(Hong Kong, 1 November 2024) The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) has released the Hong Kong Security Watch Report for the third quarter of 2024. The data shows significant increases in phishing websites and botnet events in Hong Kong, with respective increases of 155.8% and 83.4%. Specifically, botnet events rose from 2,754 cases in the previous quarter to 5,051 cases in the current quarter. This surge is primarily attributed to the discovery of a botnet named "911 S5", which accounts for over half of the total botnet events, with more than 2,700 cases.
According to the threat intelligence cited in the report, the first "911 S5" event was recorded back in May 2024. This was triggered by a joint operation led by the United States Department of Justice, which successfully dismantled the "911 S5" infrastructure. Subsequently, details about infected devices were disclosed, revealing the true scale and impact of this botnet for the first time.
Although "911 S5" has been dismantled by overseas law enforcement agencies, many infected devices have not yet been cleaned. Since "911 S5" is a type of backdoor malware, the possibility that other cyber criminals will exploit these backdoors to regain control over the infected devices cannot be ruled out. Therefore, to prevent the backdoor malware from being maliciously used again, ongoing monitoring and removal are essential.
Over 2,700 Local Devices Infected with "911 S5" Botnet, Potentially Used for Cyber Criminal Activities
The "911 S5" botnet has been operational since 2014 and was renamed "CloudRouter" in 2023. It has infected over 19 million devices across more than 190 countries worldwide. This botnet embeds a malicious backdoor in certain VPN applications, allowing hackers to use the infected devices to connect to the internet while concealing their own network footprints. This facilitates various criminal activities such as financial crimes, cyber attacks and data theft.
The VPN applications connected to the "911 S5" infrastructure include MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN, and ShineVPN. These VPNs are often embedded in pirated games or software. Upon downloading these games or software, the VPN application and the backdoor are installed without victims’ consent, inadvertently making their devices part of the "911 S5" botnet. HKCERT has initiated immediate monitoring of the "911 S5" infection situation in Hong Kong and has notified the relevant IP owners of the infected devices for remediation.
HKCERT urges the public and organizations to remain vigilant against any malware attacks and to adopt the following defence recommendations:
HKCERT has also published methods for removing "911 S5" for public reference. For detailed information, please refer to the link below:
https://www.hkcert.org/blog/massive-911-s5-botnet-affecting-nearly-19-million-ip-addresses-worldwide-was-dismantled
Hong Kong Security Watch Report (Q3 2024):
https://www.hkcert.org/watch-report/hong-kong-security-watch-report-q3-2024
Businesses or members of the public who wish to report cyber security related events to HKCERT can do so by completing the online form at https://www.hkcert.org/event-reporting, or by calling the 24-hour hotline at 8105 6060. For further enquiries, please contact HKCERT at hkcert@hkcert.org.
- Ends -