
Executive Summary
In March 2023, Fujitsu, a prominent Japanese technology company, experienced a significant cybersecurity breach involving sophisticated malware. This incident, although not a ransomware attack, has raised concerns about a potential surge in ransomware activities in Japan. The breach led to the exposure of sensitive data, affecting Fujitsu's internal network. This report delves into the technical intricacies of the malware, the potential implications for future ransomware attacks, and the necessary mitigation strategies to safeguard against such threats.
Technical Information
The malware that infiltrated Fujitsu's systems was characterized by its advanced evasion techniques, making it particularly challenging to detect. Described as "wormable," the malware had the capability to propagate from the initially compromised machine to 48 other devices within Fujitsu's internal network. This propagation was facilitated by the malware's ability to disguise itself, a tactic commonly employed by Advanced Persistent Threats (APTs) to maintain persistence and evade detection. The malware executed commands to exfiltrate data, potentially including personal and business-related information. Fujitsu has adhered to Japan's data protection laws by notifying affected individuals and customers. The breach was geographically confined to Japan, with no evidence of spread to customer environments or international networks. In response, Fujitsu isolated the infected machines, blocked external server connections, and enhanced monitoring and detection measures. External cybersecurity experts were engaged to assist in the investigation.
Exploitation in the Wild
While the malware used in the Fujitsu breach was not ransomware, the sensitive data it exposed could be leveraged by ransomware groups in future operations. The incident underscores how threat actors reuse exposed data for follow-on attacks. The indicators of compromise reported for this incident are behavioural rather than atomic: the malware's lateral spread within the network and its use of advanced evasion techniques.
APT Groups Associated with This Incident
The sophisticated nature of the malware suggests the involvement of advanced threat actors, possibly APT groups. These groups are known for their use of advanced techniques to infiltrate and persist within targeted networks. The tactics, techniques, and procedures (TTPs) observed in this incident align with those used by APTs to maintain persistence and evade detection.
Affected Product Versions
The breach affected Fujitsu's internal business computers, specifically within its network in Japan. The malware spread to 48 devices, indicating a significant impact on Fujitsu's internal operations. However, there is no evidence of the malware affecting customer environments or international networks.
Workaround and Mitigation
Organizations should implement robust monitoring systems to detect and respond to suspicious activities promptly. Network segmentation is crucial to prevent the lateral movement of malware within a network. Developing and regularly updating incident response plans can help organizations respond effectively to breaches. Additionally, organizations should conduct regular security audits and vulnerability assessments to identify and remediate potential weaknesses in their systems.
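A minimal detection routine for the worm-like fan-out described above (one host reaching many internal peers over administration ports within a short interval), written for this report as an added illustration; it is not drawn from Fujitsu's investigation or from Rescana's platform. The flow-log format, the port list, the internal address ranges, the thresholds and the sample log lines are all constructed assumptions:

```python
"""Worm-style lateral-movement fan-out detector over flow logs.

Added illustrative example (not Fujitsu's or Rescana's code). Flags an internal
host that reaches an unusually high number of distinct internal peers on
remote-administration ports inside a short window, the shape a self-propagating
malware produces as it spreads. Ports, networks and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Ports typically used for host-to-host administration (SMB, RDP, WinRM, SSH).
# Assumed list; tune it to what is actually permitted between workstations.
LATERAL_PORTS = {445, 3389, 5985, 5986, 22}

# RFC 1918 ranges treated as "internal" (assumption; use your own address plan).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed sample flow log: "<ISO timestamp> <src_ip> <dst_ip> <dst_port>".
# 10.0.1.10 sweeps eight peers on SMB in four minutes (worm-like fan-out).
# 10.0.1.30 touches six peers on SMB but spread over a whole day (admin-like).
# The remaining lines are ordinary fan-in to a file server and one web flow.
SAMPLE_LOG = """\
2023-03-01T09:00:00 10.0.1.10 10.0.1.11 445
2023-03-01T09:00:30 10.0.1.10 10.0.1.12 445
2023-03-01T09:01:00 10.0.1.10 10.0.1.13 445
2023-03-01T09:01:30 10.0.1.10 10.0.1.14 445
2023-03-01T09:02:00 10.0.1.10 10.0.1.15 445
2023-03-01T09:02:30 10.0.1.10 10.0.1.16 445
2023-03-01T09:03:00 10.0.1.10 10.0.1.17 445
2023-03-01T09:03:30 10.0.1.10 10.0.1.18 445
2023-03-01T09:03:45 10.0.1.10 203.0.113.5 443
2023-03-01T09:00:10 10.0.1.21 10.0.1.50 445
2023-03-01T09:00:20 10.0.1.22 10.0.1.50 445
2023-03-01T09:00:40 10.0.1.23 10.0.1.50 445
2023-03-01T09:05:00 10.0.1.20 10.0.1.50 445
2023-03-01T09:05:10 10.0.1.20 10.0.1.51 3389
2023-03-01T09:10:00 10.0.1.30 10.0.1.11 445
2023-03-01T11:10:00 10.0.1.30 10.0.1.12 445
2023-03-01T13:10:00 10.0.1.30 10.0.1.13 445
2023-03-01T15:10:00 10.0.1.30 10.0.1.14 445
2023-03-01T17:10:00 10.0.1.30 10.0.1.15 445
2023-03-01T19:10:00 10.0.1.30 10.0.1.16 445
"""


def parse_flow(line):
    """Split one log line into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), ip_address(src), ip_address(dst), int(port)


def is_internal(ip):
    """True when the address falls inside one of the assumed internal ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def detect_fanout(lines, threshold=5, window_minutes=10):
    """Return {src: sorted distinct internal peers} for every source that
    contacted at least `threshold` distinct internal hosts on a lateral port
    inside any interval of `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = parse_flow(line)
        # Only internal-to-internal traffic on admin ports counts as lateral movement.
        if port in LATERAL_PORTS and is_internal(src) and is_internal(dst) and src != dst:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span is at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            peers = {dst for _, dst in events[start:end + 1]}
            if len(peers) >= threshold:
                alerts[str(src)] = sorted({str(dst) for _, dst in events})
                break
    return alerts


if __name__ == "__main__":
    for src, peers in detect_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT fan-out from {src}: {len(peers)} peers -> {', '.join(peers)}")
```

The time window is what separates worm behaviour from routine administration: 10.0.1.30 reaches six peers in the sample but only one per window, so it stays silent at the default settings and only surfaces when the window is widened to a day. In production the same logic would read firewall or NetFlow exports rather than an embedded string, and the threshold would be set from a baseline of normal peer counts per host.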
References
- Cyber Daily: Fujitsu confirms March cyber attack not a ransomware incident, data exposed (https://www.cyberdaily.au/security/10812-fujitsu-confirms-march-cyber-attack-not-a-ransomware-incident-data-exposed)
- The Register: Fujitsu blames malware that's 'not ransomware' for attack (https://www.theregister.com/2024/07/10/fujitsu_malware_attack/)
- CRN: Fujitsu Confirms It Was Hacked Via Malware, Says Probe Ongoing (https://www.crn.com/news/security/2024/fujitsu-confirms-it-was-hacked-via-malware-says-probe-ongoing)
- Fujitsu Global: Notice regarding results of security incident investigation (https://www.fujitsu.com/global/about/resources/news/notices/2024/0709-01.html)
- ThreatKey: Fujitsu Faces the Cybersecurity Storm: A Comprehensive Breakdown of the Recent Data Breach (https://www.threatkey.com/resource/fujitsu-faces-the-cybersecurity-storm-a-comprehensive-breakdown-of-the-recent-data-breach)
Rescana is here for you
At Rescana, we are committed to helping our customers navigate the complex cybersecurity landscape. Our Continuous Threat and Exposure Management (CTEM) platform is designed to provide comprehensive threat intelligence and vulnerability management solutions. We are here to assist you in enhancing your cybersecurity posture and mitigating the risk of similar incidents. Should you have any questions about this report or any other cybersecurity concerns, please do not hesitate to contact us at ops@rescana.com.