NICTER Observation Report 2022 released: Analysis of cyberattack‐related communications indicates double the number of IoT device attacks on TCP port 23

2023.04.03

The National Institute of Information and Communications Technology (NICT)'s Cyber Security Nexus (CYNEX) recently published its observation report for 2022. The report summarizes the results of observation and analysis of cyberattack‐related communications in 2022 through the Network Incident analysis Center for Tactical Emergency Response (NICTER) Project's large‐scale cyberattack observation network. It found that cyberattack‐related communications increased only slightly compared to 2021. However, it also notes that, by destination port, the percentage of attacks targeting IoT devices on TCP port 23 (telnet) saw a particular increase.

Cyberattack‐related communications observed in NICTER's darknet observation network (approximately 290,000 IP addresses) in 2022 totaled 52.26 billion packets, or approximately 1.83 million packets per IP address in one year. It was a slight increase over the previous year's result of 1.74 million packets and was the second‐highest result in the past decade, after 2020, when approximately 1.85 million packets were received. Of all the packets, 54.9% were observed to originate from investigatory scans by overseas organizations. This trend has persisted since 2019, with more than half of the total packets falling into this category.

Excluding these scanning packets, telnet (23/TCP) stood out among the main targets of attacks (destination port numbers) observed by NICTER in 2022: its share doubled from 11% in the previous year to 23%. This service is still commonly used by IoT devices. In the past, botnet attacks have targeted characteristic port numbers used by IoT devices. However, in 2022, attacks on port sets, including 23/TCP, were particularly active.

The project observed multiple DVR products being infected by the Mirai malware. Mirai infects IoT devices such as home routers and network cameras and uses these devices as a springboard for DoS attacks by sending large numbers of packets to the target host.

The NICTER project collaborated with product vendors to investigate vulnerabilities and observed these attacks using actual devices. Its study revealed that zero‐day vulnerabilities, meaning vulnerabilities that developers are unaware of and for which no patches or other countermeasures are available, were exploited in pinpoint attacks on vulnerable devices.

Observations of DRDoS attacks, which exploit DNS, NTP, and other servers on the Internet to send large numbers of packets to an attack target and overwhelm its network bandwidth, showed that the scale of large‐scale carpet‐bombing DRDoS attacks seen in the previous year had shrunk, returning to 2020 levels. However, the percentage of attacks lasting more than one hour increased from approximately 2.9% to approximately 16%, indicating longer durations. The types of services exploited in attacks also increased from 38 in the previous year to 151.

NICT has established a large‐scale network for observing cyberattacks (darknet observation network) as part of the NICTER project and has been observing cyberattack‐related communications since 2005. The network observes packets that reach unused IP address space (the darknet) to identify trends in unauthorized activities on the Internet.

In addition, on April 1, 2021, NICT established CYNEX, a new organization that aims to act as a node for industry, academia, and government in the field of cybersecurity. CYNEX comprises four subprojects: Co‐Nexus A, S, E, and C. The S subproject is responsible for disseminating cybersecurity‐related information. The report for 2022 was published and disseminated based on the results of observations and analyses by CYNEX in the NICTER project.

This article has been translated by JST with permission from The Science News Ltd. (https://sci-news.co.jp/). Unauthorized reproduction of the article and photographs is prohibited.
