News
- Report
[2018 Cyber Attack White Paper: Attack Analysis Announced in 3Q Report] Approximately 60% of the attack logs detected by "Shadankun" were found to be accesses intended for vulnerability scanning. 13 million attacks observed in 3 months
Cyber Security Cloud, Inc. (Headquarters: Shibuya-ku, Tokyo; CEO: Akira Ohno; hereinafter referred to as "Cyber Security Cloud") is pleased to announce the release of the "2018 Cyber Attack White Paper - 3Q Ver.", which summarizes the current state of cyber attacks in 2018.
The "2018 Cyber Attack White Paper" is a research report that aggregates, analyzes, and calculates attack logs observed by "Shadankun," Cloud-based WAF that visualizes and blocks cyber attacks on websites.
By publishing this report, we hope to raise awareness of cybersecurity among companies in various industries.
■ Overview of the 2018 Cyber Attack White Paper
-Survey period: July 1, 2018 (Sunday) to September 30, 2018 (Sunday)
- Survey target: User accounts using "Shadankun "
-Investigation method: Analysis of attack logs observed by "Shadankun"
■Attack status in 3Q 2018 (July to September)

In the third quarter of 2018 (July to September), attacks against companies that have adopted the service were mostly "Blacklisted user agent" attacks, accounting for approximately 60% of the total, with 13,098,070 attacks detected in the three months.
Additionally, "web attacks," which randomly test known vulnerabilities, and "web scans," which search for attackable web pages, will continue to be common, as they were last year.
Additionally, September 2018 saw the highest number of attacks in the third quarter, at 8,668,717.
■About Blacklisted User Agents
"Blacklisted user agents," which account for approximately 60% of the total, are attacks detected by bots using vulnerability scanning tools.
The graph below shows the number of attacks using "Blacklisted user agents" detected by day during the third quarter of 2018. Cloud-based WAF "Shadankun" detected around 100,000 to 150,000 attacks per day, with the highest number being 374,300.
"ZmEu," one of the scanning tools that detects "Blacklisted user agents," was developed around September 2012, but is still used as a means of attack. This tool scans for vulnerabilities in phpMyAdmin. To ensure the security of your web server, you should update to the latest version.

■About the Apache Struts2 vulnerability
The Apache Software Foundation announced a vulnerability in Apache Struts 2 (CVE-2018-11776) on August 22, 2018. While Cloud-based WAF "Shadankun" was able to detect attacks against this vulnerability using existing signatures, a dedicated signature has been created and updated to improve accuracy. The graph below shows the detection log measured after the dedicated signature was applied. The number of detections increased significantly after August 24, and we can see that attacks have continued to be detected since then.
This shows that caution is required not only immediately after a vulnerability is announced, but also after a certain period of time has passed.

■ Attack situation by country
The graph below shows the source IP addresses of attacks detected in the third quarter of 2018 (July to September) broken down by country.
Germany came in first in the top 10 countries of origin for attacks using Cloud-based WAF "Shadankun" service.
The rankings and percentages for each country are: 1st: Germany (30%), 2nd: USA (19%), 3rd: Japan (16%), 4th: China (8%), and 5th: France (5%).

Below is a graph looking at attacks detected using "Blacklisted user agents" by country in the third quarter.
Among the five countries, Germany has seen the most attacks over the three months.
A graph showing attacking IP addresses by country after the announcement of the Apache Starts2 vulnerability (CVE-2018-11776) on August 23rd shows that the majority of attacks originate from China.


Attacks targeting the "Apache Struts 2 vulnerability (CVE-2018-11776)" were most prevalent in China, but attacks using the "Blacklisted user agent" were most prevalent in Germany, and Germany is also ranked first when looking at attack detections overall.
■ Attack Overview
1. Blacklisted user agent
This is a bot attack that uses vulnerability scanning tools.
Examples of such scan tools include "ZmEu", "Nikto", and "Morfeus".
2.Web Attack
Web attacks are similar to DoS attacks or involve OS command injection.
3.Web Scan
Web scanning is a predictive attack that involves searching for targets for attack or randomly conducting simple attacks to look for vulnerabilities.
4. Brute Force Attack
A brute force attack is a brute force attack that uses all possible methods to crack a code or find a password.
5. SQL Injection
SQL injection is an attack that takes advantage of a vulnerability in a web application to execute SQL statements that are not expected by the application, thereby manipulating the DB improperly.
6. Cross-site scripting
Cross-site scripting is a method of attacking a vulnerable website by using a script created by an attacker.
This is an attack that requires the viewer to carry out the attack.
7. Directory Traversal
Directory traversal is an attack that allows unauthorized access to files on a web server.
8.Other
Attacks that exploit vulnerabilities in various operating systems, middleware, etc. are considered "other."
This also includes things that are usually considered outside the scope of a WAF.
This is an attack that does not go through a website or web application.
■ Expert comments (summary)
Yoji Watanabe, Director and CTO Cyber Security Cloud, Inc.

An Apache Struts2 vulnerability (S02-057/CVE-2018-11776) was made public on August 23, 2018, and it is recommended that users update their Apache Struts2 to the latest version. Exploit code information sites continue to report many PHP-related vulnerabilities, and attacks against HTTP/HTTPS are occurring more frequently than other types of communication.
There are many attacks targeting vulnerabilities in web applications developed with Struts and PHP, and these are expected to cause significant damage. This quarter, Cloud-based WAF "Shadankun" detected the most frequent attacks, including those scanning open web applications for vulnerabilities. Even websites that do not contain personal information are at risk of being hijacked and hidden without your knowledge, potentially being used as a springboard for attacks. Furthermore, simple scans do not guarantee complete security without defense; sensitive information could easily be exposed. It is also important to update your systems to the latest versions, and consider implementing security measures, including WAFs, to protect against the worst-case scenario.
■ About "Shadankun "
https://www.shadan-kun.com/

"Shadankun" is Cloud-based WAF web security service that visualizes and blocks cyber attacks on websites.
It has been adopted by a wide range of companies, from government agencies and financial institutions to large corporations and venture businesses, regardless of industry or size, and in the approximately three and a half years since the service was launched in December 2013, it has recorded the highest cumulative number of companies and websites using it in Japan*1.
*The name and logo of Shadankun are registered trademarks or trademarks of Cyber Security Cloud, Inc. in Japan.
*1 Source: Market research on "Cloud-based WAF services" (as of August 25, 2017) <ESP Research Institute> (survey conducted in August 2017)
■About Cyber Security Cloud, Inc.
Company name: Cyber Security Cloud, Inc.
Address: VORT Ebisu Maxim 3rd Floor, 3-9-19 Higashi, Shibuya-ku, Tokyo 150-0011
Representative: Akira Ohno, Representative Director
Established: August 2010
URL: https://www.cscloud.co.jp/
Cyber Security Cloud is committed to the philosophy of "creating a cyberspace that is safe and secure for people all over the world." Based on this philosophy, the company develops, operates, maintains, and sells web security services.
In the field of web security, which previously required technical personnel, we have been highly praised for being one of the first to move to the cloud, enabling "faster, easier, and safer" web security measures and dramatically reducing operational burdens. In October 2018, we were ranked 10th in the Deloitte Touche Tohmatsu Limited 2018 Japan Technology Fast 50, a ranking of industry growth rates based on revenue (sales), with a growth rate of 495.72% based on revenue (sales) over the past three fiscal years. We will continue to develop services that all companies can use safely and securely, and contribute to the advancement of the information revolution.