The main points:

Government departments, public institutions and the financial industry are in the first half of 2023cyber securityThe industries with the highest incidence of emergency response incidents. This highlights the importance of cyber security issues to key sectorsData Securityposed a serious threat.

The vast majority of government and enterprise institutions have serious deficiencies in network security infrastructure construction and operational capabilities. Only a few government and enterprise institutions can detect problems in advance and avoid losses through safety inspections, while most institutions can only discover safety problems after major losses occur or are reported by a third party. Attackers use weak passwords, common vulnerabilities and other methods to attack hosts and servers, accounting for a considerable proportion of incidents.

Emergency response incidents triggered by illegal operations by internal employees accounted for about a quarter of the total. Lack of security awareness leads to the leakage of sensitive information on the public network, opening of high-risk ports to the public network, and downloading of pirated software, which leads to the infection of intranet servers, leading to the spread of ransomware viruses, data leaks, and even server compromises. Therefore, large and medium-sized government and enterprise institutions need to strengthen the cybersecurity awareness of internal employees.

Actual attack and defense exercises can help enterprises discover and identify potential security vulnerabilities, repair threats early, prevent actual attacks from occurring, and reduce losses. Among the security incidents received in the first half of 2023, some came from actual offensive and defensive exercises within government and enterprise institutions.

To sum up, network security issues pose a serious threat to the data security of important industries such as government departments, public institutions, and the financial industry. Most government and enterprise institutions have deficiencies in network security infrastructure construction and operational capabilities, and the network security awareness of internal employees needs to be improved urgently. Through actual offensive and defensive exercises, companies can better discover and repair potential security vulnerabilities and reduce potential losses.

event:

In the first half of 2023, the 95015 service platform received a total of 376 network security emergencies from government and enterprise institutions across the country. The Qi'an Security Service team invested 3157.1 hours (394.6 man-days) in handling related incidents, with an average time of 8.4 hours.

According to industry distribution, government departments reported the most incidents, with a total of 70 incidents; followed by public institutions, with a total of 51 incidents; financial institutions ranked third, with a total of 50 incidents. In addition, manufacturing, medical institutions, transportation and other industries are also industries with high incidence of cybersecurity emergency response incidents.

Government and enterprise agencies in 47.6% reported for help only after there were obvious signs of intrusion into the system. Government and enterprise agencies in 33.8% dialed 95015 after being blackmailed by attackers. Only 12.7% organizations can detect problems in advance through safety operation inspections.

In terms of the impact scope of the incident, the 63.6% incident mainly affected the business private network, and the 36.4% incident mainly affected the office network. Among the number of affected devices, 5,481 were compromised servers and 3,817 compromised office terminals. Business private networks and servers are the main targets of attackers.

In terms of losses, the 40.4% incident caused low production efficiency, the 22.9% incident caused data loss, and the 11.4% incident caused data leakage. In addition, there were 22 reputation impact incidents and 18 data tampering incidents.

There were 98 cyber security incidents triggered by insiders performing illegal operations for work convenience and other reasons. The number was second only to black industry activities (106 incidents) and exceeded the number of stolen important data (71 incidents) and extortion (68 incidents). ) for the purpose of external network attacks.

Network attacks using malicious programs as the main means are the most common, accounting for 34.3%, followed by vulnerability exploitation (31.9%) and phishing emails (7.2%). Network monitoring attacks, web page tampering, web application CC attacks and denial of service attacks are also common.

Among the ransomware handled in emergency response incidents, Phobos ransomware was the most common, triggering network security emergency response incidents in large and medium-sized government and enterprise institutions 12 times; followed by LockBit ransomware (10 times), Wannacry ransomware and Makop ransomware (6 times each) Second-rate). These popular ransomware viruses are a cause for concern.

Weak passwords are the network security vulnerability most exploited by attackers, with 133 related emergency incidents, accounting for 35.4%. Followed by the Eternal Blue vulnerability, there were 84 related exploitation incidents, accounting for 22.3%.

1. Overview of the Cybersecurity Emergency Response Situation

From January to June 2023, the 95015 service platform received a total of 376 network security emergency response incidents nationwide. The Qi'an Xin Security Service team assisted government and enterprise institutions in handling security incidents immediately, ensuring that the portals, databases and security incidents of government and enterprise institutions were ensured. The continued safe and stable operation of important business systems.
Comprehensive statistics show that among the 376 cybersecurity emergency response incidents handled in the first half of 2023, Qi
The Anxin Security Service team has invested a total of 3157.1 hours of work, equivalent to 394.6 man-days, and it takes an average of 8.4 hours to handle an emergency incident. Among them, in January, the emergency response volume decreased slightly due to the Spring Festival holiday.

2. Analysis of victims of emergency response incidents

This chapter will start from the perspective of victims of network security emergency response incidents, and analyze the impact of the 95015 service platform in the first half of 2023 from the aspects of industry distribution, incident discovery methods, scope of impact, and the impact of attack behaviors.
376 reported network security emergency response incidents were analyzed.

2.1 Industry Distribution

From the perspective of industry distribution, in the first half of 2023, among the network security emergency response incidents reported to the 95015 service platform, government departments reported the most incidents, with 70 incidents, accounting for 18.6%; followed by public institutions, with 51 incidents, accounting for 18.6%. Ratio of 13.6%; financial institutions ranked third with 50 cases, accounting for 13.3%. In addition, manufacturing, medical institutions, transportation and other industries are also industries with high incidence of cybersecurity emergency response incidents.
The figure below shows the TOP10 ranking of the number of network security emergency response incident reports in different industries.

2.2. Event discovery

Judging from the way security incidents are discovered, the government and enterprise organizations of 47.6% reported for help after the system showed very obvious signs of intrusion; the government and enterprise organizations of 33.8% called after being blackmailed by attackers. 95015 networksecurity serviceshotline. The sum of the two is 81.4%.
In other words, about 80% of large and medium-sized government and enterprise institutions seek help from professional institutions only after their systems have suffered huge losses or even irreversible damage. The proportion of government and enterprise institutions that can truly detect problems and call for help before losses occur through safe operation inspections to avoid losses is only 12.7%.
In addition, there are about 5.9% government and enterprise agencies that initiated emergency response after receiving notifications from competent authorities, regulatory agencies and third-party platforms. Not only do these institutions seriously lack effective network security operations, they also seriously lack the necessary threat capabilities.

With the support of threat intelligence capabilities, their own supervisory units or regulatory agencies always discover their own security problems or being attacked before they do. Among them, some notifications may also cause relevant units to face legal liability and administrative penalties. These notified government and corporate institutions are potential time bombs that may explode at any time.

2.3. Scope of influence

Cybersecurity incidents often have a significant impact on IT and business systems. Among the network security emergency response incidents reported and handled by the 95015 service platform in the first half of 2023, 63.6% incidents mainly affected the business private network, while the proportion of incidents that mainly affected the office network was 36.4%. Judging from the number of devices affected by network security incidents, 5,481 compromised servers and 3,817 compromised office terminals.
The scope of the impact of cyber attacks on large and medium-sized government and enterprise institutions in the first half of 2023 is shown in the figure below.

In this report, the office network refers to the basic office network composed of desktops, laptops, printers and other equipment used by enterprise employees, while the business private network generally refers to the various network systems required for the overall operation and external support of the organization.
It can be seen from the scope of impact and the number of affected devices that the private business networks and servers of large and medium-sized government and enterprise institutions are the main targets of network attackers.
While large and medium-sized government and enterprise institutions are building security protection for their private business networks, they should also improve the security awareness of internal personnel and strengthen the security protection and data security management of office terminals and important servers in the intranet.

2.4. Event losses

Cybersecurity incidents usually cause varying degrees and types of losses to government and enterprise institutions. Analysis of the emergency response site situation shows that among the 376 reports received by the 95015 service platform in the first half of 2023, 152 incidents caused low production efficiency of relevant institutions, accounting for 40.4%, ranking first in the type of loss. ; followed by 86 incidents causing data loss, accounting for 22.9%, ranking second; 43 incidents causing data leakage, accounting for TP3T
11.4%, ranked third; in addition, there were 22 incidents that affected the reputation of government and enterprise institutions, resulting in data tampering.
18 onwards.

In particular, in the above statistics, the same event is only counted once, and we only count the main types of losses caused by each event.
The main reason for low production efficiency is that mining, worms, Trojans and other attack methods make the server CPU usage too high, resulting in reduced production efficiency. Some companies have also shut down part of their production systems due to ransomware attacks.
There are many reasons for data loss, among which the irrecoverability of data due to ransomware encryption is the primary reason. The main causes of data breaches arehackerIntrusions and insider leaks.

3. Analysis of attackers in emergency response incidents

This chapter will start from the perspective of the attacker in the network security emergency response incident, and analyze the 376 network security emergency response incidents reported to the 95015 service platform in the first half of 2023 from the aspects of attack intention, attack type, malicious program and vulnerability exploitation. analyze.

3.1. Attack intention

For what purpose did the attacker launch the cyber attack? During the traceability analysis of network security incidents, emergency personnel found that in the first half of 2023, internal personnel conducted illegal operations for work convenience and other reasons, which led to system failures or intrusions, and as many as 98 network security incidents triggered emergency responses. . This number is second only to black industry activities (106 cases) and exceeds the number of external network attacks aimed at stealing important data (71 cases) and extortion (68 cases).

Here, illegal activities are dominated by domestic gangs, which mainly refer to illegal activities to make huge profits through black words, black links, phishing pages, mining programs and other attack methods.
Attacks aimed at stealing important data are generally divided into two types: one is private hackers illegally intruding into the internal systems of government and enterprise institutions to steal sensitive and important data, such as personal information, account passwords, etc.; the other is commercial espionage. or APT activity. From a practical point of view, the first situation is more common, and the second situation occasionally occurs.
Extortion mainly refers to attackers using ransomware to attack terminals and servers of government and enterprise institutions, and then carry out extortion. Almost all such attacks are initiated by foreign attackers, making them extremely difficult to crack down on.

3.2. Attack methods

Different security incidents have different attack methods used by attackers. Network for the first half of 2023

Analysis of security emergency response events found that network attacks using malicious programs as the main method were the most common, accounting for 34.3%; followed by vulnerability exploitation, accounting for 31.9%; phishing emails ranked third, accounting for 7.2%. In addition, network monitoring attacks, web page tampering, Web application CC attacks, denial of service attacks, etc. are also common. There were also approximately 21.81 TP3T security incidents, which were ultimately determined to be non-attack incidents. In other words, due to internal illegal operations, accidents and other reasons, even if the system is not invaded, there are still many incidents that trigger network security emergency response, which are worthy of vigilance.

3.3. Malicious programs

Emergency incident analysis shows that ransomware, mining Trojans, and worms are the most common types of malicious programs used by attackers, accounting for 20.7%, 12.0%, and 7.2% of malicious program attack events respectively. In addition, website Trojans, Eternal Blue Downloader Trojans, DDOS Trojans, APT-specific Trojans, etc. are also common types of malicious programs. There is also the 11.4% malicious program attack incident related to the relatively common popular Internet Trojans targeting ordinary netizens.

Table 1 shows the top 10 ransomware rankings with the highest frequency among the network security emergency response incidents reported to the 95015 service platform in the first half of 2023. It can be seen that the number one ransomware is Phobos ransomware, which triggered network security emergency response events for large and medium-sized government and enterprise institutions 12 times in the first half of 2023; followed by LockBit ransomware 10 times, Wannacry ransomware and Makop ransomware 6 times each. These popular ransomware viruses are very worthy of vigilance.
Table 1 Top 10 types of ransomware attacked

Ransomware name	Number of emergencies
Phobos ransomware	12
LockBit Ransomware	10
Wannacry ransomware	6
Makop ransomware	6
Tellyouthepass Ransomware	4
Mallox ransomware	3
BeijingCrypt ransomware	3
Gottacry ransomware	2
Devos ransomware	2
Elbie ransomware	2

3.4. Exploiting vulnerabilities

Emergency incident analysis shows that weak passwords are the most frequently exploited network security vulnerability by attackers in the first half of 2023.
There were as many as 133 related network security emergency response incidents, accounting for 35.4% of the total number of emergency response incident reports received by the 95015 platform in the first half of 2023. Followed by the Eternal Blue vulnerability, there were 84 related exploit events, accounting for 22.3%. In comparison, the proportion of other single types of vulnerability exploits is much smaller. The third-ranked phishing email only has 19 cases, accounting for 5.1%.

The prevalence of weak passwords is completely a reflection of weak security awareness and lax security management. Since the outbreak of the WannaCry virus in 2017, the EternalBlue vulnerability has become a well-known security vulnerability that must be patched. To this day, a large number of government and enterprise institutions still fall under the guns of Eternal Blue, which shows that these government and enterprise institutions seriously lack the most basic network security infrastructure construction and lack the most basic network security operation capabilities. It is expected that for a long time in the future, weak passwords and Eternal Blue vulnerabilities will remain basic network security issues that need to be solved urgently for domestic government and enterprise institutions.

4. Analysis of typical cases of emergency response

In the first half of 2023, the 95015 cyber security service hotline received a total of 376 cyber security emergency response requests across the country, involving 31 provinces and cities (autonomous regions and municipalities) and 2 special administrative regions across the country, covering government departments, institutions, finance, and manufacturing More than 20 industries including industry, medical and health care, and transportation. This chapter will combine the actual network security emergency response in the first half of 2023
Practice, introduce 5 typical cases, hoping to provide valuable reference for the network security construction and operation of government and enterprise institutions.

4.1. An enterprise database server was infected with the Mallox ransomware virus emergency incident

 Event overview
In January 2023, the Qi'an Security Service emergency response team received an emergency request from a company. The company's server was blackmailed and the files were encrypted, hoping to trace the source of the intrusion.
After emergency personnel arrived at the scene, they investigated the victim database server (xxx31) and combined the ransom note and encryption suffix to confirm that the enterprise server was infected with the Mallox ransomware virus and could not be decrypted temporarily. After investigating the application logs of the victim database server (xxx31) and the cloud logs of the on-site security protection software, it was found that the external attacker (92.63.196.x) conducted a large number of violent cracking behaviors on the database server (xxx31) and successfully invaded the server (xxx31 ) Download and install the remote desktop tool Anydesk, upload the hacking tool hrsword_v5.0.1.1.exe, and close the security protection software. Emergency personnel conducted a threat intelligence query on the external network attacker (92.63.196.x), which showed that the IP address was a malicious C2 server, and its common method was to scan and breach port 1433. The emergency personnel communicated with the employees of the company and learned that in order to facilitate business operations, port 1433 of the database server (xxx31) is open to the public network. Subsequently, emergency personnel investigated the recently accessed files and suspicious programs on the server (xxx31) and found that there were a large number of brute force dictionaries and the brute force cracking tool NLBrute1.2.exe.
At this point, the emergency personnel concluded that because the server (xxx31) opened port 1433 to the outside world and the server account had a weak password, the attacker successfully obtained the permissions of the server (xxx31) and then used the server (xxx31) as a springboard to access the internal network. Other hosts are brute-forced, and after success, the Mallox ransomware is dropped and the host files are encrypted.

Protection recommendations
1) System and application-related users should avoid using weak passwords, and should use highly complex passwords that contain a mixture of uppercase and lowercase letters, numbers, special symbols, etc. to enhance administrators' security awareness and prohibit password reuse;
2) Configure necessary firewalls and enable firewall policies to prevent unnecessary services from being exposed and providing conditions for hackers to exploit;

3) It is recommended to deploy full traffic monitoring equipment to detect malicious network traffic in a timely manner. At the same time, it can further strengthen the tracking and traceability capabilities and provide reliable traceability basis when security incidents occur;
4) Effectively strengthen the access control ACL policy, refine the policy granularity, strictly limit access to various network areas and servers by area and business, and use a whitelist mechanism to only allow the opening of specific business necessary ports, and prohibit access to other ports. The administrator IP can access management ports, such as FTP, database services, remote desktop and other management ports.

4.2. Emergency response to the incident where a certain unit’s official website was linked to a black link

 Event overview
In February 2023, the Qi'anxin emergency team received emergency help from a certain unit. The unit received a notification from Butian that the official website was hacked by the attacker. It hopes to analyze and investigate the incident and trace the source of the intrusion.
Emergency personnel arrived at the scene and verified that the official website of the unit was indeed linked to a black link. Subsequent investigation of the Web logs of the black-linked server (xxx117) revealed that there were records of uploading the Webshell backdoor file 123123123.aspx and a large number of accesses to the backdoor file. The file 12312 3123.aspx was successfully located in the templates directory through file search. . Emergency personnel tested the upload point https://xxedu.cn/xx/admin/settings/ttemplet_file_edi t.aspx and found that there is an arbitrary file upload vulnerability in this location.
Checking the user status of the server (xxx117), we found that the Guest user was cloned and elevated to an administrator user, and there were multiple suspicious logins. After checking the iis configuration file of the server (xxx117), it was found that there is a suspicious dll file containing search engine SEO related characters and related jump codes.
So far, emergency personnel have confirmed that due to the arbitrary file upload vulnerability on the official website of the unit, the attacker used the vulnerability to gain server permissions, cloned the guest user with privilege escalation, tampered with the iis configuration, loaded a malicious dll file and implanted a black link to hack the official website of the unit. chain.

 Protection recommendations
1) Configure necessary firewalls and enable firewall policies to prevent unnecessary services from being exposed and providing conditions for hackers to exploit;

2) Strengthen permission management, set permissions for sensitive directories, limit script execution permissions for uploaded directories, disallow configuration of execution permissions, etc.;
3) Include the site within the boundary WAF protection scope, and HTTPS sites need to load certificates;

4) Carry out security assessment, penetration testing and code auditing at the system, application and network levels, and proactively discover security risks in current systems and applications;
5) Strengthen the daily security inspection system, regularly check the system configuration, network equipment coordination, security logs and security policy implementation, and normalize itinformation securityWork.

4.3. Emergency handling of router hijacking by a certain operator’s users

 Event overview
In March 2023, the Qi'anxin emergency response team received emergency help from an operator. Because users' pages were hijacked when they were watching TV normally using the operator's broadband, the operator was complained by users. The operator hopes to determine the cause of the incident.
Emergency personnel arrived at the scene to investigate the hijacked page and found that hijacking occurs only when specific pages are accessed. When a user page is hijacked, it will first jump to two addresses: 106.14.xx and 139.196.xx. By constructing requests to access these two addresses, emergency personnel discovered that a malicious js file containing a large number of advertisements, pornographic addresses, and jump codes would be automatically loaded when accessed. Subsequently, emergency personnel tested the TV box of the same model and found no related hijacking situations. They speculated that it might be a problem with the router.
After the user agreed, emergency personnel tried to test the routing device from the attacker's perspective and found that the router had a command execution vulnerability that could directly gain access to the router system. After the emergency personnel obtained the router system permissions, they checked the router system processes, files, etc. and found that the existing nginx process would start monitoring on the device's port 8080 when running. Subsequently, we investigated the configuration file of the nginx process and found that hijacking code was implanted in the nginx.conf file.

Since the router is a home router and users are not assigned a public address when accessing the operator's network, attackers cannot directly access the router. Therefore, emergency personnel speculated that the hijacking code already existed when the user purchased the router. Since the official website of the router manufacturer was inaccessible, emergency personnel could not obtain the official firmware and could not determine whether the firmware used by the router was the official version. At present, emergency personnel suggest that the operator blocks relevant malicious addresses on user network exits and the emergency is over.

 Protection recommendations
1) It is recommended that operators block relevant malicious addresses on user network exits;

2) When purchasing products, be sure to purchase from official channels and avoid purchasing from unofficial or suspicious third-party channels to prevent the risk of encountering counterfeit, pirated or low-quality products.

4.4. An emergency incident involving a company being infected with the WatchDogs mining virus

Event overview
In May 2023, the Qi'anxin emergency response team received emergency help from a company. Multiple servers on the company's intranet were infected with mining viruses. The server system resources were occupied high, which affected the normal operation of the business. They hoped to investigate the victim servers and Tracing the source of invasion.
After emergency personnel arrived at the scene, they analyzed the external malicious mining domain name provided by the company's operation and maintenance personnel and determined that the server was infected with the WatchDogs mining virus. We investigated the system processes and scheduled tasks of the victim server (xxx80) and found malicious processes and malicious scheduled tasks that matched the characteristics of the WatchDogs mining virus. After the emergency personnel used the command to delete the malicious scheduled task and end the malicious process, the server (xxx80) processor resource usage returned to normal.
Subsequently, emergency personnel checked the logs of the victim server (xxx80) and found that a large number of files came from the intranet server.
SSH blasting behavior of (xxx81), (xxx22), (xxx82) and (xxx187). After checking the logs of these four servers, it was found that the earliest attack came from the server (xxx81) of the company's subordinate unit. emergency personnel on server
(xxx81) conducted an investigation and found that the server deployed java applications and used shiro components, and the on-site traffic monitoring device had an alarm that the server was successfully attacked by IP (xxx69) using the shiro deserialization vulnerability. After querying the threat intelligence, the IP (xxx69) was Malicious IP.

Therefore, the emergency personnel determined that because the server (xxx81) of the company's subordinate unit had not updated the shiro deserialization vulnerability patch, the attacker successfully used it to obtain the permissions of the server, and the company's intranet servers all used the same password and had low strength. The attacker The server (xxx81) was used to successfully obtain a large number of server permissions on the company's intranet through batch password brute force and launch the WatchDogs mining virus.
Emergency personnel then wrote and executed python scripts to help the company delete malicious scheduled tasks, end malicious processes, and restore a large number of victim servers on the intranet to normal. The emergency ended.

Protection recommendations
1) System and application-related users should avoid using weak passwords, and should use highly complex passwords that contain a mixture of uppercase and lowercase letters, numbers, special symbols, etc. to enhance administrators' security awareness and prohibit password reuse;
2) Regularly maintain the server, deploy the server security protection system, repair system application vulnerabilities, middleware vulnerabilities, components, plug-ins and other related vulnerabilities to ensure server security;
3) It is recommended to install anti-virus software, update the virus database in a timely manner, and conduct regular comprehensive scans to strengthen server virus prevention, suppression and removal capabilities;
4) The server is prohibited from actively initiating external connection requests. For those that need to push shared data to external servers, a whitelist should be used, and relevant policies should be added to the egress firewall to limit the IP range of active connections.

4.5. An enterprise’s 50+ office PCs used an unofficial KMS activation tool, resulting in an emergency incident of all being infected with worm viruses.

Event overview
In May 2023, the Qi'an Security Service emergency team received an emergency request from a company. The company was notified by the regulatory agency that more than 50 office PCs on the intranet were infected with worm viruses. It was hoped to investigate this incident and trace the source of the intrusion.

When emergency personnel arrived at the scene, they learned that none of the on-site office PCs could connect to the Internet and had no security alarm equipment. An immediate investigation of the notified PCs revealed that the same virus sample file, tasksche.exe, existed in the Windows directory of the C drive of all notified PCs. Subsequent analysis of the virus sample tasksche.exe confirmed that the sample was the Eternal Blue Worm.
Emergency personnel investigated the directory where the virus sample files were located and found that residual files of the KMS activation tool existed in all reported PCs. The emergency personnel communicated with the company's employees and learned that all the notified PCs on site were activated by the staff using the KMS activation tool downloaded from a third-party website.
Emergency personnel checked the on-site host system information and found no suspicious accounts. After checking the host patch status, it was found that there is a patch for the MS17010 vulnerability, but the patching time cannot be determined.
Based on the above investigation information, emergency personnel initially concluded that the virus sample was carried by the KMS activation tool. Due to the lack of security awareness of the company's employees, they used the KMS activation tool downloaded from a third-party website, which led to this security incident. Because some on-site logs are missing, detailed attack details cannot be traced. Currently, emergency personnel have assisted the company to remove virus samples and put forward security protection suggestions, and the emergency has ended.
Protection recommendations
1) Strengthen personnel security awareness training, emphasize the importance of network security, and prohibit downloading application software through unofficial channels. Files from unknown sources, including email attachments and uploaded files, must be disinfected first;
2) It is recommended to install anti-virus software, update the virus database in a timely manner, and conduct comprehensive scans regularly to strengthen server virus prevention, suppression and removal capabilities;
3) Deploy advanced threat monitoring equipment to detect malicious network traffic in a timely manner. At the same time, it can further enhance traceability capabilities and provide reliable traceability basis when security incidents occur;
4) Configure and enable relevant key system and application logs, and regularly archive and back up system logs off-site to avoid being unable to trace attack paths and behaviors when attacks occur, and to strengthen security traceability capabilities;
5) Strengthen the daily security inspection system, regularly inspect system configuration, network equipment coordination, security logs, and security policy implementation, and normalize information security work.