According to the definition and scope given in the Cybersecurity Law and the Regulations on the Security Protection of Critical Information Infrastructure (Draft for Comment), critical information infrastructure (CII) refers to information infrastructure whose destruction, loss of function or data leakage could seriously endanger national security, the national economy, people's livelihood and the public interest. It covers key industries and fields such as energy, transportation, water conservancy, finance, e-government, public communications and information services.
With the active advancement of strategies such as "Internet+" and "Industrial Internet" and the rapid development of IoT technologies such as LoRa, NB-IoT and eMTC, the Internet of Things and critical information infrastructure have begun to integrate deeply. While this improves the efficiency and convenience of the industries involved, it also increases their exposure to network attacks. There is therefore an urgent need to pay attention to and protect the IoT security of critical information infrastructure.
CNCERT uses macro monitoring data to carry out dedicated monitoring of network security issues at the "cloud, pipe and terminal" layers of the Internet of Things in critical information infrastructure. The monitoring situation for this month is as follows.
Terminal: IoT terminal network security monitoring
(1) Monitoring of active communication IoT terminals
Sampling monitoring this month found that 240,000 IoT terminal devices had direct protocol communication with more than 90,000 overseas IP addresses, including 1,243 industrial control devices, 15,738 switches and routers, 76,222 network surveillance devices, 306 networked printers and 139 video conferencing systems.
The distribution of the main vendors of the IoT terminal devices monitored this month is as follows:
Industrial control devices: the major manufacturers include Siemens (33.39%), Weyco Controls (21.32%), Rockwell (13.19%), Schneider (9.65%), Omron (7.48%) and Moxa (6.76%). The device types are mainly programmable controllers, serial port servers, industrial switches and communication adapters. The type distribution is shown in Figure 1.
Figure 1 Distribution of active communication industrial control equipment types
Switches and routers: the major manufacturers include H3C (57.1%), Huawei (21.83%), Ruijie (12.69%), ZTE (4.78%), Cisco (2.73%) and Ralink (0.28%).
Network surveillance devices: the major manufacturers include Hikvision (66.15%), Dahua (25.72%) and Xiongmai (8.13%).
Networked printers: the major manufacturers include Fuji (43.37%), Konica Minolta (15.86%), Canon (15.21%), Brother (11%), Epson (7.44%) and HP (5.5%).
Weak-password checks were performed on the monitored network surveillance devices: 82 devices were found to be at risk from weak passwords, of which 66 were Hikvision devices and 16 were Dahua devices.
Among the active IoT terminal devices discovered by monitoring, the top 5 provinces are Shanxi, Guangdong, Jilin, Zhejiang and Jiangsu. The distribution of the number of devices in each province is shown in Figure 2.
Figure 2 Distribution of active IoT devices in provinces and cities
Focused monitoring of active industrial control devices found a total of 2.6 million communication events between industrial control devices and overseas IP addresses this month, involving 97 countries. The country distribution of the main overseas IP addresses is shown in Table 1.
Table 1 Country distribution of the number of overseas communication IP
(2) Analysis of the activity of cyberspace mapping organisations
Sampling monitoring this month found 739 probe-and-response events against industrial control devices originating from cyberspace mapping organisations such as Shodan and Shadowserver, involving 18 probe nodes. The probed protocols include Modbus, S7Comm, Fox, FINS and BACnet. The distribution of probe-and-response events is shown in Figure 3.
Figure 3 Protocol distribution of probe-and-response events
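The probe-and-response statistics above are derived from flow data by attributing inbound connections to known scanner sources, mapping the destination port to an ICS protocol and checking whether the device answered. The following is an added example of that classification logic, not CNCERT's own tooling. The flow records and the scanner IP ranges are constructed for illustration (documentation prefixes, not real scanner addresses); the port-to-protocol table uses the standard default ports of the protocols named in the report.

```python
"""Classify ICS protocol probes and device responses in flow records.

Added example (not CNCERT's own tooling). Takes constructed bidirectional
flow records, attributes the source to a scanner organisation, maps the
destination port to an ICS protocol and tallies, per protocol, how many
probes were seen and how many of those drew a reply from the device
(a reply means the device is reachable and speaks the protocol).
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Standard default ports of the protocols named in the report.
# FINS and BACnet are normally UDP; the others are TCP.
ICS_PORTS = {
    502: "Modbus",
    102: "S7Comm",
    1911: "Fox",
    4911: "Fox",      # Niagara Fox over TLS
    9600: "FINS",
    47808: "BACnet",
}

# Hypothetical scanner prefixes (assumed; documentation ranges, not real).
SCANNER_RANGES = {
    "ScannerOrgA": [ip_network("198.51.100.0/24")],
    "ScannerOrgB": [ip_network("203.0.113.0/24")],
}

# Constructed flow records: src address, dst port, bytes sent back by dst.
FLOWS = [
    {"src": "198.51.100.7", "dst": "10.0.0.5", "dport": 502, "bytes_from_dst": 12},
    {"src": "198.51.100.7", "dst": "10.0.0.6", "dport": 102, "bytes_from_dst": 0},
    {"src": "203.0.113.4", "dst": "10.0.0.5", "dport": 47808, "bytes_from_dst": 40},
    {"src": "203.0.113.9", "dst": "10.0.0.8", "dport": 9600, "bytes_from_dst": 0},
    {"src": "192.0.2.1", "dst": "10.0.0.5", "dport": 502, "bytes_from_dst": 12},   # unknown source
    {"src": "198.51.100.7", "dst": "10.0.0.5", "dport": 80, "bytes_from_dst": 500},  # not ICS
]


def scanner_org(src):
    """Return the scanner organisation owning src, or None if unattributed."""
    addr = ip_address(src)
    for org, nets in SCANNER_RANGES.items():
        if any(addr in net for net in nets):
            return org
    return None


def classify(flows):
    """Return (probes per protocol, responses per protocol, probe nodes).

    Only flows from a known scanner range to an ICS port are counted.
    A flow counts as a response when the device sent bytes back.
    """
    probes, responses, nodes = Counter(), Counter(), set()
    for flow in flows:
        proto = ICS_PORTS.get(flow["dport"])
        if proto is None or scanner_org(flow["src"]) is None:
            continue
        probes[proto] += 1
        nodes.add(flow["src"])
        if flow["bytes_from_dst"] > 0:
            responses[proto] += 1
    return probes, responses, nodes


def summarize(flows):
    """Per-protocol table of probes and responses, as in Figure 3."""
    probes, responses, nodes = classify(flows)
    table = {p: {"probes": probes[p], "responses": responses[p]} for p in probes}
    return table, len(nodes)


if __name__ == "__main__":
    table, node_count = summarize(FLOWS)
    print(f"{node_count} probe nodes")
    for proto, counts in sorted(table.items()):
        print(f"{proto:8s} probes={counts['probes']} responses={counts['responses']}")
```

Port-based classification is a first cut only: scanners also probe non-default ports, and a TCP handshake alone produces return bytes, so in production the response check should require a protocol-level reply (for example a Modbus exception or function response) rather than any bytes from the device.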
Pipe: IoT network security event monitoring
According to CNCERT monitoring data, a total of 5,175 malicious samples targeting IoT devices were detected between January 1 and January 31, 2021. 215,084 sample distribution server IP addresses were found, located mainly in India (65.9%), Brazil (16.8%), Russia (4.9%) and South Korea (1.9%). 7.11 million domestic device addresses are suspected of being infected, of which Zhejiang accounts for the highest proportion at 20.0%. The domestic distribution of infected devices is shown in Figure 4. See the monthly threat intelligence report for details.
Figure 4 Distribution of malicious sample families
4 Cloud: IoT cloud platform security monitoring
(1) Monitoring of cyber attacks on the IoT cloud platform
Sampling monitoring this month found 3,819 network attacks against key IoT cloud platforms such as Jiyun NeuSeer, CASICloud, Gizwits, SANY ROOTCLOUD, Haier COSMOPlat, iSESOL and XCMG Hanyun HANYUN. The attack types involved include vulnerability exploitation, denial of service, command injection, SQL injection, cross-site scripting and directory traversal.
The distribution of key IoT cloud platform attacks this month is shown in Figure 5, and the distribution of types of attacks involved is shown in Figure 6.
Figure 5 Platform distribution of IoT cloud platform attack events
Figure 6 Distribution of types of cyber attacks on IoT cloud platforms
Among the network attacks on key cloud platforms monitored this month, the overseas attack sources involved 57 countries including the United States, Norway and Russia, and 721 threat source nodes. The top 10 overseas countries by number of attack events are shown in Figure 7.
Figure 7 The distribution of threat sources of cyber attacks on IoT cloud platforms
5 Power industry monitoring
To understand the network security situation of networked power systems within critical information infrastructure, this month's sampling monitoring focused on more than 90 power-sector web assets, covering power inspection systems, power monitoring systems, power MIS systems, power office systems, power management and control systems, smart power station systems and intelligent power systems. Analysis found that all the monitored power asset IPs are NAT egress addresses, distributed across 23 provinces, municipalities or autonomous regions. The top 10 asset locations are shown in Figure 8 and the asset type distribution in Figure 9.
Figure 8 Regional distribution of power WEB assets
Figure 9 Distribution of power WEB asset types
Sampling monitoring found that 49 power assets were attacked this month, involving more than 200 high-risk attack events. The asset types covered power MIS systems, power monitoring systems, power management systems, power inspection systems, power management and control systems, power office systems and power operation and maintenance systems. The detailed distribution of attacked assets is shown in Figure 10.
Figure 10 Distribution of attacked power WEB asset types
The attack types seen against power-sector web assets include remote code execution, arbitrary command execution, web application attacks, vulnerability exploitation, logic flaw exploitation and directory traversal; the detailed attack type distribution is shown in Figure 11. Remote code execution attacks mainly involved Struts2 remote code execution vulnerabilities, phpunit remote code execution vulnerabilities and Kodak image viewer remote code execution vulnerabilities; web application attacks mainly involved cross-site scripting and SQL injection; vulnerability exploitation attacks mainly targeted security vulnerabilities in GPON home routers; command injection attacks mainly involved ZeroShell remote command execution vulnerabilities; directory traversal attacks mainly involved Appear TV Maintenance Centre path traversal; and logic flaw exploitation mainly involved login bypass and flawed verification logic.
Figure 11 Distribution of attack types
The overseas sources of network attacks on power-sector web assets involved 20 countries including the United States, South Korea, Germany, France and the Philippines, and 73 threat nodes. Correlation with threat intelligence showed that most of the attacking IPs already carried suspicious or malicious flags. The overseas attack sources that launched the most attacks are shown in Table 2.
Table 2 The distribution of power WEB asset attack source countries
Sampling monitoring and situation assessment show that networked power assets still face many security risks and threats, and the security situation remains severe. CNCERT will continue to monitor the security of the power industry, analyse key targets in depth and report regularly on the network security situation of the power sector.
Through macro data monitoring, CNCERT found security problems at all three layers of the Internet of Things ("cloud, pipe and terminal"). However, the problems found so far are only the tip of the iceberg of the hidden IoT security risks in critical information infrastructure. CNCERT will pay long-term attention to IoT security issues and continue to carry out security monitoring and regular notifications.