Cybersecurity Insights-4

Cybersecurity Insights-4

novembro 13, 2019 | Adeline Zhang

3.3 Recidivists

“Recidivists” here refer to attack sources found to repeatedly engage in malicious activities. In the 2018 H1 Cybersecurity Insights, we pointed out that 25% of recidivists were responsible for 40% of attack events24. Considering the quantity and level of threat, these attackers should not be underestimated. By the end of 2018, the number of attack sources detected totaled around 43 million, up from 27 million at the end of June 2018. Of all these attack sources, recidivists accounted for 17% and were responsible for 35% of events. While those percentages were down slightly from mid-year, the actual threat was higher due to the sheer volume of attackers seen.

The annual geographic distribution of recidivists was the same as observed in the first half of the year. Globally, China and the USA were home to the most recidivists, followed by Russia and India. On the other hand, China and the USA were the most targeted. Russia, Australia, Brazil, and some European countries were also favored by recidivists. In China, recidivists were mainly distributed in prosperous coastal regions like Shandong, Jiangsu, Zhejiang, and Guangdong. Some high population inland provinces, such as Hebei and Henan, were also found to have many recidivists. This indicates that recidivists often attack then infiltrate the most affluent provinces and municipalities as their targets.


In the following figure, 39.36% of recidivists were botnets and 27.13% were involved in DDoS attacks. The two types alone accounted for a combined 66.49% of all attacks initiated by recidivists. Exploitation and scanning came in third and fourth. This indicates a lot of bots on the network are busy scanning for and exploiting vulnerabilities.

Based on NSFOCUS monitoring, we can categorize recidivists by target systems, target services, attack methods, and attack types:

Target systems: Individual attacks targeting only Windows accounted for 80.87% of all recidivistinitiated attacks, while those targeting Windows and Linux at the same time accounted for 13.04%.
Obviously, Windows is the most coveted target for recidivists, suffering the majority of attacks. This is likely because Windows has both the largest installed base and contains a lot of vulnerabilities that can be easily exploited for system intrusion.

Target services: CGI and SNMP combined were over half of all target services. The Common Gateway Interface (CGI) is a protocol used for communication between web forms and programs.
CGI converts input data into a fixed format for output to allow any CGI-compliant programs to call such data for use. The Simple Network Management Protocol (SNMP) is a protocol for standardized management of network devices. It comes in three versions, among which version 2c is mostfrequently exploited by hackers.

Attack methods: Malformed attacks were 54.24% of total attacks. This cyberattack is conducted by sending malformed packets to a target system. Such packets take time to process or even
cause errors to the system. In the worst-case scenario, the system may crash from receiving or processing these packets. Therefore, malformed attacks have the potential to cause great damage.
Brute-force cracking, Trojans, overflows, and scanning were other common methods recidivists often employed.

Attack types: Information gathering aims at identifying operating system types and versions, services provided by targets, server program types and versions, and related social information. From the collected information, hackers can find out whether there are exploitable vulnerabilities. Privilege escalation usually is the next step after information gathering to conduct attacks. After gaining privileges, hackers will execute activities such as cryptomining and malicious file downloading.

To be continued.