News
- Report
Cyber Security Cloud Announces "Cyber-Attack Detection Report Targeting Websites and Web Applications" for the First Quarter of 2022 (January-March) take measures against
Cyber Security Cloud, Inc. (Headquarters: Shibuya-ku, Tokyo; Representative Director, President and CEO: Toshihiro Koike; hereinafter referred to as "our company") announced that from January 1, 2022 to March 31, 2022, "Website / Cyberattack Detection Report on Web Applications" will be announced. This data is Cloud-based WAF "Shadankun" that visualizes and blocks cyber-attacks on websites and web applications provided by our company, AWS WAF, Azure WAF, and Google Cloud Armor automated operation service "WafCharm". Aggregate, analyze and calculate the attack logs observed in .
■ Survey Overview
– Survey period: January 1 to March 31, 2022
- Survey target: User accounts using "Shadankun" and "WafCharm"
- Research method: Analysis of attack logs observed using "Shadankun" and "WafCharm"
■ Attack detection status from January to March 2022
〜The number of attacks detected is increasing especially in the second half of March〜
The number of attack detections per host (* 1) increased month by month: 2,760 in January 2022, 2,957 in February, and 4,449 in March.
* 1: Approximate calculation using the total number of hosts protected by "Shadankun" (Web type: number of FQDNs, server type: number of IPs) and "WafCharm" (WebACL) as the denominator.

Looking at the detected attack sources by country, from January to March 2021, Germany ranked 1st, Japan ranked 2nd, the United States ranked 3rd, followed by Canada and China. 32.3% of attacks were from Japan, followed by Japan at 22.9%, followed by Australia at 11%, followed by Germany and Canada. In addition, attacks from Russia and other countries, which have attracted much attention in recent international affairs, have been detected continuously for some time, but no significant increase or decrease could be confirmed.


■ Movable Type and Log4j vulnerabilities at the end of 2021 (follow-up report)
〜Continuous vigilance against critical vulnerabilities is essential〜
This time, we investigated two critical vulnerabilities that made headlines in the second half of 2021.
First of all, regarding Movable Type (CVE-2021-20837), as previously reported, our company detected communications assumed to be this attack from November 10, 2021, and from the second half of November of the same year to the end of the year, the corresponding communications from many hosts. was detected. The results of this survey revealed that signs of attacks will continue to be detected from January to March 2022, although the number of detections varies from day to day.


Next, regarding the Log4j vulnerability, the existence of a remotely exploitable vulnerability (CVE-2021-44228) was announced on December 9, 2021, and in the previous survey, one day in December 2021 We have confirmed the number of detections approaching 100,000 at maximum. According to this survey, there were about 700,000 cases in total in January, and there were also days when around 10,000 cases were recorded in February and March.
Regarding the above two vulnerabilities, we recommend that you promptly implement countermeasures against the vulnerabilities, such as updating to the latest version, and investigate whether you are affected by the attack.


■ Spring Framework vulnerability (Spring4shell)
~ Although there are no reports of major damage, the threat level is extremely high ~
On March 31, 2022, a fatal vulnerability was confirmed in the Spring Framework, one of the mainstream frameworks used in Java, and a patch was released. The CVSS (v3) value, which indicates the threat level of the vulnerability (CVE-2022-22965), is extremely high at 9.8 out of 10, and as of March 31, the exploit code for the vulnerability (attack code ) has been circulating, and its activities on the Internet have been reported (*2), which has become a hot topic.
*2: Confirmation reports of scans related to this vulnerability have been reported all over the world, but no specific damage reports have been confirmed.
According to our detection results from March 31st to April 6th, the number of detections from March 31st to April 3rd was the highest, and there were days when the number of detections exceeded 400. Although it has decreased considerably since then, countermeasures are still required. We recommend that you investigate whether you are affected by attacks, along with countermeasures against vulnerabilities, including the implementation of the following updates.
<Version that addresses the vulnerability (*3)>
– Spring Framework 5.2.20 or later (Spring Framework 5.2 users)
– Spring Framework 5.3.18 or later (Spring Framework 5.3 users)
– Spring Boot 2.5.12 or later (Spring Boot 2.5 users)
– Spring Boot 2.6.6 or higher (Spring Boot 2.6 users)
*3: If the following requirements are met, there is a risk of being subjected to cyber attacks that exploit this vulnerability.
– Execution environment is JDK 9 or higher
- Uses Apache Tomcat as a servlet container
– Packaged as a WAR
– Dependencies with Spring Web MVC (*4) and Spring WebFlux (*5)
*4: Spring Web MVC: A feature for easily creating web applications. Develop applications with blocking processing that uses annotation controllers.
*5: Spring WebFlux: A feature for easily creating web applications, which uses reactive programming to develop non-blocking, asynchronous applications.
(The main differences between *4 and *5 above are "the way the logic is written" and "the mechanism of the thread pool used to process requests.")

In addition, CVE-2022-22963: Spring Cloud's RCE vulnerability has already been announced, but this is a vulnerability related to Spring Cloud, allowing arbitrary code to be executed on the host or container, serverless functions in the cloud environment. This is a different vulnerability than Spring4shell.
■ Cyber security measures during Golden Week
-Be sure to take precautions before the long vacation! ~
During long holiday periods such as Golden Week, many organizations and organizations have their system administrators absent for long periods of time, making it more likely that they will not be able to respond quickly in the event of an emergency. In addition, there is a risk of virus infection when resuming work after the holidays because the period when the PC is not started is long and the OS and software used are not updated. Given the current instability of the international situation, it is important to remain vigilant against attacks such as Emotet. In order to minimize the damage, it is recommended to take preventive measures such as setting response notifications to employees around Golden Week.
# Information security measures during long holidays
https://www.ipa.go.jp/security/measures/vacation.html
[About Cyber Security Cloud, Inc.]
Company name: Cyber Security Cloud, Inc.
Location: VORT Ebisu maxim 3F, 3-9-19 Higashi, Shibuya-ku, Tokyo 150-0011
Representative: Toshihiro Koike, Representative Director, President and CEO
Established: August 2010
URL: https://www.cscloud.co.jp/