NTT Com sincerely apologizes to all concerned for any inconvenience or concern caused by the possible information leak.
NTT Com announced on
1. Unauthorized access to construction information management server of BHE/ECL
Based on a log showing unauthorized access to construction information management server ('Server C' in diagram) used for BHE and ECL Option Services, the company conducted a forensic investigation3 of its Active Directory4 operation server ('Server A' in diagram), operation server for BHE/ECL service management ('Server B' in diagram) and Server C used for BHE/ECL service management. As a result, it was determined on
All of the affected clients outside of
There has been no effect on service availability or the quality of cloud services, including services provided outside of
2. Unauthorized access to internal file servers
Regarding NTT Com's investigation into unauthorized remote operation of the company's internal servers, as announced on
It was newly discovered on
Although extra time was required to identify which information the attackers may have browsed because a legitimate account and password were possibly stolen, the forensic investigation and analysis of the access history of internal file servers has now revealed that 188 clients may have been affected. NTT Com is in the process of contacting all of these clients. No clients outside of
Diagram of the event
3. Future measures
NTT Com is introducing measures to quickly recover any server in the event of a spoofing attack, which required extra time to assess in the recent case. These include the deployment of User and Entity Behavior Analytics (UEBA),7 which speeds up detection by visualizing the behavior of an attacker who uses a legitimate account and password after breaching the server. Also, NTT Com is working to prevent any recurrence by introducing Endpoint Detection and Response8 technology to strengthen endpoint security and by accelerating security measures based on a
In addition to reviewing the structure of information management in internal file servers, service quality is being further improved by strengthening the role of the Red Team10 in verifying security-measure effectiveness, and by continuously implementing Threat-Led Penetration Testing (TLPT)11 for internal IT and operational technologies.12
Hereafter, any additional relevant information will be disclosed as required, excluding information on individual clients to protect their confidentiality.
Background
Summary of press release issued in Japanese on
NTT Com's department in charge of internal systems detected unauthorized remote operation of the company's Active Directory (AD) server in a log on
After analyzing the access logs of the internal servers, it was discovered on
As a result of investigating the attackers' route, it was found that the intrusion reached Server B in
In summary, it has been determined that service-related construction information pertaining to 621 clients may have been leaked from the construction information management server (Server C) in the service management segment in
1 Biz Hosting Enterprise is a cloud service for enterprise ICT infrastructure. With the exception of certain optional services, it was terminated in
2 ECL Option Services include managed option, colocation interconnectivity, and provisioning support.
3 Forensic investigation (digital forensics) is a technology and method for investigating electronic trails, such as access logs left in personal computers, communication devices and other electronic devices, related to cyberattacks and similar crimes. It is also used to preserve evidence and analyze possible damage.
4 Active Directory is a feature that Windows Server provides to manage Windows PC features and user information.
5 Virtual Desktop Infrastructure (VDI) is a mechanism that virtualizes the desktop environment, aggregates the PC desktop environment on the server, and runs it on the server.
6 Bring Your Own Device (BYOD) is a policy for using employees' private devices for business.
7 User and Entity Behavior Analytics (UEBA) is a technology that analyzes user behavior for early-stage detection of risks.
8 Endpoint Detection and Response (EDR) is a technology that monitors and responds to suspicious behavior on a PC or server (endpoint).
10 Red Team is an independent team within a company that executes pseudo attacks to evaluate and propose security measures.
11 Threat-Led Penetration Testing (TLPT) consists of pseudo attacks based on fixed scenarios for evaluating the status of security measures.
12 Operational technologies include control and/or monitoring of industrial equipment that is used to optimize systems for essential infrastructure, such as electrical power grids.
(C) 2020 Electronic News Publishing, source