contribution to this community for another term. At the conference, speakers from different areas of expertise – not only from CSIRT teams but also security vendors and other organisations – were invited to deliver presentations.


TSUBAME WORKSHOP HOSTED BY JPCERT/CC

Among all the agenda items of the event, I would like to highlight the TSUBAME workshop on the 2nd day, which was hosted by JPCERT/CC. TSUBAME is a network monitoring system developed by JPCERT/CC. 15 people from TSUBAME member teams and also from potential member teams participated in this workshop. JPCERT/CC has organised a TSUBAME Workshop at the APCERT AGM every year since 2010 – so this was the 5th workshop. Kaori from the Global Coordination Division and Shikapon from the Watch and Warning Group presented the latest trends observed through the system and gave a hands-on session on the TSUBAME portal site. In addition, 2 participating teams gave presentations sharing their activities and the outcomes gained through the TSUBAME project.


At TSUBAME Workshop (photo by Yuka)


SCANNING ACTIVITIES ON NTP, PORT 123/UDP

One of the topics covered in the workshop was DDoS attacks exploiting an NTP (Network Time Protocol) feature. Since the end of 2013, we have been observing, through the TSUBAME system, lots of probes to Port 123/UDP, which is used for NTP.


We confirmed that some of the packets received by TSUBAME actually carried the “monlist” command. The NTP service supports a monitoring feature that allows administrators to query the server for traffic counts of recently connected clients. This information is provided via the “monlist” command.


This feature can be abused to conduct a “Distributed Reflection Denial-of-Service (DRDoS) attack”. The basic technique consists of an attacker sending a "monlist" request to a vulnerable NTP server with the source address spoofed to be the victim’s address. The server then sends a large response containing the traffic counts of recently connected clients to the victim, which could slow its responses or even bring the system down.
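Telling the monlist probes described above apart from ordinary NTP client traffic on 123/UDP only requires decoding the first bytes of the payload. The following classifier is an added example written for this post, not TSUBAME code; the sample datagrams are constructed and use RFC 5737 test addresses.

```python
from collections import Counter

# NTP mode 7 ("private") packets carry a 4-byte header:
#   byte 0: R(1) M(1) VN(3) Mode(3)   R = response bit, M = more bit
#   byte 1: A(1) Sequence(7)
#   byte 2: implementation (3 = XNTPD)
#   byte 3: request code; 20 = MON_GETLIST and 42 = MON_GETLIST_1 are "monlist"
MODE_CONTROL, MODE_PRIVATE = 6, 7
MONLIST_CODES = {20: "MON_GETLIST", 42: "MON_GETLIST_1"}
MODE_NAMES = {1: "symmetric-active", 2: "symmetric-passive", 3: "client",
              4: "server", 5: "broadcast"}

def classify_ntp_payload(payload: bytes) -> str:
    """Label one UDP/123 payload by NTP mode and single out monlist traffic."""
    if len(payload) < 4:
        return "malformed"
    mode = payload[0] & 0x07
    if mode == MODE_PRIVATE:
        is_response = bool(payload[0] & 0x80)
        if payload[3] in MONLIST_CODES:
            return "monlist-response" if is_response else "monlist-request"
        return "private-other"
    if mode == MODE_CONTROL:
        return "control"
    return MODE_NAMES.get(mode, "unknown")

def summarise(datagrams):
    """Count labels overall and monlist requests per source address.
    datagrams: iterable of (src_ip, dst_port, payload) tuples."""
    labels, monlist_sources = Counter(), Counter()
    for src, dport, payload in datagrams:
        if dport != 123:
            continue
        label = classify_ntp_payload(payload)
        labels[label] += 1
        if label == "monlist-request":
            monlist_sources[src] += 1
    return dict(labels), dict(monlist_sources)

# Constructed sample datagrams, not sensor data.
SAMPLE = [
    ("192.0.2.10", 123, b"\x1b" + b"\x00" * 47),              # ordinary client sync (mode 3)
    ("203.0.113.5", 123, b"\x17\x00\x03\x2a" + b"\x00" * 4),  # monlist request, MON_GETLIST_1
    ("203.0.113.5", 123, b"\x17\x00\x03\x2a" + b"\x00" * 4),
    ("203.0.113.6", 123, b"\x17\x00\x03\x14" + b"\x00" * 4),  # monlist request, MON_GETLIST
    ("198.51.100.2", 123, b"\xd7\x00\x03\x2a" + b"\x00" * 4), # monlist response (R bit set)
    ("192.0.2.11", 123, b"\x16\x02\x00\x01" + b"\x00" * 8),   # mode 6 control query
    ("192.0.2.12", 53, b"\x17\x00\x03\x2a"),                  # not port 123, ignored
]

if __name__ == "__main__":
    print(summarise(SAMPLE))
```

A "monlist-response" leaving your own network towards an address that never sent a request is the reflector-side symptom of the attack described above, so it is worth counting separately from inbound requests.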


As has already been announced by CSIRTs (including JPCERT/CC) and various security vendors, NTP servers based on ntpd implementations prior to version 4.2.7p26 that use the default unrestricted query configuration are vulnerable to this type of attack. Users of these versions are recommended to update to a later version to prevent the issue.

JPCERT/CC - Alert regarding DDoS attacks leveraging the monlist function in ntpd

https://www.jpcert.or.jp/english/at/2014/at140001.html

CERT/CC - NTP can be abused to amplify denial-of-service attack traffic

http://www.kb.cert.org/vuls/id/348126

We have been constantly seeing packets addressed to Port 123/UDP, and the volume has even been increasing lately, as the graph indicates. This suggests that the recommended measures have not yet been widely taken. (Please note that the trend shown in the graph includes scanning activities by security organisations; the peaks are not necessarily associated with serious attacks.)

Graph: Scan count per day observed at 123/UDP from November 2013 to April 2014

Source: JPCERT/CC


Through the TSUBAME system, JPCERT/CC will keep a close eye on such suspicious packet traffic and share indications of cyber incidents with relevant parties. We sincerely hope to be of help in the early discovery and prevention of potential incidents.


Cheers!

- Yukako Uchida