Guardians of the Galaxy - An Unknown Battle - April 13, 21:39

There is no end to the battle with the new coronavirus.



Meanwhile, in January, a virus more vicious than any before it was brought under control.


It is a computer virus called Emotet, which was dubbed "the scariest" in cyberspace.



Devices in more than 200 countries and territories around the world are said to have been infected, causing $2.5 billion in damage.

In Japan, too, the computers of many companies were infected and damaged.



The virus was brought under control through a two-year joint investigation by law-enforcement agencies in eight countries.

No Japanese investigative agency was among them.



However, as the reporting proceeded, it emerged that the activities of Japanese volunteer white-hat hackers contributed greatly to this takedown operation.

They had been working day and night to minimize the damage in Japan.



"The Most Dreadful Virus" vs. "The Guardians"



We followed the unknown battle that protected us from malicious actors in cyberspace.



(Reporter, Network News Department, Yu Suzuki)

Operation Ladybird -Endgame-

Kharkiv, a city in eastern Ukraine.

Armed investigators rush down the narrow corridor of an apartment building.

They pry open the door of one unit with a crowbar, kick it in, and storm inside.

The investigators find dozens of computers and hard disks.

And a large quantity of banknotes and gold nuggets.

This was a hub of the network behind Emotet, a computer virus that was rampant around the world.



The following day, January 27, Europol (the European police agency) announced that, in a joint investigation with security authorities in eight countries (the Netherlands, Germany, France, Lithuania, Canada, the United States, the United Kingdom, and Ukraine), it had penetrated the infrastructure of the network that distributed Emotet, taken control of it, and shut it down from the inside.

The operation was named "Operation Ladybird".

The criminal group that distributed Emotet was known as "Mealybug", so the operation appears to have been named after the mealybug's natural enemy, the ladybird.



Volunteer white-hat hackers from around the world cooperated in this operation.

White-hat hackers are people with advanced knowledge and skills in computers and networks who use that technology for good purposes.

Volunteer white-hat hackers had been tracking Emotet's activity day by day and publishing the information online under the group name "Cryptolaemus".

During the reporting, I noticed a tweet from this group.

It read: "We want to thank you for sharing information on a daily basis."

Eight Twitter accounts were listed.

All of the accounts were Japanese.



Are Japanese people involved?

How?

At this time, I first learned about the Japanese Guardians.

Who Are the Guardians?

I was able to interview two of the eight white-hat hackers.

One goes by the account name bom (Ken Sajo, who works at a security organization).

The other is sugimu (Shuhei Sasada, who works at an information security company).

They are members of a group called the "Dispersal Mail Collection Group".

The group was launched in 2018.

It is described as a community of individual volunteers who share information on computer viruses, like Emotet, that are distributed in bulk.

The eight members usually work as information security staff at companies and similar organizations, and volunteer between tasks or after returning home.

For virus monitoring, each uses an observation network of their own, built on a home computer.



Then, when a malicious email is found, its contents are immediately shared on Twitter.

For example:

"○ month × day: This is a Japanese mass-mailed #Emotet email confirmed today.

Subject: Notice Regarding Change of Holidays

Attachment: Notice Regarding Our Response to Coronavirus Infectious Diseases.doc

The body text concerns the new coronavirus, and it is likely that stolen text has been reused. The layout of the attachment is in Japanese."

The Most Fearful Virus: Threat and Enormous Damage

There are several reasons why Emotet was called the "scariest" and caused enormous damage.

One is that it delivers the virus with a cleverly faked email that "pretends to be a reply from an actual business partner".

When content that was actually exchanged with the business partner in the past is quoted, the recipient thinks "I remember this", opens the attachment, and lets their guard down.

Once a machine is infected, Emotet steals the contacts stored on it and sends fake emails to other computers one after another, spreading the infection further.

The second is that it keeps "mutating", just like the new coronavirus.

By altering the program a little at a time, it tries to evade detection by antivirus software.

In addition, it had the ability to bring in other viruses.



Because of these characteristics, Emotet infected more than 1.7 million terminals in more than 200 countries and regions around the world.

In Japan as well, more than 3,200 companies were infected and had systems stop, causing great damage.

Worldwide damage is estimated at $2.5 billion.

Emotet, a virus that behaved more viciously than any before it.

Eight Guardians stood against the attack.

Thorough Tracking of Communication Destinations and Detailed Analysis of the Virus

The first step was to investigate suspicious emails.

Using the observation networks the eight members run, along with information posted on Twitter and detections from antivirus software, they collected the mass-mailed emails.

Then they extracted the virus from the email attachments and analyzed the program.

They also observed infected terminals and investigated where they communicated and how they behaved.

The virus steals information from infected computers and sends it to a server operated by the attacker, known as Emotet's command-and-control (management) server.

They recorded in detail which server, in which country, the virus was communicating with illicitly.

They also recorded and analyzed the subject and body of each email, as well as the name of the attached file.

That information was added to the website of "Cryptolaemus", which was involved in the takedown operation.

By listing and sharing the collected information, information security staff around the world are able to block the illicit communications.

They also found and reported that the virus's "mutations", intended to evade detection by antivirus software, were carried out up to five times a day.

If each new variant is added to the antivirus detection lists as it appears, the variants can be prevented from slipping through.

Discovering the Risk of Zip Files

Emotet, which had raged around the world, went quiet in February last year.

It was bom's observation network that first caught the start of the renewed outbreak.

On July 17 last year, an attack email was caught for the first time in five months.

Changes appeared in late August.

The number of suspicious emails began to increase rapidly.

On September 2, bom was struck by an email he received.

"What is this!?"

The email had an unfamiliar kind of file attached.

It was a password-protected Zip file.

bom raised the alert level one step further.

Password-protected Zip files run the risk of slipping past email security software.

The attack emails carrying this kind of Zip file were observed only in Japan, and bom felt that "it is clear they aimed at a hole in Japanese business practices."

Around this time, sugimu began analyzing the virus programs downloaded through the malicious Zip files.

As expected, it turned out that the virus was likely to slip past security software.
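One defensive check a mail gateway can apply to the risk described above is to look at the ZIP container itself rather than its contents: a password-protected entry is marked by bit 0 of the general-purpose flag in each local file header, and that bit is readable without the password. The following is an added example, not code from the article or from the group it describes; the archive it inspects is constructed in the script, and the attachment name is a placeholder modelled on the tweet quoted earlier.

```python
import io
import struct
import zipfile

# ZIP local file header (PKWARE APPNOTE 4.3.7): 30 fixed bytes, then the
# file name and the extra field. Bit 0 of the general-purpose flag marks an
# entry as encrypted, which is how a password-protected attachment shows up.
LOCAL_HEADER_SIG = b"PK\x03\x04"
CENTRAL_HEADER_SIG = b"PK\x01\x02"
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"
ENCRYPTED_FLAG = 0x0001


def encrypted_entries(data: bytes) -> list:
    """Return the names of encrypted entries found by walking local headers.

    Walking the local headers instead of trusting the central directory means
    a truncated or tampered archive is still inspected as far as it parses;
    input that is not a ZIP at all simply yields an empty list.
    """
    names = []
    offset = 0
    while True:
        pos = data.find(LOCAL_HEADER_SIG, offset)
        if pos < 0 or pos + 30 > len(data):
            return names
        (_, _, flags, _, _, _, _, comp_size, _,
         name_len, extra_len) = struct.unpack_from(LOCAL_HEADER_FMT, data, pos)
        name = data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
        if flags & ENCRYPTED_FLAG:
            names.append(name)
        # Skip header, name, extra field and payload to reach the next header.
        offset = pos + 30 + name_len + extra_len + comp_size


def build_sample(encrypted: bool) -> bytes:
    """Constructed sample: a one-entry archive with a decoy document name.

    zipfile cannot write encrypted archives, so for the encrypted case the
    flag bit is set by hand in both the local and the central header.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Notice Regarding Change of Holidays.doc", b"decoy text")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[data.find(LOCAL_HEADER_SIG) + 6] |= ENCRYPTED_FLAG    # flag at +6
        data[data.find(CENTRAL_HEADER_SIG) + 8] |= ENCRYPTED_FLAG  # flag at +8
    return bytes(data)
```

A gateway that quarantines or flags any attachment for which `encrypted_entries` returns a non-empty list catches the password-protected case without ever needing the password.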



The two published these detailed analysis results to the world on blogs and Twitter.

In November, Kasumigaseki (the central government ministries) announced a policy of abolishing the use of Zip files entirely, citing the risk that they cannot be checked for viruses.

The move to abolish them spread to local governments and companies nationwide.

The risk of Zip files, which the eight were the first in the world to point out, changed Japan's security awareness.

The Biggest Crisis: Bots From All Over the World Attack Japan

The day after the Zip file was observed on September 2 and the alert level was raised, a more serious situation became clear.

"Cryptolaemus" sent word that "Japan is being attacked all at once."

Emotet was not sent by hand by a malicious person; instead, a huge system had been built that hijacked computers across the Internet and distributed the virus automatically.

A distribution system driven by automated programs like this is called a "botnet".

In Emotet's case, there were roughly three botnets (Epoch1, Epoch2, Epoch3).

They are thought to have corresponded to daytime working hours in Europe, the United States, and Asia respectively.

This is because it is more efficient to send infection emails when people are at their computers working.



Asia was mainly attacked by the third botnet (Epoch3).

However, according to the information received on September 3, all three botnets were distributing emails targeting Japan at once.

bom and the others immediately began analysis.

They confirmed that the information was correct.

"Japan is being targeted by botnets from around the world."

It was an unprecedentedly serious situation.

To get the warning out with priority, bom identified the specific areas of the affected companies and called for caution.

"The crisis is imminent. I wanted people to feel that."

They also directly contacted the owners of email addresses that had been infected and were spreading the damage.

Since Emotet resumed activity last July, the number of infected email addresses has risen to more than 16,000, of which more than 4,500 have been contacted.

They also responded to individual consultations from Twitter followers and offered advice.

The target was a Japanese bank account!

In September, when Japan was hit by the mass attack, the threat turned out to be beyond imagination.

bom and the others were observing the behaviour of terminals infected with Emotet.

Emotet was then calling in another virus.

It was downloading a virus called "Zloader".

If a user of an infected machine visits an online shopping site or a financial institution's website, a fake ID and password entry screen is displayed in an attempt to steal the credentials.

Further analysis of the virus program revealed that the targeted websites were Japanese financial institutions, credit card companies, and even shopping sites; all of them were Japanese.

The eight immediately provided this information to a security organization established by domestic financial institutions.

This led to a targeted alert.

A Defensive Method Devised -Active Defense-

bom and the others have put new defenses in place against such virus attacks targeting Japanese financial institutions.

A virus called "Ursnif" behaves in the same way as "Zloader".

Its targeted websites included 30 domestic banks, 11 card companies, and 8 cryptocurrency exchanges.

It tried to steal information by displaying fake payment screens.

The new defense is called "active defense".

It is a defense that is carried out proactively.

For example:

▽ Among the domains of the attacker's servers with which the virus was communicating illicitly, they identified domains the attacker had let lapse and purchased them.

This prevents the attack from being launched again from the same domain.

▽ They also confirmed that old, disused Japanese email accounts had been hijacked and used for distribution.

They notified the owners of about 60 accounts and asked them to stop using them.

▽ Furthermore, they analyzed the characteristics of the attacker's mail-distribution servers and the algorithm behind them in order to predict the attacker's next move.

On that basis, they took the lead in shutting down the bases used for mail delivery.

The combined effect of these aggressive defenses was enormous.

Attackers using "Ursnif" have completely stopped their activities in Japan since June 2019.

Their targets have moved to other countries.

A virus that was aimed at Japanese bank account information.

One big threat is gone.

Victim bashing

Why can the eight volunteers keep up these activities day and night?

I asked sugimu what drives him.

The answer was a shock.

"In Japan, victims of cyber attacks are subjected to social bashing. I've always felt uncomfortable with that."

Cyber attacks come suddenly.

Damage can result from an act as casual as opening an email.

No matter how careful you are, you may not be able to prevent it.

Yet when the damage spreads, the person who opened the email is often the one denounced.

"We received a lot of consultations from people who couldn't eat, couldn't sleep for days, or were at their mental limit. In fact, one office worker infected with Emotet was scolded by his boss, mentally cornered, and had to quit."

The ones who are truly at fault are the attackers who send the virus emails.

Yet the victims infected with the virus are often treated like the bad guys.

It mirrors the structure of discrimination and prejudice against people infected with the new coronavirus.

sugimu said he wants to reduce such secondary damage as much as possible.

Thank You -Thank You!!-

After the Emotet takedown operation, the group of white-hat hackers from around the world thanked the Japanese group on Twitter.

"A lot of the data they published has never been seen by anyone else. We are always grateful for the shared information."

The power of Japanese volunteer white-hat hackers was a major force in bringing the most feared virus under control.

bom recalls that he was honestly happy to receive these words of thanks.

"No Japanese public agency was involved in this Emotet takedown operation. I felt frustrated about that, but I believe our activities were able to contribute indirectly to the takedown (destruction). I'm

An Endless Threat -Infinity War-

The scariest virus, Emotet, has been subdued, but that is not the end.

Other viruses that spread through email are being created one after another.

According to bom, emails aiming to infect machines with a virus called "CampoLoader" have been distributed in Japan since last month.

The details are not yet known, but clicking the URL in the email downloads a Zip file containing a malicious program.

Even if one attack is prevented, new ones keep coming.

The shadowy virus business network is growing everywhere in the world, and the threat will continue.

Guardians of the Galaxy

It brings no money, no advancement, and no honor.

Despite that, the Guardians fight unseen on the front line against vicious viruses, protecting Japan.

Eight remarkable people protect us from the malicious actors of cyberspace.

"Guardians of the Galaxy"

Is it an exaggeration to call them superheroes?

As a lover of American comics, the thought suddenly came to me.

However, one of the Guardians, hiro_, put it this way:

"By sharing and disclosing information not only to people with specialized skills but also to the general public, the attack becomes widely recognized, and as a result the damage is minimized."

In the fight against the most fearful virus, it was not only each Guardian's ability but also the broad information-sharing mechanism that was a major force.

If you are attacked, share that information.

I think this small idea matters.

It leads to countering the attacker.

We, too, may be able to fight alongside the "heroes".

Finally, with their consent, here are the Twitter accounts of the eight Japanese Guardians.



@bomccss

@Abel1ma

@gorimpthon

@sugimu_sec

@papa_anniekey

@waga_tw

@wato_dn

@58_158_177_102