
Hitachi Systems SHIELD Security Research Center

Initial Disclosure Date: Jun 21, 2013

Japan has faced a surge of website defacements since April 2013. Some of the defacements serve drive-by downloads, in which malware is fetched from the Internet without the user's knowledge while they are simply browsing a website. At least a couple of dozen of the cases that occurred in May were driven by hacktivism and display political messages. Because the culprits use obfuscated JavaScript for the drive-by downloads, it is hard for website administrators to notice such an incident. Website administrators are encouraged to manage File Transfer Protocol (FTP) and Secure Shell (SSH) accounts properly and to check FTP/SSH logs; to restrict access to content and server administration to the minimum necessary; to keep operating systems and software up to date; and to keep backups of content files together with a list of their hashes so that defacement can be detected.

The Japan Computer Emergency Response Team Coordination Center (JPCERTコーディネーションセンター, JPCERT/CC) received approximately 1,000 website defacement reports between April and June 7th. The culprits insert either an iframe that takes website visitors to a malicious website, or obfuscated JavaScript, in order to infect visitors' computers without the users noticing. Since an iframe displays one webpage inside another, attackers can shrink the embedded malicious page to a size that is effectively invisible. Those malicious websites host an exploit kit that attacks vulnerabilities in Adobe Acrobat/Reader, Adobe Flash, or Oracle Java in order to install malware on the victim's computer. As far as JPCERT/CC has determined, the attackers use known vulnerabilities, so keeping operating systems and software up to date would minimize the risk of malware infection. JPCERT/CC also warns of possible information theft, because some of the malware used steals account information from FTP/SSH clients or web browsers. (footnote:1)
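The two controls recommended above, a hash list of the content files and a check for injected iframes or obfuscated script, fit naturally into one routine. The following is an added example written for this page, not code from JPCERT/CC, Hitachi Systems, or the original article. It builds a SHA-256 manifest of a document root, diffs a later snapshot against it, and scans any added or modified web file for the two injection patterns the advisory describes. The sample pages, the file extensions checked, and the regular-expression heuristics are all assumptions made for the demonstration; the baseline manifest should itself be stored somewhere the web server account cannot write.

```python
"""Baseline-and-diff check for website defacement.

Added example (not from the original advisory or the cited agencies).
Builds a SHA-256 manifest of a document root, compares a later snapshot
against it, and scans changed or added web files for the two injection
patterns described in the advisory: hidden iframes and obfuscated
JavaScript. The sample pages and the heuristics are constructed for the
demonstration and are assumptions, not a complete detection rule set.
"""
import hashlib
import os
import re
import tempfile

# Heuristics for the injected content the advisory describes (assumptions):
# an iframe sized 0 or 1 pixel, and typical decoder calls in injected script.
HIDDEN_IFRAME = re.compile(
    r'<iframe[^>]*(?:width|height)\s*=\s*["\']?\s*[01]\b[^>]*>', re.I)
OBFUSCATED_JS = re.compile(
    r'(?:eval|unescape|String\.fromCharCode|document\.write)\s*\(', re.I)
WEB_EXTENSIONS = (".html", ".htm", ".php", ".js")


def build_manifest(root):
    """Map relative path -> SHA-256 hex digest for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                manifest[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return manifest


def diff_manifest(baseline, current):
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified


def scan_for_injection(text):
    """Return heuristic findings for one HTML/JS document (empty if clean)."""
    findings = []
    if HIDDEN_IFRAME.search(text):
        findings.append("hidden iframe")
    if OBFUSCATED_JS.search(text):
        findings.append("obfuscated JavaScript")
    return findings


def check_site(root, baseline):
    """Diff root against the stored baseline; scan changed web files."""
    current = build_manifest(root)
    added, removed, modified = diff_manifest(baseline, current)
    report = {"added": added, "removed": removed, "modified": modified, "findings": {}}
    for rel in added + modified:
        if rel.lower().endswith(WEB_EXTENSIONS):
            with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as f:
                hits = scan_for_injection(f.read())
            if hits:
                report["findings"][rel] = hits
    return report


def demo():
    """Constructed scenario: take a baseline, then deface index.html."""
    clean = "<html><body><h1>Welcome</h1></body></html>\n"
    # Constructed injection: a 1x1 iframe plus an eval/unescape script blob.
    injected = clean.replace(
        "</body>",
        '<iframe src="http://example.invalid/x" width="1" height="1"></iframe>'
        '<script>eval(unescape("%64%6f%63"));</script></body>')
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as f:
            f.write(clean)
        baseline = build_manifest(root)   # in practice: store this read-only, off the server
        with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as f:
            f.write(injected)
        return check_site(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The manifest diff is the authoritative signal: any unexplained change in a hash is a finding on its own, and the pattern scan only helps triage which changed files carry the injection described in the advisory. Attackers routinely vary their obfuscation, so a clean scan of a modified file is not evidence that the change is benign.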

In fact, the National Police Agency (警察庁, NPA) points out that some of the websites were defaced through FTP. The intruders logged in successfully on a single attempt, which is only possible if they already held valid credentials; the NPA therefore believes that those attackers had stolen the FTP accounts beforehand. (footnote:2) Furthermore, when the agency searched for part of the inserted JavaScript with a search engine, it found several thousand Japanese websites. In other words, a large number of website administrators may not yet have realized that their sites are infected. (footnote:3)
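The NPA observation above gives a concrete thing to look for in the FTP logs the advisory asks administrators to check: a successful login, on the first try, from an address the account has never used. The script below is an added example written for this page, not from the NPA report or the original article. It parses vsftpd-style log lines (the format and every line in the sample are constructed for the demonstration, not real log data), and flags successful logins that come from a first-seen address for that account with no preceding failed attempt from it, then attaches any uploads the session performed. The allowlist of known administrator addresses is also an assumption.

```python
"""Flag FTP logins that look like use of stolen credentials.

Added example (not from the NPA report or the original page). Implements
the pattern the NPA described: a successful login on the first attempt
from an address the account has not used before. Log format, sample
lines, and the allowlist are constructed assumptions for the demonstration.
"""
import re
from collections import defaultdict

# vsftpd-style lines (constructed sample; not real log data).
SAMPLE_LOG = """\
Mon May 20 09:02:11 2013 [pid 2101] [webmaster] OK LOGIN: Client "192.0.2.10"
Mon May 20 18:40:03 2013 [pid 2188] [webmaster] OK LOGIN: Client "192.0.2.10"
Tue May 21 02:13:57 2013 [pid 2310] [webmaster] OK LOGIN: Client "203.0.113.77"
Tue May 21 02:14:20 2013 [pid 2310] [webmaster] OK UPLOAD: Client "203.0.113.77", "/var/www/html/index.html", 4120 bytes, 55.20Kbyte/sec
Tue May 21 10:00:41 2013 [pid 2402] [editor] FAIL LOGIN: Client "198.51.100.5"
Tue May 21 10:00:49 2013 [pid 2402] [editor] FAIL LOGIN: Client "198.51.100.5"
Tue May 21 10:01:02 2013 [pid 2402] [editor] OK LOGIN: Client "198.51.100.5"
"""

# Assumption: the office egress address from which administrators normally connect.
KNOWN_ADMIN_ADDRS = frozenset({"192.0.2.10"})

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) (?P<action>LOGIN|UPLOAD|DOWNLOAD|DELETE): '
    r'Client "(?P<ip>[^"]+)"(?:, "(?P<path>[^"]+)")?')


def parse_log(text):
    """Yield one dict per line that matches the expected format; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_suspicious_logins(text, known_addrs=frozenset()):
    """Return successful logins from a first-seen address for the account,
    with no prior failed attempt from that address (credential known in
    advance). Addresses in known_addrs are never flagged. Each returned
    event carries the files uploaded later by the same user/address pair."""
    seen_ok = defaultdict(set)      # user -> addresses with an earlier OK LOGIN
    failed = defaultdict(int)       # (user, ip) -> failed attempts so far
    uploads = defaultdict(list)     # (user, ip) -> paths uploaded
    suspicious = []
    for ev in parse_log(text):
        key = (ev["user"], ev["ip"])
        if ev["action"] == "LOGIN":
            if ev["result"] == "FAIL":
                failed[key] += 1          # guessing; a different alert, not this one
                continue
            first_seen = ev["ip"] not in seen_ok[ev["user"]] and ev["ip"] not in known_addrs
            if first_seen and failed[key] == 0:
                # Share the list object so uploads logged after this line show up.
                suspicious.append(dict(ev, uploads=uploads[key]))
            seen_ok[ev["user"]].add(ev["ip"])
        elif ev["action"] == "UPLOAD" and ev["result"] == "OK" and ev["path"]:
            uploads[key].append(ev["path"])
    return suspicious


if __name__ == "__main__":
    for ev in find_suspicious_logins(SAMPLE_LOG, KNOWN_ADMIN_ADDRS):
        print(ev["ts"], ev["user"], ev["ip"], "uploaded:", ev["uploads"])
```

In the sample, the webmaster login from 203.0.113.77 is flagged and its subsequent upload of index.html is attached; the editor login that follows two failures from the same address is deliberately not flagged here, since repeated failures followed by success is the signature of password guessing rather than of a stolen credential, and warrants a separate rule. A first run over a real log will flag every address that is not in the allowlist, so the allowlist should be seeded from the addresses administrators legitimately use.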

Although the Information-technology Promotion Agency, Japan (独立行政法人情報処理推進機構, IPA) has only a small number of samples, it offers an intriguing analysis of the causes. The agency received ten reports between April 1st and May 31st and found that the attackers had exploited vulnerabilities in Apache Struts2, Joomla!, or WordPress, whereas over the previous year Parallels Plesk Panel had been the frequently exploited target. In the Plesk cases, the culprits appear to have planted malware on servers running Parallels Plesk Panel, which installs components such as BIND, MySQL, and phpMyAdmin alongside it. (footnote:4)

Although the IPA, JPCERT/CC, and the NPA have not named possible attackers, Trend Micro Inc. has picked up several website defacements attributed to overseas hacktivist groups targeting Japan in May 2013. Trend Micro's Forward-Looking Threat Research (FTR) team noted that at least 20 Japanese websites had been defaced as of May 30th. FTR believes the targets were chosen at random, because some are run by individuals and some are online shops. Some of the defaced websites display a message posted by the hacktivist groups, while others show a video, presumably to present the group's political agenda rather than to infect visitors with malware. A leading actor in the campaign used QQ, a popular instant messenger in China, to announce which websites had been defaced and to encourage further attacks. This person had previously published various hacking techniques, including SQL injection. (footnote:5)

Sources:

  1. JPCERT/CC. “JPCERT/CC Alert 2013-06-07: Webサイト改ざんに関する注意喚起” (“JPCERT/CC Alert 2013-06-07: Alert regarding website defacements”). Jun. 7, 2013.
    https://www.jpcert.or.jp/at/2013/at130027.html
  2. NPA @police. “ウェブサイト改ざん事案の多発に係る注意喚起について” (“Warning about frequent website defacements”). May 24, 2013.
https://www.npa.go.jp/cyberpolice/detect/pdf/20130524_1.pdf , p. 1
  3. NPA @police. “外見上変化のないウェブサイト改ざん事案の多発について” (“A large number of website defacements although those websites look unchanged”). Jun. 7, 2013.
http://www.npa.go.jp/cyberpolice/detect/pdf/20130607.pdf , p. 2
  4. IPA. “「ウェブサイトが改ざんされないように対策を!」 ~サーバーやパソコンのみならず、システム全体での対策が必要です~” (“Take measures to prevent the defacement of your website! You need to take care of not only your server and computers but also the entire system”). Jun. 4, 2013.
    https://www.ipa.go.jp/security/txt/2013/06outline.html
  5. 岡本勝之 (Okamoto, Katsuyuki). “TrendLabs SECURITY BLOG: 日本を標的とするハクティビズム的Web改ざん攻撃を確認:今後の攻撃拡大に注意” (“TrendLabs SECURITY BLOG: TrendMicro confirmed website defacements driven by hacktivism that targets Japan --- Please be alerted about potential growth of such cyber-attacks”). May 30, 2013. Trend Micro.
    http://blog.trendmicro.co.jp/archives/7318

