Japanese network defense experts warn about poorly-tested software peril

State-sponsored attacks that exploit security vulnerabilities in region-specific software can offer assailants an easier means to compromise targeted networks.

At today’s Virus Bulletin Conference in London, representatives of the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) discussed several cases of malware that exploits vulnerabilities in software that is only used in the country.

Instead of restricting themselves to targeting software used all over the world (such as Microsoft Office, browser programs, and Adobe Flash Player), the attackers targeted Ichitaro, a word processor package widely used in Japan, as well as Sanshiro, a spreadsheet program, and SKYSEA Client View.

JPCERT/CC has been involved in the incident handling and investigation of these and other cases.

Readymade regional targets

Attackers took advantage of a vulnerability in Sanshiro to attach a malicious file to an email, in an attack ultimately designed to infect targets with PlugX malware.

In another case, cyber-espionage operatives used bugs in Ichitaro to attach a malicious document file to an email, which infected the user with PlugX.

Advanced Persistent Threat (APT) groups ran these similar attacks at the same time around five years ago.

One group started in April 2013 with a Microsoft Office exploit before moving onto spear-phishing emails with the Ichitaro exploit in September and Sanshiro in December 2013.

A second group of miscreants targeted government agencies and enterprises in Japan with CVE-2014-7247, a zero-day vulnerability in Ichitaro, and spear-phishing emails.

YOU MIGHT ALSO LIKE Experts warn against uptick in fileless malware attacks

The cyber-attack used shell code to spread three strains of malware: Emdivi, PlugX, and Agtid. Two weeks after the attack was confirmed, the vendor released a patch for Ichitaro, according to JPCERT/CC.

Various Ichitaro vulnerabilities have been harnessed in a series of attacks between 2010 and 2014.

During its presentation at the Virus Bulletin conference, JPCERT/CC listed nine such vulnerabilities – eight of which had a CVSSv2 score of 9.3 or above.

Sayanora to security

Attacks against region-specific software in Japan is not just a historic problem.

Another attack which began this year targeted SKYSEA, a popular asset management package tailored to the needs of the Japanese market.

A remotely exploitable security vulnerability in the software allowed attackers in a group known as ‘Tick’ to sling multi-platform malware.

Nor is the problem limited to Japan: Bugs in the Hangul Word Processor (HWP) in South Korea have been harnessed in attacks against local organizations.

Elsewhere, a supply chain compromise in accounting software mandated in Ukraine was infamously used to seed the NotPetya ransomware that affected Maersk and other businesses.

Attractive target

Tomoaki Tani of JPCERT/CC told The Daily Swig that region-specific software has often not been subjected to the same level of penetration testing as international software, making it an attractive target to groups.

The SKYSEA Client View vulnerability, in particular, would have been easy to find, with knowledge of Japanese more of a barrier to bug finding than technical knowledge.

“Unlike more popular software, it is often the case that countermeasures against vulnerabilities in such region-specific software are not well prepared,” a research paper published as part of the Virus Bulletin Conference concludes.

“Attackers understand and aim at such weak points.”

Some cyber espionage-style attacks are carried out by exploiting vulnerabilities in region-specific software, not least because government agencies (a popular target for attackers) frequently use such localized software.

Such attacks are rarely discussed at international conferences since they relate exclusively to a particular country. It was hoped that the JPCERT/CC talk would help in raising the profile of the issue internationally.

The Virus Bulletin Conference continues tomorrow. The Daily Swig will be back with more coverage throughout the week.

YOU MIGHT ALSO LIKE IoT security concerns raised as researchers detect massive increase in malicious traffic