HKCERT is pleased to bring you the "Hong Kong Security Watch Report" for the second quarter of 2020.
Nowadays, many networked digital devices, such as computers, smartphones and tablets, are compromised without their users' knowledge. The data on them may be mined and exposed every day, and the devices themselves may be used for various criminal activities.
The Hong Kong Security Watch Report aims to raise public awareness of the problem of compromised systems in Hong Kong, enabling the public to make better decisions in information security. The data in this quarterly report focuses on the activities of compromised systems in Hong Kong which suffer from, or have participated in, various types of cyber attacks, including web defacement, phishing, malware hosting, botnet command and control centres (C&C) or bots. "Computers in Hong Kong" refers to those whose network geolocation is Hong Kong, or whose host name has the top-level domain ".hk" or ".香港".
Highlights of the Report
In 2020 Q2, there were 13,365 unique security events related to Hong Kong used for analysis in this report. The data were collected through IFAS¹ from 10 sources of information² and do not include the incident reports received by HKCERT.
Figure 1 – Trend of security events
The total number of security events in the second quarter of 2020 was down 7%, from 14,433 in 2020 Q1 to 13,365 in this quarter. Although web defacement and phishing events rose significantly, the rise was offset by a drop in botnet and malware hosting events, resulting in a slight decrease overall.
Server related security events
Server related security events include malware hosting, phishing and defacement. Their trends and distributions are summarised below:
Figure 2 – Trend and distribution of server related security events
Table 1 – Trend and distribution of server related security events
As shown in Table 1, the number of URLs involved in phishing events rose more than fourfold, from 399 in 2020 Q1 to 2,017 in this quarter, while the number of IP addresses involved increased by 68%. The URL/IP ratio also more than doubled, to 8.62. Around 71% of these phishing URLs were spoofing an online gambling website. These pages offer none of the features or information of an ordinary website; they simply prompt for a user name and password as soon as they are accessed. Our observation is that the rise in phishing events is linked to the COVID-19 outbreak: with more people working and spending their leisure time at home, demand for online entertainment has grown. Attackers noticed this demand and created phishing websites themed around the epidemic to defraud victims of sensitive information. Once a user enters their credentials, the account can be taken over by the attacker.
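The characteristic described above, a page with no real content that only asks for a user name and password, can be turned into a triage signal for captured phishing URLs. The following is an added example written for this summary, not HKCERT tooling: it parses a fetched HTML document with the standard library and flags pages that contain a password field but almost no visible text or navigation. The word and link thresholds, and the two sample pages, are constructed assumptions for illustration.

```python
"""Heuristic triage of a captured HTML page for the pattern the report
describes: a page that offers no real content and only prompts for a user name
and password. Added example, standard library only; the thresholds below are
assumptions for illustration, not HKCERT classification criteria."""
from html.parser import HTMLParser


class _PageStats(HTMLParser):
    """Collect the few features the heuristic needs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.forms = 0
        self.password_inputs = 0
        self.identity_inputs = 0   # text/email/tel fields, i.e. the user-name box
        self.links = 0
        self.words = 0
        self._skip_depth = 0       # inside <script>/<style>, whose text is not content

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._skip_depth += 1
        elif tag == "form":
            self.forms += 1
        elif tag == "a" and a.get("href"):
            self.links += 1
        elif tag == "input":
            kind = (a.get("type") or "text").lower()
            if kind == "password":
                self.password_inputs += 1
            elif kind in ("text", "email", "tel"):
                self.identity_inputs += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.words += len(data.split())


# Assumed thresholds: a page with a password box, fewer than 30 words of visible
# text and at most two links has nothing to offer but the credential prompt.
MAX_WORDS = 30
MAX_LINKS = 2


def triage(html: str) -> dict:
    """Return the extracted features plus a 'suspicious' flag."""
    stats = _PageStats()
    stats.feed(html)
    stats.close()
    suspicious = (
        stats.password_inputs >= 1
        and stats.words < MAX_WORDS
        and stats.links <= MAX_LINKS
    )
    return {
        "forms": stats.forms,
        "password_inputs": stats.password_inputs,
        "identity_inputs": stats.identity_inputs,
        "links": stats.links,
        "words": stats.words,
        "suspicious": suspicious,
    }


# Constructed sample pages (not captured from any real site).
LOGIN_ONLY_PAGE = """<html><head><title>Login</title>
<script>document.title = "Login";</script></head>
<body><form method="post" action="/login.php">
<input type="text" name="user"><input type="password" name="pass">
<input type="submit" value="Login"></form></body></html>"""

CONTENT_PAGE = """<html><body>
<nav><a href="/">Home</a> <a href="/games">Games</a> <a href="/promotions">Promotions</a>
<a href="/help">Help centre</a> <a href="/terms">Terms</a></nav>
<h1>Welcome back</h1>
<p>Browse tonight's fixtures, check the latest promotions, read the responsible
gaming guide and contact our support team at any time. Your account dashboard
shows balances, pending withdrawals and verification status.</p>
<form action="/login"><input type="email" name="e"><input type="password" name="p"></form>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("login-only", LOGIN_ONLY_PAGE), ("content", CONTENT_PAGE)):
        print(name, triage(page))
```

Treat the flag as a triage signal rather than a verdict: a legitimate site's dedicated login page can look equally bare, so in practice the score is combined with the domain's age, its resemblance to the brand being spoofed and the destination of the form's action attribute before a URL is reported as phishing.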
Compared to the previous quarter, the number of defacement events increased by 85% to 1,062, while the number of IP addresses involved in defacement increased by 72% to 463. The highest number of URLs defaced on a single day was recorded on 23 Apr 2020, when a total of 106 websites on the same IP address were affected: the attacker gained unauthorised access to the server and then placed an ".htm" file on every website hosted on it to show off the successful compromise. Another notable incident happened on 23 May 2020, when a total of 49 IP addresses hosting 64 websites were hacked. Likewise, the attacker left a distinctive ".html" file, and based on its file name these websites are believed to have been hacked by the same threat actor. HKCERT recommends that site administrators consider deploying a system auditing tool and setting up a regular check or automatic alert that monitors file changes, as an early warning of possible defacement attacks.
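The file-change monitoring recommended above is straightforward to build: hash every file under the web root, store the result as a baseline, re-scan on a schedule and alert on the diff. The following is an added example written for this summary (not HKCERT's own tooling) that does exactly that and then checks the diff for the two patterns seen in the incidents described, the same new .htm/.html file appearing under many site directories on one server, and a landing page being rewritten. The directory layout, file names and alert thresholds in the demo are constructed assumptions.

```python
"""File-change monitoring for a shared web root, written here as an added
example of the detection HKCERT recommends (not HKCERT's own tooling). A
baseline of file hashes is taken, the tree is re-scanned, and the diff is
checked for the mass-defacement pattern described above: the same new
.htm/.html page dropped into many site directories on one server, or a site's
landing page being rewritten. Directory layout and thresholds are assumptions."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

LANDING_PAGES = {"index.html", "index.htm", "index.php", "default.htm", "default.html"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():          # never follow links out of the web root
                continue
            snap[p.relative_to(root).as_posix()] = sha256_file(p)
    return snap


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify paths as added, removed or modified between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def defacement_alerts(changes: dict) -> list:
    """Heuristics for the incident pattern in the report (assumed thresholds):
    the same new HTML file name appearing under more than one site directory,
    or a landing page changing outside a deployment."""
    alerts = []
    by_name = {}
    for rel in changes["added"]:
        p = Path(rel)
        if p.suffix.lower() in (".htm", ".html"):
            by_name.setdefault(p.name, []).append(rel)
    for name, paths in sorted(by_name.items()):
        if len(paths) > 1:
            alerts.append(f"new page '{name}' appeared in {len(paths)} site directories")
    for rel in changes["modified"]:
        if Path(rel).name.lower() in LANDING_PAGES:
            alerts.append(f"landing page modified: {rel}")
    return alerts


def demo() -> dict:
    """Constructed scenario: three virtual hosts on one server are baselined,
    then a simulated attacker drops one file into every host and rewrites one
    index page. Returns the diff and the alerts it raises."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sites = ("site-a.example", "site-b.example", "site-c.example")
        for site in sites:
            (root / site).mkdir()
            (root / site / "index.html").write_text(f"<h1>{site}</h1>\n")
            (root / site / "about.html").write_text("<p>About us</p>\n")
        baseline = snapshot(root)
        for site in sites:                      # simulated mass defacement
            (root / site / "owned.htm").write_text("defaced (constructed sample)\n")
        (root / "site-b.example" / "index.html").write_text("defaced\n")
        changes = diff_snapshots(baseline, snapshot(root))
        return {"changes": changes, "alerts": defacement_alerts(changes)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the baseline must be stored off the web server, or at least outside the web root with restrictive permissions: an attacker who can write an ".htm" file into every site can just as easily rewrite a baseline kept alongside them. Run the scan from cron or a systemd timer, exclude paths that legitimately change (upload and cache directories), and where deployments are frequent compare against the release manifest rather than the previous scan so that a genuine deploy does not drown the alert.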
The number of malware hosting events decreased by 20% from 5,445 in 2020 Q1 to 4,334 in this quarter, and the number of IP addresses involved decreased by 63% to 492. The URL/IP ratio, however, more than doubled from 4.09 to 8.81. According to the data, the site hosting the most malware URLs was an unofficial software download site. HKCERT urges users not to download software from unofficial sites.
HKCERT urges system and application administrators to protect their servers:
- Keep servers patched so that known vulnerabilities cannot be exploited
- Update web applications and plugins to the latest version
- Follow best practices for user account and password management
- Implement validation checks on user input and system output
- Provide strong authentication, e.g. two-factor authentication, for administrative control interfaces
- Acquire information security knowledge to prevent social engineering attacks
Botnet related security events
Botnet related security events can be classified into two categories:
- Botnet Command and Control Centre (C&C) security events – involving a small number of powerful computers, mostly servers, which give commands to bots
- Botnet security events – involving a large number of computers, mostly personal computers, which receive commands from C&Cs
Botnet Command and Control Servers
The trend of Botnet C&C security events is summarised below:
Figure 3 – Trend of botnet (C&C) related security events
There were no botnet command and control centre (C&C) security events in this quarter.
The trend of botnet (bots) security events is summarised below:
Figure 4 – Trend of botnet (bots) security events
The number of botnet (bots) events decreased by 25% to 5,952 in this quarter, and most botnet families recorded a decrease. Although the Mirai bot fell by 11.3% to 3,969 in this quarter, it still topped the list in Hong Kong in terms of maximum daily count. The largest drop was the Ramnit bot, which decreased by 99% from 816 to 8 and fell out of this quarter's major botnet family chart; the long-standing Tinba bot filled the gap. Tinba is also a Trojan that mainly targets online banking to steal sensitive data.
This quarter's result was counter-intuitive. It was anticipated that, with more people adopting work-from-home (WFH) arrangements during the COVID-19 outbreak, more vulnerable devices would be connected to the Internet and fall victim to bot malware. Instead, the decrease suggests that general users have raised their security awareness and taken proper malware removal measures, possibly because WFH arrangements have made them more conscious of security. HKCERT will keep monitoring the trend and continue with the necessary botnet cleanup activities.
HKCERT urges users to protect their computers so that they do not become part of a botnet:
- Keep their computers patched
- Install a working copy of security software and scan their machines for malware
- Set strong passwords to resist credential-based attacks
- Do not use unlicensed copies of Windows, media files or software
- Do not use versions of Windows or software that no longer receive security updates
- Do not open files from unreliable sources
HKCERT has been following up on the security events received and proactively engaging local ISPs in botnet cleanup since June 2013. Cleanup operations against the major botnet families Avalanche, Pushdo, Citadel, Ramnit, ZeroAccess, GameOver Zeus, VPNFilter and Mirai are still ongoing.
HKCERT urges general users to join the cleanup effort by ensuring their computers are not infected and controlled by malicious software, and by protecting their personal data, for a cleaner cyberspace.
¹ IFAS (Information Feed Analysis System) is a HKCERT-developed system that collects global security intelligence relating to Hong Kong for analysis.
² Refer to Appendix 1 for the Sources of Information.
³ Shodan is a search engine for Internet-connected devices: https://www.shodan.io/