Hong Kong Security Watch Report (Q4 2020)

Release Date: 24 Feb 2021

HKCERT is pleased to bring to you the "Hong Kong Security Watch Report" for the fourth quarter of 2020.


Nowadays, many networked digital devices, such as computers, smartphones and tablets, are compromised without the user's knowledge. The data on them may be mined and exposed every day, and may even be used for various criminal activities.


The Hong Kong Security Watch Report aims to raise public awareness of the problem of compromised systems in Hong Kong, enabling the public to make better decisions in information security. The data in this quarterly report focuses on the activities of compromised systems in Hong Kong which suffer from, or have participated in, various types of cyber attacks, including web defacement, phishing, malware hosting, botnet command and control centres (C&C) or bots. "Computers in Hong Kong" refers to those whose network geolocation is Hong Kong, or whose host name has the top level domain ".hk" or ".香港".


Highlight of Report


In 2020 Q4, there were 5,074 unique security events related to Hong Kong used for analysis in this report. Data were collected through IFAS[1] with 10 sources of information[2], and not collected from the incident reports received by HKCERT.


Trend of security events: 2020 Q4 had 5074 security events, 2020 Q3 had 6753 security events, 2020 Q2 had 13365 security events, 2020 Q1 had 14433 security events, 2019 Q4 had 9911 security events

Figure 1 – Trend of security events


The total number of cyber security events in 2020 Q4 was 5,074, down by 25% from 2020 Q3 (6,753 cases). This was the third consecutive quarter of decline (Figure 1). Security events of all types decreased in this quarter. Malware hosting security events, in particular, dropped from nearly 1,000 cases in 2020 Q3 to a single digit in this quarter (Table 1).




Server related security events


Server related security events include malware hosting, phishing and defacement. Their trends and distributions are summarised below:


Figure 2 – Trend and distribution of server related security events



Event Type      | 2019 Q4 | 2020 Q1 | 2020 Q2 | 2020 Q3 | 2020 Q4
Malware Hosting | 1,185   | 5,445   | 4,334   | 934     | 2

Table 1 – Trend and distribution of server related security events


As shown in Table 1, while the number of phishing sites receded by over 28%, from 552 sites in 2020 Q3 to 395 sites in this quarter, the number of unique IP addresses involved edged up to 149 (Figure 7). The unique URL/IP ratio shrank by 30%, from 3.81 in 2020 Q3 to 2.65 in 2020 Q4 (Figure 8). Of these phishing sites, over half impersonated financial institutions and online shops. In addition, phishing sites with SSL certificates have been on an upward trend in recent years: the proportion of such sites more than doubled, from 27% in 2020 Q3 to over 56% in 2020 Q4. Checking for an SSL certificate used to be one of the methods of identifying a phishing website, but this trend has made the task more difficult. HKCERT also noted that an automated phishing kit had recently been made available online, making it easier for hackers to develop high-quality forged phishing content. HKCERT advises users to beware of web links from unknown sources. If a link looks suspicious, do not provide any personal information, and contact the related company or organisation.


Compared with last quarter, both defacement events and unique IP addresses involved in such events decreased by 48% to 305 cases and 159 cases respectively (Figure 5). The unique URL/IP ratio is 1.92, similar to last quarter (Figure 6). 


In this quarter, the number of malware hosting events dropped significantly, from 934 cases last quarter to only two cases. Since they came from two IP addresses (Figure 9), the unique URL/IP ratio was 1 (Figure 10). Both sites are now inaccessible: one has already been taken down, and the other is blocked by common browsers.



HKCERT urges system and application administrators to protect their servers:

  • Keep servers patched and up to date so that known vulnerabilities cannot be exploited
  • Update web applications and plugins to the latest version
  • Follow best practice on user account and password management
  • Implement validation checks for user input and system output
  • Provide strong authentication, e.g. two-factor authentication, on administrative control interfaces
  • Acquire information security knowledge to prevent social engineering attacks



Botnet related security events


Botnet related security events can be classified into two categories:

  • Botnet Command and Control Centres (C&C) security events – involving a small number of powerful computers, mostly servers, which give commands to bots
  • Botnet security events - involving a large number of computers, mostly personal computers which receive commands from C&Cs.


Botnet Command and Control Servers

The trend of Botnet C&C security events is summarised below:

There were no Botnet Command and Control Centre (C&C) security events in this quarter.
There were no Botnet Command and Control Centre (C&C) security events from 2019 Q4 to 2020 Q4.

Trend of Botnet (C&C) security events: 2020 Q4 had 0 security event, 2020 Q3 had 0 security event, 2020 Q2 had 0 security event, 2020 Q1 had 0 security event, 2019 Q4 had 0 security event 

Figure 3 – Trend of Botnet (C&Cs) related security events




Botnet Bots

The trend of botnet (bots) security events is summarised below:


Trend of Botnet (Bots) security events: 2020 Q4 had 4372 security events, 2020 Q3 had 4696 security events, 2020 Q2 had 5952 security events, 2020 Q1 had 8017 security events, 2019 Q4 had 7878 security events 

Figure 4 - Trend of Botnet (Bots) security events


The number of botnet (bots) events decreased by 7% to 4,372 in this quarter (Figure 4). Most botnet families recorded a decrease. The top 5 botnet families are Mirai, WannaCry, Conficker, Avalanche and Virut, accounting for 91% of the total count.


The Mirai botnet has a worm-like characteristic and mainly targets unsecured IoT devices. It works by continuously scanning for IoT devices and attempting to log in with the default user name and password. Once it succeeds, it takes full control of the device. Hackers have used such infected devices to launch large scale DDoS attacks against multiple organisations. HKCERT reminds users to change the default password and close TCP port 23 before using any IoT device. Since Mirai is memory-resident (volatile) only, if your device is infected, you can repeat the above-mentioned steps and then restart the infected device. Users can also visit HKCERT website to read the relevant guideline:
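As an added example (not part of the HKCERT report or its guideline), the following Python script checks whether devices you administer still accept connections on TCP port 23, the port the report advises closing. The device names and the 192.0.2.x addresses are constructed placeholders; replace them with your own inventory.

```python
"""Audit your own device inventory for reachable Telnet (TCP 23)."""
import socket
from concurrent.futures import ThreadPoolExecutor

TELNET_PORT = 23  # the port the report advises closing on IoT devices


def probe(host, port=TELNET_PORT, timeout=2.0):
    """Classify one TCP port as 'open', 'closed' or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # handshake completed: a service is listening
    except ConnectionRefusedError:
        return "closed"            # host answered with a reset: nothing listening
    except OSError:
        return "unreachable"       # timeout, filtered, or no route to host


def audit(inventory, timeout=2.0):
    """inventory: iterable of (name, host, port). Returns {name: state}."""
    items = list(inventory)
    if not items:
        return {}
    with ThreadPoolExecutor(max_workers=min(32, len(items))) as pool:
        states = pool.map(lambda d: probe(d[1], d[2], timeout), items)
        return {d[0]: s for d, s in zip(items, states)}


def still_exposed(results):
    """Names of devices whose Telnet port accepted a connection."""
    return sorted(name for name, state in results.items() if state == "open")


if __name__ == "__main__":
    # Constructed inventory (documentation addresses); use devices you administer.
    devices = [
        ("ip-camera", "192.0.2.10", TELNET_PORT),
        ("dvr", "192.0.2.11", TELNET_PORT),
    ]
    results = audit(devices)
    for name, state in sorted(results.items()):
        print(f"{name}: tcp/{TELNET_PORT} {state}")
    print("needs attention:", still_exposed(results) or "none")
```

A device reported as "open" still needs its default password changed and Telnet disabled, followed by a restart as described above.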



 HKCERT urges users to protect computers so as not to become part of the botnets.

  • Patch their computers
  • Install a working copy of the security software and scan for malware on their machines
  • Set strong passwords to avoid credential based attack
  • Do not use Windows, media files and software that have no proper licenses
  • Do not use Windows and software that have no security updates
  • Do not open files from unreliable sources


HKCERT has been following up on the security events received and has proactively engaged local ISPs in botnet cleanup since June 2013. Currently, botnet cleanup operations against the major botnet families Avalanche, Pushdo, Citadel, Ramnit, ZeroAccess, GameOver Zeus, VPNFilter and Mirai are still ongoing.
HKCERT urges general users to join the cleanup effort by ensuring that their computers are not infected and controlled by malicious software, and by protecting their personal data, for a cleaner cyberspace.



 Users can use the HKCERT guideline to detect and clean up botnets



1 IFAS: Information Feed Analysis System is a system developed by HKCERT that collects global security intelligence relating to Hong Kong for analysis.

2 Refer to Appendix 1 for the Sources of Information

3 Shodan is a search engine for Internet-connected devices: