1. Overview
JPCERT/CC has placed multiple monitoring sensors across the Internet to monitor packets that are transmitted exhaustively to certain IP address ranges. It can be assumed that these packets are intended to scan for certain devices or service functions. JPCERT/CC continuously gathers the packets observed by the sensors and categorizes them by destination port number, source region, etc. This information is then analyzed together with information about vulnerabilities, malware and attack tools to obtain information on attack activities or preparatory activities. If the analysis of the sensor data reveals a problem that is being targeted by an attack or used to carry out one, JPCERT/CC provides information to the parties who may be able to solve it and asks them to take appropriate steps. This report provides an overview of the results of monitoring activities by JPCERT/CC's Internet threat monitoring system (TSUBAME) during this quarter and their analysis. The top 5 services scanned in Japan during this quarter are shown in [Table 1].
| Rank | Destination Port Numbers | Previous Quarter |
|---|---|---|
| 1 | Telnet (23/TCP) | 1 |
| 2 | http (80/TCP) | 3 |
| 3 | https (443/TCP) | 5 |
| 4 | 8728/TCP | 2 |
| 5 | ssh (22/TCP) | 4 |
*For details on the services provided on each port number, please refer to the documentation provided by IANA (1). The service names listed are based on the information provided by IANA, but this does not always mean that the packets received are in a format relevant to that service / protocol.
The numbers of scan packets observed for the services listed in [Table 1] are shown in [Figure 1].
The service most frequently scanned this quarter was Telnet (23/TCP). The second and third places were http (80/TCP) and https (443/TCP), which are mainly used by websites. 8728/TCP fell to fourth place, and the fifth place was ssh (22/TCP). Next, the top 5 source regions from which scanning activities targeting Japan were seen most frequently during this quarter are shown in [Table 2].
| Rank | Source Regions | Previous Quarter |
|---|---|---|
| 1 | USA | 1 |
| 2 | Bulgaria | 2 |
| 3 | China | 3 |
| 4 | Netherlands | 5 |
| 5 | Canada | 9 |
The trend of the source regions for this quarter listed in [Table 2] is shown in [Figure 2]. The top three regions were the same as in the previous quarter; the Netherlands rose from fifth to fourth place, and Canada jumped from ninth to fifth place. TSUBAME uses Regional Internet Registry (RIR) allocation data to determine the region of each IP address.
2. Observation of packets sent from malware-infected devices
JPCERT/CC believes that most of the packets observed by TSUBAME are scan packets sent from devices infected with malware such as Mirai. Among the packets targeting Telnet (23/TCP), JPCERT/CC investigated those sent from IP addresses in Japan for the presence of Mirai characteristics (Figure 3). There are packets with the characteristics of Mirai and packets without them, and in early June the packets without Mirai characteristics temporarily increased. This is presumably because different hacker groups use different malware. The type of device used can be identified by tracing the source. This chapter discusses the types of device that were found to be used.
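As an added illustration (not part of the JPCERT/CC report and not TSUBAME's own code), the following Python aggregates constructed sample SYN records by destination port and source region, as Tables 1 and 2 do, and applies one well-known Mirai scanner characteristic: the original Mirai scanner writes the destination IPv4 address into the TCP initial sequence number. The record field names, the sample values and the region labels are assumptions.

```python
from collections import Counter
from ipaddress import IPv4Address

# Constructed sample records (not TSUBAME data): one record per inbound TCP SYN.
# "seq" is the TCP initial sequence number; "region" is assumed to have been
# resolved from RIR allocation data, as the report describes.
SAMPLE_PACKETS = [
    {"src": "198.51.100.7", "dst": "203.0.113.10", "dport": 23,   "seq": 0xCB00710A, "region": "US"},
    {"src": "198.51.100.8", "dst": "203.0.113.10", "dport": 23,   "seq": 0x1A2B3C4D, "region": "US"},
    {"src": "192.0.2.5",    "dst": "203.0.113.11", "dport": 23,   "seq": 0xCB00710B, "region": "BG"},
    {"src": "192.0.2.9",    "dst": "203.0.113.10", "dport": 80,   "seq": 0x11111111, "region": "CN"},
    {"src": "198.51.100.7", "dst": "203.0.113.12", "dport": 443,  "seq": 0x22222222, "region": "US"},
    {"src": "192.0.2.20",   "dst": "203.0.113.10", "dport": 8728, "seq": 0x33333333, "region": "NL"},
    {"src": "192.0.2.5",    "dst": "203.0.113.10", "dport": 80,   "seq": 0x44444444, "region": "BG"},
    {"src": "192.0.2.40",   "dst": "203.0.113.10", "dport": 22,   "seq": 0x55555555, "region": "CA"},
]

def has_mirai_fingerprint(pkt):
    """Mirai's original scanner sets the SYN's initial sequence number to the
    destination IPv4 address (as a 32-bit integer). Many derivatives keep this
    quirk, but not all, so it is one characteristic, not a definitive verdict."""
    return pkt["seq"] == int(IPv4Address(pkt["dst"]))

def top_ports(packets, n=5):
    """Rank destination ports by packet count, as in Table 1."""
    return Counter(p["dport"] for p in packets).most_common(n)

def top_regions(packets, n=5):
    """Rank source regions by packet count, as in Table 2."""
    return Counter(p["region"] for p in packets).most_common(n)

def rank_table(ranking, previous_ranks):
    """Attach last quarter's rank (None if newly listed) to each ranked key."""
    return [(i, key, count, previous_ranks.get(key))
            for i, (key, count) in enumerate(ranking, start=1)]

def classify_telnet(packets):
    """Split Telnet (23/TCP) scan packets into those with and without the
    Mirai sequence-number characteristic (the comparison shown in Figure 3)."""
    telnet = [p for p in packets if p["dport"] == 23]
    mirai = sum(1 for p in telnet if has_mirai_fingerprint(p))
    return {"mirai": mirai, "other": len(telnet) - mirai}

if __name__ == "__main__":
    prev_ports = {23: 1, 8728: 2, 80: 3, 22: 4, 443: 5}  # previous-quarter ranks from Table 1
    for row in rank_table(top_ports(SAMPLE_PACKETS), prev_ports):
        print(row)
    print(classify_telnet(SAMPLE_PACKETS))
```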
DVR/NVR
Based on evidence such as WebUI and HTML source code, it is assumed that many of the devices are overseas products made in China, South Korea, and elsewhere (Figures 4–6). These devices have reported vulnerabilities, which are apparently exploited to spread Mirai and other malware infections.
Many of these digital video recorders (DVRs) and network video recorders (NVRs) are presumably installed as part of a security surveillance system. To protect the device itself, the organization installing and operating it, and any related parties from attackers, business operators that install such systems must take appropriate protective measures: install a router and firewall between the Internet and the system, and set up a VPN when making a device remotely accessible.
NAS
Based on evidence such as WebUI and HTML source code, it is assumed that many of the devices are NAS products made by Taiwanese vendors for SOHO applications (Figure 7). JPCERT/CC has also confirmed the existence of a server incorporating open source NAS software (Figure 8). These devices have reported vulnerabilities, which are apparently exploited to spread Mirai and other malware infections.
It is assumed that these products were installed behind routers or other network devices and yet made publicly accessible on the Internet via UPnP or other means. When installing NAS devices, it is important to carefully consider whether they need to be accessed from outside the organization or home, and if there is no such need, to avoid making any unnecessary settings that entail risk. Some of the NAS devices investigated appeared to be infected with ransomware.
In addition to the above devices, JPCERT/CC also found products that appeared to be routers and solar power generation monitors offered by vendors in Japan and abroad, based on WebUI and HTML source code and other evidence. Many of these products were already past the end of support. They have reported vulnerabilities, which are apparently exploited to spread Mirai and other malware infections.
Internet-connected devices are not just accessible to users but subject to access attempts by attackers as well. Be sure to take necessary precautions when using these devices, such as keeping the firmware up-to-date, using proper authentication methods, setting strong passwords, and disabling unnecessary services.
3. Request from JPCERT/CC
JPCERT/CC may contact users of IP addresses sending suspicious packets and ask them to take certain action via Internet service providers. If you ever receive such requests, we hope you understand the purpose of our investigation activities and, if possible, provide information such as products used, firmware versions, and any evidence of intrusion. There are a number of unknown scanning activities, including those discussed in this report. Your information may offer valuable insights leading to clarification.
4. References
1. Service Name and Transport Protocol Port Number Registry, https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
