Skip to main content

Hong Kong Security Watch Report (Q1 2021)

Release Date: 25 May 2021 4735 Views

HKCERT is pleased to bring to you the "Hong Kong Security Watch Report" for the first quarter of 2021.

 

Nowadays, many networked digital devices, such as computers, smartphones, tablets, are being compromised without the user's knowledge. The data on them may be mined and exposed every day, and even be used for various criminal activities.

 

The Hong Kong Security Watch Report aims to raise public awareness of the problem of compromised systems in Hong Kong, enabling them to make better decision in information security. The data in this quarterly report focuses on the activities of compromised systems in Hong Kong which suffer from, or have participated in various types of cyber attacks, including web defacement, phishing, malware hosting, botnet command and control centres (C&C) or bots. "Computers in Hong Kong'' refer to those whose network geolocation is Hong Kong, or the top level domain of their host name is ".hk'' or “.香港”. 

 


Highlight of Report

 

In 2021 Q1, there were 5,017 unique security events related to Hong Kong used for analysis in this report. Data were collected through IFAS1 with 10 sources of information2, and not collected from the incident reports received by HKCERT.

 

Trend of security events: 2021 Q1 had 5017 security events, 2020 Q4 had 5074 security events, 2020 Q3 had 6753 security events, 2020 Q2 had 13365 security events, 2020 Q1 had 14433 security events

Figure 1 –Trend of security events

 

There were 5,017 cyber security events in 2021 Q1, marginally down 1% from 2020 Q4 (5,074 cases) (Figure 1). Except phishing sites, all other security events recorded a drop this quarter. Also, for the first time, there was no malware hosting security event (Table 1).

 

 

 


Server related security events

 

Server related security events include malware hosting, phishing and defacement. Their trends and distributions are summarised below:

 

Trend and distribution of server related security events 

Figure 2 –Trend and distribution of server related security events

 

 

Event Type2020 Q12020 Q22020 Q32020 Q42021 Q1
Defacement5721,062571305295
Phishing3992,017552395495
Malware Hosting5,4454,33493420

 Table 1–Trend and distribution of server related security events

 

As shown in Table 1, the number of phishing sites increased by 25%, from 395 sites in 2020 Q4 to 495 sites this quarter. However, the number of unique IP addresses involved in phishing sites fell 7% to 138, similar to that of 2020 Q1. As the number of unique IP addresses decreased, the unique URL/IP ratio went up 35% from 2.65 in 2020 Q4 to 3.59 in 2021 Q1. Of these phishing sites, as usual, most would impersonate financial institutions and online shops. However, over 30 of them were related to cryptocurrency. In addition, the proportion of phishing sites with SSL certificates has risen from 56% in the last quarter to 80% in this quarter. This has become a new norm for phishing sites. 


Also, phishing sites using the “.com” domain name came top with 179 of such sites, followed by “.xyz“ with 53. Launched in 2014, the easy-to-remember “.xyz“ domain name has been favoured by hackers due to its low registration cost. Meanwhile, “.cn“, “.buzz“ and “.org“ occupied third to fifth places and only one phishing site used “.hk“ domain name.

 

The most frequently used top-level domain of phishing sites 

Figure 3: The most frequently used top-level domain of phishing sites

 

Against last quarter, although defacement events decreased slightly to 295, the number of unique IP addresses involved rose by 35% to 215. The unique URL/IP ration dropped 29% to 1.37. The increase of IP addresses reflected that more servers have been compromised which might be related to unpatched vulnerabilities in software. HKCERT has issued several bulletins of vulnerabilities in operating systems and content management systems and their handling methods in 2021 Q1, and urges server administrators to subscribe its Security Bulletin to get the latest security information (https://www.hkcert.org/getrss). 


Also, from the statistics, most of the compromised servers were running on the open source and free Linux operating systems, though some were still running Windows 2003 and Windows 2008 versions which had already reached end-of-support. Since the manufacturer would no longer release security updates for them, the servers would become more vulnerable to cyber attacks. HKCERT urges owners of these servers to upgrade the operating systems or migrate to a supported version.

 

Distribution of operating systems in defacement events 

Figure 4: Distribution of operating systems in defacement events


There was no malware hosting security events in this quarter.

 

 

 HKCERT urges system and application administrators to protect the servers.

  • Patch server up-to-date to avoid the known vulnerabilities being exploited
  • Update web application and plugins to the latest version
  • Follow best practice on user account and password management
  • Implement validation check for user input and system output
  • Provide strong authentication e.g. two factor authentication, administrative control interface
  • Acquire information security knowledge to prevent social engineering attack

 

 


Botnet related security events

 

Botnet related security events can be classified into two categories:

  • Botnet Command and Control Centres (C&C) security events – involving a small number of powerful computers, mostly servers, which give commands to bots
  • Botnet security events - involving a large number of computers, mostly personal computers which receive commands from C&Cs.

 

Botnet Command and Control Servers

The trend of Botnet C&C security events is summarised below:

There was no Botnet Command and Control Centers (C&C) security events in this quarter.

 

Trend of Botnet (C&C) security events: 2021 Q1 had 0 security event, 2020 Q4 had 0 security event, 2020 Q3 had 0 security event, 2020 Q2 had 0 security event, 2020 Q1 had 0 security event 

Figure 5 –Trend of Botnet (C&Cs) related security events

 

 

 

Botnet Bots

The trend of botnet (bots) security events is summarised below:

 

Trend of Botnet (Bots) security events: 2021 Q1 had 4227 security events, 2020 Q4 had 4372 security events, 2020 Q3 had 4696 security events, 2020 Q2 had 5952 security events, 2020 Q1 had 8017 security events 

Figure 6 - Trend of Botnet (Bots) security events

 

The number of botnet (bots) event only decreased by 3% from 4,327 in the last quarter to 4,227 this quarter (Figure 6). Although the number of Mirai botnets has decreased continuously, falling by 19.2% from 2,801 in 2020 Q4 to 2,264 this quarter, it still came top in the Major Botnet Families in Hong Kong Network. Nymaim, Zeus and Avalanche had the largest percentage rises with increases of 276.8%, 130% and 43.2% respectively. Avalanche even climbed to second in the major botnet table


Most botnet families have recorded a decrement. The top 5 botnet families are Mirai, Avalanche, WannaCry, Conficker and Bymaim, accounting for 84% of the total count.


Avalanche botnet first appeared in 2009. Infected devices would receive commands from the server to conduct malicious activities (e.g. sending out fraudulent emails, conducting money laundering activities). In order to hide the server’s actual locations, it would make use of proxy server as well as “double fast flux” techniques, i.e. changing both DNS and IP address of a malicious domain every 5 minutes, for infected devices to connect to the platform. A device infected with Avalanche may also be subject to other cyber attacks, such as theft of banking and credit card information, ransomware, unauthorised access, etc. The compromised device may also be used to launch distributed denial-of-service (DDoS) attacks. In case of infection, please refer to the HKCERT guideline for handling and prevention:
https://www.hkcert.org/blog/hk-victims-reported-in-global-takedown-of-avalanche-cybercrime-hosting-platform

 

 

 

 HKCERT urges users to protect computers so as not to become part of the botnets.

  • Patch their computers
  • Install a working copy of the security software and scan for malware on their machines
  • Set strong passwords to avoid credential based attack
  • Do not use Windows, media files and software that have no proper licenses
  • Do not use Windows and software that have no security updates
  • Do not open files from unreliable sources

  

HKCERT has been following up the security events received and proactively engaged local ISPs for the botnet cleanup since June 2013. Currently, botnet cleanup operations against major botnet family Avalanche, Pushdo, Citadel, Ramnit, ZeroAccess, GameOver Zeus, VPNFilter and Mirai are still ongoing.
 
HKCERT urges general users to join the cleanup acts, ensuring their computers are not being infected and controlled by malicious software, and protecting their personal data for a cleaner cyberspace.

 

 

 Users can use the HKCERT guideline to detect and clean up botnets

 

 

Download Report

 

< Please click to download Hong Kong Security Watch Report >

 


1 IFAS  Information Feed Analysis System is a HKCERT developed system that collects global security intelligence relating to Hong Kong for analysis.

2 Refer to Appendix 1 for the Sources of Information

3 Shodan is a search engine for Internet-connected devices: https://www.shodan.io/

 

 

 

 
 
 

Related Tags