HKCERT is pleased to bring to you the "Hong Kong Security Watch Report" for the second quarter of 2018.

Nowadays, a lot of “invisible” compromised computers are controlled by attackers with the owner being unaware. The data on these computers may be mined and exposed every day and the computers may be utilized in different kinds of abuse and criminal activities.

The Hong Kong Security Watch Report aims to provide the public a better "visibility" of the situation of the compromised computers in Hong Kong so that they can make better decision in protecting their information security.

The report provides data about the activities of compromised computers in Hong Kong which suffer from, or participate in various forms of cyber attacks, including web defacement, phishing, malware hosting, botnet command and control centres (C&C) and bots. Computers in Hong Kong is defined as those whose network geolocation is Hong Kong, or the top level domain of their host name is “.hk” or “.香港”. 

Highlight of Report

This report is for Quarter 2 of 2018.

In 2018 Q2, there were 47,134 unique security events related to Hong Kong used for analysis in this report. The information is collected with IFAS¹ from 13 sources of information². They are not from the incident reports received by HKCERT.

Figure 1 –Trend of security events

The total number of security events in 2018 Q2 jumped up by 500% or 39,279 events compared to the previous quarter. The increase was mostly contributed by the jump up of phishing events by 5,324%, then by malware hosting events by 572%. In 2017 Q2, we had 9,042 events. It decreased steadily in Q3 and Q4, with slightly increased in 2018 Q1.

Server related security events

Server related security events include malware hosting, phishing and defacement. Their trends and distributions are summarized below:

 Figure 2 –Trend and distribution of server related security events

The number of phishing events got drastic surge from 634 in Q1 to 34,391 in Q2, or 5,324% increase. Among these events, each of them involved a unique phishing URL. Counting the mostly seen domain in the events, the top 2 domains are ruiyuauto.com.cn (3,072 unique URLs) and hitsem.com (9,641 unique URLs). After examining the data in April, May and June, the data contained exceptional increase in May especially on domains hitsem.com and ruiyuauto.com.cn, and IP address 27.111.199.166, and dropped significantly in June. High volume of phishing events involving the domain hitsem.com were already reported in Q4 2015 and Q2 2016 HKSWR. For ruiyuauto.com.cn, the domain is used by a Chinese motorcycle parts company to publish their website, and it was already categorized as known infection source and phishing and other frauds in VirusTotal report.

The number of malware events also got huge increase from 649 in Q1 to 4,359 in Q2 or 572% increase. Among these events, each of them involved a unique malware URL. The top 2 IPs are 183.91.33.52 and 183.91.33.51. The both IPs were registered under AS4134 (China Telecom Backbone).

The huge increases of number of phishing and malware hosting events caused URL/IP ratio of both events to increase to very high values. For phishing events, the URL/IP ratio doubled from 7 to 14. Apart from the increase of the number of unique URLs for phishing events, the number of unique phishing IP increased from 92 to 2,242, or by 2,337%. It can be seen that more numbers of servers were breached/abused for phishing activities in 2018 Q2.

For malware hosting events, the URL/IP ratio rose up from 14 to 36. The cause of this is because the number of unique malware hosting IP increased from 47 to 121, or by 157%, but the increase was not comparable with that of the number of unique URLs. It can be seen that the small number of breached/abused servers contributed large number of URL for malware hosting.

Botnet related security events

Botnet related security events can be classified into two categories:

• Botnet Command and Control Centres (C&C) security events – involving small number of powerful computers, mostly servers, which give commands to bots
• Bots security events – involving large number of computers, mostly home computers, which receive commands from C&C.

Botnet Command and Control Servers

The trend of botnet C&C security events is summarized below:

 Figure 3 –Trend of Botnet (C&Cs) related security events

The number of botnet Command and Control Servers was increased to 3 in this quarter. All of them were identified as an IRC bot C&C server.

Botnet Bots

The trend of botnet (bots) security events is summarized below:

 Figure 4 - Trend of Botnet (Bots) security events

The number of Botnet (bots) in Hong Kong network increased by 27% in 2018 Q2. Mirai contributed to the increase of total count of Botnets by 46%, and keeps the first place in the rank of Major Botnet Families in Hong Kong Networks. There is a note that Ramnit has increased by 374%, with the number of unique IP address increased from 19 in 2018 Q1 to 90 in 2018 Q2.

Mirai botnet became active at the end of 2016. Global security organizations started to clean up in 2017 Q1. The number of events dropped sharply from 2,493 in Q1 to 746 in Q2 and steadily decreased in Q3 and Q4. That means Mirai botnet is on a decrease trend. But we note that since the end of 2017, there is an increase of Mirai events. We regularly saw reports on Mirai variants or recent attacks, but cannot confirm the increase is related to these variants and attacks. HKCERT will keep monitoring on the trend and continue the cleanup.

In May 2018, Security research group Talos has released a report on a potentially destructive malware called VPNFilter, which has infected at least 500,000 home routers and network-attached storage (NAS) devices in at least 54 countries. HKCERT has obtained the first batch of infected IP addresses and then notified the related network operators. In early June, further information showed that the devices infected by VPNFilter were far more than the initial report. Since then Shadowserver has provided VPNFilter infection data. In Q2 2018, VPNFilter has recorded 100 events or 1.4% of total botnet events.

HKCERT will set up regular operations on notifying network operators of the VPNFilter infected IP addresses together with other botnet cleanup activities.

HKCERT has been following up the security events received and proactively engaged local ISPs for the botnet clean up since June 2013. Currently, botnet cleanup operations against major botnet family - WannaCry, Avalanche, XCode Ghost, Pushdo, Citadel, Mumblehard, Ramnit, ZeroAccess and GameOver Zeus are still in action.

HKCERT urges general users to join the cleanup acts. Ensure your computers are not being infected and controlled by malicious software.

Protect yourself and keep the cyberspace clean.

Download Report

< Please click to download Hong Kong Security Watch Report >

¹ IFAS  Information Feed Analysis System is a HKCERT developed system that collects global security intelligence relating to Hong Kong for analysis.

2 Refer to Appendix 1 for the Sources of Information