
Cybersecurity Monthly Report (November 2024)

< Overall Threat Trend >

Ex ante joint defense and monitoring

A total of 96,175 pieces of government agency cybersecurity joint defense intelligence were collected this month (an increase of 5,417 from the previous month). By type of identifiable threat, the largest category was information collection (52%), mainly the gathering of information through scanning, probing and social engineering; followed by intrusion attempts (19%), mostly attempts to gain unauthorized access to hosts; and intrusion attacks (18%), mostly unauthorized access to systems or acquisition of system or user privileges. The distribution of intelligence volume over the past year is shown in Figure 1.

Further compilation and analysis of the joint defense information found that attackers had recently used commercial quotations or invoices as a pretext for sending large volumes of malicious spam to government agencies. The malicious emails carry a compressed file as an attachment to evade scanning, and the archive contains the XRed Trojan, which tries to deceive recipients in order to steal information. The relevant information has been provided to the agencies for joint monitoring, together with protection recommendations.

Figure 1  Statistics of cybersecurity monitoring intelligence in joint defense

In-process reporting and responding

The number of cybersecurity incident reports totaled 53 this month (a decrease of 26 from the previous month), a 0.62-fold decrease compared to the same period last year. Most reports involved abnormal connections, execution of abnormal commands or the presence of malicious programs, which accounted for 37.74% of this month's reports. The statistics of cybersecurity incident reports over the past year are shown in Figure 2.

Figure 2  Number of cybersecurity incident reports

Post-incident information sharing

This month, an agency's Endpoint Detection and Response (EDR) system detected the execution of abnormal commands on an information device. Investigation found that the malware originated from a complaint submitted through the public opinion mailbox on the agency's official website. The complaint asked the reader to download a file from a Google Drive link and supplied the password for the compressed file, thereby circumventing the mailbox's file upload inspection mechanism. For business reasons, a staff member downloaded and decompressed the file. When the shortcut file (LNK) disguised as a PDF was clicked, the malicious program was loaded and executed, which the EDR detected and alerted on.

Additional Reference

Social engineering is a common attack technique. Recently, attackers have been found to attach encrypted zip files or external download links to complaints or reports in order to evade security detection and raise the probability of a successful attack. It is recommended to strengthen the security protection mechanisms of public opinion mailboxes, for example by scanning files with anti-virus software before viewing them and not clicking on unknown external links, and to strengthen security education and training for internal personnel so that they can recognize social engineering tactics and avoid executing malicious programs because of misleading filenames or icons. In addition, agencies should review and strengthen their procedures for handling public opinion mailboxes, such as disabling or marking external links, restricting the formats of files uploaded by the public, and handling external high-risk files in an isolated environment, to reduce the risk of system intrusion.
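The intake controls recommended above (screening a submission before staff open it, flagging external download links, restricting permitted upload formats), as an added example that is not part of the report: the field names, extension lists and storage domains are assumptions, and the sample zip is constructed in memory rather than taken from the incident.

```python
import io
import os
import re
import zipfile

# Hypothetical names and lists (assumptions, not from the report).
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".jpg", ".png", ".txt"}
HIGH_RISK_EXTENSIONS = {".lnk", ".exe", ".js", ".vbs", ".bat", ".cmd", ".scr", ".hta"}
EXTERNAL_STORAGE = re.compile(
    r"https?://\S*(?:drive\.google\.com|dropbox\.com|onedrive\.live\.com)\S*", re.I)

def find_external_links(body: str) -> list:
    """Return links to external file storage found in the complaint text."""
    return EXTERNAL_STORAGE.findall(body)

def inspect_zip(data: bytes) -> list:
    """Read only the zip directory; nothing is extracted or executed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # general-purpose flag bit 0: member is encrypted
                findings.append(f"password-protected member: {info.filename}")
            parts = info.filename.rsplit("/", 1)[-1].lower().split(".")
            exts = ["." + p for p in parts[1:]]  # e.g. 'x.pdf.lnk' -> ['.pdf', '.lnk']
            if exts and exts[-1] in HIGH_RISK_EXTENSIONS:
                findings.append(f"high-risk file type {exts[-1]}: {info.filename}")
            if len(exts) > 1 and exts[-2] in DOCUMENT_EXTENSIONS:
                findings.append(f"document extension hiding the real type: {info.filename}")
    return findings

def screen_submission(body: str, attachment_name: str, attachment: bytes) -> dict:
    """Decide whether staff may open a submission or it must be quarantined."""
    reasons = [f"external download link: {u}" for u in find_external_links(body)]
    ext = os.path.splitext(attachment_name.lower())[1]
    if ext == ".zip" and zipfile.is_zipfile(io.BytesIO(attachment)):
        reasons += inspect_zip(attachment)
    elif ext not in DOCUMENT_EXTENSIONS:
        reasons.append(f"attachment type not permitted: {attachment_name}")
    return {"quarantine": bool(reasons), "reasons": reasons}

def constructed_sample_zip() -> bytes:
    """Constructed sample: a zip holding 'complaint.pdf.lnk', flagged as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("complaint.pdf.lnk", b"constructed placeholder, not a real shortcut")
    raw = bytearray(buf.getvalue())
    # zipfile cannot write encrypted archives: set the flag bit by hand in the local header (flags at offset 6) and central directory entry (offset 8)
    raw[raw.find(b"PK\x03\x04") + 6] |= 0x1
    raw[raw.find(b"PK\x01\x02") + 8] |= 0x1
    return bytes(raw)
```

Only archive metadata is read, so the screen can run before any file reaches a staff workstation; anything quarantined is then opened only in the isolated environment the report recommends.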
