MINO INDUSTRY CO., LTD.
Our company experienced a cybersecurity incident involving unauthorized external access, which resulted in the encryption of certain servers and personal computers.
Following the occurrence of this security incident, we worked in close cooperation with specialized cybersecurity vendors to conduct investigations, system restoration, and continuous monitoring. As a result, we have confirmed the complete eradication of all malware that had infiltrated our internal systems, identified the intrusion route and attack methods, and verified that there is no possibility of new unauthorized access or reinfection. In addition, a 24-hour monitoring framework has been established.
Based on these findings, we hereby declare that our IT environment is currently secure.
We hereby report the details of the situation and the actions taken.
1. Current Status
Emergency restoration of our core systems has been completed. All operations are functioning normally, and there has been no impact on production activities, shipments, or transactions with financial institutions.
This declaration of safety is based on the following facts:
- The intrusion route has been identified and closed.
- Internal systems were monitored continuously for approximately one month, during which no suspicious behavior was detected. In addition, security scans were conducted across the environment and found no malicious artifacts. On this basis, we determined that the malware had been eradicated from our environment.
- Passwords for all user accounts, including the compromised administrator account, have been changed.
2. Overview of the Incident
Between October 1 and October 4, 2025, our company was attacked by a ransomware group known as "SafePay." As a result, major business servers, including domain controllers (Active Directory) and virtualization platforms (ESXi), as well as certain client PCs, were encrypted. In addition, data was exfiltrated from major file servers.
3. Intrusion Route
The attackers gained access through our FortiGate SSL-VPN using the credentials of a legitimate VPN account. At the time of the incident, the FortiGate firmware was up to date, and no known vulnerability was exploited.
We confirmed that the intrusion was carried out through the misuse of a legitimate VPN account that had been created on April 10, 2025, for temporary use.
Because this account was created for temporary purposes, it was configured with extremely weak credentials (e.g., ID: temp / Password: password1msys1). Furthermore, the account was not deleted after its intended use had ended.
Although the exact method by which the credentials were compromised could not be identified, it is presumed that they were breached through a password-based attack.
On May 4, 2025, a successful login to this VPN account from an external IP address was confirmed. Thereafter, repeated access attempts and logins from external IP addresses were recorded; during these accesses, only a login followed by an immediate logout occurred.
On October 1, 2025, intrusion and malicious activities originating from an external IP address began (see the fourth report).
It remains unclear whether the attacker who conducted periodic access attempts from May and the attacker who carried out the intrusion in October were the same, as the IP addresses and access regions differed.
<Issues Identified>
- Weak password strength for temporarily created accounts
- Failure to delete temporary accounts after use
- No authentication mechanism restricting use to legitimate users (e.g., multi-factor or biometric authentication)
- No account lockout mechanism to block, and flag, repeated failed login attempts
- No behavior-based anomaly detection
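The patterns described above (a temporary account still usable after its intended use, a burst of failed logins with no lockout, and repeated logins followed by an immediate logout from changing source addresses) are all visible in ordinary VPN authentication logs. The following is an added example, not the company's tooling and not FortiGate's real log format: the log lines are constructed in a simplified key=value form with TEST-NET addresses, the account expiry date is an assumption (the report gives only the creation date, April 10, 2025), and the lockout and session thresholds are illustrative. Dates follow the timeline in the report.

```python
"""Triage of SSL-VPN authentication logs for stale-account, brute-force and short-session patterns."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy parameters (the report gives no actual thresholds).
TEMP_ACCOUNT_EXPIRY = {"temp": datetime(2025, 4, 30)}   # hypothetical end of intended use
LOCKOUT_THRESHOLD = 5                                    # failed logins ...
LOCKOUT_WINDOW = timedelta(minutes=15)                   # ... within this window
SHORT_SESSION = timedelta(seconds=60)                    # "login and immediate logout"
MULTI_SOURCE_MIN = 3                                     # distinct source IPs per account

# Constructed sample log (TEST-NET addresses, not real data); dates follow the report's timeline.
SAMPLE_LOG = """\
2025-04-20T09:02:11 user=temp srcip=10.20.0.15 action=login status=success
2025-04-20T17:31:40 user=temp srcip=10.20.0.15 action=logout status=success
2025-05-03T23:40:01 user=temp srcip=198.51.100.9 action=login status=failed
2025-05-03T23:40:14 user=temp srcip=198.51.100.9 action=login status=failed
2025-05-03T23:40:29 user=temp srcip=198.51.100.9 action=login status=failed
2025-05-03T23:40:45 user=temp srcip=198.51.100.9 action=login status=failed
2025-05-03T23:41:02 user=temp srcip=198.51.100.9 action=login status=failed
2025-05-04T02:11:09 user=temp srcip=198.51.100.9 action=login status=success
2025-05-04T02:11:21 user=temp srcip=198.51.100.9 action=logout status=success
2025-06-15T01:07:33 user=temp srcip=203.0.113.77 action=login status=success
2025-06-15T01:07:40 user=temp srcip=203.0.113.77 action=logout status=success
2025-10-01T03:12:05 user=temp srcip=192.0.2.44 action=login status=success
2025-10-01T08:30:00 user=suzuki srcip=10.20.0.31 action=login status=success
2025-10-01T11:58:50 user=temp srcip=192.0.2.44 action=logout status=success
2025-10-01T17:45:12 user=suzuki srcip=10.20.0.31 action=logout status=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) srcip=(?P<ip>\S+) action=(?P<action>\S+) status=(?P<status>\S+)$"
)


def parse_events(log_text):
    """Parse the constructed format into dicts sorted by timestamp; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def triage(log_text):
    """Return the findings a lockout policy and simple behavioural rules would have produced."""
    findings = {
        "lockout_triggered": [],        # (user, srcip, time the threshold was reached)
        "expired_account_logins": [],   # successful logins after the account should have been removed
        "short_sessions": [],           # (user, srcip, seconds): login followed by immediate logout
        "multi_source_accounts": [],    # accounts seen from unusually many source IPs
    }
    failures = defaultdict(list)   # user -> recent failed-login timestamps
    open_sessions = {}             # (user, srcip) -> login timestamp
    sources = defaultdict(set)     # user -> distinct source IPs with successful logins

    for e in parse_events(log_text):
        user, ip, ts = e["user"], e["ip"], e["ts"]
        if e["action"] == "login" and e["status"] == "failed":
            failures[user] = [t for t in failures[user] if ts - t <= LOCKOUT_WINDOW] + [ts]
            if len(failures[user]) >= LOCKOUT_THRESHOLD:
                findings["lockout_triggered"].append((user, ip, ts.isoformat()))
                failures[user] = []          # a real lockout resets the counter
        elif e["action"] == "login" and e["status"] == "success":
            expiry = TEMP_ACCOUNT_EXPIRY.get(user)
            if expiry is not None and ts > expiry:
                findings["expired_account_logins"].append((user, ip, ts.isoformat()))
            sources[user].add(ip)
            open_sessions[(user, ip)] = ts
        elif e["action"] == "logout":
            start = open_sessions.pop((user, ip), None)
            if start is not None and ts - start <= SHORT_SESSION:
                findings["short_sessions"].append((user, ip, int((ts - start).total_seconds())))

    findings["multi_source_accounts"] = sorted(
        u for u, ips in sources.items() if len(ips) >= MULTI_SOURCE_MIN
    )
    return findings


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_LOG).items():
        print(f"{rule}: {hits}")
```

On the sample, the five failures on the night of May 3 would have tripped a five-attempt lockout before the successful login on May 4; every later login to the account occurs after its assumed expiry; the two sessions of 12 and 7 seconds match the "login and immediate logout" behaviour; and the account is seen from four different source addresses. The lockout itself must be enforced on the VPN appliance or the identity provider; a script like this only shows what the policy would have caught and is useful for retrospective review.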
4. Compromise of Administrator Privileges
After gaining access via VPN, the attackers obtained administrative privileges in our Windows server environment (Active Directory). The administrator account also had a weak password and was compromised within a short time (e.g., ID: admin-yamada / Password: pw1mino01).
Although the account had been renamed, it was still the built-in Administrator account and therefore retained the well-known relative identifier 500 (SID: S-1-5-21-<domain>-500). Renaming does not change the SID, so the attackers could identify it as the built-in administrator account regardless of its name.
With administrator privileges, the attackers conducted reconnaissance within the internal network. Because the network was not sufficiently segmented, lateral movement was easy, leading to the exfiltration of data stored on file servers.
A sample of the ransomware was partially recovered and analyzed in detail. The analysis revealed that the ransomware was designed to encrypt efficiently while avoiding unnecessary self-replication and leaving as little evidence as possible. It also deleted itself after execution to conceal its traces.
<Issues Identified>
- The administrator account was the built-in account with the well-known SID (S-1-5-21-<domain>-500), identifiable despite being renamed
- Weak password strength for administrator accounts
- No authentication mechanism restricting use to legitimate users (e.g., multi-factor or biometric authentication)
- No account lockout mechanism to block, and flag, repeated failed login attempts
- Lack of network segmentation
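Renaming the built-in Administrator account does not hide it, because the account keeps relative identifier (RID) 500 in its SID; an attacker who can read the directory simply looks for the SID ending in -500, and a defender checking their own domain should do the same rather than trust names. The following is an added example, not the company's tooling: the account list and domain SIDs are constructed, and the decoy account named "Administrator" is included to show why matching on the name is the wrong check.

```python
"""Identify the built-in Administrator account by RID 500, regardless of its name."""
import re

# S-<revision>-<identifier authority>-<subauthority>...-<RID>
SID_RE = re.compile(r"^S-(?P<rev>\d+)-(?P<auth>\d+)(?P<subs>(?:-\d+)+)$")


def parse_sid(sid):
    """Split a textual SID into (revision, authority, [subauthorities...])."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    subs = [int(x) for x in m.group("subs").split("-")[1:]]
    return int(m.group("rev")), int(m.group("auth")), subs


def rid(sid):
    """The relative identifier is the last subauthority."""
    return parse_sid(sid)[2][-1]


def is_domain_account_sid(sid):
    """NT authority (5), subauthority 21, three 32-bit domain ids, then the RID."""
    rev, auth, subs = parse_sid(sid)
    return rev == 1 and auth == 5 and len(subs) == 5 and subs[0] == 21


def is_builtin_administrator(sid):
    return is_domain_account_sid(sid) and rid(sid) == 500


def find_builtin_admin(accounts):
    """Return the sAMAccountName(s) whose SID marks them as the built-in Administrator."""
    return [a["sam"] for a in accounts if is_builtin_administrator(a["sid"])]


# Constructed account list with a made-up domain SID (not real data).
ACCOUNTS = [
    {"sam": "admin-yamada", "sid": "S-1-5-21-1004336348-1177238915-682003330-500"},   # renamed built-in Administrator
    {"sam": "Administrator", "sid": "S-1-5-21-1004336348-1177238915-682003330-1107"}, # decoy: well-known name, ordinary RID
    {"sam": "krbtgt", "sid": "S-1-5-21-1004336348-1177238915-682003330-502"},
    {"sam": "suzuki", "sid": "S-1-5-21-1004336348-1177238915-682003330-1205"},
]

if __name__ == "__main__":
    print("built-in Administrator:", find_builtin_admin(ACCOUNTS))
```

Against a live domain the equivalent query is to list users with Get-ADUser and filter on the SID's trailing -500 rather than on the name. The practical mitigation is the one listed in the recurrence measures: a role-separated set of administrative accounts, with the RID-500 account kept disabled or reserved for recovery and its use alerted on.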
5. Information Leakage
On October 28, we confirmed that approximately 60 GB of our company's data had been published on a leak site operated by the attackers on the dark web. In addition, logs from our internet gateway devices indicate that approximately 300 GB of data was transmitted externally between the night of October 2 and the early morning of October 4.
The published data has been reviewed and includes information related to business partners.
While no personal information managed by our company was found on the dark web site, the possibility of data leakage cannot be completely ruled out.
6. Response Measures
Upon confirmation of the attack, we immediately implemented the following measures:
- Disconnection of communication lines linking each site
- Suspension of all external VPN connections
- Inspection of all servers and endpoints, and isolation of devices suspected of infection or encryption
- Forensic investigations conducted by cybersecurity vendors (detailed analysis of intrusion routes and data exfiltration)
- Reporting to relevant authorities (including the police and the Personal Information Protection Commission) and major business partners
- Restoration of affected servers from intact backup systems, prioritizing those necessary for production activities
- Forced password changes for all employee accounts
7. Measures to Prevent Recurrence
In response to this incident, we will implement the following enhancement measures over approximately one year:
- Introduce multi-factor authentication and related mechanisms for VPN access. As VPN access is the highest-risk intrusion point, services will not be resumed prematurely and will be reinstated only after careful implementation of countermeasures.
- Rebuild the Windows security infrastructure (including Active Directory), which was compromised, incorporating enhanced authentication functions and alert mechanisms for unauthorized operations.
- Implement a password policy requiring complex passwords of at least 12 characters to reduce the risk of password-based attacks, and an account lockout mechanism that triggers after multiple unsuccessful login attempts.
- Redesign the internal network into multiple segments so that lateral movement after a compromise is not trivial.
- Implement EDR solutions to detect suspicious behavior and introduce 24-hour SOC monitoring services (already completed).
- Separate administrative accounts by role, scope, and privilege.
- Review and redesign file server architecture to avoid centralized storage of large volumes of data, and segregate sensitive information.
- Maintain offline backups in addition to standard backup storage.
- Upgrade legacy Windows systems to the latest supported operating systems and strengthen vulnerability management.
- Update the ransomware incident response manual.
- Expand employee security training by adding ransomware response drills in addition to existing phishing simulation training.
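A minimum length on its own would not have rejected both of the exposed passwords: "password1msys1" is 14 characters long and passes a 12-character rule, so the policy also needs a character-class requirement and a banned-token list covering the company name, system names and dictionary words. The following is an added example, not the company's policy configuration: the thresholds (12 characters, three of four character classes) and the banned tokens are assumptions modelled on the measure above, and the two weak passwords are the ones quoted in this report.

```python
"""Check candidate passwords against a 12-character, complexity and banned-token policy."""
import string

MIN_LENGTH = 12
MIN_CLASSES = 3
# Tokens an attacker guesses first: company and system names, dictionary words (assumed list).
BANNED_TOKENS = ("mino", "msys", "password", "admin", "temp")


def character_classes(pw):
    """Count how many of lower, upper, digit and punctuation classes appear."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def policy_violations(pw):
    """Return a list of human-readable reasons the password fails; empty means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"length {len(pw)} < {MIN_LENGTH}")
    classes = character_classes(pw)
    if classes < MIN_CLASSES:
        problems.append(f"only {classes} character classes")
    low = pw.lower()
    hits = [t for t in BANNED_TOKENS if t in low]
    if hits:
        problems.append("contains banned token(s): " + ", ".join(hits))
    return problems


def meets_policy(pw):
    return not policy_violations(pw)


if __name__ == "__main__":
    # The two credentials quoted in the report, plus a compliant example.
    for candidate in ("password1msys1", "pw1mino01", "Rk7$vq!Lm2#pZt9w"):
        print(candidate, "->", policy_violations(candidate) or "OK")
```

The VPN password fails only on complexity and banned tokens, not on length, which is the point: length, composition and a blocklist have to be enforced together, and for the VPN and administrator accounts they are a floor beneath multi-factor authentication, not a substitute for it.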
【Message to Customers, Business Partners, and Stakeholders】
We sincerely apologize for the concern and inconvenience this incident has caused.
We take this matter extremely seriously and remain fully committed to preventing recurrence and continuously strengthening our cybersecurity measures.