Skip to main content

Hong Kong Security Watch Report (Q4 2017)

Release Date: 25 Jan 2018 2724 Views

HKCERT is pleased to bring to you the "Hong Kong Security Watch Report" for the fourth quarter of 2017.


Nowadays, a lot of “invisible” compromised computers are controlled by attackers with the owner being unaware. The data on these computers may be mined and exposed every day and the computers may be utilized in different kinds of abuse and criminal activities.


The Hong Kong Security Watch Report aims to provide the public a better "visibility" of the situation of the compromised computers in Hong Kong so that they can make better decision in protecting their information security.


The report provides data about the activities of compromised computers in Hong Kong which suffer from, or participate in various forms of cyber attacks, including web defacement, phishing, malware hosting, botnet command and control centres (C&C) and bots. Computers in Hong Kong is defined as those whose network geolocation is Hong Kong, or the top level domain of their host name is “.hk” or “.香港”. 


Highlight of Report

This report is for Quarter 4 of 2017.


In 2017 Q4, there were 7,735 unique security events related to Hong Kong used for analysis in this report. The information is collected with IFAS1 from 19 sources of information2. They are not from the incident reports received by HKCERT.


Figure 1 –Trend of security events


The total number of security events in 2017 Q4 dropped by 10% or 784 events compared to the previous quarter. The decrease was mostly contributed by the decrease in both phishing and botnet events. In 2017 Q1, we had 15,365 events. It dropped significantly in Q2 by 41% and continued to decrease steadily in Q3 and Q4.




Server related security events


Server related security events include malware hosting, phishing and defacement. Their trends and distributions are summarized below:


 Figure 2 –Trend and distribution of server related security events


The number of server related security events decreased from 3,386 to 3,043 (decreased by 10%) in this quarter. Though the overall count decreased, the number of defacement was actually increased by 25%. If comparing with all quarters in 2017, the number of events is in decreasing trend, with the number of defacement events drops significantly during the year.


The URL/IP ratio of malware hosting events continued to increase to a very high value of 16, with the number of unique URL slightly increased from 1,226 to 1,270, and the number of unique IP decreased from 102 to 77, or by 25%. When comparing with both Q1 and Q2 in 2017, it can be seen that the number of unique IP decreased from 369 to 97, and then decreased to 77 in Q4. That means fewer servers are used for malware hosting.



 HKCERT urges system and application administrators to protect the servers.

  • patch server up-to-date to avoid the known vulnerabilities being exploited
  • update web application and plugins to the latest version
  • follow best practice on user account and password management
  • implement validation check for user input and system output
  • provide strong authentication e.g. two factor authentication, administrative control interface
  • do not expose unnecessary services to the internet



Botnet related security events


Botnet related security events can be classified into two categories:

  • Botnet Command and Control Centres (C&C) security events – involving small number of powerful computers, mostly servers, which give commands to bots
  • Bots security events – involving large number of computers, mostly home computers, which receive commands from C&C.


Botnet Command and Control Servers

The trend of botnet C&C security events is summarized below:


 Figure 3 –Trend of Botnet (C&Cs) related security events


Only 1 IRC botnet Command and Control (C&C) server was identified in this quarter.


Botnet Bots

The trend of botnet (bots) security events is summarized below:


 Figure 4 - Trend of Botnet (Bots) security events


Although the number of Botnet (bots) on Hong Kong network decreased by 9% in Q4 2017, the count of WannaCry family remains steady, slightly increase by 2%. WannaCry ransomware outbreak occurred in May 2017. The WannaCry-bots are machines infected by WannaCry ransomware with the encryption mechanism not activated. HKCERT had handled 1,210 cases for WannaCry-bot in 2017 to try to clean up these machines infected by malware.


Mirai botnet became active in end 2016. Global security organizations started to clean up in 2017 Q1. The number of events dropped sharply from 2,493 in Q1 to 746 in Q2 and steadily decreased in Q3 and Q4. HKCERT had handled 151 cases about Mirai botnet to eliminate its effect.


The drops of the families Ghost push and Pushdo were large, with 76% and 62% respectively. (P.17 of the report)




 HKCERT urges users to protect computers so as not to become part of the botnets.

  • patch their computers
  • install a working copy of the security software and scan for malware on their
  • machines
  • set strong passwords to avoid credential based attack
  • do not use Windows, media files and software that have no proper licenses
  • do not use Windows and software that have no security updates
  • do not open files from unreliable sources


HKCERT has been following up the security events received and proactively engaged local ISPs for the botnet clean up since June 2013. Currently, botnet cleanup operations against major botnet family - WannaCry, Avalanche, XCode Ghost, Pushdo, Citadel, Mumblehard, Ramnit, ZeroAccess and GameOver Zeus are still in action.


HKCERT urges general users to join the cleanup acts. Ensure your computers are not being infected and controlled by malicious software.


Protect yourself and keep the cyberspace clean.



 Users can use the HKCERT guideline to detect and clean up botnets



Download Report


< Please click to download Hong Kong Security Watch Report >


1 IFAS  Information Feed Analysis System is a HKCERT developed system that collects global security intelligence relating to Hong Kong for analysis.

2 Refer to Appendix 1 for the Sources of Information