7 posts categorized "#Tsubame"

Feb 20, 2018

Identify Mirai Variant Infected Devices from SSDP Response

As it has been discussed in some reports from security researchers, devices infected with Mirai and its variants are forming large-scale botnets, which are often leveraged as a platform for attacks such as DDoS and other malicious activities.

JPCERT/CC has been investigating and analysing infection activity caused by Mirai variants since 2016 and providing measures to prevent further infection both in Japan and overseas. Given the significant increase in devices infected with Mirai and its variants observed from the end of October 2017, JPCERT/CC issued a security alert on 19 December. For this alert, JPCERT/CC coordinated with a device vendor to identify the infected device models. This entry introduces the approach we took in this investigation.

Observation results and initial investigation

In late October 2017, we confirmed through JPCERT/CC’s packet traffic monitoring system (TSUBAME) that devices infected with a Mirai variant were carrying out scans to global IP addresses, targeting Port 23/TCP and 2323/TCP. Further detailed analysis revealed some of the source IP addresses used for the scan activities. [1]

Comparing these IP addresses against network scan results provided by local and global security organisations, it turned out that most of the affected hosts also exposed the Simple Service Discovery Protocol (SSDP) service directly to the Internet.

How to Identify MAC address from SSDP response

SSDP is one of the protocols used for Universal Plug and Play (UPnP). It is used to discover devices connected to the network and runs on port 1900/UDP. The exchange performed when searching for devices with SSDP is shown in Figure 1.

Figure 1: Part of communication for searching devices using SSDP

In this protocol, a client sends a query (M-SEARCH) to the network, and each device that receives the query returns a unicast response. The figure labels this response NOTIFY; in the UPnP specification the search response is an HTTP/1.1 200 OK message with the same header layout as the unsolicited NOTIFY (ssdp:alive) advertisement, and both carry the device's identifier in the USN header, so the technique below applies to either.

The response contains information about the device itself, including a Universally Unique Identifier (UUID) in its USN header. A UUID is a 128-bit value used to uniquely identify an object in software. RFC 4122 defines five versions [2]; version 1 is built from a timestamp (when the UUID was generated), a clock sequence and the MAC address of the generating host. Figure 2 shows the data structure of a version 1 UUID.

Figure 2: Structure of UUID version 1

In this version, the MAC address occupies the node field, the last 12 hex digits of the UUID; the first digit of the third group is the version nibble, so a value of 1 there tells you that this layout applies. This means that the device can be identified from the payload returned in response to an SSDP query. The vendor can also be determined from the first 3 octets of the MAC address, the Organizationally Unique Identifier (OUI), by looking them up in the IEEE registry. Two caveats apply: RFC 4122 allows a generator with no MAC address to use a random node value with the multicast bit (the least significant bit of the first octet) set, so that bit should be checked before treating the field as a MAC address; and a UUID can have been generated at build time rather than on the unit, in which case the node field identifies the build host rather than the device seen on the network.
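The decoding described above, as an added example that is not part of the original post or of any JPCERT/CC tooling. It parses a constructed SSDP search response (the addresses and SERVER string are made up, and the UUID is the version 1 example from RFC 4122 rather than one observed in the investigation), checks the version nibble, applies the multicast-bit test for a random node ID, and returns the MAC address, its OUI and the UUID generation time. The lookup of the OUI against the IEEE registry is assumed to be an external step.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample: a unicast reply to an SSDP M-SEARCH as an Internet-exposed
# UPnP device would send it. Addresses and SERVER string are illustrative; the
# UUID is the version 1 example from RFC 4122, not one observed by JPCERT/CC.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "ST: upnp:rootdevice\r\n"
    "USN: uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6::upnp:rootdevice\r\n"
    "LOCATION: http://192.0.2.10:49152/rootDesc.xml\r\n"
    "SERVER: Linux/3.10 UPnP/1.0 IGD/1.0\r\n"
    "\r\n"
)

UUID_RE = re.compile(r"uuid:([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})")

# Version 1 timestamps count 100 ns intervals from the Gregorian reform date.
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def parse_ssdp_headers(payload: str) -> dict:
    """Split an SSDP message (HTTP-style, CRLF-delimited) into a header dict.
    SSDP header names are case-insensitive, so keys are lower-cased."""
    headers = {}
    for line in payload.split("\r\n")[1:]:   # skip the start line
        if not line:
            break                            # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def device_info_from_uuid(uuid_str: str) -> dict:
    """Recover MAC address, OUI and generation time from a version 1 UUID."""
    u = uuid.UUID(uuid_str)
    info = {"uuid": str(u), "version": u.version, "mac": None, "oui": None,
            "random_node": None, "generated_at": None}
    if u.version != 1:
        return info          # other versions carry no node field or timestamp
    node = u.node            # 48-bit node field: the last 12 hex digits
    # RFC 4122 4.5: a generator without a MAC address must set the multicast bit
    # (least significant bit of the first octet) of a random node ID, so a set
    # bit means the field is not a real MAC address.
    info["random_node"] = bool((node >> 40) & 1)
    mac = ":".join(f"{(node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))
    info["mac"] = mac
    info["oui"] = mac[:8]    # first three octets; look up in the IEEE OUI registry
    info["generated_at"] = UUID_EPOCH + timedelta(microseconds=u.time // 10)
    return info


def identify_device(payload: str) -> Optional[dict]:
    """Pull the UUID out of the USN header and decode it; None if no UUID present."""
    headers = parse_ssdp_headers(payload)
    m = UUID_RE.search(headers.get("usn", ""))
    if not m:
        return None
    info = device_info_from_uuid(m.group(1))
    info["server"] = headers.get("server")
    info["location"] = headers.get("location")
    return info


if __name__ == "__main__":
    print(identify_device(SAMPLE_RESPONSE))
```

For the sample above the node field decodes to 00:a0:c9:1e:6b:f6 with the multicast bit clear, and the timestamp to 3 February 1997 17:43:12 UTC. A random node value (multicast bit set) or a version other than 1 yields no MAC address, which is the case to handle before attributing a host to a vendor.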

Identify infected devices and take measures

Most of the devices found infected with the Mirai variant had their SSDP service publicly reachable from the Internet, and their UUIDs were version 1. This made it possible for us to recover the MAC address and consequently the vendor of the affected devices. From the MAC addresses and the packet traffic observed through TSUBAME, JPCERT/CC coordinated with the vendor in question and identified the affected device models, which led to the release of the security alert together with related organisations to raise users' awareness.

JPCERT/CC continues to coordinate with vendors in investigating devices and requesting security measures, so that further infection can be prevented.


We have introduced how we came to identify the infected devices. If the SSDP port is left publicly accessible on the Internet, the device can be abused as a reflector for DDoS attacks [3] and is exposed to other malicious activity leveraging UPnP vulnerabilities [4] [5]. If you use UPnP-equipped devices, please make sure that security measures are properly taken: 1) keep the firmware up to date, 2) do not expose the UPnP service to the Internet and 3) disable the UPnP function if it is not being used.

If you have any questions, please contact global-cc[at]jpcert.or.jp.

Thanks for reading.

- Tomoaki Tani

(Translated by Yukako Uchida)


[1] JPCERT/CC Internet Threat Monitoring Report [October 1, 2017 - December 31, 2017] [JPCERT/CC]


[2] RFC 4122: A Universally Unique IDentifier (UUID) URN Namespace


[3] Alert (TA14-017A) UDP-Based Amplification Attacks [US-CERT]


[4] US-CERT Vulnerability Note VU#357851

UPnP requests accepted over router WAN interfaces


[5] CVE-2014-8361 Detail [NIST]


Nov 16, 2016

APCERT Annual General Meeting & Conference 2016 in Tokyo and JPCERT/CC’s 20th Anniversary

Hi all, this is Yuka from Global Coordination Division and also serving as APCERT Secretariat.

We are happy to announce that we have just finished one of the big tasks for this year – hosting the APCERT Annual General Meeting & Conference 2016, which was held on 24-27 October at the Royal Park Hotel in Tokyo. Since the official establishment of APCERT in 2003, its annual conference had never been held in Tokyo. There was, though, a meeting in 2002 of the Asia Pacific Security Incident Response Coordination Conference (APSIRC; the predecessor of APCERT) where forming a community for CSIRTs in the Asia Pacific region was discussed. Strangely enough, the 2002 conference was also held in the same hotel – we actually booked the venue without knowing this. We were thrilled to learn of the coincidence.

The Conference was run for four days:

24 Oct: Working Group Meetings, Team Building, Welcome Cocktail

25 Oct: TSUBAME Workshop, CyberGreen Workshop, Steering Committee Meeting

26 Oct: Closed Conference, Annual General Meeting, Gala Dinner

27 Oct: Open Conference

(Photo taken during TSUBAME Workshop – trainees working on some hands-on exercise)

From Day 1 through Day 3, sessions for APCERT members and invited guests were conducted, and Day 4 was an open session including the general public. Altogether we had APCERT Operational Members from 23 teams of 18 economies in Asia Pacific, Supporting Members, global partners, sponsors and some local guests, which counted up to approximately 200 people. The Conference was themed "Borderless Cooperation, Seamless Action – Towards a Cleaner, Greener Cyber Space –", which indeed reflects the aim of this community. The Conference program on the 27th was arranged based on a Call for Papers, with presentations covering a wide range of topics on recent technical trends, and concluded with a panel discussion on CSIRT operations, as below.

- IoT Threat and IoT Botnet

- Protecting CNII against Malware Threats: A Coherent Response through Cooperation Amongst OIC Countries

- APT Campaign Targets Japanese Critical Infrastructure

- Ransomware Tracking and AP Region Footprint

- Who’s That Knocking on My Back Door: A Jboss Case

- Sophisticated Financial Fraud Malware (Mobile) in Korea

- Collaborative Research for Development of CSIRTs in Vietnam

- Best Practices and Common Missteps in Responding to Major Incidents

- Engaging the ISPs in Effective National Network Abuse Handling

(Programs available here: https://www.apcert.org/apcert2016/program.html)

(Team JPCERT/CC after the event – Photo by our colleague)

What made this event special was not only the fact that it was hosted in Tokyo for the first time as APCERT, but also that it coincided with the 20th anniversary for JPCERT/CC.

Established in October 1996 as one of the oldest CSIRTs in the world, JPCERT/CC has been contributing to creating a safer cyber security environment both in Japan and across the globe. To look back over its activities from internal and external perspectives, a symposium was held on 28 October, inviting local partners. The symposium consisted of presentations from JPCERT/CC staff and partners covering the history of our activities and ideas for future plans, and was followed by a social cocktail.

What these two events brought home to us is the fact that JPCERT/CC has been supported by various partners locally and globally. For the anniversary event, some of our foreign counterpart organisations kindly sent us video messages with words of celebration. From local communities, we received feedback about our activities, some positive evaluations and also encouragement. Indeed, since JPCERT/CC is a "Coordination Center", our activities require coordination with various entities, and creating a safer cyber space cannot be accomplished without the support of such local and global partners. We hope that both events were good opportunities to show our gratitude for the special partnership of the past 20 years, and we look forward to continuing and developing the relationship for the next 10 years and more.

Thanks for reading.

- Yukako Uchida

Oct 13, 2015

APCERT Annual General Meeting and Conference 2015 in Kuala Lumpur

Hi again, it’s Yuka from Global Coordination Division and also serving as APCERT Secretariat. It’s been a while since I wrote here last time.

My entry this time is about the biggest event of APCERT which we just recently attended, the Annual General Meeting (AGM) and Conference 2015 in Kuala Lumpur, Malaysia on 6-10 September. This event, hosted by CyberSecurity Malaysia (MyCERT), marked the 12th annual conference for APCERT. What made the event special was that it was held concurrently with the AGM & Conference for OIC-CERT (Organisation of the Islamic Cooperation – Computer Emergency Response Team) and also Malaysia’s local cyber security exhibition. This was the first conference for APCERT and OIC-CERT to collaborate together, and members of both organisations had a great opportunity to interact with each other through a series of sessions during the week.

The event was conducted as follows:

6 September

AM: Workshops including Cyber Green

PM: APCERT Closed Session (Working Groups)

7 September

AM: APCERT Steering Committee Meeting

PM: APCERT Annual General Meeting (AGM)

8 September

AM: TSUBAME Workshop

PM: APCERT & OIC-CERT Desktop Exercise

9 September

AM: APCERT Closed Conference

PM: APCERT & OIC-CERT Steering Committee Discussion

10 September

All: APCERT & OIC-CERT Open Conference

For the APCERT AGM on 7 September, 26 Operational Members were present to discuss APCERT business matters and share information on the previous year’s activities of APCERT. As Secretariat, I would like to take this opportunity to thank Microsoft for providing the fellowship for our event, which significantly supported the participation of APCERT members.

JPCERT/CC completed our 4th consecutive term as Chair at this AGM, and CERT Australia was elected for this position. Also, MyCERT was elected as the new Deputy Chair, following KrCERT/CC’s completion of 4-year-term on this position. JPCERT/CC was re-elected as Steering Committee and Secretariat for the next 2-year-term and will keep contributing to the community by providing initiatives and administrative support. Also, we are happy to announce that we have been chosen to host the next APCERT AGM & Conference 2016 in Tokyo. It is also the year for JPCERT/CC’s 20th anniversary since its establishment, and we hope to celebrate such a milestone together with our domestic partners and APCERT members.

A token of appreciation for completing 4 years as Chair was presented from APCERT Steering Committee, and another token for contribution as a Steering Committee member was presented from the conference host (these were surprise gifts!).

JPCERT/CC colleagues with the tokens (Photo by Shikapon)

JPCERT/CC conducted a TSUBAME Workshop and a Cyber Green Workshop during the week. This year, the TSUBAME workshop focused more on hands-on sessions than on lectures, so the participants were more involved and able to familiarise themselves with the system. Our hope is that each member shares what was presented during the session and utilises it for their day-to-day incident handling activities. It was also our pleasure to invite OIC-CERT members to the TSUBAME Workshop for the first time.

For details on the Cyber Green Workshop, which was also a success, our colleague Taki wrote an article which is available on the Cyber Green website:


Yurie and Taki at the Cyber Green Workshop (Photo by Shikapon)

After all, it was an intense week full of events – but it was indeed great to see some old and familiar colleagues of APCERT, and some new faces as well. I recall it really was a huge event, involving both APCERT and OIC-CERT. We would like to take this opportunity to thank MyCERT, the host team, for their hospitality and to congratulate them on the success of the event.


- Yukako Uchida

Dec 25, 2014

Increase in Possible Scan Activity from NAS Devices

Happy holidays to all, this is Tetsuya from Watch and Warning Group. Today, I would like to share a recent, remarkable trend discovered through TSUBAME sensors.


In TSUBAME, we have observed a significant increase in packets destined to 8080/TCP since December 5th, 2014. When accessing source IP addresses using a web browser, the admin login screen for NAS devices provided by QNAP was seen in many cases for IP addresses from certain regions.


[Figure 1: Scan count per hour observed at 8080/TCP from December 2nd, 2014 onwards (Source: TSUBAME)]


Below are some characteristics that we noticed from TSUBAME data:

  - Increase in packets to Port 8080/TCP since December 5th, 2014

  - The TTL value of most of the packets was between 30 and 59

  - A scan attempt consists of 1 - 2 packets (the second packet is a retransmission)

  - A source IP does not continuously scan a particular destination IP (The majority scans only once)



Also we were able to verify the following after checking some of the source IP addresses:

  - When accessing Port 80/TCP of the source address, a redirect to Port 8080/TCP occurs and the admin login screen of QNAP NAS is shown

  - The QNAP firmware appears to be version 4.1.0 or earlier (information taken from the login screen that is shown; 4.1.0 and earlier are affected by Shellshock) (*1)


Using an environment separate from TSUBAME to check the packets sent by an infected QNAP device, we saw the following request (there are several types of requests).


[Figure 2: Sample request from infected device (Source: JPCERT/CC)]


When a QNAP NAS device running a vulnerable firmware version receives this request, the Shellshock vulnerability is exploited to download a malicious program from the Internet and infect the device with malware (*2, *3). Once infected, the device begins searching for other vulnerable NAS devices. As a result of this activity, a large number of NAS devices were infected, and we believe this is the reason for the sudden increase in packets to 8080/TCP.
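A detector for the request pattern described above, as an added example that is not part of the original post and not the request JPCERT/CC captured in Figure 2. Shellshock is triggered when bash imports an environment variable whose value starts with a function definition, "() {", followed by commands after the closing brace; a CGI handler exports request headers such as User-Agent into the environment, so the trigger only needs to appear in a header value. The code scans constructed access-log lines (the simplified log format, the addresses and the two harmless self-test payloads are all assumptions) and reports requests carrying the trigger.

```python
import re
from typing import Dict, List

# Bash function-definition import: "() {" ... "}" followed by trailing commands.
# The trailing part is what a vulnerable bash executes on import.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{[^}]*\}\s*;\s*(?P<payload>.+)")

# Simplified access-log format assumed for this example:
#   <client-ip> <method> <path> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) "(?P<ua>.*)"$'
)

# Constructed sample lines (not the request captured in Figure 2). The two
# suspicious lines use harmless self-test forms of the trigger.
SAMPLE_LOG = """\
192.0.2.55 GET /cgi-bin/index.cgi 200 "Mozilla/5.0 (compatible; NAS-Checker/1.0)"
198.51.100.23 GET /cgi-bin/authLogin.cgi 200 "() { :; }; echo shellshock-test"
192.0.2.77 GET /index.html 200 "curl/7.37.0"
203.0.113.9 GET /cgi-bin/authLogin.cgi 500 "() { x; }; /bin/true"
"""


def is_shellshock_value(value: str) -> bool:
    """True if a header value carries a bash function definition with trailing commands."""
    return SHELLSHOCK_RE.search(value) is not None


def find_shellshock_attempts(log_text: str) -> List[Dict[str, object]]:
    """Return one record per request whose User-Agent carries the trigger."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue          # not in the assumed format; skip rather than guess
        s = SHELLSHOCK_RE.search(m["ua"])
        if s is None:
            continue
        hits.append({
            "src": m["src"],
            "path": m["path"],
            "status": m["status"],
            # CGI paths are where an exported header value reaches bash
            "cgi": m["path"].startswith("/cgi-bin/"),
            "payload": s["payload"].strip(),
        })
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(hit)
```

Only the User-Agent is inspected here; in practice every header a CGI handler exports (Referer, Cookie, Host and others) deserves the same check, and a hit against a CGI path on a NAS that has not been updated is a reason to run the infection check referenced in (*2) before anything else.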


The vendor has released firmware that addresses the Shellshock vulnerability (*4). If you have yet to apply the update, we recommend that you first check (*2) whether the device has already been infected, since an update does not necessarily remove malware that is already present.


  JVN#55667175 QNAP QTS vulnerable to OS command injection (*1)



  The Shellshock Aftershock for NAS Administrators (*2)



  Worm Backdoors and Secures QNAP Network Storage Devices (*3)



 An Urgent Fix on the Reported Infection of a Variant of GNU Bash Environment Variable Command Injection Vulnerability (*4)



Thank you for reading, and we wish you all the best for the coming year.


- Tetsuya Mizuno

Oct 30, 2014

TSUBAME Training and Annual National Conference on Cyber Security in Sri Lanka

Hello, this is Taki and today I would like to write about my trip to Colombo, Sri Lanka from September 30th through October 2nd.

I went with Tetsuya to conduct TSUBAME trainings at Sri Lanka CERT|CC and TechCERT, and to give a presentation at Cyber Security Week 2014 - 7th Annual National Conference on Cyber Security.

TSUBAME Training for Sri Lanka CERT|CC and TechCERT

Unlike our previous TSUBAME trainings in Jakarta and Vientiane, this time the trainees were only from the respective organizations.

The number of trainees in both sessions was relatively small, which allowed us to facilitate more discussion during the sessions. However, unlike the previous trainings we only had about a day of training for each, so we focused mainly on the analysis of TSUBAME data, while also covering how to access data through the portal, etc.


Tetsuya at the training at Sri Lanka CERT|CC


Training at TechCERT

It is our hope at JPCERT/CC that the trainings helped in enhancing the trainees’ data analysis skills. Discussions on how to collect data and how to analyze large amounts of data were very fruitful and gave us a lot to think about as we move forward as well. We hope to continue dialog with our colleagues in Sri Lanka about these topics.

7th Annual National Conference on Cyber Security in Sri Lanka

Tetsuya and I also attended the 7th Annual National Conference on Cyber Security, which was part of Cyber Security Week 2014, on October 1st. There were a little over 200 people in attendance, about 20 or so of them from outside Sri Lanka. From what I gathered, most of the attendees were IT professionals, IT managers, CEOs, lawyers etc. from vendors and service providers in Sri Lanka.

The conference started with a celebration with music and a ceremonial oil lamp lighting followed by the national anthem of Sri Lanka. The traditional oil lamp lighting ceremony was something I had never seen before.


Traditional oil lamp lighting

I also presented during the conference and spoke about JPCERT/CC activities focusing on activities where we collaborate globally, including the TSUBAME project, overseas CSIRT development, vulnerability handling among others.

I had some people come up to me with some questions during the social event, held directly after the conference. Some of the questions included TSUBAME and network monitoring / data analysis and others related to vulnerabilities, but more on the disclosure side.


Taki talking at the Conference

All in all, my first trip to Colombo was very nice, but all too short. I do hope that I get to visit in the future and spend some time taking in the sites as well as the history of Sri Lanka.

Lastly I would like to thank our colleagues from Sri Lanka CERT|CC and TechCERT for their wonderful hospitality. I can definitely say that I would not have enjoyed this trip as much as I did without them taking such good care of us.

That is it for today. I hope to write again sometime soon.

- Taki Uchiyama

Jun 26, 2014

TSUBAME Training in Indonesia and Laos

Hi there! This is Tetsuya Mizuno from Watch and Warning group.


Today, I would like to introduce one of our activities: technical training through the TSUBAME project. TSUBAME, headed by JPCERT/CC, is a project using a packet monitoring system which deploys sensors in multiple countries to detect wide-ranging malicious activities on the Internet (without collecting any sensitive data). The project is operated as one of the working groups of APCERT, and the members consist of 24 teams from 21 economies, mainly National CSIRTs in the Asia Pacific region (as of June 2014). In order to boost members' capability in Internet-based threat analysis, we have provided some on-site technical training. Its objective is to give participants sufficient knowledge to investigate global threats, in order to promote data sharing and enhance analysis competence among the members.


This article will cover how we are implementing this activity by introducing our two recent on-site trainings in Indonesia and Laos conducted by my colleague Takayuki (Taki) Uchiyama and myself.


Training in Indonesia

We organized training in Jakarta, Indonesia on 5-7 March 2014 for approximately 40 participants from ID-SIRTII/CC and their partner organization, ACAD-CSIRT. The training was based on hands-on exercises consisting of four phases: (1) TSUBAME sensor setup and management, (2) TSUBAME web functions, (3) analysis combining TSUBAME data with other obtained data and (4) analysis of case studies by examining various network protocols.


The main purpose of this training was to enhance trainees’ practical skills on analyzing network traffic and sensor management. Based on their basic knowledge on TSUBAME, we focused on advanced trainings on how to analyze various internet protocols and to identify the online behavior of the network threats.


I was glad to hear a lot of positive feedback from the participants – they feel that their skill has improved and would like to take it into practice in their daily job.



Photo taken by ID-SIRTII/CC



Photo taken by Tetsuya


Training in Laos

Following the training in Indonesia, we conducted another session at LaoCERT, in collaboration with ThaiCERT, on 21-22 May 2014 for approximately 20 participants. Along with the training, we installed our first sensor in Laos, which made LaoCERT the 24th member team of the TSUBAME project. Since packet monitoring was a new challenge for some participants, we supported the hands-on exercises with lectures on general network knowledge. The training consisted of five phases: (1) basic knowledge of networks, (2) overview of TSUBAME, (3) TSUBAME sensor setup and management, (4) TSUBAME web functions and (5) tips for TSUBAME data analysis based on case studies.


During this training, we could see that the trainees were so motivated – and we were assured that the knowledge they acquired would definitely be helpful to improve their packet monitoring operation.



Photo taken by LaoCERT


Photo taken by Tetsuya


We look forward to continuing to contribute to enhancing packet monitoring capability, in order to promote collaboration among TSUBAME members and confront Internet threats as a whole.


If you have any inquiries on this topic or TSUBAME, please contact me at tsubame-sec(at)jpcert.or.jp.


- Tetsuya Mizuno

May 08, 2014

APCERT Annual General Meeting and TSUBAME Workshop by JPCERT/CC

Hello everyone! This is Yuka from the Global Coordination Division and APCERT Secretariat.


Today I would like to tell you about the biggest event of APCERT, the 11th Annual General Meeting (AGM) and Conference 2014, which was held from 18th to 21st March in Taipei. 21 Operational Member teams participated in this gathering, as well as some delegates from invited parties. TWNCERT was the host of this event, and JPCERT/CC assisted them as Chair and Secretariat team.



<Event Schedule>

18 March: Steering Committee Meeting and Working Group Meetings/Workshop

19 March: Closed Conference and Team Building Event

20 March: AGM & Closed Conference

21 March: Public Conference


At the Conference (photo by Yuka)


The event consisted of three main parts: meetings, conference and workshop. In the Steering Committee Meeting and the Annual General Meeting (Members only), APCERT members' activities in 2013 (e.g. participation in international conferences) were reviewed, and various topics about APCERT business and policies were presented for discussion. At the AGM, JPCERT/CC was elected as Chair team of APCERT for the 4th consecutive year – we feel honoured to keep up our contribution to this community for another term. At the conference, speakers with different areas of expertise – not only from CSIRT teams but also from security vendors and other organisations – were invited to give presentations.



Among all the agenda items of the event, I would like to highlight the TSUBAME workshop on the 2nd day, which was hosted by JPCERT/CC. TSUBAME is a network monitoring system developed by JPCERT/CC. 15 people from TSUBAME member teams and also from potential member teams participated in this workshop. JPCERT/CC has organised a TSUBAME Workshop at the APCERT AGM every year since 2010, so this was the 5th workshop. Kaori from the Global Coordination Division and Shikapon from the Watch and Warning Group presented the latest trends observed through the system and gave a hands-on session on the TSUBAME portal site. In addition, 2 participating teams gave presentations sharing their activities and the outcomes gained through the TSUBAME project.


At TSUBAME Workshop (photo by Yuka)



One of the topics covered in the workshop was DDoS attacks exploiting an NTP (Network Time Protocol) feature. Since the end of 2013, we have been observing through the TSUBAME system a large number of probes to port 123/UDP, the port used by NTP.


We confirmed that some of the packets received by TSUBAME actually carried the "monlist" command. ntpd supports a monitoring feature that lets administrators query the server for traffic counts of recently connected clients; this information is returned by the "monlist" command, which is an ntpdc request sent in NTP's private mode (mode 7).


This feature can be abused to conduct a "Distributed Reflection Denial-of-Service (DRDoS) attack". The basic technique is for an attacker to send a "monlist" request to a vulnerable NTP server with the source address spoofed to the victim's address. The server then sends the victim the reply, which lists up to 600 recently connected clients and is many times larger than the request, so a modest stream of small spoofed requests can saturate the victim's link and delay or even suspend its services.


As already announced by CSIRTs (including JPCERT/CC) and various security vendors, servers running ntpd prior to version 4.2.7p26 with the default unrestricted query configuration are vulnerable to this abuse. Users of these versions are recommended to update to a later version. Where updating is not immediately possible, the exposure can be closed in ntp.conf by turning the monitor feature off ("disable monitor") or by denying status queries to the public ("restrict default noquery", together with any restrict lines needed for legitimate clients and management hosts).
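A classifier for the probes described above, as an added example that is not part of the original post or of the TSUBAME system. It decodes the first bytes of a UDP payload sent to port 123 to tell a monlist request (NTP private mode 7, implementation XNTPD, request code MON_GETLIST or MON_GETLIST_1) from an ordinary client query, and also recognises mode 7 responses, which on a sensor indicate that the sensor's address was used as a spoofed victim. The sample payloads and source addresses are constructed for the example; the field layout follows ntpd's private-mode header.

```python
from typing import Dict, List, Tuple

# NTP header byte 0 is LI(2 bits) | VN(3) | Mode(3). Mode 7 is ntpd's private
# "ntpdc" mode, whose own 4-byte header (from ntpd's ntp_request.h) is:
#   byte 0: R(1) M(1) VN(3) Mode(3)   R = response bit, M = more-follows bit
#   byte 1: Auth(1) Sequence(7)
#   byte 2: implementation number (3 = IMPL_XNTPD)
#   byte 3: request code (20 = REQ_MON_GETLIST, 42 = REQ_MON_GETLIST_1)
IMPL_XNTPD = 3
MONLIST_CODES = {20: "MON_GETLIST", 42: "MON_GETLIST_1"}

# Constructed sample payloads (assumed for this example, not captured by TSUBAME).
MONLIST_PROBE = bytes.fromhex("1700032a") + bytes(4)      # the usual 8-byte monlist probe
MONLIST_PROBE_OLD = bytes.fromhex("17000314") + bytes(4)  # same, with request code 20
CLIENT_REQUEST = bytes([0x1B]) + bytes(47)                # ordinary NTPv3 client query, mode 3
MONLIST_RESPONSE = bytes.fromhex("9700032a") + bytes(4)   # R bit set: a server's reply header

# Constructed (source address, payload) pairs as a sensor might log them.
SAMPLE_PACKETS: List[Tuple[str, bytes]] = [
    ("198.51.100.7", MONLIST_PROBE),
    ("192.0.2.1", CLIENT_REQUEST),
    ("203.0.113.5", MONLIST_PROBE_OLD),
    ("198.51.100.7", MONLIST_PROBE),
    ("192.0.2.9", MONLIST_RESPONSE),
]


def classify_ntp_packet(data: bytes) -> Dict[str, object]:
    """Decode the fields needed to tell a monlist probe or reply from normal NTP traffic."""
    if len(data) < 4:
        return {"error": "truncated"}
    first = data[0]
    mode = first & 0x07
    info: Dict[str, object] = {"mode": mode, "version": (first >> 3) & 0x07}
    if mode != 7:
        return info                      # not private mode; nothing more to decode
    info["is_response"] = bool(first & 0x80)
    info["more"] = bool(first & 0x40)
    info["implementation"] = data[2]
    info["request_code"] = data[3]
    info["request"] = MONLIST_CODES.get(data[3]) if data[2] == IMPL_XNTPD else None
    return info


def is_monlist_probe(data: bytes) -> bool:
    """A request (R bit clear) in mode 7 for IMPL_XNTPD carrying a MON_GETLIST* code."""
    info = classify_ntp_packet(data)
    return (info.get("mode") == 7 and not info.get("is_response")
            and info.get("request") is not None)


def summarise_probes(packets: List[Tuple[str, bytes]]) -> Dict[str, int]:
    """Count monlist probes per source address, as a sensor analysis would."""
    counts: Dict[str, int] = {}
    for src, payload in packets:
        if is_monlist_probe(payload):
            counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    print(summarise_probes(SAMPLE_PACKETS))
```

Counting probes per source is what distinguishes a one-off scanner from a sustained reflection campaign; mode 7 replies arriving unsolicited are the other signal worth alerting on, since they mean a server somewhere accepted a request spoofed with the sensor's address.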

JPCERT/CC - Alert regarding DDoS attacks leveraging the monlist function in ntpd



CERT/CC - NTP can be abused to amplify denial-of-service attack traffic http://www.kb.cert.org/vuls/id/348126


We have been constantly seeing packet flows addressed to port 123/UDP, and they have even been increasing lately, as the graph indicates. This suggests that the recommended measures have not yet been widely adopted. (Please note that the trends in the graph include scanning by security organisations; the peaks are not necessarily associated with serious attacks.)

Graph: Scan count per day observed at 123/UDP from November 2013 to April 2014



Through the TSUBAME system, JPCERT/CC will keep a close eye on such suspicious packet traffic and share indications of cyber incidents with relevant parties. We sincerely hope to be of help in the early discovery and prevention of potential incidents.



-Yukako Uchida