
Latest news with #CyberSecurityandTechnologyCrimeBureau

5% of Hong Kong critical infrastructure had 'system vulnerabilities' in 2024, police cybersecurity report finds

HKFP

4 days ago


Five per cent of more than 90,000 critical infrastructure facilities in Hong Kong had 'varying degrees of system vulnerabilities' last year, according to the cybercrime unit of the city's police force.

Credential leakage and compromise, hijackable subdomains, and exposed cloud storage were three critical and high-risk vulnerabilities identified in the systems of some key infrastructure facilities in Hong Kong last year, the Cyber Security and Technology Crime Bureau (CSTCB) said in its Cybersecurity Report released on Sunday. The 36-page document was the CSTCB's first report on cybersecurity issues in Hong Kong and around the world.

The bureau found that 89 per cent of the system vulnerabilities identified during the Internet-facing Assets Security Assessment conducted last year on key infrastructure were of medium or low risk. The remaining 11 per cent were critical and high-risk vulnerabilities.

One of the medium- and low-risk vulnerabilities identified was email servers of key infrastructure being blacklisted. The CSTCB said it may indicate a compromise and possible integration into a botnet – a network of computers or devices infected with malicious software and remotely controlled by a cybercriminal or hacker.

Other low-risk vulnerabilities included invalid or outdated cybersecurity certificates, weak cryptographic keys, unrestricted ports that can be exploited for malicious purposes, and hosting internal or sensitive systems on publicly accessible webpages.

'After the vulnerability testing, all identified system vulnerabilities were promptly patched, and the affected organisation [has] significantly enhanced their system security levels,' the report read.

The CSTCB also reported that it 'processed over 25 million pieces of cyber threat intelligence' last year. Among these, around 440,000 specifically targeted Hong Kong. In addition, more than 280,000 phishing-related threats were detected in the past year.

Phishing tactics can be used to conduct scams or serve as entry points for broader cyberattacks, the CSTCB warned. In some cases, perpetrators used phishing to hijack WhatsApp accounts in Hong Kong. The CSTCB recorded 2,547 cases of WhatsApp hijacking, which resulted in losses reaching HK$73.5 million.

Sixty-five hacking incidents were recorded last year, with financial losses totalling HK$25.5 million. The number of ransomware cases stood at 46, with victims extorted for up to HK$38.8 million in total. The CSTCB also handled five cases of Distributed Denial-of-Service (DDoS) attacks, which resulted in losses of up to HK$4.6 million.

'Despite the large volume of cyber threat intelligence collected, the number of successful attacks remained comparatively low,' the report read.

The CSTCB called on enterprises to learn from previous cybersecurity breaches and tackle issues such as inadequate access control and configuration, outdated and unpatched systems, and the lack of an effective threat detection mechanism, as some victim organisations took nearly 260 days to identify and contain a data breach.

In March, Hong Kong passed a law to enhance safeguards for the city's key infrastructure systems against cyberattacks, imposing fines of up to HK$5 million for cybersecurity lapses. Under the law, critical infrastructure covers eight sectors: energy, information technology, banking and financial services, land transport, air transport, maritime, healthcare services, and communications and broadcasting. The term also refers to infrastructures 'for maintaining important societal and economic activities,' including research and development parks and major sports and performance venues.
