Hong Kong Security Watch Report (Q1 2018)
HKCERT is pleased to bring to you the "Hong Kong Security Watch Report" for the first quarter of 2018.
Nowadays, a lot of “invisible” compromised computers are controlled by attackers with the owner being unaware. The data on these computers may be mined and exposed every day and the computers may be utilized in different kinds of abuse and criminal activities.
The Hong Kong Security Watch Report aims to provide the public a better "visibility" of the situation of the compromised computers in Hong Kong so that they can make better decision in protecting their information security.
The report provides data about the activities of compromised computers in Hong Kong which suffer from, or participate in various forms of cyber attacks, including web defacement, phishing, malware hosting, botnet command and control centres (C&C) and bots. Computers in Hong Kong is defined as those whose network geolocation is Hong Kong, or the top level domain of their host name is “.hk” or “.香港”.
Highlight of Report
This report is for Quarter 1 of 2018.
In 2018 Q1, there were 7,855 unique security events related to Hong Kong used for analysis in this report. The information is collected with IFAS1 from 19 sources of information2. They are not from the incident reports received by HKCERT.
Figure 1 –Trend of security events
The total number of security events in 2018 Q1 increased by 1.5% or 120 events compared to the previous quarter. The decreases in Malware hosting and Defacement events were compensated by the increase of Botnet events. Even though the number of events was increased slightly, the trend of security events is stable in the last half year.
Server related security events include malware hosting, phishing and defacement. Their trends and distributions are summarized below:
Figure 2 –Trend and distribution of server related security events
The number of server related security events decreased from 3,043 to 2,107 (decreased by 31%) in this quarter. Though the overall count decreased, the number of Phishing was actually increased by 41%. If comparing with all quarters in 2017, the number of events is in decreasing trend, with the number of defacement events drops significantly during the year.
The URL/IP ratio of malware hosting events dropped from a very high value of 16 in the last quarter to 14 in this quarter, with the number of unique URL dropped sharply from 1,270 to 649, or by 49%, and the number of unique IP continued to decrease from 77 to 47, or by 39%. When comparing this quarter with all quarters in 2017, it can be seen that the number of unique IP decreased from 369 in 2017 Q1 to 97 in 2017 Q2, and then continued to decrease to 77 in 2017 Q4 and 47 in 2018 Q1 respectively. That means fewer servers are used for malware hosting.
HKCERT urges system and application administrators to protect the servers.
Botnet related security events can be classified into two categories:
- Botnet Command and Control Centres (C&C) security events – involving small number of powerful computers, mostly servers, which give commands to bots
- Bots security events – involving large number of computers, mostly home computers, which receive commands from C&C.
The trend of botnet C&C security events is summarized below:
Figure 3 –Trend of Botnet (C&Cs) related security events
The number of botnet Command and Control Servers remained unchange in 2 in this quarter. Both of them were identified as an IRC bot C&C server.
The trend of botnet (bots) security events is summarized below:
Figure 4 - Trend of Botnet (Bots) security events
The number of Botnet (bots) in Hong Kong network increased by 23% in 2018 Q1. Mirai contributed to the increase of total count of Botnets by 275% and thus, this family takes the first place in the rank of Major Botnet Families in Hong Kong Networks. On the other hand, the count of WannaCry family is decreased by 25%, and thus, this family becomes the second in the rank. There is a note that Virut has increased by 6120%, with the number of unique IP address increased from 5 in 2017 Q4 to 311 in 2018 Q1.
Mirai botnet became active at the end of 2016. Global security organizations started to clean up in 2017 Q1. The number of events dropped sharply from 2,493 in Q1 to 746 in Q2 and steadily decreased in Q3 and Q4. That means Mirai botnet is on a decrease trend. But we note that since the end of 2017, there is an increase of Mirai events. We regularly saw reports on Mirai variants or recent attacks, but cannot confirm the increase is related to these variants and attacks. HKCERT will keep monitoring on the trend and continue the cleanup.
WannaCry ransomware outbreak occurred in May 2017. The WannaCry-bots are machines infected by WannaCry ransomware with the encryption mechanism not activated. HKCERT had handled 1,210 cases for WannaCry-bot in 2017 to try to clean up these machines infected by malware.
Virut botnet became active in 2006 and in 2013, its operations were disrupted by the Polish organization Naukowa i Akademicka Sie Komputerowa. According to security researcher3, its comeback was related to a recent campaign delivering 'Avzhan DDoS bot'. The researcher found that the server used for attack was infected with Virut, which was therefore attached on Avzhan and infected the targets. (P.17 of the report)
HKCERT urges users to protect computers so as not to become part of the botnets.
HKCERT has been following up the security events received and proactively engaged local ISPs for the botnet clean up since June 2013. Currently, botnet cleanup operations against major botnet family - WannaCry, Avalanche, XCode Ghost, Pushdo, Citadel, Mumblehard, Ramnit, ZeroAccess and GameOver Zeus are still in action.
HKCERT urges general users to join the cleanup acts. Ensure your computers are not being infected and controlled by malicious software.
Protect yourself and keep the cyberspace clean.
Users can use the HKCERT guideline to detect and clean up botnets
< Please click to download Hong Kong Security Watch Report >