According to the definition and scope given in the Cybersecurity Law and the Regulations on the Security Protection of Critical Information Infrastructure (Draft for Comment), critical information infrastructure (CII) refers to information infrastructure that, once damaged, disabled or subject to data leakage, may seriously endanger national security, the national economy, people’s livelihood and the public interest, including key industries and fields such as energy, transportation, water conservancy, finance, e-government, public communications and information services.
With the active promotion of strategies such as “Internet +” and “Industrial Internet” and the rapid development of IoT technologies such as LoRa, NB-IoT and eMTC, the IoT and critical information infrastructure have begun to integrate deeply. While this improves the operational efficiency and convenience of the related industries, it also increases the risk of cyber-attacks. It is therefore urgent to pay attention to, and protect against, the IoT network security issues of critical information infrastructure.
Relying on macro monitoring data, CNCERT conducts special monitoring of network security issues at the “cloud, pipe and end” layers of the IoT in critical information infrastructure. The monitoring situation for this month follows.
2 Terminal – IoT Terminal Network Security Monitoring
(1) Monitoring of active communication IoT terminals
Sampling monitoring this month found that 250,000 IoT terminal devices had direct protocol communication with more than 110,000 overseas IP addresses, including 1,350 industrial control devices, 163,648 switches and routers, 83,603 network monitoring devices, 394 networked printers and 188 video conferencing systems.
The distribution of the main manufacturers involved in the IoT terminal equipment monitored this month is as follows:
Industrial control equipment: major manufacturers include Siemens (30.52%), Weyco (21.72%), Rockwell (14.7%), Schneider (9.26%), Moxa (8.05%) and Omron (7.06%); the equipment types mainly include programmable controllers, serial servers, industrial switches, communication adapters, etc. The type distribution is shown in Figure 1.
Figure 1 Distribution of active communication industrial control equipment types
Switches and routers: major manufacturers include H3C (51.01%), Huawei (28.87%), Ruijie (11.76%), ZTE (4.51%), Cisco (3.01%) and Ralink (0.26%).
Network monitoring equipment: major manufacturers include Hikvision (73.47%), Dahua (20.45%) and Xiongmai (6.08%).
Networked printers: major manufacturers include Fuji (52.43%), Konica Minolta (17.9%), Canon (10.23%), Brother (8.18%), Epson (6.91%) and HP (3.84%).
Weak password detection was also carried out on the monitored network monitoring devices, and 43 devices were found to be at risk from weak passwords, including 184 Hikvision devices and 19 Dahua devices.
Among the active IoT terminal devices found in the monitoring, the top 5 provinces are Shanxi, Guangdong, Jilin, Zhejiang and Jiangsu. The distribution of the number of devices in each province is shown in Figure 2.
Figure 2 Distribution of active IoT devices by province and city
Focused monitoring of active industrial control equipment found 2.98 million communication events between industrial control equipment and overseas IPs this month, involving 89 countries. The distribution of the main overseas IP countries is shown in Table 1.
Table 1 Country distribution of overseas communication IP numbers
(2) Analysis of the activity of cyberspace resource mapping organizations
This month’s sampling monitoring found 830 probe-response events in which industrial control equipment answered probes from cyberspace mapping organizations such as Shodan and ShadowServer, involving 17 probe nodes. The probe protocols include Modbus, S7Comm, Fox, FINS, BACnet, etc. The protocol distribution of probe-response events is shown in Figure 3.
Figure 3 Protocol distribution of probe response events
3 Pipe – IoT Network Security Incident Monitoring
According to CNCERT monitoring data, from December 1 to 31, 2020, a total of 5,620 malicious samples targeting Internet of Things (IoT) devices were detected. 234,179 IP addresses of sample distribution servers were identified, mainly located in India (67.9%) and Brazil (12.9%). 7.14 million device addresses in China were suspected of being attacked, of which Taiwan accounted for the highest proportion at 20.4%, followed by Zhejiang and others. See the Threat Intelligence Monthly for details.
Figure 4 Country/region distribution of IP addresses of overseas Mozi botnet propagation servers
4 Cloud – IoT Cloud Platform Security Monitoring
(1) Network attack monitoring on IoT cloud platform
Sampling monitoring this month found 3,189 cyberattacks on key IoT cloud platforms such as NeuSeer, CASICloud, Gizwits, Sany Heavy Industry ROOTCLOUD, Haier COSMOPlat, iSESOL, XCMG Hanyun HANYUN, etc. Attack types include vulnerability exploitation attacks, denial of service attacks, command injection attacks, SQL injection attacks, cross-site scripting attacks, directory traversal attacks, etc.
The platform distribution of key IoT cloud platform attack events this month is shown in Figure 5, and the distribution of attack types involved is shown in Figure 6.
Figure 5 Platform distribution of IoT cloud platform attack events
Figure 6 Distribution of types of cyber attacks on IoT cloud platforms
Among the cyber attack incidents against key cloud platforms monitored this month, the overseas attack sources involved 45 countries including the United States, Norway and Russia, comprising 545 threat source nodes. The top 10 overseas countries by number of attack incidents initiated are shown in Figure 7.
Figure 7 Country distribution of threat sources of cyber attacks on IoT cloud platforms
5 Power Industry Monitoring
In order to understand the network security situation of networked power systems within critical information infrastructure, sampling monitoring this month focused on more than 90 power WEB assets, covering power inspection systems, power monitoring systems, power MIS systems, power office systems, power management and control systems, smart power station systems, power intelligent systems, etc. The analysis found that the monitored power asset IPs are all NAT egress addresses, distributed across 23 provinces, municipalities or autonomous regions nationwide. The top 10 geographical distribution of assets is shown in Figure 8, and the distribution of asset types is shown in Figure 9.
Figure 8 Geographical distribution of power WEB assets
Figure 9 Distribution of power WEB asset types
Sampling monitoring found that 49 power assets were attacked this month, involving more than 200 high-risk attacks. The asset types covered power MIS systems, power monitoring systems, power management systems, power inspection systems, power management and control systems, power office systems, power operation and maintenance systems, etc. The detailed distribution of attacked assets is shown in Figure 10.
Figure 10 Distribution of attacked power WEB asset types
In the network attacks against power WEB assets, the attack types include remote code execution attacks, arbitrary command execution attacks, web application attacks, logical vulnerability exploitation attacks, directory traversal attacks, etc. The detailed distribution of attack types is shown in Figure 11. Among them: remote code execution attacks mainly involve Struts2 and phpunit remote code execution vulnerabilities; web application attacks mainly involve cross-site scripting and SQL injection; vulnerability exploitation attacks mainly involve GPON home router security vulnerabilities; command injection attacks mainly involve the ZeroShell remote command execution vulnerability; directory traversal attacks mainly involve the AppearTV Maintenance Centre path traversal vulnerability; logical vulnerability exploitation mainly involves login bypass, unreasonable verification logic, etc.
Figure 11 Distribution of attack types
In the cyber attack incidents on power WEB assets, the overseas attack sources involved 21 countries including the United States, South Korea, Germany, France and the Philippines, comprising 86 threat nodes. Correlation with threat intelligence found that most of the attack IPs already carried suspicious or malicious flags. Information on the overseas attack sources that initiated the most attack events is shown in Table 2.
Table 2 Country distribution of attack sources of power WEB assets
Sampling monitoring and situation assessment show that networked power assets still face many security risks and security threats, and the security situation remains grim. CNCERT will continue to conduct security monitoring of the power industry, conduct in-depth analysis of key targets, and regularly report on the cyber security situation of the power industry.
Through macro data monitoring, CNCERT has discovered security problems at all three layers, “cloud, pipe and end”, of the Internet of Things. However, the problems discovered so far are only the tip of the iceberg of the hidden IoT network security dangers in critical information infrastructure. CNCERT will focus on IoT network security issues over the long term and continue to carry out security monitoring and regular reporting.