CYFIRMA TLR 2020 Finds Web Application Attacks Aimed at Bypassing Authentication Are Common

Date: 06-Oct-2020
Location: Singapore / Tokyo, Japan


CYFIRMA is a leading Predictive Cyber Threat Visibility & Intelligence Platform company. 

Key Takeaways:

  • CYFIRMA today announced the findings of its Southeast Asia and Japan Threat Landscape Report (TLR) 2020 analyzing cyberattack campaigns against organizations in the region, as well as the motivation, methodologies, and tools behind the attacks.
  • Southeast Asia and Japan are many things: a haven for start-ups, a breeding ground for technological innovation, and home to an increasingly mobile-first and hyper-connected population. These same factors have also drawn the interest of state-sponsored threat actors and cybercriminals to the region.
  • The report found that Singapore, among other nations, has become a target of the Chinese state-sponsored group MISSION2025, which exploits cyber vulnerabilities for both espionage and financial gain.
  • COVID-19-themed threat campaigns are also proliferating: state-sponsored hackers from China, North Korea and Russia used COVID-19 as a pretext to discourage nations from participating in the Tokyo 2020 Olympics, or at least to delay the event.

CYFIRMA Threat Landscape Report 2020


Kumar Ritesh, Founder and CEO at CYFIRMA, shared insights on why the SEA and Japan region is a hotspot for cyber attacks: these regions host a mix of the world's largest enterprises, promising tech startups on the rise, and digitally connected youth, while governments are working towards smart cities; dependence on technology is therefore extremely high.


According to Kumar Ritesh, CYFIRMA helps organizations take a proactive and pre-emptive approach against cyberthreats by strengthening their tactical threat intelligence and constantly improving their cyber posture to stay ahead of adversaries.


Top Attack Methods:

  • Attack on Servers: Because vulnerability management cycles are often implemented poorly, many organizations fail to patch their critical web servers or database servers in a timely manner. Threat actors exploit this and keep probing servers for weak links.
  • Reconnaissance on Well-Known Ports: A port scan is a method for determining which ports on a host are open. It is a popular reconnaissance technique for attackers seeking a weak point of entry into a server, system or application. Port scanning activity, together with directory brute forcing, spiked sharply in April 2020 and the trend has continued since.
  • Attack on Web Applications: Since last year, attackers have increasingly targeted web applications, looking for sensitive information, credentials, API keys and critical server details, and attempting to bypass authentication.
  • Subdomain Takeover Attacks: A subdomain takeover vulnerability occurs when a subdomain points to a service or project that has been decommissioned or deleted while its DNS record (typically a CNAME to a cloud provider) still exists. An attacker who registers the abandoned resource at that provider then controls whatever is served under the organization's subdomain.
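The port-scan reconnaissance described above leaves a recognisable trace in firewall logs: one source touching many distinct destination ports on a single host within a short window. The following detector is an added example, not code from the CYFIRMA report; the log line format, the sample lines and the thresholds are constructed for illustration.

```python
"""Flag port-scan-like behaviour in firewall connection logs.

Added example (not from the CYFIRMA report). A source that probes many
distinct destination ports on one host inside a short sliding window is
reported. The log format and thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in an assumed "iptables-like" format:
# <ISO timestamp> SRC=<ip> DST=<ip> DPT=<port> ACTION=<ALLOW|DROP>
SAMPLE_LOG = """\
2020-04-02T10:00:01 SRC=203.0.113.7 DST=198.51.100.10 DPT=21 ACTION=DROP
2020-04-02T10:00:01 SRC=203.0.113.7 DST=198.51.100.10 DPT=22 ACTION=DROP
2020-04-02T10:00:02 SRC=203.0.113.7 DST=198.51.100.10 DPT=23 ACTION=DROP
2020-04-02T10:00:02 SRC=203.0.113.7 DST=198.51.100.10 DPT=25 ACTION=DROP
2020-04-02T10:00:03 SRC=203.0.113.7 DST=198.51.100.10 DPT=80 ACTION=ALLOW
2020-04-02T10:00:03 SRC=203.0.113.7 DST=198.51.100.10 DPT=110 ACTION=DROP
2020-04-02T10:00:04 SRC=203.0.113.7 DST=198.51.100.10 DPT=443 ACTION=ALLOW
2020-04-02T10:00:04 SRC=203.0.113.7 DST=198.51.100.10 DPT=445 ACTION=DROP
2020-04-02T10:00:05 SRC=203.0.113.7 DST=198.51.100.10 DPT=3306 ACTION=DROP
2020-04-02T10:00:05 SRC=203.0.113.7 DST=198.51.100.10 DPT=3389 ACTION=DROP
2020-04-02T10:00:06 SRC=203.0.113.7 DST=198.51.100.10 DPT=8080 ACTION=DROP
2020-04-02T10:00:07 SRC=203.0.113.7 DST=198.51.100.10 DPT=8443 ACTION=DROP
2020-04-02T10:01:00 SRC=192.0.2.44 DST=198.51.100.10 DPT=443 ACTION=ALLOW
2020-04-02T10:01:05 SRC=192.0.2.44 DST=198.51.100.10 DPT=443 ACTION=ALLOW
2020-04-02T10:01:09 SRC=192.0.2.44 DST=198.51.100.10 DPT=80 ACTION=ALLOW
2020-04-02T10:30:00 SRC=203.0.113.7 DST=198.51.100.10 DPT=22 ACTION=DROP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+) ACTION=(?P<action>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, src, dst, dport) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"]))


def detect_port_scans(text, window_seconds=60, min_ports=10):
    """Return {(src, dst): sorted ports} for every source/destination pair
    where the source hit at least `min_ports` distinct destination ports
    within some sliding window of `window_seconds`. Both ALLOW and DROP
    count: a scanner's allowed hits are the open ports it was looking for."""
    events = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        events[(src, dst)].append((ts, dport))

    hits = {}
    for key, seq in events.items():
        seq.sort()
        best = set()
        start = 0
        for end in range(len(seq)):
            # Slide the window start forward until the span fits.
            while (seq[end][0] - seq[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {p for _, p in seq[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            hits[key] = sorted(best)
    return hits


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src} against {dst}: {len(ports)} ports {ports}")
```

The threshold of ten distinct ports in sixty seconds is a starting point, not a rule; tune it against a baseline of your own traffic, and consider a second rule keyed on (src) alone to catch horizontal sweeps of one port across many hosts, which this per-pair window does not see.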
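The subdomain takeover condition in the last bullet can be checked mechanically: walk the zone, and for every CNAME whose target no longer resolves, ask whether the target lives on a provider where anyone can register that name. The script below is an added example and not part of the CYFIRMA report; the zone records, the provider suffix table and the stand-in resolver are all constructed so it runs offline.

```python
"""Find subdomains whose CNAME points at a decommissioned external resource.

Added example, not from the CYFIRMA report. Resolution is injected as a
function so the check runs offline against constructed records; see the
note after the block for plugging in a real resolver.
"""

# Constructed zone export in an assumed "name type target" format.
# None of these hosts or providers are real.
ZONE = """\
www.example.org      CNAME  example-prod.cdn-provider.example.net
shop.example.org     CNAME  old-shop.pages-host.example.net
status.example.org   CNAME  acme-status.statuspages.example.net
blog.example.org     CNAME  blog-example.blog-host.example.net
legacy.example.org   CNAME  decom-box.internal.example.org
api.example.org      A      198.51.100.20
"""

# Assumed table: CNAME target suffixes of third-party services where an
# unclaimed hostname can be registered by any customer. Real lists are
# maintained per provider; these suffixes are invented for the example.
CLAIMABLE_SUFFIXES = (
    ".pages-host.example.net",
    ".statuspages.example.net",
    ".blog-host.example.net",
)


def parse_zone(text):
    """Return a list of (name, rtype, target) from the constructed zone format."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            records.append((parts[0], parts[1], parts[2]))
    return records


def find_dangling(records, resolve):
    """Report CNAMEs whose target does not resolve (resolve() returns None,
    modelling NXDOMAIN). A target on a claimable provider is rated
    'takeover'; a non-resolving target elsewhere is only 'dangling',
    because no outsider can register it, though it should still be cleaned up."""
    findings = []
    for name, rtype, target in records:
        if rtype != "CNAME":
            continue
        if resolve(target) is not None:
            continue  # target still exists; nothing to claim
        claimable = target.endswith(CLAIMABLE_SUFFIXES)
        findings.append({
            "name": name,
            "target": target,
            "risk": "takeover" if claimable else "dangling",
        })
    return findings


# Constructed answer table standing in for DNS; a missing key models NXDOMAIN.
FAKE_DNS = {
    "example-prod.cdn-provider.example.net": "203.0.113.10",
    "blog-example.blog-host.example.net": "203.0.113.11",
}


def fake_resolve(host):
    return FAKE_DNS.get(host)


if __name__ == "__main__":
    for f in find_dangling(parse_zone(ZONE), fake_resolve):
        print(f"{f['name']} -> {f['target']}: {f['risk']}")
```

Against live DNS, pass a resolver such as a wrapper around `socket.gethostbyname` that returns None on `socket.gaierror`. One caveat: several providers answer for unclaimed names with a fixed IP and an error page rather than NXDOMAIN, so a resolving target is not proof of safety; fingerprinting the HTTP response body for the provider's "no such site" text is the usual complement to this DNS-only check.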

Trends in Malware:

  • Commodity Malware: Several incidents involved heavy use of commodity malware such as Emotet, Ursnif and TrickBot by nation-sponsored hacking groups including Stone Panda and Lazarus Group. The compromised systems served as a "launch pad" for the attackers' subsequent activities and campaign operations.
  • Mirai Botnet: Mirai botnet activity has spiked this year, up more than 2000 percent compared with last year. From February 2020 we have seen many new Mirai variants, including Echobot. Some variants attempted to download files named "Mozi.m" and "Mozi.a" by exploiting vulnerabilities in IoT devices. They also targeted vulnerabilities in DSL modems, GPON routers, D-Link, NETGEAR and Huawei routers, and the Realtek SDK.
  • Ransomware: 2020 has been the year of ransomware. We came across a number of different ransomware groups, including Maze, NetWalker, Sodinokibi (also known as REvil), Nemty and DoppelPaymer, each running its own website to publish details of breaches and exfiltrated data.

Best Practices:

Take a proactive and pre-emptive approach against cyberthreats by strengthening your tactical threat intelligence and constantly improving your cyber posture to stay ahead of adversaries.

Case Studies:

CYFIRMA uncovered the North Korean Lazarus Group planning a large-scale phishing campaign targeting more than 5M individuals and businesses across six countries and multiple continents, amongst other such campaigns.

Editor's Comments:

  • Pay attention to the top attack methods laid out above and give fortifying your defenses against them a higher priority.
  • For example, web apps and REST APIs should follow current authentication best practices. If JSON Web Tokens (JWT) are used, the server must verify the signature with an algorithm it pins itself and enforce expiry; a token that is merely decoded rather than verified is a common route to the authentication bypasses noted above.
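To make the JWT point concrete, the block below puts a verifier that trusts the token's own header (and so accepts `alg: none`) beside one that pins HS256, compares the signature in constant time and requires `exp`. It is an added example written for this page, not code from CYFIRMA or from any JWT library; the secret key and claims are assumptions, and the standard library is used so the HS256 logic is visible.

```python
"""Authentication bypass via unverified JWTs, beside a hardened verifier.

Added example, not from CYFIRMA or any library. Standard library only so
every step is visible; in production use a maintained JWT library with the
same rules (server-pinned algorithm, required exp, constant-time compare).
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-secret-do-not-use"  # assumed server-side HMAC key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a token the way the server would: HS256 over header.payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(payload).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def forge_none_token(payload: dict) -> str:
    """What an attacker sends: alg=none, empty signature, claims of their choosing."""
    header = {"alg": "none", "typ": "JWT"}
    return f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(payload).encode())}."


def decode_unverified(token: str) -> dict:
    """VULNERABLE: lets the untrusted header choose the algorithm. This mirrors
    code that honours alg from the token or calls a library decode() with
    verification switched off. alg='none' returns the claims unchecked."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    if header.get("alg") == "none":
        return payload  # attacker-selected algorithm disables the check
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(SECRET, signing_input, hashlib.sha256).digest()
    if b64url_decode(sig_b64) != expected:  # plain != is also not constant-time
        raise ValueError("bad signature")
    return payload


def verify_hs256(token: str, key: bytes, now: float = None) -> dict:
    """HARDENED: algorithm pinned by the server, constant-time signature
    compare, exp required and enforced. Raises ValueError on any failure."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:  # covers bad split, bad base64 and bad JSON
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")  # never let the header decide
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig_b64), expected):
        raise ValueError("bad signature")
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired or missing exp")
    return payload


def is_rejected(token: str, key: bytes, now: float = None) -> bool:
    """True if the hardened verifier refuses the token."""
    try:
        verify_hs256(token, key, now)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    forged = forge_none_token({"sub": "attacker", "role": "admin"})
    print("vulnerable decoder accepted:", decode_unverified(forged))
    print("hardened verifier rejected forged token:", is_rejected(forged, SECRET))
    good = sign_hs256({"sub": "alice", "role": "user", "exp": 2_000_000_000}, SECRET)
    print("hardened verifier accepted genuine token:", verify_hs256(good, SECRET, now=1_900_000_000))
```

Two further checks belong in the same place in a real service: reject tokens whose `alg` differs from the key type you hold (an RSA public key must never be fed to an HMAC verifier), and validate `iss` and `aud` so a token minted for one API is not replayed against another.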