HKCERT is pleased to bring to you the "Hong Kong Security Watch Report" for the first quarter of 2019.

Nowadays, a lot of “invisible” compromised computers are controlled by attackers with the owner being unaware. The data on these computers may be mined and exposed every day and the computers may be utilized in different kinds of abuse and criminal activities.

The Hong Kong Security Watch Report aims to provide the public a better "visibility" of the situation of the compromised computers in Hong Kong so that they can make better decision in protecting their information security.

The report provides data about the activities of compromised computers in Hong Kong which suffer from, or participate in various forms of cyber attacks, including web defacement, phishing, malware hosting, botnet command and control centres (C&C) and bots. Computers in Hong Kong is defined as those whose network geolocation is Hong Kong, or the top level domain of their host name is “.hk” or “.香港”. 

Highlight of Report

This report is for Quarter 1 of 2019.

In 2019 Q1, there were 80,266 unique security events related to Hong Kong used for analysis in this report. The information is collected with IFAS¹ from 13 sources of information². They are not from the incident reports received by HKCERT.

Figure 1 –Trend of security events

The total number of security events in 2019 Q1 sharply increased by 389%, or 63,852 events compared to the previous quarter. While the number of defacement and phishing events showed a downward trend, the number of malware hosting events made a dramatic increase by nearly eight folds over 2018 Q4, which reached the peak of recent years. (See Figure 2)

Server related security events

Server related security events include malware hosting, phishing and defacement. Their trends and distributions are summarized below:

 Figure 2 –Trend and distribution of server related security events

The number of malware hosting events, each involving a unique malware hosting URL, wildly surge from 8,152 in 2018 Q4 to 72,201 in 2019 Q1, or 786% increase. Although the URL/IP ratio halved to 20, the top two IPs 43.240.13.41 and 45.124.72.40 accounted for 5,366 and 4,586 events respectively. Meanwhile, the number of unique malware hosting IP significantly climbed up from 154 to 3,643.

Based on the log records, there was an intermittent Ramnit campaign started from Mar 2019. The number of events reached a peak of 11,464 on 6 Mar 2019. Part of infected IPs (within same IP block) registered large numbers of similar domain names. It can be seen that those IPs were infected in same network and contributed to massive events. Another phenomenon we noticed that there are 138 IPs involved over 100 unique malware hosting URLs, totally accounted for 53,801, or 75% events. As Ramnit can generate pseudo-random link to host malware, large number of malware hosting URLs were produced. Despite the infected IPs were located in Hong Kong, the major of malware hosting websites came from China. Part of them contained illegal gambling content. The malware campaign did not mainly target Hong Kong. HKCERT has notified the affected operators to clean up their malware hosting links and to find out if there were security vulnerabilities in their servers.

On the other hand, the number of phishing events, each involving a unique phishing URL, slightly dropped from 365 in 2018 Q4 to 289 in 2019 Q1, or a 21% decrease; the involved phishing IP also decreased to 72. At the same time, the number of defacement events also gradually declined to 318 and the URL/IP ratio of defacement remained to 2. In 2019 Q1, both phishing and defacement event amounts are lower than the previous quarters.

Botnet related security events

Botnet related security events can be classified into two categories:

• Botnet Command and Control Centres (C&C) security events – involving small number of powerful computers, mostly servers, which give commands to bots
• Bots security events – involving large number of computers, mostly home computers, which receive commands from C&C.

Botnet Command and Control Servers

The trend of botnet C&C security events is summarized below:

 Figure 3 –Trend of Botnet (C&Cs) related security events

There was no Command and Control Server event in this quarter.

Botnet Bots

The trend of botnet (bots) security events is summarized below:

 Figure 4 - Trend of Botnet (Bots) security events

The number of Botnet (bots) in Hong Kong network only slightly increased by 2% in 2019 Q1. The top five major botnet remained constant, Mirai is still top botnet and accounted for 4,521, or 61% of total events; the second and third botnet family are WannaCry and Conficker, with the number of unique IP address 989 and 565 respectively.

Compared with the last quarter, Gamarue got a significant increase from 1 to 112 unique IP addresses. There are various infection methods of Gamarue, it can spread via USB, email, exploit kit, software installations, etc. HKCERT urges the public to raise their security awareness for protecting their servers and devices.

HKCERT has been following up the security events received and proactively engaged local ISPs for the botnet clean up since June 2013. Currently, botnet cleanup operations against major botnet family - WannaCry, Avalanche, XCode Ghost, Pushdo, Citadel, Mumblehard, Ramnit, ZeroAccess and GameOver Zeus are still in action.

HKCERT urges general users to join the cleanup acts. Ensure your computers are not being infected and controlled by malicious software.

Protect yourself and keep the cyberspace clean.

Download Report

< Please click to download Hong Kong Security Watch Report >

¹ IFAS  Information Feed Analysis System is a HKCERT developed system that collects global security intelligence relating to Hong Kong for analysis.

² Refer to Appendix 1 for the Sources of Information