Japanese space agency spotted zero-day attacks while cleaning up attack on M365
- Reference: 1720675918
- News link: https://www.theregister.co.uk/2024/07/11/jaxa_m365_zeroday_attacks/
- Source link:
JAXA’s systems came under in attack in [1]late 2023 , with its Active Directory implementation taking the brunt of it.
An investigation ensued, and saw networks taken offline to verify that no classified data on rockets, satellites, or national security was compromised.
[2]
Unauthorized access to Microsoft 365 (M365) was found to be the start of the incident. JAXA asked Microsoft to help with the probe and together found no further breaches, the agency [3]revealed.
[4]
[5]
But the space org’s statement also revealed the discovery of malware found and removed by an actor other than Microsoft. And then there’s the mention of zero-day attacks in the last sentence of a section about countermeasures like closer network monitoring and improve remote access security the agency adopted.
“In the course of taking the above measures and strengthening monitoring, we have detected and responded to multiple unauthorized accesses to JAXA's network since January of this year (including zero-day attacks), though no information was compromised,” the statement reads.
[6]
The 2023 breach did provide the attackers with some information hosted in JAXA's MS365 service, including personal information.
Luckily, the compromised systems are believed to not include sensitive information related to launch vehicles and satellite operations. The space agency also dismissed potential impact on cooperation with domestic and international partners from the attack.
[7]Users rage as Microsoft announces retirement of Office 365 connectors within Teams
[8]Japan's space agency suffers cyber attack, points finger at Active Directory
[9]JAXA's Akatsuki probe goes silent after more than a decade studying Venus
[10]Japan's space agency enlists train operator's AI to foresee in-orbit failures
Because the attacker used multiple unknown strains of malware, it was difficult to detect the unauthorized access, explained JAXA. Initial entry to JAXA's internal servers and computers was likely gained by exploiting a VPN vulnerability. The attacker then expanded its unauthorized access and compromised the space agency’s user account information. That account information in turn was used to access the MS365 services.
The newly found cyberattacks adds to a growing list for JAXA. The agency was breached in both 2016 and 2012. The 2016 attack led to the [11]arrest of a Chinese national affiliated with the Chinese Communist Party (CCP) and living in Japan.
The 2023 attack has not publicly been attributed to a person or organization. Considering the 2016 attack took five years before legal action was taken, that may still be a while coming. ®
Get our [12]Tech Resources
[1] https://www.theregister.com/2023/11/29/jaxa_cyberattack/
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zo@tSo5EXf40dCEk81C5EwAAAQk&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://global.jaxa.jp/press/2024/07/20240705-2_e.html
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zo@tSo5EXf40dCEk81C5EwAAAQk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zo@tSo5EXf40dCEk81C5EwAAAQk&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zo@tSo5EXf40dCEk81C5EwAAAQk&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[7] https://www.theregister.com/2024/07/09/users_rage_as_microsoft_announces/
[8] https://www.theregister.com/2023/11/29/jaxa_cyberattack/
[9] https://www.theregister.com/2024/06/03/jaxa_loses_akatsuki/
[10] https://www.theregister.com/2024/05/24/jaxa_enlists_railway_ai_maintenance/
[11] https://www.theregister.com/2021/04/21/japan_accuses_china_of_attacking_jaxa/
[12] https://whitepapers.theregister.com/
Re: If it was 0 days it was very likely a state actor
I wonder if it was a man in the middle [kingdom] attack?
Malware and Exploits as a Service
The more I read of cloud services the more I think you'd have to be an idiot to rid get rid of your on prem infrastructure in favour of it
Re: Malware and Exploits as a Service
I'm aware of three cyber attacks within a five mile radius of my desk over the past couple of years. Each one was against on-prem systems. The only reason they haven't made the news is because it was all covered up: Easier to do if the attack is confined to just one company (and in business it's easier to hush things up compared to the public sector)
I'm not claiming cloud is "better" than on-prem just that on-prem attacks are often hushed up.
The tendancy to hush up is general for all companies. It used to be taken as a sign that your network was not secure. Today, your network can be very secure and yet, you can still suffer being attacked.
But the tradition is to hush it up. That's why there are laws mandating that public companies fess up when they get hacked. Private companies might be a different matter, depending on the jurisdiction.
Re: Malware and Exploits as a Service
"Easier to do if the attack is confined to just one company"
I.E. Microsoft and their M365 platform where a zero day has potential to affect every connected organisation and user, worldwide
We have a couple of clients who have had multiple email accounts totally raped recently by multiple targeted attacks (to the point where we are prepping to deploy an absolutely absurd custom security solution which works by security through obscurity... Not something I normally endorse but we are desperate). After user training (thankfully) prevented them being able to raid the bank accounts we thought things were hopefully over for now and they had moved on.
Then someone got mugged by people who followed them until they were alone then forced them to unlock their phone before handing it over.
What the hell are we supposed to do to protect against that?
...also, no. They have not informed anyone about the breaches. Some clients know they received a phishing email from someone claiming to be an employee at the company, but those are easily dismissed as spoofs...
If it was 0 days it was very likely a state actor
Not hard to guess which, either.