Notice and apology regarding the possibility of information leakage due to unauthorized access (first report)


SoftBank Technology Corp.
President & CEO Shinichi Ata

>Please check here for the second report.
>Please check here for the final report.

Dear Sirs,
We trust that your company continues to prosper, and we thank you for your continued patronage.

Recently, we confirmed unauthorized access to our verification server (the verification server for our maintenance contract management system, hereinafter referred to as the server). A file containing customer information used in the maintenance contract management system migration work was stored on the server, and we have found that this information may have been leaked to a third party who gained unauthorized access (hereinafter referred to as the attacker). We deeply apologize for the great concern and inconvenience caused to our customers and everyone involved.

A third-party organization is currently conducting a detailed investigation, and we plan to announce the details as soon as they become available. Our company and a third-party organization conducted a primary investigation to check whether the attacker had taken the file out, and no evidence of information leakage was found. Details are as follows.

Details

1. Unauthorized access situation
An alert was generated for the detection of malware (virtual currency mining program) within our network environment, and as a result of investigating the malware, it was discovered that the server in question had been accessed without authorization. The server contained a file containing customer information, which was accessible to the attacker.

Although the server was able to connect to the Internet, (1) there was an unnecessary account, (2) the password for the account was weak, and (3) external access measures were not appropriate, which made it possible for an attacker to gain unauthorized access. In addition, there was a file stored on the server that contained customer information used for verification work, etc., and (4) the file was poorly managed, leading to the possibility of information leakage.

Furthermore, based on the attacker's behavior, it is assumed that the attack was aimed at installing a virtual currency mining program rather than collecting information, and no trace of information leakage has been confirmed in the primary investigation by our company or a third-party organization.

2. Information on persons in charge at business partner companies that may have been leaked (information stored on the server)

Content: Company name, person in charge, phone number, email address
Number: 4,071 companies, 12,534 items

3. History of response
Since 7:50 pm on Monday, July 17, 2017, the server that was attacked has been shut off from the network and cannot be accessed from outside. A detailed investigation is currently being conducted by a third-party organization.

2017/7/17 13:52 Security monitoring team detects malware execution and communication blocking.
2017/7/17 14:08 Disseminated information to CISO, information systems department, and CSIRT members.
2017/7/17 15:45 Started network isolation of the computer.
2017/7/17 19:45 Based on the malware investigation results, the server that was accessed illegally was identified.
2017/7/17 19:50 Shut off the server from the network. An investigation into the server has begun.
2017/7/20 10:00 Confirmed evidence of unauthorized access to the server. It was discovered that the attacker was able to access the file containing customer information on the server. Started arranging for a third party agency.
2017/7/21 16:00 An investigation by a third-party organization has begun.
2017/7/22 13:50 The primary investigation by a third-party organization has been completed.

4. Future actions
As a result of the primary investigation, it was not confirmed that files containing customer information were leaked from the server, but a third-party organization is currently investigating the matter, and details will be announced as soon as they are known. Thank you for your patience as we wait for the results of the investigation. In addition, our company takes this situation seriously and will conduct a comprehensive review of the current situation and work to prevent recurrence.

■About the server

① Unnecessary account existed (inadequate account management)
We have completed an inventory of our accounts and have stopped using any account other than the minimum necessary.

② The password for the account was weak (poor password management)
We have checked to see if there are any accounts with weak passwords, and have suspended the use of accounts with weak passwords.

③ External access measures were not appropriate (insufficient access control)
Currently, the server in question has been isolated from the network for investigation and has been set to prevent external access.

④ Insufficient management of customer data (insufficient information management)
The server is currently isolated from the network for investigation. We will promptly take measures to prevent recurrence and ensure thorough compliance.

■For company-wide systems
We are currently conducting a comprehensive inspection of our company-wide systems from the four perspectives listed above. In addition to the above, we will consider measures to prevent recurrence and review of operations, and will strengthen our response as a top priority.

5. Reference information
Information on the malware (virtual currency mining program) discovered this time

File name: java.exe
Hash values:
MD5: 40f49dbb3e95960d9cb93871931f5b33
SHA1: 17d108dc510186713d2daae9ea13790e779b23e9
SHA256: 86bfcca2aa4100897ad3c49fed6824286a7db3da1efcf08ced8d5b27ba07bbfe
Communication destination: xmr[.]crypto-pool[.]fr:3333
*In the communication destination listed, "." (dot) in the actual address has been changed to "[.]".

<Inquiries regarding this matter>

For business partners:
If you have any questions or concerns, or if you have any concerns about possible leaks, please contact our sales representative.

Contact point for news organizations:
Corporate Communication Group
Email: sbt-pr@tech.softbank.co.jp