Skip to main content

Hong Kong Security Watch Report (Q3 2018)

Release Date: 15 Oct 2018 4802 Views

HKCERT is pleased to bring to you the "Hong Kong Security Watch Report" for the third quarter of 2018.


Nowadays, a lot of “invisible” compromised computers are controlled by attackers with the owner being unaware. The data on these computers may be mined and exposed every day and the computers may be utilized in different kinds of abuse and criminal activities.


The Hong Kong Security Watch Report aims to provide the public a better "visibility" of the situation of the compromised computers in Hong Kong so that they can make better decision in protecting their information security.


The report provides data about the activities of compromised computers in Hong Kong which suffer from, or participate in various forms of cyber attacks, including web defacement, phishing, malware hosting, botnet command and control centres (C&C) and bots. Computers in Hong Kong is defined as those whose network geolocation is Hong Kong, or the top level domain of their host name is “.hk” or “.香港”. 


Highlight of Report

This report is for Quarter 3 of 2018.


In 2018 Q3, there were 24,118 unique security events related to Hong Kong used for analysis in this report. The information is collected with IFAS1 from 13 sources of information2. They are not from the incident reports received by HKCERT.


Figure 1 –Trend of security events


The total number of security events in 2018 Q3 fell by 49% or 23,016 events compared to the previous quarter. The decrease was mostly contributed by the dropdown of phishing events by 99%, while the malware hosting and defacement events jumped up by 78% and 408% respectively. Despite the decrease in last quarter, comparing with 2017 Q3 to 2018 Q1, we still got a surge in the overall events by 183% to 211%.




Server related security events


Server related security events include malware hosting, phishing and defacement. Their trends and distributions are summarized below:


 Figure 2 –Trend and distribution of server related security events


The number of phishing events got drastic drop from 34,391 in Q2 to 319 in Q3, or 99% decrease. While the number of defacement events jumped up from 1,071 in Q2 to 5,439 in Q3, or 408% increase. The top IP is, registered under AS36351 (HostHatch Hong Kong). It is noted that this IP has contributed 4,493 events since 29 September 2018, and HKCERT has notified the affected operator to clean up the defaced content and fix any vulnerabilities in their server.


The number of malware events got relatively smaller increase from 4,359 in Q2 to 7,773 in Q3, or 78% increase. Among these events, each of them involved a unique malware URL. The top 2 IPs are and The both IPs were registered under AS38197 (Sun Network).


The drastic drop of number of mass phishing events caused its URL/IP ratio to drop from 15 to 3. It can be seen that much fewer servers (dropped from 2,242 in 2018 Q2 to 117 in 2018 Q3) were breached/abused for phishing activities in 2018 Q3.


On the other hand, the URL/IP ratios of defacement and malware hosting events increased. For defacement events, the URL/IP ratio rose up from 3 to 8. It is because the IP (AS36351 HostHatch Hong Kong) has hosted 4,493 unique defacement URLs. On the other hand, the number of unique defacement IPs increased from 392 to 697, or by 78%. If excluding these unique URLs from the IP, the number of unique defacement URLs is only 934. Therefore, it can be seen that more number of servers were breached/abused for defacement activities in 2018 Q3.


For malware hosting events, the URL/IP ratio continued to rise up from 36 to 56. The cause of it is because the number of unique malware hosting URLs increased from 4,359 to 7,773, or by 78%, while the increase of number of unique malware hosting IPs increased only from 121 to 140, which was not comparable with that of the number of unique URLs. It can be seen that the small number of breached/abused servers contributed large number of URL for malware hosting.



 HKCERT urges system and application administrators to protect the servers.

  • patch server up-to-date to avoid the known vulnerabilities being exploited
  • update web application and plugins to the latest version
  • follow best practice on user account and password management
  • implement validation check for user input and system output
  • provide strong authentication e.g. two factor authentication, administrative control interface
  • do not expose unnecessary services to the internet



Botnet related security events


Botnet related security events can be classified into two categories:

  • Botnet Command and Control Centres (C&C) security events – involving small number of powerful computers, mostly servers, which give commands to bots
  • Bots security events – involving large number of computers, mostly home computers, which receive commands from C&C.


Botnet Command and Control Servers

The trend of botnet C&C security events is summarized below:


 Figure 3 –Trend of Botnet (C&Cs) related security events


There was no Command and Control Server reported in this quarter.


Botnet Bots

The trend of botnet (bots) security events is summarized below:


 Figure 4 - Trend of Botnet (Bots) security events


The number of Botnet (bots) in Hong Kong network increased by 45% in 2018 Q3. Mirai contributed to the increase of total count of Botnets by 116%, and keeps the first place in the rank of Major Botnet Families in Hong Kong Networks. There is a note that Ramnit has decreased by 41%, with the number of unique IP address decreased from 90 in 2018 Q2 to 53 in 2018 Q3.


Mirai botnet became active at the end of 2016. Following our cleanup operation in early 2017, we saw a decrease in Mirai events in 2017. However, Mirai botnet became active again since the end of 2017. New IoT devices were targeted. Counting the ports being scanned by infected IP addresses in each quarter, we see the steady falling trend for ports 23 (3,645 in Q4 2017 vs 3,242 in Q3 2018) and 2323 (1,502 in Q4 2017 vs 962 in Q3 2018), but seeing a surge in port 5555 (1 in Q4 2017 vs 126,724 in Q3 2018). According to Kaspersky research3, ports 23 and 2323 are the target ports of the original Mirai variant. But in February and July 2018, we began to see reports of ports 5555 being targeted456. Port 5555 is the default port used by the Android Debug Bridge (ADB) for development purpose. It was found that many devices have this port open to the Internet. Attackers become interested in scanning for this port to find any vulnerable Android devices. HKCERT will keep monitoring on the trend and continue the cleanup.




 HKCERT urges users to protect computers so as not to become part of the botnets.

  • patch their computers
  • install a working copy of the security software and scan for malware on their
  • machines
  • set strong passwords to avoid credential based attack
  • do not use Windows, media files and software that have no proper licenses
  • do not use Windows and software that have no security updates
  • do not open files from unreliable sources


HKCERT has been following up the security events received and proactively engaged local ISPs for the botnet clean up since June 2013. Currently, botnet cleanup operations against major botnet family - WannaCry, Avalanche, XCode Ghost, Pushdo, Citadel, Mumblehard, Ramnit, ZeroAccess and GameOver Zeus are still in action.


HKCERT urges general users to join the cleanup acts. Ensure your computers are not being infected and controlled by malicious software.


Protect yourself and keep the cyberspace clean.



 Users can use the HKCERT guideline to detect and clean up botnets



Download Report


< Please click to download Hong Kong Security Watch Report >


1 IFAS  Information Feed Analysis System is a HKCERT developed system that collects global security intelligence relating to Hong Kong for analysis.

2 Refer to Appendix 1 for the Sources of Information