Skip to main content

Hong Kong Security Watch Report (Q1 2020)

Release Date: 19 May 2020 7784 Views

HKCERT is pleased to bring to you the "Hong Kong Security Watch Report" for the first quarter of 2020.


Nowadays, many networked digital devices, such as computers, smartphones, tablets, are being compromised without the user's knowledge. The data on them may be mined and exposed every day, and even be used for various criminal activities.


The Hong Kong Security Watch Report aims to raise public awareness of the problem of compromised systems in Hong Kong, enabling them to make better decision in information security. The data in this quarterly report focuses on the activities of compromised systems in Hong Kong which suffer from, or have participated in various types of cyber attacks, including web defacement, phishing, malware hosting, botnet command and control centres (C&C) or bots. "Computers in Hong Kong'' refer to those whose network geolocation is Hong Kong, or the top level domain of their host name is ".hk'' or “.香港”. 


Notice for the correction of 2019 Q4 report


An error was found in the 2019 Q4 report for the Botnet (Bots) security events. Certain Botnet (Bots) figures were missing from the report. As a result, the total number of Botnet (Bots) security events and the major security botnet families list was incorrect. HKCERT has since corrected the figures and republished the report on the website.

The 2019 Q4 figures used in this report is based on the corrected version.


Highlight of Report


In 2020 Q1, there were 14,433 unique security events related to Hong Kong used for analysis in this report. Data were collected through IFAS1 with 10 sources of information2, and not collected from the incident reports received by HKCERT.


Trend of security events: 2020 Q1 had 14433 security events, 2019 Q4 had 9911  security events, 2019 Q3 had 26324  security events, 2019 Q2 has 62284 security events, 2019 Q1 had 80266 security events

Figure 1 –Trend of security events


In the first quarter of 2020, the total number of security events raised by 45.6%, from 9,911 in 2019 Q4, to 14,433. The growth was mainly attributed to the increase in the number of malware hosting events, which jumped up by 3.5 times, to 5,445 in this quarter. The second obvious change was the rise in phishing events, up by more than 50%. The count of defacement and botnet events did not change much when compared with the previous quarter.




Server related security events


Server related security events include malware hosting, phishing and defacement. Their trends and distributions are summarised below:


Trend and distribution of server related security events Figure 2 –Trend and distribution of server related security events



Event Type2019 Q12019 Q22019 Q32019 Q42020 Q1
Malware Hosting72,20148,89217,2731,1855,445

 Table 1–Trend and distribution of server related security events


As shown in Table 2, after falling continuously last year, the number of malware hosting events began to go up again this year. The amount of malware hosting involved IP addresses soared by more than 20 times (Figure 9), from 63 in 2019 Q4 to 1,330 in this quarter. The highest count was 961 events on February 9, 2020, which accounted for 17.6% of total events. Furthermore, we also noticed that the malware hosting URLs that were using the ".top" top-level domain increased significantly, accounting for 7.4% of total events, while it was only 0.5% and 3.4% in the third and fourth quarters of 2019 respectively.
Compared with the previous quarter, the number of defacement events fell slightly by 19 to 572; while the amount of defacement involved IP addresses decreased by around a third. According to data from Zone-H, apart from the most commonly known system vulnerabilities, other compromised methods such as file inclusion and SQL injection also had an upward trend, rising 3.22% and 6.41% respectively. Besides updating the security patches of systems regularly, HKCERT advises all website administrators and developers to pay attention to the vulnerabilities in web application and secure coding practices. A web application security risk assessment should also be conducted before system launch and at regular intervals. Details can refer to Open Web Application Security Project (OWASP) Top 10.



 HKCERT urges system and application administrators to protect the servers.

  • Patch server up-to-date to avoid the known vulnerabilities being exploited
  • Update web application and plugins to the latest version
  • Follow best practice on user account and password management
  • Implement validation check for user input and system output
  • Provide strong authentication e.g. two factor authentication, administrative control interface
  • Acquire information security knowledge to prevent social engineering attack



Botnet related security events


Botnet related security events can be classified into two categories:

  • Botnet Command and Control Centres (C&C) security events – involving a small number of powerful computers, mostly servers, which give commands to bots
  • Botnet security events - involving a large number of computers, mostly personal computers which receive commands from C&Cs.


Botnet Command and Control Servers

The trend of Botnet C&C security events is summarised below:


Trend of Botnet (C&C) security events: 2020 Q1 had 0 security event, 2019 Q4 had 0 security event, 2019 Q3 had 4 security events, 2019 Q2 had 0 security event, 2019 Q1 had 0 security event Figure 3 –Trend of Botnet (C&Cs) related security events


There was no Botnet (C&C) security events in this quarter.


Botnet Bots

The trend of botnet (bots) security events is summarised below:


Trend of Botnet (Bots) security events: 2020 Q1 had 8017 security events, 2019 Q4 had 7878 security events, 2019 Q3 had 7078 security events, 2019 Q2 had 11554 security events, 2019 Q1 had 7458 security events Figure 4 - Trend of Botnet (Bots) security events


The number of Botnet (Bots) events increased slightly by 1.76% or 139 events in this quarter with Necurs bot experiencing the largest growth rate, increasing more than 16 times; while Ramnit bot had the largest quantitative increase of 775 events. Although the number of Avalanche bot event reduced by 40% to 790 in this quarter, it was still more than double the number in the first three quarters of 2019. Also, although WannaCry bot continued to decline since 2018 Q2, it rebounded by 28.2% in this quarter. Since WannaCry ransomware had ceased operation and would not infect any new devices, the increase might have to do with previously infected devices being re-connected to the network.



 HKCERT urges users to protect computers so as not to become part of the botnets.

  • Patch their computers
  • Install a working copy of the security software and scan for malware on their machines
  • Set strong passwords to avoid credential based attack
  • Do not use Windows, media files and software that have no proper licenses
  • Do not use Windows and software that have no security updates
  • Do not open files from unreliable sources


HKCERT has been following up the security events received and proactively engaged local ISPs for the botnet cleanup since June 2013. Currently, botnet cleanup operations against major botnet family Avalanche, Pushdo, Citadel, Ramnit, ZeroAccess, GameOver Zeus, VPNFilter and Mirai are still ongoing.
HKCERT urges general users to join the cleanup acts, ensuring their computers are not being infected and controlled by malicious software, and protecting their personal data for a cleaner cyberspace.



 Users can use the HKCERT guideline to detect and clean up botnets



Download Report


< Please click to download Hong Kong Security Watch Report >


1 IFAS  Information Feed Analysis System is a HKCERT developed system that collects global security intelligence relating to Hong Kong for analysis.

2 Refer to Appendix 1 for the Sources of Information

3 Shodan is a search engine for Internet-connected devices:





Related Tags