News
- Report
[Cyber Attack White Paper 2018 Attack Analysis Report Released] Over 100 Million Attack Logs Detected by "Shadankun" - Cyberattacks Observed Across Companies of All Sizes
Cyber Security Cloud, Inc. (Headquarters: Shibuya-ku, Tokyo; CEO: Akira Ohno; hereinafter referred to as "Cyber Security Cloud") is pleased to announce the release of its "Cyber Attack White Paper 2018," which summarizes the current state of cyber attacks in 2018.
The "Cyber Attack White Paper" is a research report that aggregates, analyzes, and calculates attack logs observed by "Shadankun," Cloud-based WAF that visualizes and blocks cyber attacks on websites.
By publishing this report, we hope to raise awareness of cybersecurity among companies in various industries.
■ Overview of the 2018 Cyber Attack White Paper
-Survey period: January 1, 2018 (Monday) to December 31, 2018 (Monday)
- Survey target: User accounts using "Shadankun "
-Investigation method: Analysis of attack logs observed by "Shadankun"
■Attack situation in 2018
The total number of attack logs for companies that have adopted the system in 2018 was 107,803,890. The month with the most attacks was May. Furthermore, the number of attacks observed each month increased toward the second half of 2018, and the number of attack logs is expected to continue to increase in the future.

■ Proportion of attack origins by country
The graph below shows the source IP addresses of attacks detected in 2018, broken down by country.
Germany came in first in the top 10 countries of origin for attacks on cloud-Cloud-based WAF "Shadankun" deployment services. The rankings and percentages are: 1st: Germany (28%), 2nd: Japan (17%), 3rd: USA (16%), 4th: China (9%), and 5th: Finland (6%).

■ Composition ratio by attack type
The graph below shows the breakdown of detected attack types. We can see that 56% of all attacks were caused by "Blacklisted user agents," which is a significant number.

■About Blacklisted User Agents
"Blacklisted user agents," which account for approximately 60% of the total, are attacks detected by bots using vulnerability scanning tools.
"ZmEu," one of the scanning tools that detects "Blacklisted user agents," was developed around September 2012, but is still used as a means of attack. This tool scans for vulnerabilities in phpMyAdmin. To ensure the security of your web server, you should update to the latest version.
■ Average number of attacks detected by company size
The graph below shows the average number of attacks detected per company, categorized by company size. Attacks were most frequently observed against companies with 50 to 199 employees. Attacks were also observed against companies with 1 to 50 employees and companies with 5,000 employees, indicating that companies of all sizes are exposed to a variety of cyber-attack threats, including the aforementioned blacklisted user agents (bot attacks using vulnerability scanning tools).

■ Attack Overview
1. Blacklisted user agent
This is a bot attack that uses vulnerability scanning tools.
Examples of such scan tools include "ZmEu", "Nikto", and "Morfeus".
2. Web attacks
These attacks are similar to DoS attacks or involve OS command injection.
3.Web scan
This method is seen as a precursor to an attack, searching for and investigating targets for attack, or searching for vulnerabilities through random, simple attacks.
4.Brute force attack
This is a brute force attack method to decipher encryption or find passwords.
5.SQL injection
It exploits vulnerabilities in web applications and
This is an attack that manipulates the database illegally by executing unauthorized SQL statements.
6.Other
In addition to the attack methods described above, there are other attack methods such as cross-site scripting and directory traversal.
Items with a relatively small percentage are classified as "Other."
This includes attacks that exploit vulnerabilities in various operating systems and middleware, as well as attacks that are normally outside the scope of a WAF.
■ Expert comments (summary)
Yoji Watanabe, Director and CTO Cyber Security Cloud, Inc.

Looking back at web security in 2018, a security hole was discovered in Drupal (Drupalgeddon 2.0) in March, which caused a lot of buzz. This vulnerability has also been used to prepare for cryptocurrency mining, which has become a hot topic recently, and it can be said that the objectives of attacks are diversifying.
Vulnerabilities have also been reported in web application frameworks such as Struts2, Tomcat, Spring, and WebLogic, so you must have been busy investigating and determining whether they affected your applications and whether updates were necessary.
Security holes that allow remote code execution make it possible for attackers to run programs tailored to their purposes, and it can be said that investigations into coin miners and the deployment of these programs were characteristic of 2018. Looking at the year as a whole, there has also been an increase in the number of attacks detected that investigate server file configurations, known as WebScan, suggesting a correlation.
Some programs in which vulnerabilities are discovered are no longer supported, and in such cases there are no security updates, making it difficult to respond.
Even for supported versions, updates take time to be released.
The objectives of attacks are becoming more diverse, and there are an increasing number of cases where the purpose is not to steal personal information. Therefore, it can be said that it is becoming increasingly important for organizations that own websites to monitor their servers and take countermeasures, regardless of whether they contain personal information or their company size.
■ About "Shadankun "
https://www.shadan-kun.com/

"Shadankun" is Cloud-based WAF web security service that visualizes and blocks cyber attacks on websites.
It has been adopted by a wide range of companies, from government agencies and financial institutions to large corporations and venture businesses, regardless of industry or size, and in the approximately three and a half years since the service was launched in December 2013, it has recorded the highest cumulative number of companies and websites using it in Japan*1.
*The name and logo of Shadankun are registered trademarks or trademarks of Cyber Security Cloud, Inc. in Japan.
*1 Source: Market research on "Cloud-based WAF services" (as of August 25, 2017) <ESP Research Institute> (survey conducted in August 2017)
■About Cyber Security Cloud, Inc.
Company name: Cyber Security Cloud, Inc.
Address: VORT Ebisu Maxim 3rd Floor, 3-9-19 Higashi, Shibuya-ku, Tokyo 150-0011
Representative: Akira Ohno, Representative Director
Established: August 2010
URL: https://www.cscloud.co.jp/
Cyber Security Cloud is committed to the philosophy of "creating a cyberspace that is safe and secure for people all over the world." Based on this philosophy, the company develops, operates, maintains, and sells web security services.
In the field of web security, which previously required technical personnel, we have been highly praised for being one of the first to move to the cloud, enabling "faster, easier, and safer" web security measures and dramatically reducing operational burdens. In October 2018, we were ranked 10th in the Deloitte Touche Tohmatsu Limited 2018 Japan Technology Fast 50, a ranking of industry growth rates based on revenue (sales), with a growth rate of 495.72% based on revenue (sales) over the past three fiscal years. We will continue to develop services that all companies can use safely and securely, and contribute to the advancement of the information revolution.